\
 | Configure how the Home Button behaves.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton
**Data type:** Integer
**Allowed values:**
- **0 (default)** - Not configured. Show home button, and load the default Start page.
- **1** - Enabled. Show home button and load New Tab page
- **2** - Enabled. Show home button & set a specific page.
- **3** - Enabled. Hide the home button.
 | If you set ConfigureHomeButton to 2, configure the home button URL.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL
**Data type:** String
**Allowed values:** Enter a URL, for example, https://www.bing.com | - | **[SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)**
 | Set a custom URL for the New Tab page.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL
**Data type:** String
**Allowed values:** Enter a URL, for example, https://www.msn.com | + | **[ConfigureKioskMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)**
 | Configure the display mode for Microsoft Edge Legacy as a kiosk app.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode
**Data type:** Integer
**Allowed values:**
- **Single-app kiosk experience**
- **0** - Digital signage and interactive display
- **1** - InPrivate Public browsing
- **Multi-app kiosk experience**
- **0** - Normal Microsoft Edge Legacy running in assigned access
- **1** - InPrivate public browsing with other apps
 | Change the time in minutes from the last user activity before Microsoft Edge Legacy kiosk mode resets the user's session.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout
**Data type:** Integer
**Allowed values:**
- **0** - No idle timer
- **1-1440 (5 minutes is the default)** - Set reset on idle timer
 | Set one or more start pages, URLs, to load when Microsoft Edge Legacy launches.
**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages
**Data type:** String
**Allowed values:**
Enter one or more URLs, for example,  | Configure how the Home Button behaves. **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton **Data type:** Integer **Allowed values:**  | If you set ConfigureHomeButton to 2, configure the home button URL. **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL **Data type:** String **Allowed values:** Enter a URL, for example, https://www.bing.com |
+ | **[SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)**  | Set a custom URL for the New Tab page. **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL **Data type:** String **Allowed values:** Enter a URL, for example, https://www.msn.com |
**_Congratulations!_** You’ve just finished setting up a kiosk or digital signage with policies for Microsoft Edge Legacy kiosk mode using Microsoft Intune or other MDM service.
diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json
index 576a1de28f..a796135a6b 100644
--- a/browsers/internet-explorer/docfx.json
+++ b/browsers/internet-explorer/docfx.json
@@ -39,7 +39,16 @@
"folder_relative_path_in_docset": "./"
}
},
- "titleSuffix": "Internet Explorer"
+ "titleSuffix": "Internet Explorer",
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
},
"externalReference": [],
"template": "op.html",
diff --git a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
index edcb50cb9e..bd0befaee9 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md
@@ -68,7 +68,7 @@ Additional information on Internet Explorer 11, including a Readiness Toolkit, t
## Availability of Internet Explorer 11
-Automatic Updates will start to distribute Internet Explorer 11 shortly after the final release of the product and will distribute it through the Microsoft Endpoint Configuration Manager and WSUS.
+Automatic Updates will start to distribute Internet Explorer 11 shortly after the final release of the product and will distribute it through the Microsoft Endpoint Manager and WSUS.
## Prevent automatic installation of Internet Explorer 11 with WSUS
diff --git a/browsers/internet-explorer/kb-support/ie-edge-faqs.md b/browsers/internet-explorer/kb-support/ie-edge-faqs.md
index 0257a9db03..5c29be5126 100644
--- a/browsers/internet-explorer/kb-support/ie-edge-faqs.md
+++ b/browsers/internet-explorer/kb-support/ie-edge-faqs.md
@@ -10,9 +10,7 @@ ms.prod: internet-explorer
ms.technology:
ms.topic: kb-support
ms.custom: CI=111020
-ms.localizationpriority: Normal
-# localization_priority: medium
-# ms.translationtype: MT
+ms.localizationpriority: medium
ms.date: 01/23/2020
---
# Internet Explorer and Microsoft Edge frequently asked questions (FAQ) for IT Pros
diff --git a/devices/hololens/docfx.json b/devices/hololens/docfx.json
index 5228341de6..6d55b1a859 100644
--- a/devices/hololens/docfx.json
+++ b/devices/hololens/docfx.json
@@ -45,7 +45,16 @@
"folder_relative_path_in_docset": "./"
}
- }
+ },
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
},
"fileMetadata": {},
"template": [],
diff --git a/education/developers.yml b/education/developers.yml
index 9e21b6d27f..6533d8c51c 100644
--- a/education/developers.yml
+++ b/education/developers.yml
@@ -18,16 +18,16 @@ additionalContent:
# Card
- title: UWP apps for education
summary: Learn how to write universal apps for education.
- url: https://docs.microsoft.com/en-us/windows/uwp/apps-for-education/
+ url: https://docs.microsoft.com/windows/uwp/apps-for-education/
# Card
- title: Take a test API
summary: Learn how web applications can use the API to provide a locked down experience for taking tests.
- url: https://docs.microsoft.com/en-us/windows/uwp/apps-for-education/take-a-test-api
+ url: https://docs.microsoft.com/windows/uwp/apps-for-education/take-a-test-api
# Card
- title: Office Education Dev center
summary: Integrate with Office 365 across devices and services to extend Microsoft enterprise-scale compliance and security to students, teachers, and staff in your education app
- url: https://dev.office.com/industry-verticals/edu
+ url: https://developer.microsoft.com/office/edu
# Card
- title: Data Streamer
summary: Bring new STEM experiences into the classroom with real-time data in Excel using Data Streamer. Data Streamer can send data to Excel from a sensor or application.
- url: https://docs.microsoft.com/en-us/microsoft-365/education/data-streamer
\ No newline at end of file
+ url: https://docs.microsoft.com/microsoft-365/education/data-streamer
diff --git a/education/docfx.json b/education/docfx.json
index 809a2da28f..8ba1394c6d 100644
--- a/education/docfx.json
+++ b/education/docfx.json
@@ -7,7 +7,8 @@
"**/**.yml"
],
"exclude": [
- "**/obj/**"
+ "**/obj/**",
+ "**/includes/**"
]
}
],
@@ -19,7 +20,8 @@
"**/*.svg"
],
"exclude": [
- "**/obj/**"
+ "**/obj/**",
+ "**/includes/**"
]
}
],
diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md
new file mode 100644
index 0000000000..156feee1de
--- /dev/null
+++ b/education/includes/education-content-updates.md
@@ -0,0 +1,11 @@
+
+
+
+
+## Week of January 11, 2021
+
+
+| Published On |Topic title | Change |
+|------|------------|--------|
+| 1/14/2021 | [Chromebook migration guide (Windows 10)](/education/windows/chromebook-migration-guide) | modified |
+| 1/14/2021 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md
index cbbdb3502b..3cd18bebdd 100644
--- a/education/windows/chromebook-migration-guide.md
+++ b/education/windows/chromebook-migration-guide.md
@@ -457,7 +457,7 @@ Table 5. Select on-premises AD DS, Azure AD, or hybrid
The disadvantages of this method are that it: Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune. https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/{app ID}/applockerdata Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premises group policies using Microsoft Endpoint Configuration Manager or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premises counterparts. Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premises group policies using Microsoft Endpoint Manager or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premises counterparts. MDM services can be used to publish App-V packages to clients running Windows 10, version 1703 (or later). All capabilities such as App-V enablement, configuration, and publishing can be completed using the EnterpriseAppVManagement CSP. Added support for Windows 10 Pro starting in the version 1809. Added FinalStatus setting in Windows 10, version 1809. Added new settings in Windows 10, version 1809. Added new CSP in Windows 10, version 1809. Added new settings in Windows 10, version 1809. Posted an updated version of the Policy DDF for Windows 10, version 1809. Added the following new policies in Windows 10, version 1809: Start/DisableContextMenus - added in Windows 10, version 1803. RestrictedGroups/ConfigureGroupMembership - added new schema to apply and retrieve the policy. Added the following note: Added new settings in Windows 10, version 1809. Added NonRemovable setting under AppManagement node in Windows 10, version 1809. Added new configuration service provider in Windows 10, version 1809. Added S mode settings and SyncML examples in Windows 10, version 1809. Added 3 new certificate nodes in Windows 10, version 1809. Added a new node Health/ProductStatus in Windows 10, version 1809. Added a new node AllowStandardUserEncryption in Windows 10, version 1809. Added a new node SMBIOSSerialNumber in Windows 10, version 1809. Added the following new policies in Windows 10, version 1809: Recent changes: Added a new node WifiCost in Windows 10, version 1809. Recent changes: Added new node AllowStandardUserEncryption in Windows 10, version 1809. Recent changes: Added the following new policies in Windows 10, version 1809: Updated the DDF files in the Windows 10 version 1703 and 1709. Added the following node in Windows 10, version 1803: Added the following node in Windows 10, version 1803: Added a new CSP in Windows 10, version 1803. Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies. Added the DDF download of Windows 10, version 1803 configuration service providers. Added the following new policies for Windows 10, version 1803: Added the following node in Windows 10, version 1803: Added the following node in Windows 10, version 1803: Added the following videos: Added a new CSP in Windows 10, version 1803. Added the following node in Windows 10, version 1803: Added the following new policies for Windows 10, version 1803: The following existing policies were updated: Added a new section: Added new section ServicesAllowedList usage guide. Added SyncML examples and updated the settings descriptions. Reverted back to Windows 10, version 1709. Removed previous draft documentation for version 1803. Added the following new policies for Windows 10, version 1803: Updated the XSD and Plug-in profile example for VPNv2 CSP. Added the following nodes in Windows 10, version 1803: Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in HoloLens (1st gen) Commercial Suite. Added example for HoloLens (1st gen) Commercial Suite. Added a new CSP in Windows 10, version 1803. Added the following node in Windows 10, version 1803: Added the following new policies for Windows 10, version 1803: Added the following policies the were added in Windows 10, version 1709 Security/RequireDeviceEncryption - updated to show it is supported in desktop. Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803. Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, next major update. Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803: Added new node (OfflineScan) in Windows 10, version 1803. Added a new CSP in Windows 10, version 1803. Added the following nodes in Windows 10, version 1803: Added new section CSP DDF files download Added the following policies for Windows 10, version 1709: Added missing policies from previous releases: Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709. Updated the following policies: Added new CSP in Windows 10, version 1709. Added SyncML examples for the new Configuration node. Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics. Added the following new policies for Windows 10, version 1709: Added new settings to Update/BranchReadinessLevel policy in Windows 10 version 1709. Starting in Windows 10, version 1709, AssignedAccess CSP is also supported in Windows 10 Pro. Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store. The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message: For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation. Added a SyncML example. Added RegisterDNS setting in Windows 10, version 1709. Added new topic to introduce a new Group Policy for automatic MDM enrollment. New features in the Settings app: For details, see Managing connections and Collecting diagnostic logs Added new step-by-step guide to enable ADMX-backed policies. Added the following statement: Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional. Updated the Settings/EDPEnforcementLevel values to the following: Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in Allow list examples. Added the following settings in Windows 10, version 1709: Added the following setting in Windows 10, version 1709: Added the following new policies for Windows 10, version 1709: Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutopilotResetCredentials. Changed the names of the following policies: Added links to the additional ADMX-backed BitLocker policies. There were issues reported with the previous release of the following policies. These issues were fixed in Window 10, version 1709: The root node for the CleanPC configuration service provider. {7CFA04A5-0F3F-445C-88A4-C86ED2AD94EA} Ethernet 10Mbps Ethernet 10 Mbps {97D3D1B3-854A-4C32-BD1C-C13069078370} Ethernet 100Mbps Ethernet 100 Mbps {A8F4FE66-8D04-43F5-9DD2-2A85BD21029B} Yes nocharacteristic uncharacteristic Yes characteristic-query Yes Recursive query: Yes Top level query: Yes Top-level query: Yes The root node for the DeveloperSetup configuration service provider.
diff --git a/windows/client-management/mdm/devicemanageability-csp.md b/windows/client-management/mdm/devicemanageability-csp.md
index 3bf0368ffd..99d2930eff 100644
--- a/windows/client-management/mdm/devicemanageability-csp.md
+++ b/windows/client-management/mdm/devicemanageability-csp.md
@@ -1,6 +1,6 @@
---
title: DeviceManageability CSP
-description: The DeviceManageability configuration service provider (CSP) is used retrieve general information about MDM configuration capabilities on the device.
+description: The DeviceManageability configuration service provider (CSP) is used to retrieve general information about MDM configuration capabilities on the device.
ms.assetid: FE563221-D5B5-4EFD-9B60-44FE4066B0D2
ms.reviewer:
manager: dansimp
@@ -15,14 +15,21 @@ ms.date: 11/01/2017
# DeviceManageability CSP
-The DeviceManageability configuration service provider (CSP) is used retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607.
+The DeviceManageability configuration service provider (CSP) is used to retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607.
-For performance reasons DeviceManageability CSP directly reads the CSP version from the registry. Specifically, the value csp\_version is used to determine each of the CSP versions. The csp\_version is a value under each of the CSP registration keys. To have consistency on the CSP version, the CSP GetProperty implementation for CFGMGR\_PROPERTY\_SEMANTICTYPE has to be updated to read from the registry as well, so that the both paths return the same information.
-
-The following diagram shows the DeviceManageability configuration service provider in a tree format.
-
-
+For performance reasons, DeviceManageability CSP directly reads the CSP version from the registry. Specifically, the value csp\_version is used to determine each of the CSP versions. The csp\_version is a value under each of the CSP registration keys. To have consistency on the CSP version, the CSP GetProperty implementation for CFGMGR\_PROPERTY\_SEMANTICTYPE has to be updated to read from the registry as well, so that the both paths return the same information.
+The following shows the DeviceManageability configuration service provider in a tree format.
+```
+./Device/Vendor/MSFT
+DeviceManageability
+----Capabilities
+--------CSPVersions
+----Provider (Added in Windows 10, version 1709)
+--------ProviderID (Added in Windows 10, version 1709)
+------------ConfigInfo (Added in Windows 10, version 1709)
+------------EnrollmentInfo (Added in Windows 10, version 1709)
+```
**./Device/Vendor/MSFT/DeviceManageability**
Root node to group information about runtime MDM configuration capability on the target device.
diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md
index 6ab35ba018..826af867cb 100644
--- a/windows/client-management/mdm/devicestatus-csp.md
+++ b/windows/client-management/mdm/devicestatus-csp.md
@@ -17,10 +17,52 @@ ms.date: 04/30/2019
The DeviceStatus configuration service provider is used by the enterprise to keep track of device inventory and query the state of compliance of these devices with their enterprise policies.
-The following image shows the DeviceStatus configuration service provider in tree format.
-
-
-
+The following shows the DeviceStatus configuration service provider in tree format.
+```
+./Vendor/MSFT
+DeviceStatus
+----SecureBootState
+----CellularIdentities
+--------IMEI
+------------IMSI
+------------ICCID
+------------PhoneNumber
+------------CommercializationOperator
+------------RoamingStatus
+------------RoamingCompliance
+----NetworkIdentifiers
+--------MacAddress
+------------IPAddressV4
+------------IPAddressV6
+------------IsConnected
+------------Type
+----Compliance
+--------EncryptionCompliance
+----TPM
+--------SpecificationVersion
+----OS
+--------Edition
+--------Mode
+----Antivirus
+--------SignatureStatus
+--------Status
+----Antispyware
+--------SignatureStatus
+--------Status
+----Firewall
+--------Status
+----UAC
+--------Status
+----Battery
+--------Status
+--------EstimatedChargeRemaining
+--------EstimatedRuntime
+----DomainName
+----DeviceGuard
+--------VirtualizationBasedSecurityHwReq
+--------VirtualizationBasedSecurityStatus
+--------LsaCfgCredGuardStatus
+```
**DeviceStatus**
The root node for the DeviceStatus configuration service provider.
diff --git a/windows/client-management/mdm/devinfo-csp.md b/windows/client-management/mdm/devinfo-csp.md
index ba02947ada..e9c0979c67 100644
--- a/windows/client-management/mdm/devinfo-csp.md
+++ b/windows/client-management/mdm/devinfo-csp.md
@@ -17,16 +17,23 @@ ms.date: 06/26/2017
The DevInfo configuration service provider handles the managed object which provides device information to the OMA DM server. This device information is automatically sent to the OMA DM server at the beginning of each OMA DM session.
-> **Note** This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
+> [!NOTE]
+> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
For the DevInfo CSP, you cannot use the Replace command unless the node already exists.
-The following diagram shows the DevInfo configuration service provider management object in tree format as used by OMA Device Management. The OMA Client provisioning protocol is not supported by this configuration service provider.
-
-
-
+The following shows the DevInfo configuration service provider management object in tree format as used by OMA Device Management. The OMA Client provisioning protocol is not supported by this configuration service provider.
+```
+.
+DevInfo
+----DevId
+----Man
+----Mod
+----DmV
+----Lang
+```
**DevId**
Required. Returns an application-specific global unique device identifier by default.
diff --git a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
index db52ac149a..28c2b08822 100644
--- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
+++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
@@ -23,10 +23,10 @@ To help diagnose enrollment or device management issues in Windows 10 devices m
1. At the bottom of the **Settings** page, click **Create report**.
- 
+ 
1. A window opens that shows the path to the log files. Click **Export**.
- 
+ 
1. In File Explorer, navigate to c:\Users\Public\Documents\MDMDiagnostics to see the report.
@@ -112,8 +112,8 @@ Example: Export the Debug logs
```
-## Collect logs from Windows 10 Mobile devices
-
+
+
-## Collect logs remotely from Windows 10 Holographic or Windows 10 Mobile devices
+## Collect logs remotely from Windows 10 Holographic
-For holographic or mobile devices already enrolled in MDM, you can remotely collect MDM logs through the MDM channel using the [DiagnosticLog CSP](diagnosticlog-csp.md).
+For holographic already enrolled in MDM, you can remotely collect MDM logs through the MDM channel using the [DiagnosticLog CSP](diagnosticlog-csp.md).
You can use the DiagnosticLog CSP to enable the ETW provider. The provider ID is 3DA494E4-0FE2-415C-B895-FB5265C5C83B. The following examples show how to enable the ETW provider:
@@ -294,21 +294,21 @@ For best results, ensure that the PC or VM on which you are viewing logs matches
3. Navigate to the etl file that you got from the device and then open the file.
4. Click **Yes** when prompted to save it to the new log format.
- 
+ 
5. The new view contains traces from the channel. Click on **Filter Current Log** from the **Actions** menu.
- 
+ 
6. Add a filter to Event sources by selecting **DeviceManagement-EnterpriseDiagnostics-Provider** and click **OK**.
- 
+ 
7. Now you are ready to start reviewing the logs.
- 
+ 
## Collect device state data
@@ -336,9 +336,3 @@ Here's an example of how to collect current MDM device state data using the [Dia
```
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md
index 2c49067d90..99f4ef73c5 100644
--- a/windows/client-management/mdm/diagnosticlog-csp.md
+++ b/windows/client-management/mdm/diagnosticlog-csp.md
@@ -26,9 +26,39 @@ The following are the links to different versions of the DiagnosticLog CSP DDF f
- [DiagnosticLog CSP version 1.2](diagnosticlog-ddf.md#version-1-2)
-The following diagram shows the DiagnosticLog CSP in tree format.
-
-
+The following shows the DiagnosticLog CSP in tree format.
+```
+./Vendor/MSFT
+DiagnosticLog
+----EtwLog
+--------Collectors
+------------CollectorName
+----------------TraceStatus
+----------------TraceLogFileMode
+----------------TraceControl
+----------------LogFileSizeLimitMB
+----------------Providers
+--------------------ProviderGuid
+------------------------Keywords
+------------------------TraceLevel
+------------------------State
+--------Channels
+------------ChannelName
+----------------Export
+----------------State
+----------------Filter
+----DeviceStateData
+--------MdmConfiguration
+----FileDownload
+--------DMChannel
+------------FileContext
+----------------BlockSizeKB
+----------------BlockCount
+----------------BlockIndexToRead
+----------------BlockData
+----------------DataBlocks
+--------------------BlockNumber
+```
**./Vendor/MSFT/DiagnosticLog**
The root node for the DiagnosticLog CSP.
@@ -199,8 +229,111 @@ A Get to the above URI will return the results of the data gathering for the las
Each data gathering node is annotated with the HRESULT of the action and the collection is also annotated with an overall HRESULT. In this example, note that the mdmdiagnosticstool.exe command failed.
-The zip file which is created also contains a results.xml file whose contents align to the Data section in the SyncML for ArchiveResults. Accordingly, an IT admin using the zip file for troubleshooting can determine the order and success of each directive without needing a permanent record of the SyncML value for DiagnosticArchive/ArchiveResults.
+### Making use of the uploaded data
+The zip archive which is created and uploaded by the CSP contains a folder structure like the following:
+```powershell
+PS C:\> dir C:\DiagArchiveExamples\DiagLogs-MYDEVICE-20201202T182748Z
+
+ Directory: C:\DiagArchiveExamples\DiagLogs-MYDEVICE-20201202T182748Z
+
+Mode LastWriteTime Length Name
+---- ------------- ------ ----
+la--- 1/4/2021 2:45 PM 1
+la--- 1/4/2021 2:45 PM 2
+la--- 12/2/2020 6:27 PM 2701 results.xml
+```
+Each data gathering directive from the original `Collection` XML corresponds to a folder in the output. For example, if the first directive was Defines the root node for the DMSessionActions configuration service provider. Group settings per device management (DM) server. Each group of settings is distinguished by the Provider ID of the server. It must be the same DM server Provider ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. Only one enterprise management server is supported, which means that there should be only one ProviderID node under NodeCache. Group settings per device management (DM) server. Each group of settings is distinguished by the Provider ID of the server. It must be the same DM server Provider ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. Only one enterprise management server is supported, which means there should be only one ProviderID node under NodeCache. Scope is dynamic. Supported operations are Get, Add, and Delete. Value type is string. Supported operation is Get. Node for power related configrations Node for power-related configrations Maximum number of continuous skipped sync sessions when the device is in low power state. Maximum number of continuous skipped sync sessions when the device is in low-power state. Value type is integer. Supported operations are Add, Get, Replace, and Delete. Maximum time in minutes when the device can skip the check-in with the server if the device is in low power state. Maximum time in minutes when the device can skip the check-in with the server if the device is in low-power state. Value type is integer. Supported operations are Add, Get, Replace, and Delete. The root node for the DynamicManagement configuration service provider. Supported operation is Get. Node created by the server to define a context. Maximum amount of characters allowed is 38. Node created by the server to define a context. Maximum number of characters allowed is 38. Supported operations are Add, Get, and Delete. Value type is string. Supported operations are Add, Get, Delete, and Replace. Response from applying a Settings Pack that contains information on each individual action.. Response from applying a Settings Pack that contains information on each individual action. Value type is string. Supported operation is Get. Reports status of the context. If there was a failure, SettingsPackResponse should be checked for what exactly failed.. Reports status of the context. If there was a failure, SettingsPackResponse should be checked for what exactly failed. Value type is integer. Supported operation is Get. A value that determines how to handle conflict resolution of applying multiple contexts on the device. This is required and must be distinct of other priorities.. A value that determines how to handle conflict resolution of applying multiple contexts on the device. This is required and must be distinct of other priorities. Value type is integer. Supported operations are Add, Get, Delete, and Replace. The root node for the EnterpriseAPN configuration service provider. Root node for the EnterpriseAppVManagement configuration service provider. Root node for the Firewall configuration service provider. Value type is string. Supported operations are Add, Get, Replace, and Delete. Comma separated list of local addresses covered by the rule. The default value is "". Valid tokens include: Comma separated list of local addresses covered by the rule. The default value is "*". Valid tokens include: Value type is string. Supported operations are Add, Get, Replace, and Delete. List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "". Valid tokens include: List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include: The Device HealthAttestation session (DHA-Session) describes the end-to-end communication flow that is performed in one device health attestation session. The following list of transactions are performed in one DHA-Session: The following list of transactions is performed in one DHA-Session: Device HealthAttestation enabled (DHA-Enabled) device management solution is a device management tool that is integrated with the DHA feature. DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromised by advanced security threats or running a malicious (jailbroken) operating system. The following list of operations are performed by DHA-Enabled-MDM: The following list of operations is performed by DHA-Enabled-MDM The Device HealthAttestation Configuration Service Provider (DHA-CSP) uses a device’s TPM and firmware to measure critical security properties of the device’s BIOS and Windows boot, such that even on a system infected with kernel level malware or a rootkit, these properties cannot be spoofed. The following list of operations are performed by DHA-CSP: The following list of operations is performed by DHA-CSP: Device HealthAttestation Service (DHA-Service) validates the data it receives from DHA-CSP and issues a highly trusted hardware (TPM) protected report (DHA-Report) to DHA-Enabled device management solutions through a tamper resistant and tamper evident communication channel. DHA-Service is available in 2 flavors: “DHA-Cloud” and “DHA-Server2016”. DHA-Service supports a variety of implementation scenarios including cloud, on premises, air-gapped, and hybrid scenarios. The following list of operations are performed by DHA-Service: The following list of operations is performed by DHA-Service: Accessible to all enterprise managed devices via following: Accessible to all enterprise-managed devices via following: (DHA-EMC) DHA-EMC refers to an enterprise managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise managed cloud service, such as Microsoft Azure. (DHA-EMC) DHA-EMC refers to an enterprise-managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise-managed cloud service, such as Microsoft Azure. Accessible to all enterprise managed devices via following: Accessible to all enterprise-managed devices via following: The root node for the device HealthAttestation configuration service provider. Added the following new policies in Windows 10, version 2004: Updated the following policy in Windows 10, version 2004: Deprecated the following policies in Windows 10, version 2004: Added the following new node: Added the following new node: Added the following new node: Added the following new policies in Windows 10, version 1809: Added new settings in Windows 10, version 1809. Added NonRemovable setting under AppManagement node in Windows 10, version 1809. Added new configuration service provider in Windows 10, version 1809. Added S mode settings and SyncML examples in Windows 10, version 1809. Added 3 new certificate nodes in Windows 10, version 1809. Added a new node Health/ProductStatus in Windows 10, version 1809. Added a new node AllowStandardUserEncryption in Windows 10, version 1809. Added support for Windows 10 Pro. Added a new node SMBIOSSerialNumber in Windows 10, version 1809. Added a new node WifiCost in Windows 10, version 1809. Added new settings in Windows 10, version 1809. Added new settings in Windows 10, version 1809. Added new CSP in Windows 10, version 1809. Added FinalStatus setting in Windows 10, version 1809. Added the following new policies for Windows 10, version 1803: Security/RequireDeviceEncryption - updated to show it is supported in desktop. Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803. Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803: Added new node (OfflineScan) in Windows 10, version 1803. Added a new CSP in Windows 10, version 1803. Added the following nodes in Windows 10, version 1803: Added the following nodes in Windows 10, version 1803: Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in HoloLens (1st gen) Commercial Suite. Added example for HoloLens (1st gen) Commercial Suite. Added a new CSP in Windows 10, version 1803. Added the following node in Windows 10, version 1803: Added the following node in Windows 10, version 1803: Added the following node in Windows 10, version 1803: Added a new CSP in Windows 10, version 1803. Added the following node in Windows 10, version 1803: Added the following node in Windows 10, version 1803: Added a new CSP in Windows 10, version 1803. Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies. Added the DDF download of Windows 10, version 1803 configuration service providers. The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message: For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation. Added new CSP in Windows 10, version 1709. Added new CSP in Windows 10, version 1709. Added DeviceTunnel and RegisterDNS settings in Windows 10, version 1709. Added the following settings in Windows 10, version 1709: Added the following setting in Windows 10, version 1709. Starting in Windows 10, version 1709, AssignedAccess CSP is supported in Windows 10 Pro. Added the following settings in Windows 10, version 1709: Added the following setting in Windows 10, version 1709: Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics. Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709. Added new policies. Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store. New features in the Settings app: For details, see Managing connection and Collecting diagnostic logs Added new topic to introduce a new Group Policy for automatic MDM enrollment. Added the following new policies for Windows 10, version 1709: Added the following nodes: To PurposeGroups setting, added the following values: Added the following setting: Added the following setting: Added the following setting: Added the following nodes and settings: For these CSPs, support was added for Windows 10 Home, Pro, Enterprise, and Education editions. Added the following settings: Added the following setting: Added new CSP. This CSP is only supported in Windows 10 Mobile and Mobile Enterprise editions. Added the following new policies: Removed TextInput/AllowLinguisticDataCollection Starting in Windows 10, version 1703, Update/UpdateServiceUrl is not supported in Windows 10 Mobile Enterprise and IoT Enterprise Starting in Windows 10, version 1703, the maximum value of Update/DeferFeatureUpdatesPeriodInDays has been increased from 180 days, to 365 days. Starting in Windows 10, version 1703, in Browser/HomePages you can use the "<about:blank>" value if you don’t want to send traffic to Microsoft. Starting in Windows 10, version 1703, Start/StartLayout can now be set on a per-device basis in addition to the pre-existing per-user basis. Added the ConfigOperations/ADMXInstall node and setting, which is used to ingest ADMX files. Added the following setting: Added new CSP. Added new CSP. Added new CSP. Added new CSP. Added the following setting: Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported. Added the following settings: Added new CSP. New mobile application management (MAM) support added in Windows 10, version 1703. Added the following new node and settings: Added new CSP. Added new CSP. Added new CSP. Added the following settings: Added the following nodes and settings: Added new CSP. Added the following setting: Added the following setting: Added new CSP. Added new settings in Windows 10, version 1703. The default value for SetEduPolicies changed to false. The default value for SleepTimeout changed to 300. Added following setting: Added following settings: Added a zip file containing the DDF XML files of the CSPs. The link to the download is available in the DDF topics of various CSPs. Added new setting in Windows 10, version 1703. Added new classes and properties. Added a section describing SyncML examples of various ADMX elements. Added a new topic describing how to deploy and configure App-V apps using MDM. Added new setting in the March service release of Windows 10, version 1607. Added new settings in Windows 10, version 1703. Added following deep link parameters to the table: Updated the following topics to indicate MDM support in Windows 10 S. Added the following setting: Sideloading of apps Starting in Windows 10, version 1607, sideloading of apps is only allowed through EnterpriseModernAppManagement CSP. Product keys (5x5) will no longer be supported to enable sideloading on Windows 10, version 1607 devices. New value for NodeCache CSP In NodeCache CSP, the value of NodeCache root node starting in Windows 10, version 1607 is com.microsoft/1.0/MDM/NodeCache. New CSP. Removed the following policies: Added the WiFi/AllowManualWiFiConfiguration and WiFi/AllowWiFi policies for Windows 10, version 1607: Added the following new policies: Updated the Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts description to remove outdated information. Updated DeliveryOptimization/DODownloadMode to add new values. Updated Experience/AllowCortana description to clarify what each supported value does. Updated Security/AntiTheftMode description to clarify what each supported value does. Added the following settings: Removed the EnrollmentID setting. New CSP. Added the following new settings: Added SyncML examples. New CSP for Windows 10, version 1607 Added version 1.3 of the CSP with two new settings. Added the new 1.3 version of the DDF. Added the following new settings in Windows 10, version 1607. New CSP for Windows 10, version 1607 New CSP for Windows 10, version 1607 Added the following settings for Windows 10, version 1607 New CSP for Windows 10, version 1607. New CSP for Windows 10, version 1607. New CSP for Windows 10, version 1607. Added new classes for Windows 10, version 1607. Topic renamed from "Enrollment UI". Completely updated enrollment procedures and screenshots. Added the following new setting for Windows 10, version 1607: Added the following new settings in Windows 10, version 1607: Added the following new node and settings in Windows 10, version 1607, but not documented: Deprecated the following node in Windows 10, version 1607: New configuration service providers added in Windows 10, version 1511 New and updated policies in Policy CSP The following policies have been added to the Policy CSP: The following policies have been updated in the Policy CSP: The following policies have been deprecated in the Policy CSP: Management tool for the Microsoft Store for Business New topics. The Store for Business has a new web service designed for the enterprise to acquire, manage, and distribute applications in bulk. It enables several capabilities that are required for the enterprise to manage the lifecycle of applications from acquisition to updates. Custom header for generic alert The MDM-GenericAlert is a new custom header that hosts one or more alert information provided in the http messages sent by the device to the server during an OMA DM session. The generic alert is sent if the session is triggered by the device due to one or more critical or fatal alerts. Here is alert format: If present, the MDM-GenericAlert is presented in every the outgoing MDM message in the same OMA DM session. For more information about generic alerts, see section 8.7 in the OMA Device Management Protocol, Approved Version 1.2.1 in this OMA website. Alert message for slow client response When the MDM server sends a configuration request, sometimes it takes the client longer than the HTTP timeout to get all information together and then the session ends unexpectedly due to timeout. By default, the MDM client does not send an alert that a DM request is pending. To work around the timeout, you can use EnableOmaDmKeepAliveMessage setting to keep the session alive by sending a heartbeat message back to the server. This is achieved by sending a SyncML message with a specific device alert element in the body until the client is able to respond back to the server with the requested information. For details, see EnableOmaDmKeepAliveMessage node in the DMClient CSP. New node in DMClient CSP Added a new node EnableOmaDmKeepAliveMessage to the DMClient CSP and updated the ManagementServerAddress to indicate that it can contain a list of URLs. New nodes in EnterpriseModernAppManagement CSP Added the following nodes to the EnterpriseModernAppManagement CSP: New nodes in EnterpriseExt CSP Added the following nodes to the EnterpriseExt CSP: New node in EnterpriseExtFileSystem CSP Added OemProfile node to EnterpriseExtFileSystem CSP. New nodes in PassportForWork CSP Added the following nodes to PassportForWork CSP: Updated EnterpriseAssignedAccess CSP Here are the changes to the EnterpriseAssignedAccess CSP: New nodes in the DevDetail CSP Here are the changes to the DevDetail CSP: Handling large objects Added support for the client to handle uploading of large objects to the server. Added support for Windows 10 Pro starting in the version 1809. Added FinalStatus setting in Windows 10, version 1809. Added new settings in Windows 10, version 1809. Added new CSP in Windows 10, version 1809. Added new settings in Windows 10, version 1809. Posted an updated version of the Policy DDF for Windows 10, version 1809. Added the following new policies in Windows 10, version 1809: Start/DisableContextMenus - added in Windows 10, version 1803. RestrictedGroups/ConfigureGroupMembership - added new schema to apply and retrieve the policy. Added the following note: Added new settings in Windows 10, version 1809. Added NonRemovable setting under AppManagement node in Windows 10, version 1809. Added new configuration service provider in Windows 10, version 1809. Added S mode settings and SyncML examples in Windows 10, version 1809. Added 3 new certificate nodes in Windows 10, version 1809. Added a new node Health/ProductStatus in Windows 10, version 1809. Added a new node AllowStandardUserEncryption in Windows 10, version 1809. Added a new node SMBIOSSerialNumber in Windows 10, version 1809. Added the following new policies in Windows 10, version 1809: Recent changes: Added a new node WifiCost in Windows 10, version 1809. Recent changes: Added new node AllowStandardUserEncryption in Windows 10, version 1809. Recent changes: Added the following new policies in Windows 10, version 1809: Updated the DDF files in the Windows 10 version 1703 and 1709. Added the following node in Windows 10, version 1803: Added the following node in Windows 10, version 1803: Added a new CSP in Windows 10, version 1803. Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies. Added the DDF download of Windows 10, version 1803 configuration service providers. Added the following new policies for Windows 10, version 1803: Added the following node in Windows 10, version 1803: Added the following node in Windows 10, version 1803: Added the following videos: Added a new CSP in Windows 10, version 1803. Added the following node in Windows 10, version 1803: Added the following new policies for Windows 10, version 1803: The following existing policies were updated: Added a new section: Added new section ServicesAllowedList usage guide. Added SyncML examples and updated the settings descriptions. Reverted back to Windows 10, version 1709. Removed previous draft documentation for version 1803. Added the following new policies for Windows 10, version 1803: Updated the XSD and Plug-in profile example for VPNv2 CSP. Added the following nodes in Windows 10, version 1803: Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in HoloLens (1st gen) Commercial Suite. Added example for HoloLens (1st gen) Commercial Suite. Added a new CSP in Windows 10, version 1803. Added the following node in Windows 10, version 1803: Added the following new policies for Windows 10, version 1803: Added the following policies the were added in Windows 10, version 1709 Security/RequireDeviceEncryption - updated to show it is supported in desktop. Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803. Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, next major update. Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803: Added new node (OfflineScan) in Windows 10, version 1803. Added a new CSP in Windows 10, version 1803. Added the following nodes in Windows 10, version 1803: Added new section CSP DDF files download Added the following policies for Windows 10, version 1709: Added missing policies from previous releases: Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709. Updated the following policies: Added new CSP in Windows 10, version 1709. Added SyncML examples for the new Configuration node. Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics. Added the following new policies for Windows 10, version 1709: Added new settings to Update/BranchReadinessLevel policy in Windows 10 version 1709. Starting in Windows 10, version 1709, AssignedAccess CSP is also supported in Windows 10 Pro. Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store. The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message: For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation. Added a SyncML example. Added RegisterDNS setting in Windows 10, version 1709. Added new topic to introduce a new Group Policy for automatic MDM enrollment. New features in the Settings app: For details, see Managing connections and Collecting diagnostic logs Added new step-by-step guide to enable ADMX-backed policies. Added the following statement: Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional. Updated the Settings/EDPEnforcementLevel values to the following: Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in Allow list examples. Added the following settings in Windows 10, version 1709: Added the following setting in Windows 10, version 1709: Added the following new policies for Windows 10, version 1709: Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutopilotResetCredentials. Changed the names of the following policies: Added links to the additional ADMX-backed BitLocker policies. There were issues reported with the previous release of the following policies. These issues were fixed in Window 10, version 1709: The root node for the Surface Hub configuration service provider.
-**DeviceAccount**
+**DeviceAccount**
Node for setting device account information. A device account is a Microsoft Exchange account that is connected with Skype for Business, which allows people to join scheduled meetings, make Skype for Business calls, and share content from the device. See the Surface Hub administrator guide for more information about setting up a device account.
To use a device account from Azure Active Directory
-1. Set the UserPrincipalName (for Azure AD).
-2. Set a valid Password.
-3. Execute ValidateAndCommit to validate the specified username and password combination against Azure AD.
-4. Get the ErrorContext in case something goes wrong during validation.
+1. Set the UserPrincipalName (for Azure AD).
+2. Set a valid Password.
+3. Execute ValidateAndCommit to validate the specified username and password combination against Azure AD.
+4. Get the ErrorContext in case something goes wrong during validation.
> [!NOTE]
> If the device cannot auto-discover the Exchange server and Session Initiation Protocol (SIP) address from this information, you should specify the ExchangeServer and SipAddress.
-
+
Here's a SyncML example.
```xml
@@ -89,67 +89,72 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
To use a device account from Active Directory
-1. Set the DomainName.
-2. Set the UserName.
-3. Set a valid Password.
-4. Execute the ValidateAndCommit node.
+1. Set the DomainName.
+2. Set the UserName.
+3. Set a valid Password.
+4. Execute the ValidateAndCommit node.
-**DeviceAccount/DomainName**
+**DeviceAccount/DomainName**
Domain of the device account when you are using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account.
The data type is string. Supported operation is Get and Replace.
-**DeviceAccount/UserName**
+**DeviceAccount/UserName**
Username of the device account when you are using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account.
The data type is string. Supported operation is Get and Replace.
-**DeviceAccount/UserPrincipalName**
+**DeviceAccount/UserPrincipalName**
User principal name (UPN) of the device account. To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account.
The data type is string. Supported operation is Get and Replace.
-**DeviceAccount/SipAddress**
+**DeviceAccount/SipAddress**
Session Initiation Protocol (SIP) address of the device account. Normally, the device will try to auto-discover the SIP. This field is only required if auto-discovery fails.
The data type is string. Supported operation is Get and Replace.
-**DeviceAccount/Password**
+**DeviceAccount/Password**
Password for the device account.
The data type is string. Supported operation is Get and Replace. The operation Get is allowed, but it will always return a blank.
-**DeviceAccount/ValidateAndCommit**
+**DeviceAccount/ValidateAndCommit**
This method validates the data provided and then commits the changes.
The data type is string. Supported operation is Execute.
-**DeviceAccount/Email**
+**DeviceAccount/Email**
Email address of the device account.
The data type is string.
-**DeviceAccount/PasswordRotationEnabled**
+**DeviceAccount/PasswordRotationEnabled**
Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory (or Azure AD).
Valid values:
-- 0 - password rotation enabled
-- 1 - disabled
+- 0 - password rotation enabled
+- 1 - disabled
The data type is integer. Supported operation is Get and Replace.
-**DeviceAccount/ExchangeServer**
+**DeviceAccount/ExchangeServer**
Exchange server of the device account. Normally, the device will try to auto-discover the Exchange server. This field is only required if auto-discovery fails.
The data type is string. Supported operation is Get and Replace.
-**DeviceAccount/CalendarSyncEnabled**
+**DeviceAccount/ExchangeModernAuthEnabled**
+ Added in KB4598291 for Windows 10, version 20H2. Specifies whether Device Account calendar sync will attempt to use token-based Modern Authentication to connect to the Exchange Server. Default value is True.
+
+ The data type is boolean. Supported operation is Get and Replace.
+
+**DeviceAccount/CalendarSyncEnabled**
Specifies whether calendar sync and other Exchange server services is enabled.
The data type is boolean. Supported operation is Get and Replace.
-**DeviceAccount/ErrorContext**
+**DeviceAccount/ErrorContext**
If there is an error calling ValidateAndCommit, there is additional context for that error in this node. Here are the possible error values:
The data type is integer. Supported operation is Get.
-**MaintenanceHoursSimple/Hours**
+**MaintenanceHoursSimple/Hours**
Node for maintenance schedule.
-**MaintenanceHoursSimple/Hours/StartTime**
+**MaintenanceHoursSimple/Hours/StartTime**
Specifies the start time for maintenance hours in minutes from midnight. For example, to set a 2:00 am start time, set this value to 120.
The data type is integer. Supported operation is Get and Replace.
-**MaintenanceHoursSimple/Hours/Duration**
+**MaintenanceHoursSimple/Hours/Duration**
Specifies the duration of maintenance window in minutes. For example, to set a 3-hour duration, set this value to 180.
The data type is integer. Supported operation is Get and Replace.
-**InBoxApps**
+**InBoxApps**
Node for the in-box app settings.
-**InBoxApps/SkypeForBusiness**
+**InBoxApps/SkypeForBusiness**
Added in Windows 10, version 1703. Node for the Skype for Business settings.
-**InBoxApps/SkypeForBusiness/DomainName**
+**InBoxApps/SkypeForBusiness/DomainName**
Added in Windows 10, version 1703. Specifies the domain of the Skype for Business account when you are using Active Directory. For more information, see Set up Skype for Business Online.
The data type is string. Supported operation is Get and Replace.
-**InBoxApps/Welcome**
+**InBoxApps/Welcome**
Node for the welcome screen.
-**InBoxApps/Welcome/AutoWakeScreen**
+**InBoxApps/Welcome/AutoWakeScreen**
Automatically turn on the screen using motion sensors.
The data type is boolean. Supported operation is Get and Replace.
-**InBoxApps/Welcome/CurrentBackgroundPath**
- Background image for the welcome screen. To set this, specify a https URL to a PNG file (only PNGs are supported for security reasons).
+**InBoxApps/Welcome/CurrentBackgroundPath**
+ Background image for the welcome screen. To set this, specify an https URL to a PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, please ensure they are valid and installed on the Hub, otherwise it may not be able to load the image.
The data type is string. Supported operation is Get and Replace.
-**InBoxApps/Welcome/MeetingInfoOption**
+**InBoxApps/Welcome/MeetingInfoOption**
Meeting information displayed on the welcome screen.
Valid values:
-- 0 - Organizer and time only
-- 1 - Organizer, time, and subject. Subject is hidden in private meetings.
+- 0 - Organizer and time only
+- 1 - Organizer, time, and subject. Subject is hidden in private meetings.
The data type is integer. Supported operation is Get and Replace.
-**InBoxApps/WirelessProjection**
+**InBoxApps/WirelessProjection**
Node for the wireless projector app settings.
-**InBoxApps/WirelessProjection/PINRequired**
+**InBoxApps/WirelessProjection/PINRequired**
Users must enter a PIN to wirelessly project to the device.
The data type is boolean. Supported operation is Get and Replace.
-**InBoxApps/WirelessProjection/Enabled**
+**InBoxApps/WirelessProjection/Enabled**
Enables wireless projection to the device.
The data type is boolean. Supported operation is Get and Replace.
-**InBoxApps/WirelessProjection/Channel**
+**InBoxApps/WirelessProjection/Channel**
Wireless channel to use for Miracast operation. The supported channels are defined by the Wi-Fi Alliance Wi-Fi Direct specification.
The default value is 255. Outside of regulatory concerns, if the channel is configured incorrectly the driver will either not boot, or will broadcast on the wrong channel (which senders won't be looking for).
The data type is integer. Supported operation is Get and Replace.
-**InBoxApps/Connect**
+**InBoxApps/Connect**
Added in Windows 10, version 1703. Node for the Connect app.
-**InBoxApps/Connect/AutoLaunch**
+**InBoxApps/Connect/AutoLaunch**
Added in Windows 10, version 1703. Specifies whether to automatically launch the Connect app whenever a projection is initiated.
If this setting is true, the Connect app will be automatically launched. If false, the user will need to launch the Connect app manually from the Hub’s settings.
The data type is boolean. Supported operation is Get and Replace.
-**Properties**
+**Properties**
Node for the device properties.
-**Properties/FriendlyName**
+**Properties/FriendlyName**
Friendly name of the device. Specifies the name that users see when they want to wirelessly project to the device.
The data type is string. Supported operation is Get and Replace.
-**Properties/DefaultVolume**
+**Properties/DefaultVolume**
Added in Windows 10, version 1703. Specifies the default volume value for a new session. Permitted values are 0-100. The default is 45.
The data type is integer. Supported operation is Get and Replace.
-**Properties/ScreenTimeout**
- Added in Windows 10, version 1703. Specifies the number of minutes until the Hub screen turns off.
+**Properties/ScreenTimeout**
+ Added in Windows 10, version 1703. Specifies the number of minutes until the Hub screen turns off.
The following table shows the permitted values.
@@ -333,7 +338,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
The data type is integer. Supported operation is Get and Replace.
-**Properties/SessionTimeout**
- Added in Windows 10, version 1703. Specifies the number of minutes until the session times out.
+**Properties/SessionTimeout**
+ Added in Windows 10, version 1703. Specifies the number of minutes until the session times out.
The following table shows the permitted values.
@@ -385,7 +390,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
The data type is integer. Supported operation is Get and Replace.
-**Properties/SleepTimeout**
- Added in Windows 10, version 1703. Specifies the number of minutes until the Hub enters sleep mode.
+**Properties/SleepTimeout**
+ Added in Windows 10, version 1703. Specifies the number of minutes until the Hub enters sleep mode.
The following table shows the permitted values.
@@ -437,7 +442,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
The data type is integer. Supported operation is Get and Replace.
-**Properties/AllowSessionResume**
- Added in Windows 10, version 1703. Specifies whether to allow the ability to resume a session when the session times out.
+**Properties/SleepMode**
+ Added in Windows 10, version 20H2. Specifies the type of sleep mode for the Surface Hub.
- If this setting is true, the "Resume Session" feature will be available on the welcome screen when the screen is idle. If false, once the screen idles, the session will be automatically cleaned up as if the “End Session" feature was initiated.
+ Valid values:
+
+- 0 - Connected Standby (default)
+- 1 - Hibernate
+
+ The data type is integer. Supported operation is Get and Replace.
+
+**Properties/AllowSessionResume**
+ Added in Windows 10, version 1703. Specifies whether to allow the ability to resume a session when the session times out.
+
+ If this setting is true, the "Resume Session" feature will be available on the welcome screen when the screen is idle. If false, once the screen idles, the session will be automatically cleaned up as if the “End Session" feature was initiated.
The data type is boolean. Supported operation is Get and Replace.
-**Properties/AllowAutoProxyAuth**
+**Properties/AllowAutoProxyAuth**
Added in Windows 10, version 1703. Specifies whether to use the device account for proxy authentication.
If this setting is true, the device account will be used for proxy authentication. If false, a separate account will be used.
The data type is boolean. Supported operation is Get and Replace.
-**Properties/DisableSigninSuggestions**
- Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings.
+**Properties/DisableSigninSuggestions**
+ Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings.
If this setting is true, the sign-in dialog will not be populated. If false, the dialog will auto-populate.
The data type is boolean. Supported operation is Get and Replace.
-**Properties/DoNotShowMyMeetingsAndFiles**
+**Properties/DoNotShowMyMeetingsAndFiles**
Added in Windows 10, version 1703. Specifies whether to disable the "My meetings and files" feature in the Start menu, which shows the signed-in user's meetings and files from Office 365.
If this setting is true, the “My meetings and files” feature will not be shown. When false, the “My meetings and files” feature will be shown.
The data type is boolean. Supported operation is Get and Replace.
-**MOMAgent**
+**MOMAgent**
Node for the Microsoft Operations Management Suite.
-**MOMAgent/WorkspaceID**
+**MOMAgent/WorkspaceID**
GUID identifying the Microsoft Operations Management Suite workspace ID to collect the data. Set this to an empty string to disable the MOM agent.
The data type is string. Supported operation is Get and Replace.
-**MOMAgent/WorkspaceKey**
+**MOMAgent/WorkspaceKey**
Primary key for authenticating with the workspace.
The data type is string. Supported operation is Get and Replace. The Get operation is allowed, but it will always return an empty string.
-
-
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/tenantlockdown-csp.md b/windows/client-management/mdm/tenantlockdown-csp.md
index 5ce1c2c024..3c062277a0 100644
--- a/windows/client-management/mdm/tenantlockdown-csp.md
+++ b/windows/client-management/mdm/tenantlockdown-csp.md
@@ -1,6 +1,6 @@
---
title: TenantLockdown CSP
-description:
+description: To lock a device to a tenant to prevent accidental or intentional resets or wipes, use the TenantLockdown configuration service provider.
ms.author: dansimp
ms.topic: article
ms.prod: w10
@@ -21,10 +21,12 @@ The TenantLockdown configuration service provider is used by the IT admin to loc
> [!NOTE]
> The forced network connection is only applicable to devices after reset (not new).
-The following diagram shows the TenantLockdown configuration service provider in tree format.
-
-
-
+The following shows the TenantLockdown configuration service provider in tree format.
+```
+./Vendor/MSFT
+TenantLockdown
+----RequireNetworkInOOBE
+```
**./Vendor/MSFT/TenantLockdown**
The root node.
diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md
index f97ea96a00..863fa75311 100644
--- a/windows/client-management/mdm/tpmpolicy-csp.md
+++ b/windows/client-management/mdm/tpmpolicy-csp.md
@@ -14,25 +14,27 @@ manager: dansimp
# TPMPolicy CSP
-The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero exhaust configuration on a Windows device for TPM software components. Zero exhaust is defined as no network traffic (diagnostic data or otherwise, such as downloading background images, Windows Updates, etc.) from Windows and inbox applications to public IP addresses unless directly intended by the user. This allows the enterprise admin to configure devices where no network communication is initiated by the system without explicit approval.
+The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero exhaust configuration on a Windows device for TPM software components. Zero exhaust is defined as no network traffic (diagnostic data or otherwise, such as downloading background images, Windows Updates, and so on.) from Windows and inbox applications to public IP addresses unless directly intended by the user. This allows the enterprise admin to configure devices where no network communication is initiated by the system without explicit approval.
The TPMPolicy CSP was added in Windows 10, version 1703.
-The following diagram shows the TPMPolicy configuration service provider in tree format.
-
-
-
+The following shows the TPMPolicy configuration service provider in tree format.
+```
+./Vendor/MSFT
+TPMPolicy
+----IsActiveZeroExhaust
+```
**./Device/Vendor/MSFT/TPMPolicy**
Defines the root node. Boolean value that indicates whether network traffic from the device to public IP addresses are not allowed unless directly intended by the user (zero exhaust). Default value is false. Some examples when zero exhaust is configured: Boolean value that indicates whether network traffic from the device to public IP addresses is not allowed unless directly intended by the user (zero exhaust). Default value is false. Some examples when zero exhaust is configured: The root node.
diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md
index df6b648e6e..e4a2c9975f 100644
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@@ -2,14 +2,14 @@
title: VPNv2 CSP
description: Learn how the VPNv2 configuration service provider (CSP) allows the mobile device management (MDM) server to configure the VPN profile of the device.
ms.assetid: 51ADA62E-1EE5-4F15-B2AD-52867F5B2AD2
-ms.reviewer:
+ms.reviewer: pesmith
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
-ms.date: 11/01/2017
+ms.date: 10/30/2020
---
# VPNv2 CSP
@@ -19,24 +19,304 @@ The VPNv2 configuration service provider allows the mobile device management (MD
Here are the requirements for this CSP:
-- VPN configuration commands must be wrapped in an Atomic block in SyncML.
-- For best results, configure your VPN certificates first before pushing down VPN profiles to devices. If you are using Windows Information Protection (WIP) (formerly known as Enterprise Data Protection), then you should configure VPN first before you configure WIP policies.
-- Instead of changing individual properties, follow these steps to make any changes:
+- VPN configuration commands must be wrapped in an Atomic block in SyncML.
+- For best results, configure your VPN certificates first before pushing down VPN profiles to devices. If you are using Windows Information Protection (WIP) (formerly known as Enterprise Data Protection), then you should configure VPN first before you configure WIP policies.
+- Instead of changing individual properties, follow these steps to make any changes:
- - Send a Delete command for the ProfileName to delete the entire profile.
- - Send the entire profile again with new values wrapped in an Atomic block.
+ - Send a Delete command for the ProfileName to delete the entire profile.
+ - Send the entire profile again with new values wrapped in an Atomic block.
In certain conditions you can change some properties directly, but we do not recommend it.
The XSDs for all EAP methods are shipped in the box and can be found at the following locations:
-- C:\\Windows\\schemas\\EAPHost
-- C:\\Windows\\schemas\\EAPMethods
+- `C:\\Windows\\schemas\\EAPHost`
+- `C:\\Windows\\schemas\\EAPMethods`
-The following diagram shows the VPNv2 configuration service provider in tree format.
+The following shows the VPNv2 configuration service provider in tree format.
-
+```
+./Vendor/MSFT
+VPNv2
+----ProfileName
+--------AppTriggerList
+------------appTriggerRowId
+----------------App
+--------------------Id
+--------------------Type
+--------RouteList
+------------routeRowId
+----------------Address
+----------------PrefixSize
+----------------Metric
+----------------ExclusionRoute
+--------DomainNameInformationList
+------------dniRowId
+----------------DomainName
+----------------DomainNameType
+----------------DnsServers
+----------------WebProxyServers
+----------------AutoTrigger
+----------------Persistent
+--------TrafficFilterList
+------------trafficFilterId
+----------------App
+--------------------Id
+--------------------Type
+----------------Claims
+----------------Protocol
+----------------LocalPortRanges
+----------------RemotePortRanges
+----------------LocalAddressRanges
+----------------RemoteAddressRanges
+----------------RoutingPolicyType
+----------------Direction
+--------EdpModeId
+--------RememberCredentials
+--------AlwaysOn
+--------LockDown
+--------DeviceTunnel
+--------RegisterDNS
+--------DnsSuffix
+--------ByPassForLocal
+--------TrustedNetworkDetection
+--------ProfileXML
+--------Proxy
+------------Manual
+----------------Server
+------------AutoConfigUrl
+--------APNBinding
+------------ProviderId
+------------AccessPointName
+------------UserName
+------------Password
+------------IsCompressionEnabled
+------------AuthenticationType
+--------DeviceCompliance
+------------Enabled
+------------Sso
+----------------Enabled
+----------------IssuerHash
+----------------Eku
+--------PluginProfile
+------------ServerUrlList
+------------CustomConfiguration
+------------PluginPackageFamilyName
+------------CustomStoreUrl
+------------WebAuth
+----------------Enabled
+----------------ClientId
+--------NativeProfile
+------------Servers
+------------RoutingPolicyType
+------------NativeProtocolType
+------------Authentication
+----------------UserMethod
+----------------MachineMethod
+----------------Eap
+--------------------Configuration
+--------------------Type
+----------------Certificate
+--------------------Issuer
+--------------------Eku
+------------CryptographySuite
+----------------AuthenticationTransformConstants
+----------------CipherTransformConstants
+----------------EncryptionMethod
+----------------IntegrityCheckMethod
+----------------DHGroup
+----------------PfsGroup
+------------L2tpPsk
+------------DisableClassBasedDefaultRoute
+------------PlumbIKEv2TSAsRoutes
+
+./User/Vendor/MSFT
+VPNv2
+----ProfileName
+--------AppTriggerList
+------------appTriggerRowId
+----------------App
+--------------------Id
+--------------------Type
+--------RouteList
+------------routeRowId
+----------------Address
+----------------PrefixSize
+----------------Metric
+----------------ExclusionRoute
+--------DomainNameInformationList
+------------dniRowId
+----------------DomainName
+----------------DomainNameType
+----------------DnsServers
+----------------WebProxyServers
+----------------AutoTrigger
+----------------Persistent
+--------TrafficFilterList
+------------trafficFilterId
+----------------App
+--------------------Id
+--------------------Type
+----------------Claims
+----------------Protocol
+----------------LocalPortRanges
+----------------RemotePortRanges
+----------------LocalAddressRanges
+----------------RemoteAddressRanges
+----------------RoutingPolicyType
+--------EdpModeId
+--------RememberCredentials
+--------AlwaysOn
+--------DnsSuffix
+--------ByPassForLocal
+--------TrustedNetworkDetection
+--------ProfileXML
+--------Proxy
+------------Manual
+----------------Server
+------------AutoConfigUrl
+--------APNBinding
+------------ProviderId
+------------AccessPointName
+------------UserName
+------------Password
+------------IsCompressionEnabled
+------------AuthenticationType
+--------DeviceCompliance
+------------Enabled
+------------Sso
+----------------Enabled
+----------------IssuerHash
+----------------Eku
+--------PluginProfile
+------------ServerUrlList
+------------CustomConfiguration
+------------PluginPackageFamilyName
+------------CustomStoreUrl
+------------WebAuth
+----------------Enabled
+----------------ClientId
+--------NativeProfile
+------------Servers
+------------RoutingPolicyType
+------------NativeProtocolType
+------------Authentication
+----------------UserMethod
+----------------MachineMethod
+----------------Eap
+--------------------Configuration
+--------------------Type
+----------------Certificate
+--------------------Issuer
+--------------------Eku
+------------CryptographySuite
+----------------AuthenticationTransformConstants
+----------------CipherTransformConstants
+----------------EncryptionMethod
+----------------IntegrityCheckMethod
+----------------DHGroup
+----------------PfsGroup
+------------L2tpPsk
+------------DisableClassBasedDefaultRoute
+------------PlumbIKEv2TSAsRoutes
+
+
+./Vendor/MSFT
+./User/Vendor/MSFT
+VPNv2
+----ProfileName
+--------AppTriggerList
+------------appTriggerRowId
+----------------App
+--------------------Id
+--------------------Type
+--------RouteList
+------------routeRowId
+----------------Address
+----------------PrefixSize
+----------------Metric
+----------------ExclusionRoute
+--------DomainNameInformationList
+------------dniRowId
+----------------DomainName
+----------------DomainNameType
+----------------DnsServers
+----------------WebProxyServers
+----------------AutoTrigger
+----------------Persistent
+--------TrafficFilterList
+------------trafficFilterId
+----------------App
+--------------------Id
+--------------------Type
+----------------Claims
+----------------Protocol
+----------------LocalPortRanges
+----------------RemotePortRanges
+----------------LocalAddressRanges
+----------------RemoteAddressRanges
+----------------RoutingPolicyType
+----------------Direction
+--------EdpModeId
+--------RememberCredentials
+--------AlwaysOn
+--------LockDown
+--------DeviceTunnel
+--------RegisterDNS
+--------DnsSuffix
+--------ByPassForLocal
+--------TrustedNetworkDetection
+--------ProfileXML
+--------Proxy
+------------Manual
+----------------Server
+------------AutoConfigUrl
+--------APNBinding
+------------ProviderId
+------------AccessPointName
+------------UserName
+------------Password
+------------IsCompressionEnabled
+------------AuthenticationType
+--------DeviceCompliance
+------------Enabled
+------------Sso
+----------------Enabled
+----------------IssuerHash
+----------------Eku
+--------PluginProfile
+------------ServerUrlList
+------------CustomConfiguration
+------------PluginPackageFamilyName
+------------CustomStoreUrl
+------------WebAuth
+----------------Enabled
+----------------ClientId
+--------NativeProfile
+------------Servers
+------------RoutingPolicyType
+------------NativeProtocolType
+------------Authentication
+----------------UserMethod
+----------------MachineMethod
+----------------Eap
+--------------------Configuration
+--------------------Type
+----------------Certificate
+--------------------Issuer
+--------------------Eku
+------------CryptographySuite
+----------------AuthenticationTransformConstants
+----------------CipherTransformConstants
+----------------EncryptionMethod
+----------------IntegrityCheckMethod
+----------------DHGroup
+----------------PfsGroup
+------------L2tpPsk
+------------DisableClassBasedDefaultRoute
+------------PlumbIKEv2TSAsRoutes
+```
**Device or User profile**
For user profile, use **./User/Vendor/MSFT** path and for device profile, use **./Device/Vendor/MSFT** path.
@@ -45,13 +325,14 @@ Unique alpha numeric identifier for the profile. The profile name must not inclu
Supported operations include Get, Add, and Delete.
-> **Note** If the profile name has a space or other non-alphanumeric character, it must be properly escaped according to the URL encoding standard.
+> [!NOTE]
+> If the profile name has a space or other non-alphanumeric character, it must be properly escaped according to the URL encoding standard.
**VPNv2/**ProfileName**/AppTriggerList**
Optional node. List of applications set to trigger the VPN. If any of these apps are launched and the VPN profile is currently the active profile, this VPN profile will be triggered to connect.
**VPNv2/**ProfileName**/AppTriggerList/**appTriggerRowId
-A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers.
+A sequential integer identifier that allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers.
Supported operations include Get, Add, Replace, and Delete.
@@ -64,8 +345,8 @@ App identity, which is either an app’s package family name or file path. The t
**VPNv2/**ProfileName**/AppTriggerList/**appTriggerRowId**/App/Type**
Returns the type of **App/Id**. This value can be either of the following:
-- PackageFamilyName - When this is returned, the App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of the Microsoft Store application.
-- FilePath - When this is returned, the App/Id value represents the full file path of the app. For example, `C:\Windows\System\Notepad.exe`.
+- PackageFamilyName - When this is returned, the App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of the Microsoft Store application.
+- FilePath - When this is returned, the App/Id value represents the full file path of the app. For example, `C:\Windows\System\Notepad.exe`.
Value type is chr. Supported operation is Get.
@@ -99,8 +380,8 @@ Value type is int. Supported operations include Get, Add, Replace, and Delete.
**VPNv2/**ProfileName**/RouteList/**routeRowId**/ExclusionRoute**
Added in Windows 10, version 1607. A boolean value that specifies if the route being added should point to the VPN Interface or the Physical Interface as the Gateway. Valid values:
-- False (default) - This route will direct traffic over the VPN
-- True - This route will direct traffic over the physical interface.
+- False (default) - This route will direct traffic over the VPN
+- True - This route will direct traffic over the physical interface.
Supported operations include Get, Add, Replace, and Delete.
@@ -117,30 +398,29 @@ Supported operations include Get, Add, Replace, and Delete.
**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/DomainName**
Used to indicate the namespace to which the policy applies. When a Name query is issued, the DNS client compares the name in the query to all of the namespaces under DomainNameInformationList to find a match. This parameter can be one of the following types:
-- FQDN - Fully qualified domain name
-- Suffix - A domain suffix that will be appended to the shortname query for DNS resolution. To specify a suffix, prepend a **.** to the DNS suffix.
+- FQDN - Fully qualified domain name
+- Suffix - A domain suffix that will be appended to the shortname query for DNS resolution. To specify a suffix, prepend **.** to the DNS suffix.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/DomainNameType**
Returns the namespace type. This value can be one of the following:
-- FQDN - If the DomainName was not prepended with a **.** and applies only to the fully qualified domain name (FQDN) of a specified host.
-- Suffix - If the DomainName was prepended with a **.** and applies to the specified namespace, all records in that namespace, and all subdomains.
+- FQDN - If the DomainName was not prepended with a**.** and applies only to the fully qualified domain name (FQDN) of a specified host.
+- Suffix - If the DomainName was prepended with a**.** and applies to the specified namespace, all records in that namespace, and all subdomains.
Value type is chr. Supported operation is Get.
**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/DnsServers**
-List of comma separated DNS Server IP addresses to use for the namespace.
+List of comma-separated DNS Server IP addresses to use for the namespace.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/WebProxyServers**
Optional. Web Proxy Server IP address if you are redirecting traffic through your intranet.
-> **Note** Currently only one web proxy server is supported.
-
-
+> [!NOTE]
+> Currently only one web proxy server is supported.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
@@ -166,9 +446,8 @@ Supported operations include Get, Add, Replace, and Delete.
**VPNv2/**ProfileName**/TrafficFilterList**
An optional node that specifies a list of rules. Only traffic that matches these rules can be sent via the VPN Interface.
-> **Note** Once a TrafficFilterList is added, all traffic are blocked other than the ones matching the rules.
-
-
+> [!NOTE]
+> Once a TrafficFilterList is added, all traffic are blocked other than the ones matching the rules.
When adding multiple rules, each rule operates based on an OR with the other rules. Within each rule, each property operates based on an AND with each other.
@@ -183,9 +462,9 @@ App identity for the app-based traffic filter.
The value for this node can be one of the following:
-- PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application.
-- FilePath - This App/Id value represents the full file path of the app. For example, `C:\Windows\System\Notepad.exe`.
-- SYSTEM – This value enables Kernel Drivers to send traffic through VPN (for example, PING or SMB).
+- PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application.
+- FilePath - This App/Id value represents the full file path of the app. For example, `C:\Windows\System\Notepad.exe`.
+- SYSTEM – This value enables Kernel Drivers to send traffic through VPN (for example, PING or SMB).
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
@@ -203,45 +482,53 @@ Numeric value from 0-255 representing the IP protocol to allow. For example, TCP
Value type is int. Supported operations include Get, Add, Replace, and Delete.
**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/LocalPortRanges**
-A list of comma separated values specifying local port ranges to allow. For example, `100-120, 200, 300-320`.
+A list of comma-separated values specifying local port ranges to allow. For example, `100-120, 200, 300-320`.
-> **Note** Ports are only valid when the protocol is set to TCP=6 or UDP=17.
-
-
+> [!NOTE]
+> Ports are only valid when the protocol is set to TCP=6 or UDP=17.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/RemotePortRanges**
-A list of comma separated values specifying remote port ranges to allow. For example, `100-120, 200, 300-320`.
+A list of comma-separated values specifying remote port ranges to allow. For example, `100-120, 200, 300-320`.
-> **Note** Ports are only valid when the protocol is set to TCP=6 or UDP=17.
-
-
+> [!NOTE]
+> Ports are only valid when the protocol is set to TCP=6 or UDP=17.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/LocalAddressRanges**
-A list of comma separated values specifying local IP address ranges to allow.
+A list of comma-separated values specifying local IP address ranges to allow.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/RemoteAddressRanges**
-A list of comma separated values specifying remote IP address ranges to allow.
+A list of comma-separated values specifying remote IP address ranges to allow.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/RoutingPolicyType**
Specifies the routing policy if an App or Claims type is used in the traffic filter. The scope of this property is for this traffic filter rule alone. The value can be one of the following:
-- SplitTunnel - For this traffic filter rule, only the traffic meant for the VPN interface (as determined by the networking stack) goes over the interface. Internet traffic can continue to go over the other interfaces.
-- ForceTunnel - For this traffic rule all IP traffic must go through the VPN Interface only.
+- SplitTunnel - For this traffic filter rule, only the traffic meant for the VPN interface (as determined by the networking stack) goes over the interface. Internet traffic can continue to go over the other interfaces.
+- ForceTunnel - For this traffic rule all IP traffic must go through the VPN Interface only.
-This is only applicable for App ID based Traffic Filter rules.
+This is only applicable for App ID-based Traffic Filter rules.
+
+Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/Direction**
+Added in Windows 10, version 2004. Specifies the traffic direction to apply this policy to. Default is Outbound. The value can be one of the following:
+
+- Outbound - The rule applies to all outbound traffic
+- Inbound - The rule applies to all inbound traffic
+
+If no inbound filter is provided, then by default all unsolicited inbound traffic will be blocked.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
**VPNv2/**ProfileName**/EdpModeId**
-Enterprise ID, which is required for connecting this VPN profile with an WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
+Enterprise ID, which is required for connecting this VPN profile with a WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
Additionally when connecting with Windows Information Protection (WIP)(formerly known as Enterprise Data Protection), the admin does not have to specify AppTriggerList and TrafficFilterList rules separately in this profile (unless more advanced config is needed) because the WIP policies and App lists automatically takes effect.
@@ -255,40 +542,22 @@ Supported operations include Get, Add, Replace, and Delete.
**VPNv2/**ProfileName**/AlwaysOn**
An optional flag to enable Always On mode. This will automatically connect the VPN at sign-in and will stay connected until the user manually disconnects.
-> **Note** Always On only works for the active profile. The first profile provisioned that can be auto triggered will automatically be set as active.
+> [!NOTE]
+> Always On only works for the active profile. The first profile provisioned that can be auto triggered will automatically be set as active.
Preserving user Always On preference
Windows has a feature to preserve a user’s AlwaysOn preference. In the event that a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList.
Should a management tool remove/add the same profile name back and set AlwaysOn to true, Windows will not check the box if the profile name exists in the below registry value in order to preserve user preference.
-Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config
+Key: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config`
Value: AutoTriggerDisabledProfilesList
Type: REG_MULTI_SZ
Valid values:
-- False (default) - Always On is turned off.
-- True - Always On is turned on.
-
-Value type is bool. Supported operations include Get, Add, Replace, and Delete.
-
-**VPNv2/**ProfileName**/LockDown** (./Device only profile)
-Lockdown profile.
-
-Valid values:
-
-- False (default) - this is not a LockDown profile.
-- True - this is a LockDown profile.
-
-When the LockDown profile is turned on, it does the following things:
-
-- First, it automatically becomes an "always on" profile.
-- Second, it can never be disconnected.
-- Third, if the profile is not connected, then the user has no network.
-- Fourth, no other profiles may be connected or modified.
-
-A Lockdown profile must be deleted before you can add, remove, or connect other profiles.
+- False (default) - Always On is turned off.
+- True - Always On is turned on.
Value type is bool. Supported operations include Get, Add, Replace, and Delete.
@@ -297,14 +566,14 @@ Device tunnel profile.
Valid values:
-- False (default) - this is not a device tunnel profile.
-- True - this is a device tunnel profile.
+- False (default) - this is not a device tunnel profile.
+- True - this is a device tunnel profile.
When the DeviceTunnel profile is turned on, it does the following things:
-- First, it automatically becomes an "always on" profile.
-- Second, it does not require the presence or logging in of any user to the machine in order for it to connect.
-- Third, no other device tunnel profile maybe be present on the same machine.
+- First, it automatically becomes an "always on" profile.
+- Second, it does not require the presence or logging in of any user to the machine in order for it to connect.
+- Third, no other device tunnel profile maybe is present on the same machine.-
A device tunnel profile must be deleted before another device tunnel profile can be added, removed, or connected.
@@ -315,11 +584,11 @@ Allows registration of the connection's address in DNS.
Valid values:
-- False = Do not register the connection's address in DNS (default).
-- True = Register the connection's addresses in DNS.
+- False = Do not register the connection's address in DNS (default).
+- True = Register the connection's addresses in DNS.
**VPNv2/**ProfileName**/DnsSuffix**
-Optional. Specifies one or more comma separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList.
+Optional. Specifies one or more comma-separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
@@ -327,7 +596,7 @@ Value type is chr. Supported operations include Get, Add, Replace, and Delete.
Reserved for future use.
**VPNv2/**ProfileName**/TrustedNetworkDetection**
-Optional. Comma separated string to identify the trusted network. VPN will not connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device.
+Optional. Comma-separated string to identify the trusted network. VPN will not connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
@@ -337,7 +606,10 @@ Added in Windows 10, version 1607. The XML schema for provisioning all the fiel
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
**VPNv2/**ProfileName**/Proxy**
-A collection of configuration objects to enable a post-connect proxy support for VPN. The proxy defined for this profile is applied when this profile is active and connected.
+A collection of configuration objects to enable a post-connect proxy support for VPN Force Tunnel connections. The proxy defined for this profile is applied when this profile is active and connected.
+
+> [!NOTE]
+> VPN proxy settings are used only on Force Tunnel connections. On Split Tunnel connections, the general proxy settings are used.
**VPNv2/**ProfileName**/Proxy/Manual**
Optional node containing the manual server settings.
@@ -395,7 +667,7 @@ Added in Windows 10, version 1607. Hashes for the VPN Client to look for the co
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
**VPNv2/**ProfileName**/DeviceCompliance/Sso/Eku**
-Added in Windows 10, version 1607. Comma Separated list of EKUs for the VPN Client to look for the correct certificate for Kerberos Authentication.
+Added in Windows 10, version 1607. Comma-Separated list of EKUs for the VPN Client to look for the correct certificate for Kerberos Authentication.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
@@ -428,29 +700,30 @@ Required for native profiles. Public or routable IP address or DNS name for the
The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name.
-You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com.
+You can make a list of server by making a list of server names (with optional friendly names) separated by commas. For example, server1.example.com,server2.example.com.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
**VPNv2/**ProfileName**/NativeProfile/RoutingPolicyType**
Optional for native profiles. Type of routing policy. This value can be one of the following:
-- SplitTunnel - Traffic can go over any interface as determined by the networking stack.
-- ForceTunnel - All IP traffic must go over the VPN interface.
+- SplitTunnel - Traffic can go over any interface as determined by the networking stack.
+- ForceTunnel - All IP traffic must go over the VPN interface.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
**VPNv2/**ProfileName**/NativeProfile/NativeProtocolType**
Required for native profiles. Type of tunneling protocol used. This value can be one of the following:
-- PPTP
-- L2TP
-- IKEv2
-- Automatic
+- PPTP
+- L2TP
+- IKEv2
+- Automatic
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-> **Note** The **Automatic** option means that the device will try each of the built-in tunneling protocols until one succeeds. It will attempt protocols in following order: SSTP, IKEv2, PPTP and then L2TP. This order is not customizable.
+> [!NOTE]
+> The **Automatic** option means that the device will try each of the built-in tunneling protocols until one succeeds. It will attempt protocols in following order: SSTP, IKEv2, PPTP and then L2TP. This order is not customizable.
**VPNv2/**ProfileName**/NativeProfile/Authentication**
Required node for native profile. It contains authentication information for the native VPN profile.
@@ -502,12 +775,12 @@ Added in Windows 10, version 1607.
The following list contains the valid values:
-- MD596
-- SHA196
-- SHA256128
-- GCMAES128
-- GCMAES192
-- GCMAES256
+- MD596
+- SHA196
+- SHA256128
+- GCMAES128
+- GCMAES192
+- GCMAES256
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
@@ -516,14 +789,14 @@ Added in Windows 10, version 1607.
The following list contains the valid values:
-- DES
-- DES3
-- AES128
-- AES192
-- AES256
-- GCMAES128
-- GCMAES192
-- GCMAES256
+- DES
+- DES3
+- AES128
+- AES192
+- AES256
+- GCMAES128
+- GCMAES192
+- GCMAES256
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
@@ -532,13 +805,13 @@ Added in Windows 10, version 1607.
The following list contains the valid values:
-- DES
-- DES3
-- AES128
-- AES192
-- AES256
-- AES\_GCM_128
-- AES\_GCM_256
+- DES
+- DES3
+- AES128
+- AES192
+- AES256
+- AES\_GCM_128
+- AES\_GCM_256
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
@@ -547,10 +820,10 @@ Added in Windows 10, version 1607.
The following list contains the valid values:
-- MD5
-- SHA196
-- SHA256
-- SHA384
+- MD5
+- SHA196
+- SHA256
+- SHA384
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
@@ -559,12 +832,12 @@ Added in Windows 10, version 1607.
The following list contains the valid values:
-- Group1
-- Group2
-- Group14
-- ECP256
-- ECP384
-- Group24
+- Group1
+- Group2
+- Group14
+- ECP256
+- ECP384
+- Group24
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
@@ -573,13 +846,13 @@ Added in Windows 10, version 1607.
The following list contains the valid values:
-- PFS1
-- PFS2
-- PFS2048
-- ECP256
-- ECP384
-- PFSMM
-- PFS24
+- PFS1
+- PFS2
+- PFS2048
+- ECP256
+- ECP384
+- PFSMM
+- PFS24
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
@@ -589,7 +862,7 @@ Added in Windows 10, version 1607. The preshared key used for an L2TP connectio
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
**VPNv2/**ProfileName**/NativeProfile/DisableClassBasedDefaultRoute**
-Added in Windows 10, version 1607. Specifies the class based default routes. For example, if the interface IP begins with 10, it assumes a class a IP and pushes the route to 10.0.0.0/8
+Added in Windows 10, version 1607. Specifies the class-based default routes. For example, if the interface IP begins with 10, it assumes a class an IP and pushes the route to 10.0.0.0/8
Value type is bool. Supported operations include Get, Add, Replace, and Delete.
@@ -1308,8 +1581,7 @@ Servers
```
-## Related topics
-
+## See also
[Configuration service provider reference](configuration-service-provider-reference.md)
@@ -1321,4 +1593,3 @@ Servers
-
diff --git a/windows/client-management/mdm/vpnv2-ddf-file.md b/windows/client-management/mdm/vpnv2-ddf-file.md
index aa531d9602..ea97295698 100644
--- a/windows/client-management/mdm/vpnv2-ddf-file.md
+++ b/windows/client-management/mdm/vpnv2-ddf-file.md
@@ -2,14 +2,14 @@
title: VPNv2 DDF file
description: This topic shows the OMA DM device description framework (DDF) for the VPNv2 configuration service provider.
ms.assetid: 4E2F36B7-D2EE-4F48-AD1A-6BDE7E72CC94
-ms.reviewer:
+ms.reviewer: pesmith
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
-ms.date: 12/05/2017
+ms.date: 10/30/2020
---
# VPNv2 DDF file
@@ -19,7 +19,7 @@ This topic shows the OMA DM device description framework (DDF) for the **VPNv2**
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
-The XML below is for Windows 10, version 1709.
+The XML below is for Windows 10, version 2004.
```xml
@@ -32,7 +32,7 @@ The XML below is for Windows 10, version 1709.
BIOSRead This problem is indicated when an application cannot access the Device\PhysicalMemory object beyond the kernel-mode drivers, on any of the Windows Server® 2003 operating systems. This problem is indicated when an application cannot access the Device\PhysicalMemory object beyond the kernel-mode drivers, on any of the Windows Server® 2003 operating systems. The fix enables OEM executable (.exe) files to use the GetSystemFirmwareTable function instead of the NtOpenSection function when the BIOS is queried for the \Device\Physical memory information.. ChangeFolderPathToXPStyle This fix is required when an application cannot return shell folder paths when it uses the SHGetFolder API. The fix intercepts the SHGetFolder path request to the common appdata file path and returns the Windows® XP-style file path instead of the Windows Vista-style file path. The fix intercepts the SHGetFolder path request to the common appdata file path and returns the Windows® XP-style file path instead of the Windows Vista-style file path. ClearLastErrorStatusonIntializeCriticalSection DirectXVersionLie This problem occurs when an application fails because it does not find the correct version number for DirectX®. This problem occurs when an application fails because it does not find the correct version number for DirectX®. The fix modifies the DXDIAGN GetProp function call to return the correct DirectX version. You can control this fix further by typing the following command at the command prompt: MAJORVERSION.MINORVERSION.LETTER IgnoreMSOXMLMF The problem is indicated by an error message that states that the operating system cannot locate the MSVCR80D.DLL file. The fix ignores the registered MSOXMLMF.DLL object, which Microsoft® Office 2007 loads into the operating system any time that you load an XML file, and then it fails the CoGetClassObject for its CLSID. This compatibility fix will just ignore the registered MSOXMLMF and fail the CoGetClassObject for its CLSID. The fix ignores the registered MSOXMLMF.DLL object, which Microsoft® Office 2007 loads into the operating system any time that you load an XML file, and then it fails the CoGetClassObject for its CLSID. This compatibility fix will just ignore the registered MSOXMLMF and fail the CoGetClassObject for its CLSID. IgnoreSetROP2 MIG_OFFLINE_PLATFORM_ARCH 32 or 64 While operating offline, this environment variable defines the architecture of the offline system, if the system does not match the WinPE and Scanstate.exe architecture. This environment variable enables the 32-bit ScanState application to gather data from a computer with 64-bit architecture, or the 64-bit ScanState application to gather data from a computer with 32-bit architecture. This is required when auto-detection of the offline architecture doesn’t function properly, for example, when the source system is running a 64-bit version of Windows XP. For example, to set this system environment variable for a 32-bit architecture, at a command prompt type the following: While operating offline, this environment variable defines the architecture of the offline system, if the system does not match the WinPE and Scanstate.exe architecture. This environment variable enables the 32-bit ScanState application to gather data from a computer with 64-bit architecture, or the 64-bit ScanState application to gather data from a computer with 32-bit architecture. This is required when auto-detection of the offline architecture doesn't function properly, for example, when the source system is running a 64-bit version of Windows XP. For example, to set this system environment variable for a 32-bit architecture, at a command prompt type the following: You can either: Specify up to three <role> elements within a <component> — one “Binaries” role element, one “Settings” role element and one “Data” role element. These parameters do not change the migration behavior — their only purpose is to help you categorize the settings that you are migrating. You can nest these <role> elements, but each nested element must be of the same role parameter. Specify one “Container” <role> element within a <component> element. In this case, you cannot specify any child <rules> elements, only other <component> elements. And each child <component> element must have the same type as that of parent <component> element. For example: Specify up to three <role> elements within a <component> — one "Binaries" role element, one "Settings" role element and one "Data" role element. These parameters do not change the migration behavior — their only purpose is to help you categorize the settings that you are migrating. You can nest these <role> elements, but each nested element must be of the same role parameter. Specify one "Container" <role> element within a <component> element. In this case, you cannot specify any child <rules> elements, only other <component> elements. And each child <component> element must have the same type as that of parent <component> element. For example: name Yes ID is a string value that is the name used to reference the environment variable. We recommend that ID start with the component’s name to avoid namespace collisions. For example, if your component’s name is MyComponent, and you want a variable that is your component’s install path, you could specify ID is a string value that is the name used to reference the environment variable. We recommend that ID start with the component's name to avoid namespace collisions. For example, if your component's name is MyComponent, and you want a variable that is your component's install path, you could specify remap No, default = FALSE Specifies whether to evaluate this environment variable as a remapping environment variable. Objects that are located in a path that is underneath this environment variable’s value are automatically moved to where the environment variable points on the destination computer. Specifies whether to evaluate this environment variable as a remapping environment variable. Objects that are located in a path that is underneath this environment variable's value are automatically moved to where the environment variable points on the destination computer. Type BuiltIn Local Builtin Local Default container Type BuiltIn Local Builtin Local Default container Type BuiltIn Local Builtin Local Default container Type Builtin local Builtin Local Default container Well-Known SID/RID S-1-5-<domain>-517 S-1-5-21-<domain>-517 Type Type Builtin local Builtin Local Default container Type BuiltIn Local Builtin Local Default container Type Domain local Builtin Local Default container Type Domain Global Global Default container Well-Known SID/RID S-1-5-<domain>-515 S-1-5-21-<domain>-515 Type Well-Known SID/RID S-1-5-<domain>-516 S-1-5-21-<domain>-516 Type Well-Known SID/RID S-1-5-<domain>-514 S-1-5-21-<domain>-514 Type Well-Known SID/RID S-1-5-<domain>-513 S-1-5-21-<domain>-513 Type Domain Global Global Default container Type Builtin local Domain Local Default container Well-Known SID/RID S-1-5-<domain>-520 S-1-5-21-<domain>-520 Type Default members Guest Guest Default member of Guest None Protected by ADMINSDHOLDER? Type Builtin local Builtin Local Default container Default member of No None Protected by ADMINSDHOLDER? Type BuiltIn Local Builtin Local Default container Type BuiltIn local Builtin Local Default container Type BuiltIn local Builtin Local Default container Type Builtin local Builtin Local Default container Type Builtin local Builtin Local Default container Type Builtin local Builtin Local Default container Type Builtin local Builtin Local Default container Type Domain Global Global Default container Type Domain local Builtin Local Default container Well-Known SID/RID S-1-5-32-<domain>-576 S-1-5-32-576 Type Builtin local Builtin Local Default container Type Builtin local Builtin Local Default container Type Builtin local Builtin Local Default container Well-Known SID/RID S-1-5-21-<domain>-521 Type Global Default container CN=Users, DC=<domain>, DC= Default members None Default member of Protected by ADMINSDHOLDER? Yes Safe to move out of default container? Yes Safe to delegate management of this group to non-Service admins? Default User Rights Well-Known SID/RID S-1-5-21-<domain>-521 Type Default container CN=Users, DC=<domain>, DC= Default members None Default member of Protected by ADMINSDHOLDER? Yes Safe to move out of default container? Yes Safe to delegate management of this group to non-Service admins? Default User Rights Type Builtin local Builtin Local Default container Type Builtin local Builtin Local Default container Well-Known SID/RID S-1-5-<root domain>-518 S-1-5-21-<root domain>-518 Type Type Builtin local Builtin Local Default container Type Builtin local Builtin Local Default container Type Builtin local Builtin Local Default container Default member of Domain Users (this membership is due to the fact that the Primary Group ID of all user accounts is Domain Users.) None Protected by ADMINSDHOLDER? Type Builtin local Builtin Local Default container User System Kernel A TPM is not required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.|
|BIOS configuration| **Note** The font should automatically install into your `%windir%/Fonts` directory. If it doesn’t, you’ll need to manually copy the font files into the **Fonts** directory and run the installation from there.
+- On each computer with the app installed, right-click on the font name and click **Install**. The font should automatically install into your `%windir%/Fonts` directory. If it doesn’t, you’ll need to manually copy the font files into the **Fonts** directory and run the installation from there.
**To fix your apps by excluding processes**
1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ FIPS Approved algorithms: AES (Cert. #4624); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2522); SHS (Cert. #3790); Triple-DES (Cert. #2459) FIPS approved algorithms: AES (Cert. #4624); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2522); SHS (Cert. #3790); Triple-DES (Cert. #2459) Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #1281); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #1278) FIPS Approved algorithms: AES (Certs. #4624 and #4626); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2523); SHS (Cert. #3790); Triple-DES (Cert. #2459) FIPS approved algorithms: AES (Certs. #4624 and #4626); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2523); SHS (Cert. #3790); Triple-DES (Cert. #2459) Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert.#1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert.#2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert.#1281) FIPS Approved algorithms: AES (Certs. #4624 and #4625); CKG (vendor affirmed); HMAC (Cert. #3061); PBKDF (vendor affirmed); RSA (Cert. #2523); SHS (Cert. #3790) FIPS approved algorithms: AES (Certs. #4624 and #4625); CKG (vendor affirmed); HMAC (Cert. #3061); PBKDF (vendor affirmed); RSA (Cert. #2523); SHS (Cert. #3790) Other algorithms: PBKDF (vendor affirmed); VMK KDF (vendor affirmed) FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2523); SHS (Cert. #3790) FIPS approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2523); SHS (Cert. #3790) FIPS Approved algorithms: AES (Cert. #4624); RSA (Certs. #2522 and #2523); SHS (Cert. #3790) FIPS approved algorithms: AES (Cert. #4624); RSA (Certs. #2522 and #2523); SHS (Cert. #3790) Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. #1282) FIPS Approved algorithms: AES (Cert. #4624); RSA (Certs. #2522 and #2523); SHS (Cert. #3790) FIPS approved algorithms: AES (Cert. #4624); RSA (Certs. #2522 and #2523); SHS (Cert. #3790) Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. #1282) FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227) FIPS approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193, and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227) Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #886) FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227) FIPS approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193, and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227) Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887) FIPS Approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347) FIPS approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347) Other algorithms: MD5; PBKDF (non-compliant); VMK KDF FIPS Approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347) FIPS approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347) Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888) FIPS Approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347) FIPS approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347) Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888) FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs. #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024) FIPS approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs. #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888, and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024) Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #664) FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs. #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024) FIPS approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs. #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888, and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024) Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663) FIPS Approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048) FIPS approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048) Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665) FIPS Approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048) FIPS approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048) Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665) FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969) FIPS approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969) Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #575) FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969) FIPS approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 bits and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969) Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576) FIPS Approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871) FIPS approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871) Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572) FIPS Approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871) FIPS approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871) Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572) FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692) FIPS approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493, and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692) Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #323) FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692) FIPS approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493, and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692) Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289) FIPS Approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373) FIPS approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373) Validated Component Implementations: PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289) FIPS Approved algorithms: AES (Certs. #739 and #756); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)#739 and ); ECDSA (Cert. ); HMAC (Cert. ); RNG (Cert. and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs. and ); SHS (Cert. ); Triple-DES (Cert. ) Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength) FIPS approved algorithms: AES (Certs. #739 and #756); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)#739 and); ECDSA (Cert.); HMAC (Cert.); RNG (Cert. and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs. and); SHS (Cert.); Triple-DES (Cert.) Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength) FIPS Approved algorithms: AES (Certs. #739 and #756); DSA (Cert. #283); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90, vendor affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656) Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength) FIPS approved algorithms: AES (Certs. #739 and #756); DSA (Cert. #283); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90, vendor affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656) Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength) FIPS Approved algorithms: AES (Cert. #739); HMAC (Cert. #407); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #354); SHS (Cert. #753); Triple-DES (Cert. #656) Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength) FIPS approved algorithms: AES (Cert. #739); HMAC (Cert. #407); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #354); SHS (Cert. #753); Triple-DES (Cert. #656) Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength) FIPS Approved algorithms: DSA (Cert. #281); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed) Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4 FIPS approved algorithms: DSA (Cert. #281); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed) Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4 FIPS Approved algorithms: HMAC (Cert. #429); RNG (Cert. #449); SHS (Cert. #785); Triple-DES (Cert. #677); Triple-DES MAC (Triple-DES Cert. #677, vendor affirmed) FIPS approved algorithms: HMAC (Cert. #429); RNG (Cert. #449); SHS (Cert. #785); Triple-DES (Cert. #677); Triple-DES MAC (Triple-DES Cert. #677, vendor affirmed) Other algorithms: DES; MD5; HMAC MD5 FIPS Approved algorithms: DSA (Cert. #292); RNG (Cert. #448); SHS (Cert. #784); Triple-DES (Cert. #676); Triple-DES MAC (Triple-DES Cert. #676, vendor affirmed) Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits); MD5; RC2; RC4 FIPS approved algorithms: DSA (Cert. #292); RNG (Cert. #448); SHS (Cert. #784); Triple-DES (Cert. #676); Triple-DES MAC (Triple-DES Cert. #676, vendor affirmed) Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits); MD5; RC2; RC4 FIPS Approved algorithms: AES (Cert. #781); HMAC (Cert. #428); RNG (Cert. #447); RSA (Cert. #371); SHS (Cert. #783); Triple-DES (Cert. #675); Triple-DES MAC (Triple-DES Cert. #675, vendor affirmed) Other algorithms: DES; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits) FIPS approved algorithms: AES (Cert. #781); HMAC (Cert. #428); RNG (Cert. #447); RSA (Cert. #371); SHS (Cert. #783); Triple-DES (Cert. #675); Triple-DES MAC (Triple-DES Cert. #675, vendor affirmed) Other algorithms: DES; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits) FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #29) FIPS approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #29) Other algorithms: DES (Cert. #66); RC2; RC4; MD5; DES40; Diffie-Hellman (key agreement) FIPS Approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed) FIPS approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed) Other algorithms: DES (Cert. #156); RC2; RC4; MD5 FIPS Approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed) FIPS approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed) Other algorithms: DES (Cert. #156); RC2; RC4; MD5 FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #35); HMAC-SHA-1 (Cert. #35, vendor affirmed) FIPS approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #35); HMAC-SHA-1 (Cert. #35, vendor affirmed) Other algorithms: DES (Cert. #89) FIPS Approved algorithms: Triple-DES (Cert. #16); SHA-1 (Certs. #35) FIPS approved algorithms: Triple-DES (Cert. #16); SHA-1 (Certs. #35) Other algorithms: DES (Certs. #89) (DSS/DH Enh: 5.0.2195.3665 [SP3]) FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed) FIPS approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed) Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5 FIPS Approved algorithms: Triple-DES (Cert. #16); SHA-1 (Certs. #35) FIPS approved algorithms: Triple-DES (Cert. #16); SHA-1 (Certs. #35) Other algorithms: DES (Certs. #89) FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed) FIPS approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed) Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5 (DSS/DH Enh: 5.0.2150.1391 [SP1]) FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed) FIPS approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed) Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5 FIPS Approved algorithms: Triple-DES (vendor affirmed); DSA/SHA-1 (Certs. #28 and 29); RSA (vendor affirmed) FIPS approved algorithms: Triple-DES (vendor affirmed); DSA/SHA-1 (Certs. #28 and 29); RSA (vendor affirmed) Other algorithms: DES (Certs. #65, 66, 67 and 68); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement) FIPS Approved algorithms: Triple-DES (vendor affirmed); SHA-1 (Certs. #20 and 21); DSA/SHA-1 (Certs. #25 and 26); RSA (vendor- affirmed) FIPS approved algorithms: Triple-DES (vendor affirmed); SHA-1 (Certs. #20 and 21); DSA/SHA-1 (Certs. #25 and 26); RSA (vendor- affirmed) Other algorithms: DES (Certs. #61, 62, 63 and 64); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement) FIPS Approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347) FIPS approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347) Other algorithms: MD5; PBKDF (non-compliant); VMK KDF FIPS Approved algorithms: DSA (Cert. #221); RNG (Cert. #314); RSA (Cert. #245); SHS (Cert. #611); Triple-DES (Cert. #543) Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC4 FIPS approved algorithms: DSA (Cert. #221); RNG (Cert. #314); RSA (Cert. #245); SHS (Cert. #611); Triple-DES (Cert. #543) Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC4 FIPS Approved algorithms: HMAC (Cert. #287); RNG (Cert. #313); SHS (Cert. #610); Triple-DES (Cert. #542) FIPS approved algorithms: HMAC (Cert. #287); RNG (Cert. #313); SHS (Cert. #610); Triple-DES (Cert. #542) Other algorithms: DES; HMAC-MD5 FIPS Approved algorithms: AES (Cert. #548); HMAC (Cert. #289); RNG (Cert. #316); RSA (Cert. #245); SHS (Cert. #613); Triple-DES (Cert. #544) Other algorithms: DES; RC2; RC4; MD2; MD4; MD5; RSA (key wrapping; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength) FIPS approved algorithms: AES (Cert. #548); HMAC (Cert. #289); RNG (Cert. #316); RSA (Cert. #245); SHS (Cert. #613); Triple-DES (Cert. #544) Other algorithms: DES; RC2; RC4; MD2; MD4; MD5; RSA (key wrapping; key establishment methodology provides between 112 bits and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength) FIPS Approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2]) FIPS approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2]) Other algorithms: DES (Cert. #230[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant) [1] x86 FIPS Approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2]) FIPS approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2]) Other algorithms: DES (Cert. #226[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5 [1] x86 FIPS Approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81) FIPS approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81) Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40 [1] x86 FIPS Approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2]) FIPS approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2]) Other algorithms: DES (Cert. #230[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant) [1] x86 FIPS Approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2]) FIPS approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2]) Other algorithms: DES (Cert. #226[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5 [1] x86 FIPS Approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81) FIPS approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81) Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40 [1] x86 FIPS Approved algorithms: AES (Certs.#4433and#4434); CKG (vendor affirmed); DRBG (Certs.#1432and#1433); HMAC (Certs.#2946and#2945); RSA (Certs.#2414and#2415); SHS (Certs.#3651and#3652); Triple-DES (Certs.#2383and#2384) Allowed algorithms: HMAC-MD5; MD5; NDRNG FIPS approved algorithms: AES (Certs.#4433and#4434); CKG (vendor affirmed); DRBG (Certs.#1432and#1433); HMAC (Certs.#2946and#2945); RSA (Certs.#2414and#2415); SHS (Certs.#3651and#3652); Triple-DES (Certs.#2383and#2384) Allowed algorithms: HMAC-MD5, MD5, NDRNG FIPS Approved algorithms: AES (Certs.#4430and#4431); CKG (vendor affirmed); CVL (Certs.#1139and#1140); DRBG (Certs.#1429and#1430); DSA (Certs.#1187and#1188); ECDSA (Certs.#1072and#1073); HMAC (Certs.#2942and#2943); KAS (Certs.#114and#115); RSA (Certs.#2411and#2412); SHS (Certs.#3648and#3649); Triple-DES (Certs.#2381and#2382) Allowed algorithms: MD5; NDRNG; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength FIPS approved algorithms: AES (Certs.#4430and#4431); CKG (vendor affirmed); CVL (Certs.#1139and#1140); DRBG (Certs.#1429and#1430); DSA (Certs.#1187and#1188); ECDSA (Certs.#1072and#1073); HMAC (Certs.#2942and#2943); KAS (Certs.#114and#115); RSA (Certs.#2411and#2412); SHS (Certs.#3648and#3649); Triple-DES (Certs.#2381and#2382) Allowed algorithms: MD5, NDRNG, RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength FIPS Approved algorithms: AES (Certs. #516 [1] and #2024 [2]); HMAC (Certs. #267 [1] and #1227 [2]); RNG (Certs. #292 [1] and #1060 [2]); RSA (Cert. #230 [1] and #1052 [2]); SHS (Certs. #589 [1] and #1774 [2]); Triple-DES (Certs. #526 [1] and #1308 [2]) FIPS approved algorithms: AES (Certs. #516 [1] and #2024 [2]); HMAC (Certs. #267 [1] and #1227 [2]); RNG (Certs. #292 [1] and #1060 [2]); RSA (Cert. #230 [1] and #1052 [2]); SHS (Certs. #589 [1] and #1774 [2]); Triple-DES (Certs. #526 [1] and #1308 [2]) Other algorithms: MD5; HMAC-MD5; RC2; RC4; DES FIPS Approved algorithms: Triple-DES (Cert. #18); SHA-1 (Certs. #32); RSA (vendor affirmed) FIPS approved algorithms: Triple-DES (Cert. #18); SHA-1 (Certs. #32); RSA (vendor affirmed) Other algorithms: DES (Certs. #91); DES MAC; RC2; MD2; MD5 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #4903 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #4903 Version 10.0.16299 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4897 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4897 Version 10.0.16299 AES Val#4902 Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations #4900 Version 10.0.15063.674 AES Val#4901 Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations #4899 Version 10.0.15254 AES Val#4897 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #4898 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #4898 Version 10.0.16299 AES Val#4902 Microsoft Surface Hub BitLocker(R) Cryptographic Implementations #4896 Version 10.0.15063.674 AES Val#4901 Windows 10 Mobile (version 1709) BitLocker(R) Cryptographic Implementations #4895 Version 10.0.15254 AES Val#4897 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); BitLocker(R) Cryptographic Implementations #4894 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); BitLocker(R) Cryptographic Implementations #4894 Version 10.0.16299 CBC ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); OFB ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 ) CBC (e/d; 128, 192, 256); CFB128 (e/d; 128, 192, 256); OFB (e/d; 128, 192, 256); CTR (int only; 128, 192, 256) Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #4627 Version 10.0.15063 KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 ) AES Val#4624 KW (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048) Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #4626 Version 10.0.15063 CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 ) AES Val#4624 CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16) Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile BitLocker(R) Cryptographic Implementations #4625 Version 10.0.15063 ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 ) CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 ) CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 ) IV Generated: ( External ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; 96BitIV_Supported GMAC_Supported XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) ) ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256); CFB128 (e/d; 128, 192, 256); CTR (int only; 128, 192, 256) CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16) CMAC (Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96) IV Generated: (External); PT Lengths Tested: (0, 1024, 8, 1016); Additional authenticated data lengths tested: (0, 1024, 8, 1016); 96 bit IV supported GMAC supported XTS((KS: XTS_128((e/d)(f)) KS: XTS_256((e/d)(f)) Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #4624 Version 10.0.15063 ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4434 Version 7.00.2872 ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4433 Version 8.00.6246 ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 ) ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CTR (int only; 128, 192, 256) Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4431 Version 7.00.2872 ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 ) ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CTR (int only; 128, 192, 256) Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4430 Version 8.00.6246 CBC ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); OFB ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 ) Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #4074 CBC (e/d; 128, 192, 256); CFB128 (e/d; 128, 192, 256); OFB (e/d; 128, 192, 256); CTR (int only; 128, 192, 256) Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #4074 Version 10.0.14393 ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 ) CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 ) CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 ) XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) ) ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256); CFB128 (e/d; 128, 192, 256); CTR (int only; 128, 192, 256) CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16) CMAC (Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96) XTS((KS: XTS_128((e/d)(f)) KS: XTS_256((e/d)(f)) Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #4064 Version 10.0.14393 ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256); KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 192 , 256 , 320 , 2048 ) AES Val#4064 KW (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 192, 256, 320, 2048) Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #4062 Version 10.0.14393 CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 ) AES Val#4064 CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16) Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker® Cryptographic Implementations #4061 Version 10.0.14393 KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 ) AES Val#3629 KW (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048) Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #3652 Version 10.0.10586 CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 ) AES Val#3629 CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16) Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BitLocker® Cryptographic Implementations #3653 Version 10.0.10586 ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256); ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 ) CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 ) CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 ) XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) ) ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256); CFB128 (e/d; 128, 192, 256); CTR (int only; 128, 192, 256) CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16) CMAC (Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96) XTS((KS: XTS_128((e/d) (f)) KS: XTS_256((e/d) (f)) Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #3629 Version 10.0.10586 KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 ) AES Val#3497 KW (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048) Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #3507 Version 10.0.10240 CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 ) AES Val#3497 CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16) Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker® Cryptographic Implementations #3498 Version 10.0.10240 ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 ) CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 ) CMAC(Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 ) XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) ) ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256); CFB128 (e/d; 128, 192, 256); CTR (int only; 128, 192, 256) CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16) CMAC(Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96) XTS((KS: XTS_128((e/d)(f)) KS: XTS_256((e/d)(f)) ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256); ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256); Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2853 Version 6.3.9600 CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 ) AES Val#2832 Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BitLocker� Cryptographic Implementations #2848 CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16) Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 BitLocker Cryptographic Implementations #2848 Version 6.3.9600 CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 0 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 ) CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 ) IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported ; CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 0 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16) CMAC (Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96) IV Generated: (Externally); PT Lengths Tested: (0, 128, 1024, 8, 1016); Additional authenticated data lengths tested: (0, 128, 1024, 8, 1016); IV Lengths Tested: (8, 1024); 96 bit IV supported; Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2832 Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2832 Version 6.3.9600 CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 ) CMAC (Generation/Verification ) (KS: 128; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) GCM(KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 ) CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16) CMAC (Generation/Verification) (KS: 128; Block Size(s); Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 192; Block Size(s); Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 256; Block Size(s); Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) GCM(KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96) CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 ) AES Val#2196 CCM (KS: 256) (Assoc. Data Len Range: 0 - 0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16) ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 ) ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256); CFB128 (e/d; 128, 192, 256); CTR (int only; 128, 192, 256) ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256); Windows Server 2008 R2 and SP1 CNG algorithms #1187 Windows 7 Ultimate and SP1 CNG algorithms #1178 ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256); GCM GMAC Windows Server 2008 CNG algorithms #757 Windows Vista Ultimate SP1 CNG algorithms #756 CBC ( e/d; 128 , 256 ); CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 ) CBC (e/d; 128, 256); CCM (KS: 128, 256) (Assoc. Data Len Range: 0 - 8) (Payload Length Range: 4 - 32 (Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16) Windows Vista Ultimate BitLocker Drive Encryption #715 Windows Vista Ultimate BitLocker Drive Encryption #424 ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256); Windows Vista Ultimate SP1 and Windows Server 2008 Symmetric Algorithm Implementation #739 Windows Vista Symmetric Algorithm Implementation #553 ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 ) ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CTR (int only; 128, 192, 256) ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #2024 Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #818 Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #781 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1733 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1733 Version 10.0.16299 Prerequisite: AES #4897 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1730 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1730 Version 10.0.16299 Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1556 Version 10.0.15063 Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1555 Version 10.0.15063 Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1433 Version 7.00.2872 Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1432 Version 8.00.6246 Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1430 Version 7.00.2872 Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1429 Version 8.00.6246 Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #1222 Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #1222 Version 10.0.14393 Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #1217 Version 10.0.14393 Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #955 Version 10.0.10586 Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #868 Version 10.0.10240 Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #489 Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #489 Version 6.3.9600 Prerequisite: SHS #4009, DRBG #1730 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1301 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1301 Version 10.0.16299 FIPS186-4: PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ] PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ] KeyPairGen: [ (2048,256) ; (3072,256) ] SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ] SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ] SHS: Val#3790 DRBG: Val# 1555 PQG(gen)PARMS TESTED: [(2048,256)SHA(256); (3072,256) SHA(256)] PQG(ver)PARMS TESTED: [(2048,256) SHA(256); (3072,256) SHA(256)] KeyPairGen: [(2048,256); (3072,256)] SIG(gen)PARMS TESTED: [(2048,256) SHA(256); (3072,256) SHA(256)] SIG(ver)PARMS TESTED: [(2048,256) SHA(256); (3072,256) SHA(256)] DRBG: validation number 1555 Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1223 Version 10.0.15063 Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1188 Version 7.00.2872 Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1187 Version 8.00.6246 FIPS186-4: SHS: validation number 3347 Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #1098 Version 10.0.14393 FIPS186-4: SHS: validation number 3047 Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #1024 Version 10.0.10586 FIPS186-4: SHS: validation number 2886 Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #983 Version 10.0.10240 FIPS186-4: Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #855 SHS: validation number 2373 Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #855 Version 6.3.9600 FIPS186-4: Windows Server 2008 R2 and SP1 CNG algorithms #391 Windows 7 Ultimate and SP1 CNG algorithms #386 Windows Server 2008 R2 and SP1 Enhanced DSS (DSSENH) #390 Windows 7 Ultimate and SP1 Enhanced DSS (DSSENH) #385 Windows Server 2008 CNG algorithms #284 Windows Vista Ultimate SP1 CNG algorithms #283 Windows Server 2008 Enhanced DSS (DSSENH) #282 Windows Vista Ultimate SP1 Enhanced DSS (DSSENH) #281 Windows Vista CNG algorithms #227 Windows Vista Enhanced DSS (DSSENH) #226 Prerequisite: SHS #2373, DRBG #489 Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1263 Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1263 Version 6.3.9600 Prerequisite: SHS #4009, DRBG #1733 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1252 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1252 Version 10.0.16299 Prerequisite: SHS #4009, DRBG #1730 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1247 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1247 Version 10.0.16299 Prerequisite: SHS #4009, DRBG #1730 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1246 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1246 Version 10.0.16299 Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1136 Version 10.0.15063 Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1135 Version 10.0.15063 Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1133 Version 10.0.15063 Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1073 Version 7.00.2872 Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1072 Version 8.00.6246 FIPS186-4: Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #920 SHS: validation number 3347 Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #920 Version 10.0.14393 FIPS186-4: SHS: validation number 3347 Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #911 Version 10.0.14393 FIPS186-4: SHS: validation number 3047 Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #760 Version 10.0.10586 FIPS186-4: SHS: validation number 2886 Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #706 Version 10.0.10240 FIPS186-4: Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #505 SHS: validation number 2373 Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #505 Version 6.3.9600 FIPS186-2: FIPS186-4: FIPS186-2: FIPS186-4: Windows Server 2008 R2 and SP1 CNG algorithms #142 Windows 7 Ultimate and SP1 CNG algorithms #141 Windows Server 2008 CNG algorithms #83 Windows Vista Ultimate SP1 CNG algorithms #82 Prerequisite: SHS #4009 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #3270 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #3270 Version 10.0.16299 Prerequisite: SHS #4009 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #3267 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #3267 Version 10.0.16299 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3790 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3790 HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3790 HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3790 Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #3062 Version 10.0.15063 HMAC-SHA1(Key Sizes Ranges Tested: KSBS ) SHS Val#3790 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#3790 HMAC-SHA1(Key Sizes Ranges Tested: KSBS) SHS validation number 3790 HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3790 HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3790 HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS validation number 3790 Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3061 Version 10.0.15063 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3652 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3652 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3652 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3652 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3652 HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3652 HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3652 HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 3652 Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2946 Version 7.00.2872 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3651 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3651 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3651 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3651 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3651 HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3651 HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3651 HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 3651 Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2945 Version 8.00.6246 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3649 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal# 3649 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3649 HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3649 HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3649 HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 3649 Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2943 Version 7.00.2872 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3648 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3648 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3648 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3648 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3648 HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3648 HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3648 HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 3648 Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2942 Version 8.00.6246 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2661 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) HMAC-SHA256 (Key Size Ranges Tested: KSBS) HMAC-SHA384 (Key Size Ranges Tested: KSBS) Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2661 Version 10.0.14393 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3347 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 3347 HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 3347 HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 3347 HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS validation number 3347 Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2651 Version 10.0.14393 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) HMAC-SHA256 (Key Size Ranges Tested: KSBS) HMAC-SHA384 (Key Size Ranges Tested: KSBS) HMAC-SHA512 (Key Size Ranges Tested: KSBS) Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #2381 Version 10.0.10586 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) HMAC-SHA256 (Key Size Ranges Tested: KSBS) HMAC-SHA384 (Key Size Ranges Tested: KSBS) HMAC-SHA512 (Key Size Ranges Tested: KSBS) Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2233 Version 10.0.10240 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1773 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) HMAC-SHA256 (Key Size Ranges Tested: KSBS) HMAC-SHA384 (Key Size Ranges Tested: KSBS) HMAC-SHA512 (Key Size Ranges Tested: KSBS) Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1773 Version 6.3.9600 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#2764 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#2764 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#2764 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#2764 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS validation number 2764 HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS validation number 2764 HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS validation number 2764 HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS validation number 2764 Windows CE and Windows Mobile, and Windows Embedded Handheld Enhanced Cryptographic Provider (RSAENH) #2122 Version 5.2.29344 HMAC-SHA1 (Key Sizes Ranges Tested: KS#1902 HMAC-SHA256 ( Key Size Ranges Tested: KS#1902 HMAC-SHA256 (Key Size Ranges Tested: KS#1902 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS#1902 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS#1902 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS#1902 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS#1902 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS#1902 HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS#1902 HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS#1902 HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS#1902 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS#1903 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS#1903 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS#1903 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS#1903 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1773 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1773 Tinker HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1773 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1773 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 1773 HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 1773 Tinker HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 1773 HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 1773 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1774 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1774 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1774 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1774 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 1774 HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 1774 HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 1774 HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 1774 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1081 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1081 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1081 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1081 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 1081 HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 1081 HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 1081 HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 1081 Windows Server 2008 R2 and SP1 CNG algorithms #686 Windows 7 and SP1 CNG algorithms #677 Windows Server 2008 R2 Enhanced Cryptographic Provider (RSAENH) #687 Windows 7 Enhanced Cryptographic Provider (RSAENH) #673 HMAC-SHA1(Key Sizes Ranges Tested: KSVal#1081 HMAC-SHA256 ( Key Size Ranges Tested: KSVal#1081 HMAC-SHA1(Key Sizes Ranges Tested: KSvalidation number 1081 HMAC-SHA256 (Key Size Ranges Tested: KSvalidation number 1081 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#816 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#816 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#816 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#816 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 816 HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 816 HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 816 HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 816 HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#753 HMAC-SHA256 ( Key Size Ranges Tested: KSVal#753 HMAC-SHA1 (Key Sizes Ranges Tested: KSvalidation number 753 HMAC-SHA256 (Key Size Ranges Tested: KSvalidation number 753 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753 HMAC-SHA512 ( Key Size Ranges Tested: KSBS )SHS Val#753 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 753 HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 753 HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 753 HMAC-SHA512 (Key Size Ranges Tested: KSBS)SHS validation number 753 Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #408 Windows Vista Enhanced Cryptographic Provider (RSAENH) #407 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )SHSVal#618 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS)SHSvalidation number 618 HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 618 HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 618 HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 618 Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #429 Windows XP, vendor-affirmed HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#783 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#783 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#783 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#783 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 783 HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 783 HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 783 HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 783 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#613 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#613 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#613 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#613 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 613 HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 613 HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 613 HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 613 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#753 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 753 HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 753 HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 753 HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 753 Windows Server 2008 CNG algorithms #413 Windows Vista Ultimate SP1 CNG algorithms #412 HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#737 HMAC-SHA256 ( Key Size Ranges Tested: KSVal#737 HMAC-SHA1 (Key Sizes Ranges Tested: KSvalidation number 737 HMAC-SHA256 (Key Size Ranges Tested: KSvalidation number 737 HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#618 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 618 HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 618 HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 618 HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 618 HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#589 HMAC-SHA256 ( Key Size Ranges Tested: KSBS )SHSVal#589 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#589 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#589 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 589 HMAC-SHA256 (Key Size Ranges Tested: KSBS)SHSvalidation number 589 HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 589 HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 589 HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#578 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#578 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#578 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#578 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 578 HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 578 HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 578 HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 578 HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#495 HMAC-SHA256 ( Key Size Ranges Tested: KSVal#495 HMAC-SHA1 (Key Sizes Ranges Tested: KSvalidation number 495 HMAC-SHA256 (Key Size Ranges Tested: KSvalidation number 495 Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #99 Windows XP, vendor-affirmed HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#305 HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#305 HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#305 HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#305 HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 305 HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSvalidation number 305 HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSvalidation number 305 HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSvalidation number 305 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #149 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #149 Version 10.0.16299 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #146 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #146 Version 10.0.16299 ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Full Validation Key Regeneration ) SCHEMES [ FullUnified ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ] ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Full Validation Key Regeneration) SCHEMES [FullUnified (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC)] SHS validation number 3790 Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #128 Version 10.0.15063 FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ] FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [dhEphem (KARole(s): Initiator / Responder) ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [EphemeralUnified (No_KC < KARole(s): Initiator / Responder>) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512)))] Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #127 Version 10.0.15063 FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ] FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [dhEphem (KARole(s): Initiator / Responder) ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration) SCHEMES [EphemeralUnified (No_KC < KARole(s): Initiator / Responder>) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512)))] Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #115 Version 7.00.2872 FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ] FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [dhEphem (KARole(s): Initiator / Responder) ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration) SCHEMES [EphemeralUnified (No_KC) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512)))] Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #114 Version 8.00.6246 ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Full Validation Key Regeneration ) Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #93 ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Full Validation Key Regeneration) SHS validation number 3347 ECDSA validation number 920 DRBG validation number 1222 Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #93 Version 10.0.14393 FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SHS Val# 3347 DSA Val#1098 DRBG Val#1217 ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ] SHS Val# 3347 DSA Val#1098 ECDSA Val#911 DRBG Val#1217 HMAC Val#2651 FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SHS validation number 3347 DSA validation number 1098 DRBG validation number 1217 ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration) SCHEMES [EphemeralUnified (No_KC < KARole(s): Initiator / Responder >) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512)))] SHS validation number 3347 DSA validation number 1098 ECDSA validation number 911 DRBG validation number 1217 HMAC validation number 2651 Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #92 Version 10.0.14393 FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) SHS Val# 3047 DSA Val#1024 DRBG Val#955 ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ] FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [dhEphem (KARole(s): Initiator / Responder) SHS validation number 3047 DSA validation number 1024 DRBG validation number 955 ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration) SCHEMES [EphemeralUnified (No_KC < KARole(s): Initiator / Responder >) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512)))] SHS validation number 3047 ECDSA validation number 760 DRBG validation number 955 Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #72 Version 10.0.10586 FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) SHS Val# 2886 DSA Val#983 DRBG Val#868 ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ] FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [dhEphem (KARole(s): Initiator / Responder) SHS validation number 2886 DSA validation number 983 DRBG validation number 868 ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration) SCHEMES [EphemeralUnified (No_KC < KARole(s): Initiator / Responder >) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512)))] SHS validation number 2886 ECDSA validation number 706 DRBG validation number 868 Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #64 Version 10.0.10240 FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) SHS Val#2373 DSA Val#855 DRBG Val#489 ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ] Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #47 FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [dhEphem (KARole(s): Initiator / Responder) SHS validation number 2373 DSA validation number 855 DRBG validation number 489 ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration) SCHEMES [EphemeralUnified (No_KC < KARole(s): Initiator / Responder >) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512)))] SHS validation number 2373 ECDSA validation number 505 DRBG validation number 489 Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #47 Version 6.3.9600 FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder ) ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ] FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [dhEphem (KARole(s): Initiator / Responder) ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration) SCHEMES [EphemeralUnified (No_KC < KARole(s): Initiator / Responder>) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512)))] KAS (SP 800–56A) key agreement key establishment methodology provides 80 to 256 bits of encryption strength key establishment methodology provides 80 bits to 256 bits of encryption strength Windows 7 and SP1, vendor-affirmed Windows Server 2008 R2 and SP1, vendor-affirmed K prerequisite: DRBG #1733, KAS #149 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #160 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #160 Version 10.0.16299 K prerequisite: KAS #146 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #157 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #157 Version 10.0.16299 Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #141 Version 10.0.15063 Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #140 Version 10.0.15063 CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) ) Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #102 CTR_Mode: (Llength(Min20 Max64) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA384]) LocationCounter([BeforeFixedData]) rlength([32])) KAS validation number 93 DRBG validation number 1222 MAC validation number 2661 Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #102 Version 10.0.14393 CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) ) CTR_Mode: (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32])) KAS validation number 92 AES validation number 4064 DRBG validation number 1217 MAC validation number 2651 Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #101 Version 10.0.14393 CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) ) CTR_Mode: (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32])) KAS validation number 72 AES validation number 3629 DRBG validation number 955 MAC validation number 2381 Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #72 Version 10.0.10586 CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) ) CTR_Mode: (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32])) KAS validation number 64 AES validation number 3497 RBG validation number 868 MAC validation number 2233 Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #66 Version 10.0.10240 CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) ) Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #30 CTR_Mode: (Llength(Min0 Max0) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32])) Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #30 Version 6.3.9600 CTR_Mode: ( Llength( Min0 Max4 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) ) CTR_Mode: (Llength(Min0 Max4) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32])) DRBG #258 HMAC validation number 1345 FIPS 186-2 General Purpose [ (x-Original); (SHA-1) ] [(x-Original); (SHA-1)] Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1060 Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #292 Windows CE and Windows Mobile 6.0 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #286 FIPS 186-2 FIPS 186-2 General Purpose Windows 7 and SP1 and Windows Server 2008 R2 and SP1 RNG Library #649 Windows Vista Ultimate SP1 and Windows Server 2008 RNG Implementation #435 Windows Vista RNG implementation #321 Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #470 Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #449 Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #447 Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #448 Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #314 Prerequisite: SHS #4009, DRBG #1733 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #2676 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #2676 Version 10.0.16299 Prerequisite: SHS #4009, DRBG #1730 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); RSA32 Algorithm Implementations #2674 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); RSA32 Algorithm Implementations #2674 Version 10.0.16299 Prerequisite: SHS #4009, DRBG #1730 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #2668 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #2668 Version 10.0.16299 Prerequisite: SHS #4009, DRBG #1730 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2667 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2667 Version 10.0.16299 Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #2524 Version 10.0.15063 Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile RSA32 Algorithm Implementations #2523 Version 10.0.15063 Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #2522 Version 10.0.15063 Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2521 Version 10.0.15063 FIPS186-2: FIPS186-4: Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2415 Version 7.00.2872 FIPS186-2: FIPS186-4: Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2414 Version 8.00.6246 FIPS186-2: FIPS186-4: Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2412 Version 7.00.2872 FIPS186-2: FIPS186-4: Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2411 Version 8.00.6246 FIPS186-4: SHA Val# 3347 Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2206 Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2206 Version 10.0.14393 FIPS186-4: SHA validation number 3347 DRBG: validation number 1217 Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA Key Generation Implementation #2195 Version 10.0.14393 FIPS186-4: SHA Val#3346 soft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #2194 Version 10.0.14393 FIPS186-4: SHA validation number 3347 DRBG: validation number 1217 Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #2193 Version 10.0.14393 FIPS186-4: Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) SHA validation number 3347 DRBG: validation number 1217 Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #2192 Version 10.0.14393 FIPS186-4: SHA validation number 3047 DRBG: validation number 955 Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA Key Generation Implementation #1889 Version 10.0.10586 FIPS186-4: SHA Val#3048 Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #1871 Version 10.0.10586 FIPS186-4: SHA Val# 3047 Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub MsBignum Cryptographic Implementations #1888 Version 10.0.10586 FIPS186-4: SHA Val# 3047 Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #1887 Version 10.0.10586 FIPS186-4: SHA validation number 2886 DRBG: validation number 868 Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA Key Generation Implementation #1798 Version 10.0.10240 FIPS186-4: SHA Val#2871 Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #1784 Version 10.0.10240 FIPS186-4: SHA Val#2871 Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #1783 Version 10.0.10240 FIPS186-4: SHA Val# 2886 Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #1802 Version 10.0.10240 FIPS186-4: Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 RSA Key Generation Implementation #1487 SHA validation number 2373 DRBG: validation number 489 Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 RSA Key Generation Implementation #1487 Version 6.3.9600 FIPS186-4: SHA Val#2373 Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #1494 Version 6.3.9600 FIPS186-4: SHA Val#2373 Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1493 Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1493 Version 6.3.9600 FIPS186-4: SHA Val#2373 Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #1519 Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #1519 Version 6.3.9600 FIPS186-4: Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1134. Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 1134. Windows Server 2008 R2 and SP1 CNG algorithms #567 Windows 7 and SP1 CNG algorithms #560 Windows Server 2008 CNG algorithms #358 Windows Vista SP1 CNG algorithms #357 Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #355 Windows Vista SP1 Enhanced Cryptographic Provider (RSAENH) #354 FIPS186-2: – PKCS#1 v1.5, signature generation and verification – PKCS#1 v1.5, signature generation, and verification – Mod sizes: 1024, 1536, 2048, 3072, 4096 – SHS: SHA–1/256/384/512 Windows XP, vendor-affirmed Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4009 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4009 Version 10.0.16299 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2556 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2556 Version 10.0.16299 Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2459 Version 10.0.15063 TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) TECB(KO 1 e/d); TCBC(KO 1 e/d) Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2384 Version 8.00.6246 TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) TECB(KO 1 e/d); TCBC(KO 1 e/d) Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2383 Version 8.00.6246 TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; CTR ( int only ) TECB(KO 1 e/d); TCBC(KO 1 e/d); CTR (int only) Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2382 Version 7.00.2872 TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) TECB(KO 1 e/d); TCBC(KO 1 e/d) Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2381 Version 8.00.6246 TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, ) TECB(KO 1 e/d); TCBC(KO 1 e/d); TCFB8(KO 1 e/d); TCFB64(KO 1 e/d) Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2227 Version 10.0.14393 TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, ) TECB(KO 1 e/d); TCBC(KO 1 e/d); TCFB8(KO 1 e/d); TCFB64(KO 1 e/d) Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #2024 Version 10.0.10586 TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, ) TECB(KO 1 e/d); TCBC(KO 1 e/d); TCFB8(KO 1 e/d); TCFB64(KO 1 e/d) Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #1969 Version 10.0.10240 TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, ) Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1692 TECB(KO 1 e/d); TCBC(KO 1 e/d); TCFB8(KO 1 e/d); TCFB64(KO 1 e/d) Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1692 Version 6.3.9600 TECB( e/d; KO 1,2 ) ; TCBC( e/d; KO 1,2 ) ; TCFB8( e/d; KO 1,2 ) ; TCFB64( e/d; KO 1,2 ) TECB(e/d; KO 1, 2); TCBC(e/d; KO 1, 2); TCFB8(e/d; KO 1, 2); TCFB64(e/d; KO 1, 2) TECB( e/d; KO 1,2 ) ; TCBC( e/d; KO 1,2 ) ; TCFB8( e/d; KO 1,2 ) TECB(e/d; KO 1, 2); TCBC(e/d; KO 1, 2); TCFB8(e/d; KO 1, 2) TECB( e/d; KO 1,2 ) ; TCBC( e/d; KO 1,2 ) ; TCFB8( e/d; KO 1,2 ) TECB(e/d; KO 1, 2); TCBC(e/d; KO 1, 2); TCFB8(e/d; KO 1, 2) TECB( e/d; KO 1,2 ) ; TCBC( e/d; KO 1,2 ) ; TCFB8( e/d; KO 1,2 ) TECB(e/d; KO 1, 2); TCBC(e/d; KO 1, 2); TCFB8(e/d; KO 1, 2) TECB( e/d; KO 1,2 ) ; TCBC( e/d; KO 1,2 ) ; TCFB8( e/d; KO 1,2 ) TECB(e/d; KO 1, 2); TCBC(e/d; KO 1, 2); TCFB8(e/d; KO 1, 2) Windows 7 and SP1 and Windows Server 2008 R2 and SP1 #846, vendor-affirmed TECB( e/d; KO 1,2 ) ; TCBC( e/d; KO 1,2 ) TECB(e/d; KO 1, 2); TCBC(e/d; KO 1, 2) Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1308 Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1307 Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #691 Prerequisite: DRBG #489 Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1540 Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1540 Version 6.3.9600 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1518 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1518 Version 10.0.16299 Microsoft Surface Hub MsBignum Cryptographic Implementations #1517 Microsoft Surface Hub MsBignum Cryptographic Implementations #1517 Version 10.0.15063.674 Prerequisite: DRBG #1730 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1503 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1503 Version 10.0.16299 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1502 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1502 Version 10.0.16299 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1501 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1501 Version 10.0.16299 Prerequisite: DRBG #1730 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1499 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1499 Version 10.0.16299 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1498 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1498 Version 10.0.16299 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1497 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1497 Version 10.0.16299 Prerequisite: SHS #4009, HMAC #3267 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1496 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1496 Version 10.0.16299 FIPS186-4 ECDSA Signature Generation of hash sized messages ECDSA SigGen Component: CURVES( P-256 P-384 P-521 ) ECDSA SigGen Component: CURVES(P-256 P-384 P-521) Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1284 Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1279 Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #922 Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #894 Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #894 Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #288 Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #288 Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1280 Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #893 Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #893 Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #888 Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #665 Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #665 Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #572 Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1281 Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #895 Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #895 Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #887 SP800-135 Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1496 Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1496 Version 10.0.16299 Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1278 Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BCryptPrimitives and NCryptSSLp #575 Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BCryptPrimitives and NCryptSSLp #323 Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 BCryptPrimitives and NCryptSSLp #323 C:\ProgramData\Documents\My Music\Sample Music . C:\ProgramData\Documents\My Pictures
-
-%PUBLIC% C:\Users\Public\Music\Sample Music . C:\Users\Public\Music\Sample Playlists . C:\Users\Public\Videos\Sample Videos . Manage tamper protection across your tenant | [Manage tamper protection for your organization using the Microsoft Defender Security Center](#manage-tamper-protection-for-your-organization-using-the-microsoft-defender-security-center) |
+| Turn tamper protection on (or off) for all or part of your organization using Intune Fine-tune tamper protection settings in your organization | [Manage tamper protection for your organization using Intune](#manage-tamper-protection-for-your-organization-using-intune) |
+| Turn tamper protection on (or off) for your organization with Configuration Manager | [Manage tamper protection for your organization using tenant attach with Configuration Manager, version 2006](#manage-tamper-protection-for-your-organization-with-configuration-manager-version-2006) |
+| Turn tamper protection on (or off) for an individual device | [Manage tamper protection on an individual device](#manage-tamper-protection-on-an-individual-device) |
+| View details about tampering attempts on devices | [View information about tampering attempts](#view-information-about-tampering-attempts) |
+| Review your security recommendations | [Review security recommendations](#review-your-security-recommendations) |
+| Review the list of frequently asked questions (FAQs) | [Browse the FAQs](#view-information-about-tampering-attempts) |
-2. [View information about tampering attempts](#view-information-about-tampering-attempts).
+## Manage tamper protection for your organization using the Microsoft Defender Security Center
-3. [Review your security recommendations](#review-your-security-recommendations).
+Tamper protection can be turned on or off for your tenant using the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)). Here are a few points to keep in mind:
-4. [Browse the frequently asked questions](#view-information-about-tampering-attempts).
+- Currently, the option to manage tamper protection in the Microsoft Defender Security Center is on by default for new deployments. For existing deployments, tamper protection is available on an opt-in basis, with plans to make this the default method in the near future. (To opt in, in the Microsoft Defender Security Center, choose **Settings** > **Advanced features** > **Tamper protection**.)
-## Turn tamper protection on (or off) for an individual machine
+- When you use the Microsoft Defender Security Center to manage tamper protection, you do not have to use Intune or the tenant attach method.
-> [!NOTE]
-> Tamper protection blocks attempts to modify Microsoft Defender Antivirus settings through the registry.
->
-> To help ensure that tamper protection doesn’t interfere with third-party security products or enterprise installation scripts that modify these settings, go to **Windows Security** and update **Security intelligence** to version 1.287.60.0 or later. (See [Security intelligence updates](https://www.microsoft.com/wdsi/definitions).)
->
-> Once you’ve made this update, tamper protection will continue to protect your registry settings, and will also log attempts to modify them without returning errors.
+- When you manage tamper protection in the Microsoft Defender Security Center, the setting is applied tenant wide, affecting all of your devices that are running Windows 10, Windows Server 2016, or Windows Server 2019. To fine-tune tamper protection (such as having tamper protection on for some devices but off for others), use either [Intune](#manage-tamper-protection-for-your-organization-using-intune) or [Configuration Manager with tenant attach](#manage-tamper-protection-for-your-organization-with-configuration-manager-version-2006).
-If you are a home user, or you are not subject to settings managed by a security team, you can use the Windows Security app to turn tamper protection on or off. You must have appropriate admin permissions on your machine to do this.
+- If you have a hybrid environment, tamper protection settings configured in Intune take precedence over settings configured in the Microsoft Defender Security Center.
-1. Click **Start**, and start typing *Defender*. In the search results, select **Windows Security**.
+### Requirements for managing tamper protection in the Microsoft Defender Security Center
-2. Select **Virus & threat protection** > **Virus & threat protection settings**.
+- You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations.
-3. Set **Tamper Protection** to **On** or **Off**.
+- Your Windows devices must be running one of the following versions of Windows:
+ - Windows 10
+ - [Windows Server 2019](/windows-server/get-started-19/whats-new-19)
+ - Windows Server, version [1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803) or later
+ - [Windows Server 2016](/windows-server/get-started/whats-new-in-windows-server-2016)
+ - For more information about releases, see [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information).
- Here's what you see in the Windows Security app:
+- Your devices must be [onboarded to Microsoft Defender for Endpoint](../microsoft-defender-atp/onboarding.md).
- 
+- Your devices must be using anti-malware platform version 4.18.2010.7 (or above) and anti-malware engine version 1.1.17600.5 (or above). ([Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).)
-## Turn tamper protection on (or off) for your organization using Intune
+- [Cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) must be turned on.
-If you are part of your organization's security team, and your subscription includes [Intune](https://docs.microsoft.com/intune/fundamentals/what-is-intune), you can turn tamper protection on (or off) for your organization in the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com) portal.
+### Turn tamper protection on (or off) in the Microsoft Defender Security Center
-You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations, to perform the following task.
+
-1. Make sure your organization meets all of the following requirements to manage tamper protection using Intune:
+1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
- - Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; this is included in Microsoft 365 E5.)
- - Your Windows machines must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later. (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information/) for more details about releases.)
- - You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above).
- - Your machines must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). ([Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).)
+2. Choose **Settings**.
-2. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com) and sign in with your work or school account.
+3. Go to **General** > **Advanced features**, and then turn tamper protection on.
-3. Select **Devices** > **Configuration Profiles**.
+## Manage tamper protection for your organization using Intune
-4. Create a profile as follows:
+If you are part of your organization's security team, and your subscription includes [Intune](https://docs.microsoft.com/intune/fundamentals/what-is-intune), you can turn tamper protection on (or off) for your organization in the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com) portal. Use Intune when you want to fine-tune tamper protection settings. For example, if you want to enable tamper protection on some devices, but not all, use Intune.
- - Platform: **Windows 10 and later**
+### Requirements for managing tamper protection in Intune
- - Profile type: **Endpoint protection**
+- You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations.
- - Category: **Microsoft Defender Security Center**
+- Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; Intune is included in Microsoft 365 E5.)
- - Tamper Protection: **Enabled**
+- Your Windows devices must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-health/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019) or later. (For more information about releases, see [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information).)
- 
+- You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above).
-5. Assign the profile to one or more groups.
+- Your devices must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). ([Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).)
+
+### Turn tamper protection on (or off) in Intune
+
+
+
+1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com) and sign in with your work or school account.
+
+2. Select **Devices** > **Configuration Profiles**.
+
+3. Create a profile that includes the following settings:
+ - **Platform: Windows 10 and later**
+ - **Profile type: Endpoint protection**
+ - **Category: Microsoft Defender Security Center**
+ - **Tamper Protection: Enabled**
+
+4. Assign the profile to one or more groups.
### Are you using Windows OS 1709, 1803, or 1809?
-If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), or [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), you won't see **Tamper Protection** in the Windows Security app. In this case, you can use PowerShell to determine whether tamper protection is enabled.
+If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release-health/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803), or [1809](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019), you won't see **Tamper Protection** in the Windows Security app. Instead, you can use PowerShell to determine whether tamper protection is enabled.
#### Use PowerShell to determine whether tamper protection is turned on
@@ -127,45 +152,66 @@ If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release
3. In the list of results, look for `IsTamperProtected`. (A value of *true* means tamper protection is enabled.)
-## Manage tamper protection with Configuration Manager, version 2006
+## Manage tamper protection for your organization with Configuration Manager, version 2006
-> [!IMPORTANT]
+If you're using [version 2006 of Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006), you can manage tamper protection settings on Windows 10, Windows Server 2016, and Windows Server 2019 by using a method called *tenant attach*. Tenant attach enables you to sync your on-premises-only Configuration Manager devices into the Microsoft Endpoint Manager admin center, and then deliver endpoint security configuration policies to on-premises collections & devices.
+
+
+
+> [!NOTE]
> The procedure can be used to extend tamper protection to devices running Windows 10 and Windows Server 2019. Make sure to review the prerequisites and other information in the resources mentioned in this procedure.
-If you're using [version 2006 of Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006), you can manage tamper protection settings on Windows 10 and Windows Server 2019 using tenant attach. Tenant attach enables you to sync your on-premises-only Configuration Manager devices into the Microsoft Endpoint Manager admin center, and then deliver your endpoint security configuration policies to your on-premises collections & devices.
+1. Set up tenant attach. To get help with this, see [Microsoft Endpoint Manager tenant attach: Device sync and device actions](https://docs.microsoft.com/mem/configmgr/tenant-attach/device-sync-actions).
-1. Set up tenant attach. See [Microsoft Endpoint Manager tenant attach: Device sync and device actions](https://docs.microsoft.com/mem/configmgr/tenant-attach/device-sync-actions).
+2. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint security** > **Antivirus**, and then choose **+ Create Policy**.
-> If you are not enrolled yet and would like to experience its benefits, go to Settings > General > Advanced features > Microsoft Threat Experts to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on Demand subscription.
-
-
-
-**[Centralized configuration and administration, APIs](management-apis.md)**
- Windows 10, Version 1607 and earlier: Windows 10, Version 1607 and earlier: If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether Microsoft Defender SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site). If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on. If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen. Important: Using a trustworthy browser helps ensure that these protections work as expected. Important: Using a trustworthy browser helps ensure that these protections work as expected. Windows 10, version 1703: Windows 10, Version 1607 and earlier: Administrative Templates\Microsoft Edge\SmartScreen settings\Configure Microsoft Defender SmartScreen (Microsoft Edge version 77 or later) Windows 10, version 1703: Administrative Templates\Microsoft Edge\SmartScreen settings\Configure Microsoft Defender SmartScreen (Microsoft Edge version 77 or later) Windows 10, Version 1607 and earlier: If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off. If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on. If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen. Windows 10, version 1703: Windows 10, Version 1511 and 1607: Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (Microsoft Edge version 77 or later) Windows 10, version 1703: Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (Microsoft Edge version 77 or later) Windows 10, Version 1511 and 1607: If you enable this setting, it stops employees from bypassing the warning, stopping the file download. If you disable or don't configure this setting, your employees can bypass the warnings and continue to download potentially malicious files. Windows 10, version 1703: Windows 10, Version 1511 and 1607: Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing Microsoft Defender SmartScreen prompts for sites (Microsoft Edge version 77 or later) Windows 10, version 1703: Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing Microsoft Defender SmartScreen prompts for sites (Microsoft Edge version 77 or later) Windows 10, Version 1511 and 1607: If you enable this setting, it stops employees from bypassing the warning, stopping them from going to the site. If you disable or don't configure this setting, your employees can bypass the warnings and continue to visit a potentially malicious site. Policy maintenance SRP policies must be updated by using the Local Security Policy snap-in (if the policies are created locally) or the Group Policy Management Console (GPMC). AppLocker policies can be updated by using the Local Security Policy snap-in (if the policies are created locally), or the GPMC, or the Windows PowerShell AppLocker cmdlets. AppLocker policies can be updated by using the Local Security Policy snap-in, if the policies are created locally, or the GPMC, or the Windows PowerShell AppLocker cmdlets. Policy application Enforcement mode SRP works in the “deny list mode” where administrators can create rules for files that they do not want to allow in this Enterprise whereas the rest of the file are allowed to run by default. SRP can also be configured in the “allow list mode” such that the by default all files are blocked and administrators need to create allow rules for files that they want to allow. AppLocker by default works in the “allow list mode” where only those files are allowed to run for which there is a matching allow rule. SRP works in the “deny list mode” where administrators can create rules for files that they don't want to allow in this Enterprise, but the rest of the files are allowed to run by default. SRP can also be configured in the “allow list mode” such that by default all files are blocked and administrators need to create allow rules for files that they want to allow. By default, AppLocker works in allow list mode. Only those files are allowed to run for which there's a matching allow rule. File types that can be controlled Designated file types SRP supports an extensible list of file types that are considered executable. You can add extensions for files that should be considered executable. AppLocker does not support this. AppLocker currently supports the following file extensions: AppLocker doesn't support this. AppLocker currently supports the following file extensions: Executables (.exe, .com) DLLs (.ocx, .dll) Editing the hash value SRP allows you to select a file to hash. AppLocker computes the hash value itself. Internally it uses the SHA2 Authenticode hash for Portable Executables (exe and DLL) and Windows Installers and a SHA2 flat file hash for the rest. AppLocker computes the hash value itself. Internally it uses the SHA2 Authenticode hash for Portable Executables (exe and DLL) and Windows Installers and an SHA2 flat file hash for the rest. Support for different security levels With SRP, you can specify the permissions with which an app can run. So, you can configure a rule such that notepad always runs with restricted permissions and never with administrative privileges. With SRP, you can specify the permissions with which an app can run. Then configure a rule such that Notepad always runs with restricted permissions and never with administrative privileges. SRP on Windows Vista and earlier supported multiple security levels. On Windows 7, that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed). AppLocker does not support security levels. Support for rule exceptions SRP does not support rule exceptions AppLocker rules can have exceptions which allow administrators to create rules such as “Allow everything from Windows except for Regedit.exe”. AppLocker rules can have exceptions that allow administrators to create rules such as “Allow everything from Windows except for Regedit.exe”. Support for audit mode SRP does not support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments. AppLocker supports audit mode which allows administrators to test the effect of their policy in the real production environment without impacting the user experience. Once you are satisfied with the results, you can start enforcing the policy. SRP doesn't support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments. AppLocker supports audit mode that allows administrators to test the effect of their policy in the real production environment without impacting the user experience. Once you are satisfied with the results, you can start enforcing the policy. Support for exporting and importing policies Rule enforcement Internally, SRP rules enforcement happens in the user-mode which is less secure. Internally, AppLocker rules for exes and dlls are enforced in the kernel-mode which is more secure than enforcing them in the user-mode. Internally, SRP rules enforcement happens in user-mode, which is less secure. Internally, AppLocker rules for exes and dlls are enforced in kernel-mode, which is more secure than enforcing them in the user-mode. Enforcement mode SRP works in the “deny list mode” where administrators can create rules for files that they do not want to allow in this Enterprise whereas the rest of the file are allowed to run by default. SRP works in the “deny list mode” where administrators can create rules for files that they do not want to allow in this Enterprise whereas the rest of the file is allowed to run by default. SRP can also be configured in the “allow list mode” so that by default all files are blocked and administrators need to create allow rules for files that they want to allow. AppLocker by default works in the “allow list mode” where only those files are allowed to run for which there is a matching allow rule. Support for rule exceptions SRP does not support rule exceptions. AppLocker rules can have exceptions which allow you to create rules such as “Allow everything from Windows except for regedit.exe”. AppLocker rules can have exceptions, which allow you to create rules such as “Allow everything from Windows except for regedit.exe”. Support for audit mode SRP does not support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments. AppLocker supports audit mode which allows you to test the effect of their policy in the real production environment without impacting the user experience. Once you are satisfied with the results, you can start enforcing the policy. AppLocker supports audit mode, which allows you to test the effect of their policy in the real production environment without impacting the user experience. Once you are satisfied with the results, you can start enforcing the policy. Support for exporting and importing policies Rule enforcement Internally, SRP rules enforcement happens in the user-mode which is less secure. Internally, AppLocker rules for .exe and .dll files are enforced in the kernel-mode which is more secure than enforcing them in the user-mode. Internally, SRP rules enforcement happens in the user-mode, which is less secure. Internally, AppLocker rules for .exe and .dll files are enforced in the kernel-mode, which is more secure than enforcing them in the user-mode.
\
|
+ | **[SetHomeButtonURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl)**X
- Use Microsoft Endpoint Configuration Manager for management
+Use Microsoft Endpoint Manager for management
X
X
diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md
index 280778ccb4..d2a18c7393 100644
--- a/education/windows/deploy-windows-10-in-a-school-district.md
+++ b/education/windows/deploy-windows-10-in-a-school-district.md
@@ -26,69 +26,106 @@ This guide shows you how to deploy the Windows 10 operating system in a school d
Proper preparation is essential for a successful district deployment. To avoid common mistakes, your first step is to plan a typical district configuration. Just as with building a house, you need a blueprint for what your district and individual schools should look like when it’s finished. The second step in preparation is to learn how you will manage the users, apps, and devices in your district. Just as a builder needs to have the right tools to build a house, you need the right set of tools to deploy your district.
->**Note** This guide focuses on Windows 10 deployment and management in a district. For management of other devices and operating systems in education environments, see [Manage BYOD and corporate-owned devices with MDM solutions](https://www.microsoft.com/cloud-platform/mobile-device-management).
+> [!NOTE]
+> This guide focuses on Windows 10 deployment and management in a district. For management of other devices and operating systems in education environments, see [Manage BYOD and corporate-owned devices with MDM solutions](https://www.microsoft.com/cloud-platform/mobile-device-management).
### Plan a typical district configuration
As part of preparing for your district deployment, you need to plan your district configuration — the focus of this guide. Figure 1 illustrates a typical finished district configuration that you can use as a model (the blueprint in our builder analogy) for the finished state.
-
+> [!div class="mx-imgBorder"]
+> 
*Figure 1. Typical district configuration for this guide*
A *district* consists of multiple schools, typically at different physical locations. Figure 2 illustrates a typical school configuration within the district that this guide uses.
-
+> [!div class="mx-imgBorder"]
+> 
*Figure 2. Typical school configuration for this guide*
Finally, each school consists of multiple classrooms. Figure 3 shows the classroom configuration this guide uses.
-
+> [!div class="mx-imgBorder"]
+> 
*Figure 3. Typical classroom configuration in a school*
This district configuration has the following characteristics:
* It contains one or more admin devices.
+
* It contains two or more schools.
+
* Each school contains two or more classrooms.
+
* Each classroom contains one teacher device.
+
* The classrooms connect to each other through multiple subnets.
+
* All devices in each classroom connect to a single subnet.
+
* All devices have high-speed, persistent connections to each other and to the Internet.
+
* All teachers and students have access to Microsoft Store or Microsoft Store for Business.
+
* You install a 64-bit version of Windows 10 on the admin device.
+
* You install the Windows Assessment and Deployment Kit (Windows ADK) on the admin device.
+
* You install the 64-bit version of the Microsoft Deployment Toolkit (MDT) 2013 Update 2 on the admin device.
- >**Note** In this guide, all references to MDT refer to the 64-bit version of MDT 2013 Update 2.
+
+ > [!NOTE]
+ > In this guide, all references to MDT refer to the 64-bit version of MDT 2013 Update 2.
+
* The devices use Azure AD in Office 365 Education for identity management.
+
* If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect/).
+
* Use [Intune](https://docs.microsoft.com/intune/), [Mobile Device Management for Office 365](https://support.office.com/en-us/article/Set-up-Mobile-Device-Management-MDM-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd?ui=en-US&rs=en-US&ad=US), or [Group Policy in AD DS](https://technet.microsoft.com/library/cc725828.aspx) to manage devices.
+
* Each device supports a one-student-per-device or multiple-students-per-device scenario.
+
* The devices can be a mixture of different make, model, and processor architecture (32-bit or 64-bit) or be identical.
+
* To initiate Windows 10 deployment, use a USB flash drive, DVD-ROM or CD-ROM, or Pre-Boot Execution Environment (PXE) boot.
+
* The devices can be a mixture of different Windows 10 editions, such as Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education.
Use these characteristics at a minimum as you deploy your schools. If your district deployment is less complex, you may want to review the guidance in [Deploy Windows 10 in a school](https://technet.microsoft.com/edu/windows/deploy-windows-10-in-a-school).
->**Note** This guide focuses on Intune as the mobile device management (MDM) solution. If you want to use an MDM solution other than Intune, ignore the Intune-specific content in this guide. For each section, contact your MDM provider to determine the features and management capabilities for your institution.
+> [!NOTE]
+> This guide focuses on Intune as the mobile device management (MDM) solution. If you want to use an MDM solution other than Intune, ignore the Intune-specific content in this guide. For each section, contact your MDM provider to determine the features and management capabilities for your institution.
Office 365 Education allows:
* Students and faculty to use Microsoft Office to create and edit Microsoft Word, OneNote, PowerPoint, and Excel documents in a browser.
+
* Teachers to use the [OneNote Class Notebook app](https://www.onenote.com/classnotebook) to share content and collaborate with students.
+
* Faculty to use the [OneNote Staff Notebooks app](https://www.onenote.com/staffnotebookedu) to collaborate with other teachers, the administration, and faculty.
+
* Teachers to employ Sway to create interactive educational digital storytelling.
+
* Students and faculty to use email and calendars, with mailboxes up to 50 GB per user.
+
* Faculty to use advanced email features like email archiving and legal hold capabilities.
+
* Faculty to help prevent unauthorized users from accessing documents and email by using Microsoft Azure Rights Management.
+
* Faculty to use advanced compliance tools on the unified eDiscovery pages in the Office 365 Compliance Center.
+
* Faculty to host online classes, parent–teacher conferences, and other collaboration in Skype for Business.
+
* Students and faculty to access up to 1 TB of personal cloud storage that users inside and outside the educational institution can share through OneDrive for Business.
+
* Teachers to provide collaboration in the classroom through Microsoft SharePoint Online team sites.
+
* Students and faculty to use Office 365 Video to manage videos.
+
* Students and faculty to use Yammer to collaborate through private social networking.
+
* Students and faculty to access classroom resources from anywhere on any device (including Windows 10 Mobile, iOS, and Android devices).
For more information about Office 365 Education features and an FAQ, go to [Office 365 Education plans and pricing](https://products.office.com/en-us/academic).
@@ -105,7 +142,7 @@ This guide focuses on LTI deployments to deploy the reference device. You can us
MDT includes the Deployment Workbench, a console from which you can manage the deployment of Windows 10 and your apps. You configure the deployment process in the Deployment Workbench, including the management of operating systems, device drivers, apps, and migration of user settings on existing devices.
-LTI performs deployment from a *deployment share* — a network-shared folder on the device on which you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You will learn more about MDT in the [Prepare the admin device](#prepare-the-admin-device) section.
+LTI performs deployment from a *deployment share* — a network-shared folder on the device on which you installed MDT. You can perform over-the-network deployments from the deployment share or perform deployments from a local copy of the deployment share on a USB drive or DVD. You will learn more about MDT in [Prepare the admin device](#prepare-the-admin-device), earlier in this article.
The focus of MDT is deployment, so you also need tools that help you manage your Windows 10 devices and apps. You can manage Windows 10 devices and apps with Intune, the Compliance Management feature in Office 365, or Group Policy in AD DS. You can use any combination of these tools based on your school requirements.
@@ -114,9 +151,13 @@ ZTI performs fully automated deployments using Configuration Manager and MDT. Al
The configuration process requires the following devices:
* **Admin device.** This is the device you use for your day-to-day job functions. It’s also the one you use to create and manage the Windows 10 and app deployment process. You install the Windows ADK, MDT, and the Configuration Manager Console on this device.
+
* **Reference devices.** These are the devices that you will use as a template for the faculty and student devices. You install Windows 10 and Windows desktop apps on these devices, and then capture an image (.wim file) of the devices.
+
You will have a reference device for each type of device in your district. For example, if your district has Surface, HP Stream, Dell Inspiron, and Lenovo Yoga devices, then you would have a reference device for each model. For more information about approved Windows 10 devices, see [Explore devices](https://www.microsoft.com/windows/view-all).
+
* **Faculty and staff devices.** These are the devices that the teachers, faculty, and staff use for their day-to-day job functions. You use the admin device to deploy (or upgrade) Windows 10 and apps to these devices.
+
* **Student devices.** The students will use these devices. You will use the admin device deploy (or upgrade) Windows 10 and apps to them.
The high-level process for deploying and configuring devices within individual classrooms, individual schools, and the district as a whole is as follows and illustrated in Figure 4:
@@ -139,7 +180,8 @@ The high-level process for deploying and configuring devices within individual c
9. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS–Azure AD integration.
-
+> [!div class="mx-imgBorder"]
+> 
*Figure 4. How district configuration works*
@@ -160,7 +202,7 @@ Before you select the deployment and management methods, you need to review the
|Scenario feature |Cloud-centric|On-premises and cloud|
|---|---|---|
|Identity management | Azure AD (stand-alone or integrated with on-premises AD DS) | AD DS integrated with Azure AD |
-|Windows 10 deployment | MDT only | Microsoft Endpoint Configuration Manager with MDT |
+|Windows 10 deployment | MDT only | Microsoft Endpoint Manager with MDT |
|Configuration setting management | Intune | Group Policy
Intune|
|App and update management | Intune |Microsoft Endpoint Configuration Manager
Intune|
@@ -174,14 +216,14 @@ These scenarios assume the need to support:
Some constraints exist in these scenarios. As you select the deployment and management methods for your device, keep the following constraints in mind:
* You can use Group Policy or Intune to manage configuration settings on a device but not both.
-* You can use Microsoft Endpoint Configuration Manager or Intune to manage apps and updates on a device but not both.
+* You can use Microsoft Endpoint Manager or Intune to manage apps and updates on a device but not both.
* You cannot manage multiple users on a device with Intune if the device is AD DS domain joined.
Use the cloud-centric scenario and on-premises and cloud scenario as a guide for your district. You may need to customize these scenarios, however, based on your district. As you go through the [Select the deployment methods](#select-the-deployment-methods), [Select the configuration setting management methods](#select-the-configuration-setting-management-methods), and the [Select the app and update management products](#select-the-app-and-update-management-products) sections, remember these scenarios and use them as the basis for your district.
### Select the deployment methods
-To deploy Windows 10 and your apps, you can use MDT by itself or Microsoft Endpoint Configuration Manager and MDT together. For a district, there are a few ways to deploy Windows 10 to devices. Table 2 lists the methods that this guide describes and recommends. Use this information to determine which combination of deployment methods is right for your institution.
+To deploy Windows 10 and your apps, you can use MDT by itself or Microsoft Endpoint Manager and MDT together. For a district, there are a few ways to deploy Windows 10 to devices. Table 2 lists the methods that this guide describes and recommends. Use this information to determine which combination of deployment methods is right for your institution.
-
@@ -265,7 +307,7 @@ Record the deployment methods you selected in Table 3.
|Selection | Deployment method|
|--------- | -----------------|
| |MDT by itself |
-| |Microsoft Endpoint Configuration Manager and MDT|
+| |Microsoft Endpoint Manager and MDT|
*Table 3. Deployment methods selected*
@@ -441,12 +483,12 @@ Select this method when you:
-
Microsoft Endpoint Configuration Manager and Intune (hybrid)
+Microsoft Endpoint Manager and Intune (hybrid)
Configuration Manager and Intune in the hybrid configuration allow you to support application management throughout the entire application life cycle. You can deploy, upgrade, manage multiple versions, and retire applications by using Configuration Manager, and you can manage Windows desktop and Microsoft Store applications for both institution-owned and personal devices.
Select this method when you:
-
+
+ > [!NOTE]
+ > If you have already used your current sign-in account to create a new Office 365 subscription, you will be prompted to sign in. If you want to create a new Office 365 subscription, start an In-Private Window by using one of the following methods:
+ >
+ > - In Microsoft Edge, open the Microsoft Edge app (press Ctrl+Shift+P, or click or tap More actions), and then click or tap New InPrivate window.
+ >
+ > - In Internet Explorer 11, open Internet Explorer 11 (press Ctrl+Shift+P, or click or tap Settings), click or tap Safety, and then click or tap InPrivate Browsing.
2. On the **Get started** page, in **Enter your school email address**, type your school email address, and then click **Sign up**.
@@ -631,7 +682,8 @@ Now that you have created your new Office 365 Education subscription, add the do
To make it easier for faculty and students to join your Office 365 Education subscription (or *tenant*), allow them to automatically sign up to your tenant (*automatic tenant join*). In automatic tenant join, when a faculty member or student signs up for Office 365, Office 365 automatically adds (joins) the user to your Office 365 tenant.
->**Note** By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries/regions require opt-in steps to add new users to existing Office 365 tenants. Check your country/region requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled. For more information, see [Office 365 Education Self-Sign up: Technical FAQ](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US&WT.mc_id=eml_CXM__33537_MOD_EDU_Student_Advantage_Rush).
+> [!NOTE]
+> By default, automatic tenant join is enabled in Office 365 Education, with the exception of certain areas in Europe, the Middle East, and Africa. These countries/regions require opt-in steps to add new users to existing Office 365 tenants. Check your country/region requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled. For more information, see [Office 365 Education Self-Sign up: Technical FAQ](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US&WT.mc_id=eml_CXM__33537_MOD_EDU_Student_Advantage_Rush).
Office 365 uses the domain portion of the user’s email address to know which Office 365 tenant to join. For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks:
@@ -640,7 +692,8 @@ Office 365 uses the domain portion of the user’s email address to know which O
You will always want faculty and students to join the Office 365 tenant that you created. Ensure that you perform the steps in the [Create a new Office 365 Education subscription](#create-a-new-office-365-education-subscription) and [Add domains and subdomains](#add-domains-and-subdomains) sections before you allow other faculty and students to join Office 365.
->**Note** You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours.
+> [!NOTE]
+> You cannot merge multiple tenants, so any faculty or students who create their own tenant will need to abandon their existing tenant and join yours.
By default, all new Office 365 Education subscriptions have automatic tenant join enabled, but you can enable or disable automatic tenant join by using the Windows PowerShell commands in Table 10. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins).
@@ -651,13 +704,15 @@ By default, all new Office 365 Education subscriptions have automatic tenant joi
*Table 10. Windows PowerShell commands to enable or disable automatic tenant join*
->**Note** If your institution has AD DS, then disable automatic tenant join. Instead, use Azure AD integration with AD DS to add users to your Office 365 tenant.
+> [!NOTE]
+> If your institution has AD DS, then disable automatic tenant join. Instead, use Azure AD integration with AD DS to add users to your Office 365 tenant.
### Disable automatic licensing
To reduce your administrative effort, automatically assign Office 365 Education or Office 365 Education Plus licenses to faculty and students when they sign up (automatic licensing). Automatic licensing also enables Office 365 Education or Office 365 Education Plus features that do not require administrative approval.
->**Note** By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section.
+> [!NOTE]
+> By default, automatic licensing is enabled in Office 365 Education. If you want to use automatic licensing, then skip this section and go to the next section.
Although all new Office 365 Education subscriptions have automatic licensing enabled by default, you can enable or disable it for your Office 365 tenant by using the Windows PowerShell commands in Table 11. For more information about how to run these commands, see [How can I prevent students from joining my existing Office 365 tenant](https://support.office.com/en-us/article/Office-365-Education-Self-Sign-up-Technical-FAQ-7fb1b2f9-94c2-4cbb-b01e-a6eca34261d6?ui=en-US&rs=en-US&ad=US#BKMK_PreventJoins).
@@ -678,7 +733,7 @@ The following Azure AD Premium features are not in Azure AD Basic:
* Allow designated users to manage group membership
* Dynamic group membership based on user metadata
-* Azure multifactor authentication (MFA; see [What is Azure Multi-Factor Authentication](https://azure.microsoft.com/documentation/articles/multi-factor-authentication/))
+* Azure AD Multi-Factor Authentication (MFA; see [What is Azure AD Multi-Factor Authentication](https://azure.microsoft.com/documentation/articles/multi-factor-authentication/))
* Identify cloud apps that your users run
* Self-service recovery of BitLocker
* Add local administrator accounts to Windows 10 devices
@@ -709,9 +764,11 @@ Now that you have an Office 365 subscription, you must determine how you’ll cr
In this method, you have an on-premises AD DS domain. As shown in Figure 5, the Azure AD Connector tool automatically synchronizes AD DS with Azure AD. When you add or change any user accounts in AD DS, the Azure AD Connector tool automatically updates Azure AD.
->**Note** Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](https://technet.microsoft.com/library/dn510997.aspx).
+> [!NOTE]
+> Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](https://technet.microsoft.com/library/dn510997.aspx).
-
+> [!div class="mx-imgBorder"]
+> 
*Figure 5. Automatic synchronization between AD DS and Azure AD*
@@ -721,7 +778,8 @@ For more information about how to perform this step, see the [Integrate on-premi
In this method, you have no on-premises AD DS domain. As shown in Figure 6, you manually prepare a .csv file with the student information from your source, and then manually import the information directly into Azure AD. The .csv file must be in the format that Office 365 specifies.
-
+> [!div class="mx-imgBorder"]
+> 
*Figure 6. Bulk import into Azure AD from other sources*
@@ -742,7 +800,8 @@ In this section, you selected the method for creating user accounts in your Offi
You can integrate your on-premises AD DS domain with Azure AD to provide identity management for your Office 365 tenant. With this integration, you can synchronize the users, security groups, and distribution lists in your AD DS domain with Azure AD with the Azure AD Connect tool. Users will be able to sign in to Office 365 automatically by using their email account and the same password they use to sign in to AD DS.
->**Note** If your institution does not have an on-premises AD DS domain, you can skip this section.
+> [!NOTE]
+> If your institution does not have an on-premises AD DS domain, you can skip this section.
### Select a synchronization model
@@ -752,13 +811,15 @@ You can deploy the Azure AD Connect tool:
- **On premises.** As shown in Figure 7, Azure AD Connect runs on premises, which has the advantage of not requiring a VPN connection to Azure. It does, however, require a virtual machine (VM) or physical server.
- 
+ > [!div class="mx-imgBorder"]
+ > 
*Figure 7. Azure AD Connect on premises*
- **In Azure.** As shown in Figure 8, Azure AD Connect runs on a VM in Azure AD, which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises.
- 
+ > [!div class="mx-imgBorder"]
+ > 
*Figure 8. Azure AD Connect in Azure*
@@ -815,7 +876,8 @@ In this section, you selected your synchronization model, deployed Azure AD Conn
You can bulk-import user and group accounts into your on-premises AD DS domain. Bulk-importing accounts helps reduce the time and effort needed to create users compared to creating the accounts manually in the Office 365 Admin portal. First, you select the appropriate method for bulk-importing user accounts into AD DS. Next, you create the .csv file that contains the user accounts. Finally, you use the selected method to import the .csv file into AD DS.
->**Note** If your institution doesn’t have an on-premises AD DS domain, you can skip this section.
+> [!NOTE]
+> If your institution doesn’t have an on-premises AD DS domain, you can skip this section.
### Select the bulk import method
@@ -823,7 +885,7 @@ Several methods are available to bulk-import user accounts into AD DS domains. T
|Method |Description and reason to select this method |
|-------|---------------------------------------------|
-|Ldifde.exe|This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren’t comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).|
+|Ldifde.exe|This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren't comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).|
|VBScript|This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with VBScript. For more information about using VBScript and ADSI, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx) and [ADSI Scriptomatic](https://technet.microsoft.com/scriptcenter/dd939958.aspx).|
|Windows PowerShell|This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with Window PowerShell scripting. For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).|
@@ -845,7 +907,8 @@ After you have selected your user and group account bulk import method, you’re
With the bulk-import source file finished, you’re ready to import the user and group accounts into AD DS. The steps for importing the file are slightly different for each method.
->**Note** Bulk-import your group accounts first, and then import your user accounts. Importing in this order allows you to specify group membership when you import your user accounts.
+> [!NOTE]
+> Bulk-import your group accounts first, and then import your user accounts. Importing in this order allows you to specify group membership when you import your user accounts.
For more information about how to import user accounts into AD DS by using:
@@ -865,7 +928,8 @@ You can bulk-import user and group accounts directly into Office 365, reducing t
Now that you have created your new Office 365 Education subscription, you need to create user accounts. You can add user accounts for the teachers, other faculty, and students who will use the classroom.
->**Note** If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant.
+> [!NOTE]
+> If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant.
You can use the Microsoft 365 admin center to add individual Office 365 accounts manually—a reasonable process when you’re adding only a few users. If you have many users, however, you can automate the process by creating a list of those users, and then use that list to create user accounts (that is, bulk-add users).
@@ -873,7 +937,8 @@ The bulk-add process assigns the same Office 365 Education license plan to all u
For more information about how to bulk-add users to Office 365, see [Add several users at the same time to Office 365 - Admin help](https://support.office.com/en-us/article/Add-several-users-at-the-same-time-to-Office-365-Admin-Help-1f5767ed-e717-4f24-969c-6ea9d412ca88?ui=en-US&rs=en-US&ad=US).
->**Note** If you encountered errors during bulk add, resolve them before you continue the bulk-add process. You can view the log file to see which users caused the errors, and then modify the .csv file to correct the problems. Click **Back** to retry the verification process.
+> [!NOTE]
+> If you encountered errors during bulk add, resolve them before you continue the bulk-add process. You can view the log file to see which users caused the errors, and then modify the .csv file to correct the problems. Click **Back** to retry the verification process.
The email accounts are assigned temporary passwords on creation. You must communicate these temporary passwords to your users before they can sign in to Office 365.
@@ -881,13 +946,15 @@ The email accounts are assigned temporary passwords on creation. You must commun
Assign SharePoint Online resource permissions to Office 365 security groups, not individual user accounts. For example, create one security group for faculty members and another for students. Then, you can assign unique SharePoint Online resource permissions to faculty members and a different set of permissions to students. Add or remove users from the security groups to grant or revoke access to SharePoint Online resources.
->**Note** If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant.
+> [!NOTE]
+> If your institution has AD DS, don’t create security accounts in Office 365. Instead, create the security groups in AD DS, and then use Azure AD integration to synchronize the security groups with your Office 365 tenant.
For information about creating security groups, see [Create an Office 365 Group in the admin center](https://support.office.com/en-us/article/Create-an-Office-365-Group-in-the-admin-center-74a1ef8b-3844-4d08-9980-9f8f7a36000f?ui=en-US&rs=en-001&ad=US).
You can add and remove users from security groups at any time.
->**Note** Office 365 evaluates group membership when users sign in. If you change group membership for a user, that user may have to sign out, and then sign in again for the change to take effect.
+> [!NOTE]
+> Office 365 evaluates group membership when users sign in. If you change group membership for a user, that user may have to sign out, and then sign in again for the change to take effect.
### Create email distribution groups
@@ -895,7 +962,8 @@ Microsoft Exchange Online uses an email distribution group as a single email rec
You can create email distribution groups based on job role (such as teacher, administration, or student) or specific interests (such as robotics, drama club, or soccer team). You can create any number of distribution groups, and users can be members of more than one group.
->**Note** Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until the creation process ends before you can perform the following steps.
+> [!NOTE]
+> Office 365 can take some time to complete the Exchange Online creation process. You will have to wait until the creation process ends before you can perform the following steps.
For information about creating email distribution groups, see [Create an Office 365 Group in the admin center](https://support.office.com/en-us/article/Create-an-Office-365-Group-in-the-admin-center-74a1ef8b-3844-4d08-9980-9f8f7a36000f?ui=en-US&rs=en-001&ad=US).
@@ -957,7 +1025,8 @@ After you create the Microsoft Store for Business portal, configure it by using
Now that you have created your Microsoft Store for Business portal, you’re ready to find, acquire, and distribute apps that you will add to your portal. You do this from the **Inventory** page in Microsoft Store for Business.
->**Note** Your educational institution can now use a credit card or purchase order to pay for apps in Microsoft Store for Business.
+> [!NOTE]
+> Your educational institution can now use a credit card or purchase order to pay for apps in Microsoft Store for Business.
You can deploy apps to individual users or make apps available to users through your private store. Deploying apps to individual users restricts the app to those specified users. Making apps available through your private store allows all your users to install the apps.
@@ -989,13 +1058,15 @@ Depending on your school’s requirements, you may need any combination of the f
* Upgrade institution-owned devices to Windows 10 Education.
* Deploy new instances of Windows 10 Education so that new devices have a known configuration.
->**Note** Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Microsoft Store for Business—features not available in Windows 10 Home. For more information about how to upgrade Windows 10 Home to Windows 10 Pro or Windows 10 Education, see [Windows 10 edition upgrade](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades).
+> [!NOTE]
+> Although you can use Windows 10 Home on institution-owned devices, Microsoft recommends that you use Windows 10 Pro or Windows 10 Education, instead. Windows 10 Pro and Windows 10 Education provide support for MDM, policy-based management, and Microsoft Store for Business—features not available in Windows 10 Home. For more information about how to upgrade Windows 10 Home to Windows 10 Pro or Windows 10 Education, see [Windows 10 edition upgrade](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades).
For more information about the Windows 10 editions, see [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
One other consideration is the mix of processor architectures you will support. If you can, support only 64-bit versions of Windows 10. If you have devices that can run only 32-bit versions of Windows 10, you will need to import both 64-bit and 32-bit versions of the Windows 10 editions listed above.
->**Note** On devices that have minimal system resources (such as devices with only 2 GB of memory or 32 GB of storage), use 32-bit versions of Windows 10 because 64-bit versions of Windows 10 place more stress on device system resources.
+> [!NOTE]
+> On devices that have minimal system resources (such as devices with only 2 GB of memory or 32 GB of storage), use 32-bit versions of Windows 10 because 64-bit versions of Windows 10 place more stress on device system resources.
Finally, as a best practice, minimize the number of operating systems that you deploy and manage. If possible, standardize institution-owned devices on one Windows 10 edition (such as a 64-bit version of Windows 10 Education or Windows 10 Pro). Of course, you cannot standardize personal devices on a specific operating system version or processor architecture.
@@ -1077,7 +1148,7 @@ At the end of this section, you should know the Windows 10 editions and processo
## Prepare for deployment
-Before you can deploy Windows 10 and your apps to devices, you need to prepare your MDT environment, Windows Deployment Services, and Microsoft Endpoint Configuration Manager (if you selected it to do operating system deployment in the [Select the deployment methods](#select-the-deployment-methods) section). In this section, you ensure that the deployment methods you selected in the [Select the deployment methods](#select-the-deployment-methods) section have the necessary Windows 10 editions and versions, Windows desktop apps, Microsoft Store apps, and device drivers.
+Before you can deploy Windows 10 and your apps to devices, you need to prepare your MDT environment, Windows Deployment Services, and Microsoft Endpoint Manager (if you selected it to do operating system deployment in the [Select the deployment methods](#select-the-deployment-methods) section). In this section, you ensure that the deployment methods you selected in the [Select the deployment methods](#select-the-deployment-methods) section have the necessary Windows 10 editions and versions, Windows desktop apps, Microsoft Store apps, and device drivers.
### Configure the MDT deployment share
@@ -1173,7 +1244,8 @@ For more information about how to update a deployment share, see [!IMPORTANT]
+> Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
+
As an admin, you can acquire apps from the Microsoft Store for Business and Education for your employees. Some apps are free, and some have a price. For info on app types that are supported, see [Apps in the Microsoft Store for Business](apps-in-microsoft-store-for-business.md). The following sections explain some of the settings for shopping.
## App licensing model
diff --git a/store-for-business/add-unsigned-app-to-code-integrity-policy.md b/store-for-business/add-unsigned-app-to-code-integrity-policy.md
index 24ec842c6c..fca2e9d796 100644
--- a/store-for-business/add-unsigned-app-to-code-integrity-policy.md
+++ b/store-for-business/add-unsigned-app-to-code-integrity-policy.md
@@ -3,25 +3,25 @@ title: Add unsigned app to code integrity policy (Windows 10)
description: When you want to add an unsigned app to a code integrity policy, you need to start with a code integrity policy created from a reference device.
ms.assetid: 580E18B1-2FFD-4EE4-8CC5-6F375BE224EA
ms.reviewer:
-manager: dansimp
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store, security
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
ms.topic: conceptual
ms.localizationpriority: medium
-ms.date: 10/17/2017
+ms.date: 03/10/2021
---
# Add unsigned app to code integrity policy
> [!IMPORTANT]
-> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) will be available for consumption starting mid-September 2020, and you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service between September and December 2020.
+> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by the end of December 2020.
>
> Following are the major changes we are making to the service:
-> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets will be available as a NuGet download.
+> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/.
> - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it).
> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files.
>
@@ -32,7 +32,7 @@ ms.date: 10/17/2017
> - Download root cert
> - Download history of your signing operations
>
-> We will share detailed instructions and NuGet location before mid-September 2020. For any questions, please contact us at DGSSMigration@microsoft.com for more information on migration.
+> For any questions, please contact us at DGSSMigration@microsoft.com.
**Applies to**
@@ -62,7 +62,7 @@ Before you get started, be sure to review these best practices and requirements:
**Best practices**
-- **Naming convention** -- Using a naming convention makes it easier to find deployed catalog files. We'll use \*-Contoso.cat as the naming convention in this topic. For more information, see the section Inventorying catalog files by using Microsoft Endpoint Configuration Manager in the [Device Guard deployment guide](https://docs.microsoft.com/windows/device-security/device-guard/device-guard-deployment-guide).
+- **Naming convention** -- Using a naming convention makes it easier to find deployed catalog files. We'll use \*-Contoso.cat as the naming convention in this topic. For more information, see the section Inventorying catalog files by using Microsoft Endpoint Manager in the [Device Guard deployment guide](https://docs.microsoft.com/windows/device-security/device-guard/device-guard-deployment-guide).
- **Where to deploy code integrity policy** -- The [code integrity policy that you created](#create-ci-policy) should be deployed to the system on which you are running Package Inspector. This will ensure that the code integrity policy binaries are trusted.
Copy the commands for each step into an elevated Windows PowerShell session. You'll use Package Inspector to find and trust all binaries in the app.
@@ -99,7 +99,7 @@ After you're done, the files are saved to your desktop. You still need to sign t
## Catalog signing with Device Guard signing portal
-To sign catalog files with the Device Guard signing portal, you need to be signed up with the Microsoft Store for Business. For more information, see [Sign up for the Microsoft Store for Business](sign-up-microsoft-store-for-business.md).
+To sign catalog files with the Device Guard signing portal, you need to be signed up with the Microsoft Store for Business.
Catalog signing is a vital step to adding your unsigned apps to your code integrity policy.
@@ -117,4 +117,4 @@ Catalog signing is a vital step to adding your unsigned apps to your code integr
When you use the Device Guard signing portal to sign a catalog file, the signing certificate is added to the default policy. When you download the signed catalog file, you should also download the default policy and merge this code integrity policy with your existing code integrity policies to protect machines running the catalog file. You need to do this step to trust and run your catalog files. For more information, see the Merging code integrity policies in the [Device Guard deployment guide](https://docs.microsoft.com/windows/device-security/device-guard/device-guard-deployment-guide).
6. Open the root certificate that you downloaded, and follow the steps in **Certificate Import wizard** to install the certificate in your machine's certificate store.
-7. Deploy signed catalogs to your managed devices. For more information, see Deploy catalog files with Group Policy, or Deploy catalog files with Microsoft Endpoint Configuration Manager in the [Device Guard deployment guide](https://docs.microsoft.com/windows/device-security/device-guard/device-guard-deployment-guide).
+7. Deploy signed catalogs to your managed devices. For more information, see Deploy catalog files with Group Policy, or Deploy catalog files with Microsoft Endpoint Manager in the [Device Guard deployment guide](https://docs.microsoft.com/windows/device-security/device-guard/device-guard-deployment-guide).
diff --git a/store-for-business/device-guard-signing-portal.md b/store-for-business/device-guard-signing-portal.md
index a3e5be63f9..a891ecd541 100644
--- a/store-for-business/device-guard-signing-portal.md
+++ b/store-for-business/device-guard-signing-portal.md
@@ -18,10 +18,10 @@ ms.date: 10/17/2017
# Device Guard signing
> [!IMPORTANT]
-> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) will be available for consumption starting mid-September 2020, and you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service between September and December 2020.
+> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by the end of December 2020.
>
> Following are the major changes we are making to the service:
-> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets will be available as a NuGet download.
+> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/.
> - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it).
> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files.
>
@@ -32,7 +32,7 @@ ms.date: 10/17/2017
> - Download root cert
> - Download history of your signing operations
>
-> We will share detailed instructions and NuGet location before mid-September 2020. For any questions, please contact us at DGSSMigration@microsoft.com for more information on migration.
+> For any questions, please contact us at DGSSMigration@microsoft.com.
**Applies to**
diff --git a/store-for-business/distribute-offline-apps.md b/store-for-business/distribute-offline-apps.md
index 33b58da4ab..8a5ead4fe6 100644
--- a/store-for-business/distribute-offline-apps.md
+++ b/store-for-business/distribute-offline-apps.md
@@ -18,10 +18,10 @@ ms.date: 10/17/2017
# Distribute offline apps
-**Applies to**
+**Applies to:**
-- Windows 10
-- Windows 10 Mobile
+- Windows 10
+- Windows 10 Mobile
Offline licensing is a new licensing option for Windows 10 with Microsoft Store for Business and Microsoft Store for Education. With offline licenses, organizations can download apps and their licenses to deploy within their network, or on devices that are not connected to the Internet. ISVs or devs can opt-in their apps for offline licensing when they submit them to the Windows Dev Center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Microsoft Store for Business and Microsoft Store for Education. This model allows organizations to deploy apps when users or devices do not have connectivity to the Store.
@@ -29,23 +29,23 @@ Offline licensing is a new licensing option for Windows 10 with Microsoft Store
Offline-licensed apps offer an alternative to online apps, and provide additional deployment options. Some reasons to use offline-licensed apps:
-- **You don't have access to Microsoft Store services** - If your employees don't have access to the internet and Microsoft Store services, downloading offline-licensed apps and deploying them with imaging is an alternative to online-licensed apps.
+- **You don't have access to Microsoft Store services** - If your employees don't have access to the Internet and Microsoft Store services, downloading offline-licensed apps and deploying them with imaging is an alternative to online-licensed apps.
-- **You use imaging to manage devices in your organization** - Offline-licensed apps can be added to images and deployed with Deployment Image Servicing and Management (DISM), or Windows Imaging and Configuration Designer (ICD).
+- **You use imaging to manage devices in your organization** - Offline-licensed apps can be added to images and deployed with Deployment Image Servicing and Management (DISM), or Windows Imaging and Configuration Designer (ICD).
-- **Your employees do not have Azure Active Directory (AD) accounts** - Azure AD accounts are required for employees that install apps assigned to them from Microsoft Store or that claim apps from a private store.
+- **Your employees do not have Azure Active Directory (AD) accounts** - Azure AD accounts are required for employees that install apps assigned to them from Microsoft Store or that claim apps from a private store.
## Distribution options for offline-licensed apps
You can't distribute offline-licensed apps directly from Microsoft Store. Once you download the items for the offline-licensed app, you have options for distributing the apps:
-- **Deployment Image Servicing and Management**. DISM is a command-line tool that is used to mount and service Microsoft Windows images before deployment. You can also use DISM to install, uninstall, configure, and update Windows features, packages, drivers, and international settings in a .wim file or VHD using the DISM servicing commands. DISM commands are used on offline images. For more information, see [Deployment Image Servicing and Management](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows).
+- **Deployment Image Servicing and Management**. DISM is a command-line tool that is used to mount and service Microsoft Windows images before deployment. You can also use DISM to install, uninstall, configure, and update Windows features, packages, drivers, and international settings in a .wim file or VHD using the DISM servicing commands. DISM commands are used on offline images. For more information, see [Deployment Image Servicing and Management](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows).
-- **Create provisioning package**. You can use Windows Imaging and Configuration Designer (ICD) to create a provisioning package for your offline app. Once you have the package, there are options to [apply the provisioning package](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-apply-package). For more information, see [Provisioning Packages for Windows 10](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-packages).
+- **Create provisioning package**. You can use Windows Imaging and Configuration Designer (ICD) to create a provisioning package for your offline app. Once you have the package, there are options to [apply the provisioning package](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-apply-package). For more information, see [Provisioning Packages for Windows 10](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-packages).
-- **Mobile device management provider or management server.** You can use a mobile device management (MDM) provider or management server to distribute offline apps. For more information, see these topics:
+- **Mobile device management provider or management server.** You can use a mobile device management (MDM) provider or management server to distribute offline apps. For more information, see these topics:
- [Manage apps from Microsoft Store for Business with Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
- - [Manage apps from Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/manage-apps-you-purchased-from-the-windows-store-for-business-with-microsoft-intune)
+ - [Manage apps from Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/mem/intune/apps/windows-store-for-business)
For third-party MDM providers or management servers, check your product documentation.
@@ -53,23 +53,22 @@ For third-party MDM providers or management servers, check your product document
There are several items to download or create for offline-licensed apps. The app package and app license are required; app metadata and app frameworks are optional. This section includes more info on each item, and tells you how to download an offline-licensed app.
-- **App metadata** - App metadata is optional. The metadata includes app details, links to icons, product id, localized product ids, and other items. Devs who plan to use an app as part of another app or tool, might want the app metadata.
+- **App metadata** - App metadata is optional. The metadata includes app details, links to icons, product id, localized product ids, and other items. Devs who plan to use an app as part of another app or tool, might want the app metadata.
-- **App package** - App packages are required for distributing offline apps. There are app packages for different combinations of app platform and device architecture. You'll need to know what device architectures you have in your organization to know if there are app packages to support your devices.
+- **App package** - App packages are required for distributing offline apps. There are app packages for different combinations of app platform and device architecture. You'll need to know what device architectures you have in your organization to know if there are app packages to support your devices.
-- **App license** - App licenses are required for distributing offline apps. Use encoded licenses when you distribute offline-licensed apps using a management tool or ICD. Use unencoded licenses when you distribute offline-licensed apps using DISM.
+- **App license** - App licenses are required for distributing offline apps. Use encoded licenses when you distribute offline-licensed apps using a management tool or ICD. Use unencoded licenses when you distribute offline-licensed apps using DISM.
-- **App frameworks** - App frameworks are optional. If you already have the required framework, you don't need to download another copy. The Store for Business will select the app framework needed for the app platform and architecture that you selected.
+- **App frameworks** - App frameworks are optional. If you already have the required framework, you don't need to download another copy. The Store for Business will select the app framework needed for the app platform and architecture that you selected.
-
-**To download an offline-licensed app**
+**To download an offline-licensed app**
-1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/) or [Microsoft Store for Education](https://educationstore.microsoft.com).
-2. Click **Manage**.
-3. Click **Settings**.
-4. Click **Shop**. Search for the **Shopping experience** section, change the License type to **Offline**, and click **Get the app**, which will add the app to your inventory.
-5. Click **Manage**. You now have access to download the appx bundle package metadata and license file.
-6. Go to **Products & services**, and select **Apps & software**. (The list may be empty, but it will auto-populate after some time.)
+1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/) or [Microsoft Store for Education](https://educationstore.microsoft.com).
+2. Click **Manage**.
+3. Click **Settings**.
+4. Click **Shop**. Search for the **Shopping experience** section, change the License type to **Offline**, and click **Get the app**, which will add the app to your inventory.
+5. Click **Manage**. You now have access to download the appx bundle package metadata and license file.
+6. Go to **Products & services**, and select **Apps & software**. (The list may be empty, but it will auto-populate after some time.)
- **To download app metadata**: Choose the language for the app metadata, and then click **Download**. Save the downloaded app metadata. This is optional.
- **To download app package**: Click to expand the package details information, choose the Platform and Architecture combination that you need for your organization, and then click **Download**. Save the downloaded app package. This is required.
@@ -78,16 +77,3 @@ There are several items to download or create for offline-licensed apps. The app
> [!NOTE]
> You need the framework to support your app package, but if you already have a copy, you don't need to download it again. Frameworks are backward compatible.
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/store-for-business/includes/store-for-business-content-updates.md b/store-for-business/includes/store-for-business-content-updates.md
new file mode 100644
index 0000000000..dbee2e62f1
--- /dev/null
+++ b/store-for-business/includes/store-for-business-content-updates.md
@@ -0,0 +1,10 @@
+
+
+
+
+## Week of March 15, 2021
+
+
+| Published On |Topic title | Change |
+|------|------------|--------|
+| 3/17/2021 | [Roles and permissions in Microsoft Store for Business and Education (Windows 10)](/microsoft-store/roles-and-permissions-microsoft-store-for-business) | modified |
diff --git a/store-for-business/index.md b/store-for-business/index.md
index 9ec42cc879..ff6016354d 100644
--- a/store-for-business/index.md
+++ b/store-for-business/index.md
@@ -2,21 +2,20 @@
title: Microsoft Store for Business and Education (Windows 10)
description: Welcome to the Microsoft Store for Business and Education. You can use Microsoft Store, to find, acquire, distribute, and manage apps for your organization or school.
ms.assetid: 527E611E-4D47-44F0-9422-DCC2D1ACBAB8
-manager: dansimp
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
ms.topic: conceptual
ms.localizationpriority: high
-ms.date: 05/14/2020
+ms.date: 03/10/2021
---
# Microsoft Store for Business and Education
-
**Applies to**
- Windows 10
@@ -24,6 +23,11 @@ ms.date: 05/14/2020
Welcome to the Microsoft Store for Business and Education! You can use Microsoft Store to find, acquire, distribute, and manage apps for your organization or school.
+> [!IMPORTANT]
+> Starting April 14, 2021, all apps that charge a base price above free will no longer be available to buy in the Microsoft Store for Business and Education. If you’ve already bought a paid app, you can still use it, but no new purchases will be possible from businessstore.microsoft.com or educationstore.microsoft.com. Also, you won’t be able to buy additional licenses for apps you already bought. You can still assign and reassign licenses for apps that you already own and use the private store. Apps with a base price of “free” will still be available. This change doesn’t impact apps in the Microsoft Store on Windows 10.
+>
+> Also starting April 14, 2021, you must sign in with your Azure Active Directory (Azure AD) account before you browse Microsoft Store for Business and Education.
+
## In this section
| Topic | Description |
diff --git a/store-for-business/microsoft-store-for-business-overview.md b/store-for-business/microsoft-store-for-business-overview.md
index 4b9707b563..69f8d80a62 100644
--- a/store-for-business/microsoft-store-for-business-overview.md
+++ b/store-for-business/microsoft-store-for-business-overview.md
@@ -3,16 +3,16 @@ title: Microsoft Store for Business and Microsoft Store for Education overview (
description: With Microsoft Store for Business and Microsoft Store for Education, organizations and schools can make volume purchases of Windows apps.
ms.assetid: 9DA71F6B-654D-4121-9A40-D473CC654A1C
ms.reviewer:
-manager: dansimp
ms.prod: w10
ms.pagetype: store, mobile
ms.mktglfcycl: manage
ms.sitesec: library
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
ms.topic: conceptual
ms.localizationpriority: medium
-ms.date: 10/17/2017
+ms.date: 03/10/2021
---
# Microsoft Store for Business and Microsoft Store for Education overview
@@ -22,7 +22,13 @@ ms.date: 10/17/2017
- Windows 10
- Windows 10 Mobile
-Designed for organizations, Microsoft Store for Business and Microsoft Store for Education give IT decision makers and administrators in businesses or schools a flexible way to find, acquire, manage, and distribute free and paid apps in select markets to Windows 10 devices in volume. IT administrators can manage Microsoft Store apps and private line-of-business apps in one inventory, plus assign and re-use licenses as needed. You can choose the best distribution method for your organization: directly assign apps to individuals and teams, publish apps to private pages in Microsoft Store, or connect with management solutions for more options.
+> [!IMPORTANT]
+> Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
+
+Designed for organizations, Microsoft Store for Business and Microsoft Store for Education give IT decision makers and administrators in businesses or schools a flexible way to find, acquire, manage, and distribute free and paid apps in select markets to Windows 10 devices in volume. IT administrators can manage Microsoft Store apps and private line-of-business apps in one inventory, plus assign and re-use licenses as needed. You can choose the best distribution method for your organization: directly assign apps to individuals and teams, publish apps to private pages in Microsoft Store, or connect with management solutions for more options.
+
+> [!IMPORTANT]
+> Customers who are in the Office 365 GCC environment or are eligible to buy with government pricing cannot use Microsoft Store for Business.
## Features
Organizations or schools of any size can benefit from using Microsoft Store for Business or Microsoft Store for Education:
@@ -77,8 +83,6 @@ While not required, you can use a management tool to distribute and manage apps.
The first step for getting your organization started with Store for Business and Education is signing up. Sign up using an existing account (the same one you use for Office 365, Dynamics 365, Intune, Azure, etc.) or we’ll quickly create an account for you. You must be a Global Administrator for your organization.
-For more information, see [Sign up for Store for Business and Education](sign-up-microsoft-store-for-business.md).
-
## Set up
After your admin signs up for the Store for Business and Education, they can assign roles to other employees in your company or school. The admin needs Azure AD User Admin permissions to assign Microsoft Store for Business and Education roles. These are the roles and their permissions.
diff --git a/store-for-business/prerequisites-microsoft-store-for-business.md b/store-for-business/prerequisites-microsoft-store-for-business.md
index 9d5a58c992..46b104c6f6 100644
--- a/store-for-business/prerequisites-microsoft-store-for-business.md
+++ b/store-for-business/prerequisites-microsoft-store-for-business.md
@@ -3,16 +3,16 @@ title: Prerequisites for Microsoft Store for Business and Education (Windows 10)
description: There are a few prerequisites for using Microsoft Store for Business or Microsoft Store for Education.
ms.assetid: CEBC6870-FFDD-48AD-8650-8B0DC6B2651D
ms.reviewer:
-manager: dansimp
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
ms.topic: conceptual
ms.localizationpriority: medium
-ms.date: 10/13/2017
+ms.date: 03/10/2021
---
# Prerequisites for Microsoft Store for Business and Education
@@ -22,6 +22,12 @@ ms.date: 10/13/2017
- Windows 10
- Windows 10 Mobile
+> [!IMPORTANT]
+> Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
+
+> [!IMPORTANT]
+> Customers who are in the Office 365 GCC environment or are eligible to buy with government pricing cannot use Microsoft Store for Business.
+
There are a few prerequisites for using Microsoft Store for Business or Microsoft Store for Education.
## Prerequisites
diff --git a/store-for-business/roles-and-permissions-microsoft-store-for-business.md b/store-for-business/roles-and-permissions-microsoft-store-for-business.md
index 2163e6379a..5bab3cb32a 100644
--- a/store-for-business/roles-and-permissions-microsoft-store-for-business.md
+++ b/store-for-business/roles-and-permissions-microsoft-store-for-business.md
@@ -4,19 +4,28 @@ description: The first person to sign in to Microsoft Store for Business or Micr
keywords: roles, permissions
ms.assetid: CB6281E1-37B1-4B8B-991D-BC5ED361F1EE
ms.reviewer:
-manager: dansimp
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
ms.topic: conceptual
ms.localizationpriority: medium
-ms.date: 03/01/2019
+ms.date: 03/16/2021
---
# Roles and permissions in Microsoft Store for Business and Education
+
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
+> [!IMPORTANT]
+> Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
+
The first person to sign in to Microsoft Store for Business or Microsoft Store for Education must be a Global Admin of the Azure Active Directory (AD) tenant. Once the Global Admin has signed in, they can give permissions to others employees.
Microsoft Store for Business and Education has a set of roles that help admins and employees manage access to apps and tasks for Microsoft Store. Employees with these roles will need to use their Azure AD account to access the Store. Global Administrators and global user accounts that are used with other Microsoft services, such as Azure, or Office 365 can sign in to Microsoft Store. Global user accounts have some permissions in Microsoft Store, and Microsoft Store has a set of roles that help IT admins and employees manage access to apps and tasks for Microsoft Store.
@@ -27,62 +36,65 @@ This table lists the global user accounts and the permissions they have in Micro
| | Global Administrator | Billing Administrator |
| ------------------------------ | --------------------- | --------------------- |
-| Sign up for Microsoft Store for Business and Education | X |
-| Modify company profile settings | X | |
-| Purchase apps | X | X |
+| Sign up for Microsoft Store for Business and Education | X | X |
+| Modify company profile settings | X | X |
+| Purchase apps | X | X |
| Distribute apps | X | X |
| Purchase subscription-based software | X | X |
-
-**Global Administrator** - IT Pros with this account have full access to Microsoft Store. They can do everything allowed in the Microsoft Store Admin role, plus they can sign up for Microsoft Store.
+- **Global Administrator** and **Billing Administrator** - IT Pros with these accounts have full access to Microsoft Store. They can do everything allowed in the Microsoft Store Admin role, plus they can sign up for Microsoft Store.
-**Billing Administrator** - IT Pros with this account have the same permissions as Microsoft Store Purchaser role.
+## Microsoft Store roles and permissions
-## Billing account roles and permissions
-There are a set of roles, managed at your billing account level, that help IT admins and employees manage access to and tasks for Microsoft Store. Employees with these roles will need to use their Azure AD account to access Microsoft Store for Business.
+Microsoft Store for Business has a set of roles that help IT admins and employees manage access to apps and tasks for Microsoft Store. Employees with these roles will need to use their Azure AD account to access Microsoft Store.
This table lists the roles and their permissions.
-| Role | Buy from
Microsoft Store | Assign
roles | Edit
account | Sign
agreements | View
account |
-| ------------------------| ------ | -------- | ------ | -------| -------- |
-| Billing account owner | X | X | X | X | X |
-| Billing account contributor | | | X | X | X |
-| Billing account reader | | | | | X |
-| Signatory | | | | X | X |
+| | Admin | Purchaser | Device Guard signer |
+| ------------------------------ | ------ | -------- | ------------------- |
+| Assign roles | X | | |
+| Manage Microsoft Store for Business and Education settings | X | | |
+| Acquire apps | X | X | |
+| Distribute apps | X | X | |
+| Sign policies and catalogs | X | | |
+| Sign Device Guard changes | X | | X |
-
-## Purchasing roles and permissions
-There are also a set of roles for purchasing and managing items bought.
-This table lists the roles and their permissions.
-
-| Role | Buy from
Microsoft Store | Manage all items | Manage items
I buy |
-| ------------| ------ | -------- | ------ |
-| Purchaser | X | X | |
-| Basic purchaser | X | | X |
-
-## Assign roles
**To assign roles to people**
-1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com).
+1. Sign in to Microsoft Store for Business or Microsoft Store for Education.
>[!Note]
- >You need to be a Global Administrator, or have the Billing account owner role to access **Permissions**.
-
-2. Select **Manage**, and then select **Permissions**.
-3. On **Roles**, or **Purchasing roles**, select **Assign roles**.
-4. Enter a name, choose the role you want to assign, and select **Save**.
- If you don't find the name you want, you might need to add people to your Azure AD directory. For more information, see [Manage user accounts](manage-users-and-groups-microsoft-store-for-business.md).
+ >You need to be a Global Administrator, or have the Microsoft Store Admin role to access the **Permissions** page.
+
+ To assign roles, you need to be a Global Administrator or a Store Administrator.
+
+2. Click **Settings**, and then choose **Permissions**.
+
+ OR
+
+ Click **Manage**, and then click **Permissions** on the left-hand menu.
+
+
+
+3. Click **Add people**, type a name, choose the role you want to assign, and click **Save**.
+
+
+
+4. If you don't find the name you want, you might need to add people to your Azure AD directory. For more information, see [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-microsoft-store-for-business.md).
\ No newline at end of file
diff --git a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md
index e0acead8f1..6512584c76 100644
--- a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md
+++ b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md
@@ -18,10 +18,10 @@ ms.date: 10/17/2017
# Sign code integrity policy with Device Guard signing
> [!IMPORTANT]
-> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) will be available for consumption starting mid-September 2020, and you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service between September and December 2020.
+> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by the end of December 2020.
>
> Following are the major changes we are making to the service:
-> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets will be available as a NuGet download.
+> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/.
> - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it).
> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files.
>
@@ -32,7 +32,7 @@ ms.date: 10/17/2017
> - Download root cert
> - Download history of your signing operations
>
-> We will share detailed instructions and NuGet location before mid-September 2020. For any questions, please contact us at DGSSMigration@microsoft.com for more information on migration.
+> For any questions, please contact us at DGSSMigration@microsoft.com.
**Applies to**
diff --git a/store-for-business/sign-up-microsoft-store-for-business-overview.md b/store-for-business/sign-up-microsoft-store-for-business-overview.md
index 68548aeb8b..1ee40ab070 100644
--- a/store-for-business/sign-up-microsoft-store-for-business-overview.md
+++ b/store-for-business/sign-up-microsoft-store-for-business-overview.md
@@ -3,16 +3,16 @@ title: Sign up and get started (Windows 10)
description: IT admins can sign up for the Microsoft Store for Business or Microsoft Store for Education and get started working with apps.
ms.assetid: 87C6FA60-3AB9-4152-A85C-6A1588A20C7B
ms.reviewer:
-manager: dansimp
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
ms.topic: conceptual
ms.localizationpriority: medium
-ms.date: 10/03/2019
+ms.date: 03/10/2021
---
# Sign up and get started
@@ -24,13 +24,15 @@ ms.date: 10/03/2019
IT admins can sign up for Microsoft Store for Business and Education, and get started working with apps.
+> [!IMPORTANT]
+> Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
+
## In this section
| Topic | Description |
| ----- | ----------- |
| [Microsoft Store for Business and Education overview](windows-store-for-business-overview.md) | Learn about Microsoft Store for Business. |
| [Prerequisites for Microsoft Store for Business and Education](https://docs.microsoft.com/microsoft-store/prerequisites-microsoft-store-for-business) | There are a few prerequisites for using Microsoft Store for Business and Education.](https://docs.microsoft.com/microsoft-store/prerequisites-microsoft-store-for-business) |
-| [Sign up for Microsoft Store for Business or Microsoft Store for Education](https://docs.microsoft.com/microsoft-store/sign-up-microsoft-store-for-business) | Before you sign up for Store for Business and Education, at a minimum, you'll need an Azure Active Directory (AD) or Office 365 account for your organization, and you'll need to be the global administrator for your organization. If your organization is already using Azure AD, you can go ahead and sign up for Store for Business. If not, we'll help you create an Azure AD or Office 365 account and directory as part of the sign up process. |
| [Roles and permissions in Microsoft Store for Business and Education](https://docs.microsoft.com/microsoft-store/roles-and-permissions-microsoft-store-for-business)| The first person to sign in to Microsoft Store for Business and Education must be a Global Admin of the Azure Active Directory (AD) tenant. Once the Global Admin has signed in, they can give permissions to others employees. |
| [Settings reference: Microsoft Store for Business and Education](https://docs.microsoft.com/microsoft-store/settings-reference-microsoft-store-for-business) | Microsoft Store for Business and Education has a group of settings that admins use to manage the store. |
diff --git a/store-for-business/sign-up-microsoft-store-for-business.md b/store-for-business/sign-up-microsoft-store-for-business.md
deleted file mode 100644
index 42f4df57b1..0000000000
--- a/store-for-business/sign-up-microsoft-store-for-business.md
+++ /dev/null
@@ -1,105 +0,0 @@
----
-title: Sign up for Microsoft Store for Business or Microsoft Store for Education (Windows 10)
-description: Before you sign up for Microsoft Store for Business or Microsoft Store for Education, at a minimum, you'll need an Azure Active Directory (AD) account for your organization, and you'll need to be the global administrator for your organization.
-ms.assetid: 296AAC02-5C79-4999-B221-4F5F8CEA1F12
-ms.reviewer:
-manager: dansimp
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
-ms.topic: conceptual
-ms.localizationpriority: medium
-ms.date: 10/17/2017
----
-
-# Sign up for Microsoft Store for Business or Microsoft Store for Education
-
-
-**Applies to**
-
-- Windows 10
-- Windows 10 Mobile
-
-Before you sign up for Microsoft Store for Business or Microsoft Store for Education, you'll need an Azure Active Directory (AD) or Office 365 account for your organization, and you'll need to be the global administrator for your organization. If your organization is already using Azure AD, you can go ahead and sign up for Microsoft Store for Business or Microsoft Store for Education. If not, we'll help you create an Azure AD or Office 365 account and directory as part of the sign up process.
-
-## Sign up for Microsoft Store
-
-
-Before signing up for Microsoft Store, make sure you're the global administrator for your organization.
-
-**To sign up for Microsoft Store**
-
-1. Go to [https://www.microsoft.com/business-store](https://www.microsoft.com/business-store), or [https://www.microsoft.com/education-store](https://www.microsoft.com/education-store) and click **Sign up**.
-
- - If you start Microsoft Store sign-up process, and don't have an Azure AD directory for your organization, we'll help you create one. For more info, see [Sign up for Azure AD accounts](#o365-welcome).
-
-
-
- - If you already have an Azure AD directory, you'll [sign in to Store for Business](#sign-in), and then accept Store for Business terms.
-
- 
-
- **To sign up for Azure AD accounts through Office 365 for Business**
-
- - Signing up for Microsoft Store will create an Azure AD directory and global administrator account for you. There are just a few steps.
-
- Step 1: About you.
-
- Type the required info and click **Next.**
-
- 
-
- - Step 2: Create an ID.
-
- We'll use info you provided on the previous page to build your user ID. Check the info and click **Next**.
-
- 
-
- - Step 3: You're in.
-
- Let us know how you'd like to receive a verification code, and click either **Text me**, or **Call me**. We'll send you a verification code
-
- 
-
- - Verification.
-
- Type your verification code and click **Create my account**.
-
- 
-
- - Save this info.
-
- Be sure to save the portal sign-in page and your user ID info. Click **You're ready to go**.
-
- 
-
- - At this point, you'll have an Azure AD directory created with one user account. That user account is the global administrator. You can use that account to sign in to Store for Business.
-
-2. Sign in with your Azure AD account.
-
- 
-
-3. Read through and accept Microsoft Store for Business and Education terms.
-
-4. Welcome to the Store for Business. Click **Next** to continue.
-
- 
-
-## Next steps
-
-After signing up for Microsoft Store for Business or Microsoft Store for Education, you can:
-
-- **Add users to your Azure AD directory**. If you created your Azure AD directory during sign up, additional user accounts are required for employees to install apps you assign to them, or to browse the private store in Store app. For more information, see [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-microsoft-store-for-business.md).
-- **Assign roles to employees**. For more information, see [Roles and permissions in Microsoft Store for Business and Education](roles-and-permissions-microsoft-store-for-business.md).
-
-
-
-
-
-
-
-
-
diff --git a/windows/access-protection/docfx.json b/windows/access-protection/docfx.json
index 9df4554e37..3f6ef46e23 100644
--- a/windows/access-protection/docfx.json
+++ b/windows/access-protection/docfx.json
@@ -40,7 +40,16 @@
"depot_name": "MSDN.win-access-protection",
"folder_relative_path_in_docset": "./"
}
- }
+ },
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
},
"fileMetadata": {},
"template": [],
diff --git a/windows/application-management/app-v/appv-connect-to-the-management-console.md b/windows/application-management/app-v/appv-connect-to-the-management-console.md
index 009019e015..dd38c101dd 100644
--- a/windows/application-management/app-v/appv-connect-to-the-management-console.md
+++ b/windows/application-management/app-v/appv-connect-to-the-management-console.md
@@ -1,7 +1,7 @@
---
title: How to connect to the Management Console (Windows 10)
description: In this article, learn the procedure for connecting to the App-V Management Console through your web browser.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-connection-group-virtual-environment.md b/windows/application-management/app-v/appv-connection-group-virtual-environment.md
index a16ae77ec8..743c824815 100644
--- a/windows/application-management/app-v/appv-connection-group-virtual-environment.md
+++ b/windows/application-management/app-v/appv-connection-group-virtual-environment.md
@@ -1,7 +1,7 @@
---
title: About the connection group virtual environment (Windows 10)
description: Learn how the connection group virtual environment works and how package priority is determined.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md
index 60c1c72c77..36691ab472 100644
--- a/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md
+++ b/windows/application-management/app-v/appv-convert-a-package-created-in-a-previous-version-of-appv.md
@@ -1,7 +1,7 @@
---
title: How to convert a package created in a previous version of App-V (Windows 10)
description: Use the package converter utility to convert a virtual application package created in a previous version of App-V.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md
index 312adeb09b..62787b9a7c 100644
--- a/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md
+++ b/windows/application-management/app-v/appv-create-a-connection-group-with-user-published-and-globally-published-packages.md
@@ -1,7 +1,7 @@
---
title: How to create a connection croup with user-published and globally published packages (Windows 10)
description: How to create a connection croup with user-published and globally published packages.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-create-a-connection-group.md b/windows/application-management/app-v/appv-create-a-connection-group.md
index 829708fe4f..509167b5f4 100644
--- a/windows/application-management/app-v/appv-create-a-connection-group.md
+++ b/windows/application-management/app-v/appv-create-a-connection-group.md
@@ -1,7 +1,7 @@
---
title: How to create a connection group (Windows 10)
description: Learn how to create a connection group with the App-V Management Console and where to find information about managing connection groups.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md
index 273b520a59..42081976ef 100644
--- a/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-create-a-custom-configuration-file-with-the-management-console.md
@@ -1,7 +1,7 @@
---
title: How to create a custom configuration file by using the App-V Management Console (Windows 10)
description: How to create a custom configuration file by using the App-V Management Console.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md
index 600df5f713..d6a62ddf52 100644
--- a/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md
+++ b/windows/application-management/app-v/appv-create-a-package-accelerator-with-powershell.md
@@ -1,7 +1,7 @@
---
title: How to create a package accelerator by using Windows PowerShell (Windows 10)
description: Learn how to create an App-v Package Accelerator by using Windows PowerShell. App-V Package Accelerators automatically sequence large, complex applications.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-create-a-package-accelerator.md b/windows/application-management/app-v/appv-create-a-package-accelerator.md
index db4fe23b68..d2c69c8afb 100644
--- a/windows/application-management/app-v/appv-create-a-package-accelerator.md
+++ b/windows/application-management/app-v/appv-create-a-package-accelerator.md
@@ -1,7 +1,7 @@
---
title: How to create a package accelerator (Windows 10)
description: Learn how to create App-V Package Accelerators to automatically generate new virtual application packages.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md
index c6983aab02..200f0481e4 100644
--- a/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md
+++ b/windows/application-management/app-v/appv-create-a-virtual-application-package-package-accelerator.md
@@ -1,7 +1,7 @@
---
title: How to create a virtual application package using an App-V Package Accelerator (Windows 10)
description: How to create a virtual application package using an App-V Package Accelerator.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-create-and-use-a-project-template.md b/windows/application-management/app-v/appv-create-and-use-a-project-template.md
index 54aa412604..0af67b340d 100644
--- a/windows/application-management/app-v/appv-create-and-use-a-project-template.md
+++ b/windows/application-management/app-v/appv-create-and-use-a-project-template.md
@@ -1,7 +1,7 @@
---
title: Create and apply an App-V project template to a sequenced App-V package (Windows 10)
description: Steps for how to create and apply an App-V project template (.appvt) to a sequenced App-V package.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
index b7ee707a61..30debd58c4 100644
--- a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
+++ b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
@@ -1,7 +1,7 @@
---
title: Creating and managing App-V virtualized applications (Windows 10)
description: Create and manage App-V virtualized applications to monitor and record the installation process for an application to be run as a virtualized application.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md
index aae5ad7d4c..ebbdf508c3 100644
--- a/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-customize-virtual-application-extensions-with-the-management-console.md
@@ -1,7 +1,7 @@
---
title: How to customize virtual application extensions for a specific AD group by using the Management Console (Windows 10)
description: How to customize virtual application extensions for a specific AD group by using the Management Console.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-delete-a-connection-group.md b/windows/application-management/app-v/appv-delete-a-connection-group.md
index 20c62b4398..60a5518fe9 100644
--- a/windows/application-management/app-v/appv-delete-a-connection-group.md
+++ b/windows/application-management/app-v/appv-delete-a-connection-group.md
@@ -1,7 +1,7 @@
---
title: How to delete a connection group (Windows 10)
description: Learn how to delete an existing App-V connection group in the App-V Management Console and where to find information about managing connection groups.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md
index 16a77e0287..27a1adeb35 100644
--- a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md
+++ b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md
@@ -1,7 +1,7 @@
---
title: How to delete a package in the Management Console (Windows 10)
description: Learn how to delete a package in the App-V Management Console and where to find information about operations for App-V.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md
index 4717b5e4ef..f7ccc22f58 100644
--- a/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md
+++ b/windows/application-management/app-v/appv-deploy-appv-databases-with-sql-scripts.md
@@ -1,7 +1,7 @@
---
title: How to Deploy the App-V Databases by Using SQL Scripts (Windows 10)
description: Learn how to use SQL scripts to install the App-V databases and upgrade the App-V databases to a later version.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
index 3c47fd5076..29719a0f8c 100644
--- a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md
@@ -1,7 +1,7 @@
---
title: How to deploy App-V packages using electronic software distribution (Windows 10)
description: Learn how use an electronic software distribution (ESD) system to deploy App-V virtual applications to App-V clients.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
index 07407291fe..f2c8cc0af3 100644
--- a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
+++ b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md
@@ -1,7 +1,7 @@
---
title: How to Deploy the App-V Server Using a Script (Windows 10)
description: 'Learn how to deploy the App-V server by using a script (appv_server_setup.exe) from the command line.'
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server.md b/windows/application-management/app-v/appv-deploy-the-appv-server.md
index 9284a9bfc6..ec7bcac622 100644
--- a/windows/application-management/app-v/appv-deploy-the-appv-server.md
+++ b/windows/application-management/app-v/appv-deploy-the-appv-server.md
@@ -1,7 +1,7 @@
---
title: How to Deploy the App-V Server (Windows 10)
description: Use these instructions to deploy the Application Virtualization (App-V) Server in App-V for Windows 10.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-deploying-appv.md b/windows/application-management/app-v/appv-deploying-appv.md
index 14493f0b25..5061447ca8 100644
--- a/windows/application-management/app-v/appv-deploying-appv.md
+++ b/windows/application-management/app-v/appv-deploying-appv.md
@@ -1,7 +1,7 @@
---
title: Deploying App-V (Windows 10)
description: App-V supports several different deployment options. Learn how to complete App-V deployment at different stages in your App-V deployment.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
index 736d772dfc..143b808f76 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md
@@ -1,7 +1,7 @@
---
title: Deploying Microsoft Office 2010 by Using App-V (Windows 10)
description: Create Office 2010 packages for Microsoft Application Virtualization (App-V) using the App-V Sequencer or the App-V Package Accelerator.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
index fee5c296a1..d4567acef0 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md
@@ -1,7 +1,7 @@
---
title: Deploying Microsoft Office 2013 by Using App-V (Windows 10)
description: Use Application Virtualization (App-V) to deliver Microsoft Office 2013 as a virtualized application to computers in your organization.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
index ba7107286e..5a7bb4a95a 100644
--- a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
+++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md
@@ -1,7 +1,7 @@
---
title: Deploying Microsoft Office 2016 by using App-V (Windows 10)
description: Use Application Virtualization (App-V) to deliver Microsoft Office 2016 as a virtualized application to computers in your organization.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md
index 37adcaae5e..5e3c484a69 100644
--- a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md
@@ -1,7 +1,7 @@
---
title: Deploying App-V packages by using electronic software distribution (ESD)
description: Deploying App-V packages by using electronic software distribution (ESD)
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md
index 8cb954168b..15f8f520d4 100644
--- a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md
+++ b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md
@@ -1,7 +1,7 @@
---
title: Deploying the App-V Sequencer and configuring the client (Windows 10)
description: Learn how to deploy the App-V Sequencer and configure the client by using the ADMX template and Group Policy.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-deploying-the-appv-server.md b/windows/application-management/app-v/appv-deploying-the-appv-server.md
index 97f97275be..fad40ca584 100644
--- a/windows/application-management/app-v/appv-deploying-the-appv-server.md
+++ b/windows/application-management/app-v/appv-deploying-the-appv-server.md
@@ -1,7 +1,7 @@
---
title: Deploying the App-V Server (Windows 10)
description: Learn how to deploy the Application Virtualization (App-V) Server in App-V for Windows 10 by using different deployment configurations described in this article.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-deployment-checklist.md b/windows/application-management/app-v/appv-deployment-checklist.md
index d09d0141d8..e64dfcb45c 100644
--- a/windows/application-management/app-v/appv-deployment-checklist.md
+++ b/windows/application-management/app-v/appv-deployment-checklist.md
@@ -1,7 +1,7 @@
---
title: App-V Deployment Checklist (Windows 10)
description: Use the App-V deployment checklist to understand the recommended steps and items to consider when deploying App-V features.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-dynamic-configuration.md b/windows/application-management/app-v/appv-dynamic-configuration.md
index 196cb62ece..fac027c816 100644
--- a/windows/application-management/app-v/appv-dynamic-configuration.md
+++ b/windows/application-management/app-v/appv-dynamic-configuration.md
@@ -1,7 +1,7 @@
---
title: About App-V Dynamic Configuration (Windows 10)
description: Learn how to create or edit an existing Application Virtualization (App-V) dynamic configuration file.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md
index 601bfd8297..013c9bf60d 100644
--- a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md
@@ -1,7 +1,7 @@
---
title: How to Enable Only Administrators to Publish Packages by Using an ESD (Windows 10)
description: Learn how to enable only administrators to publish packages by bsing an electronic software delivery (ESD).
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md
index 39a072c558..ba86d9400f 100644
--- a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md
+++ b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md
@@ -1,7 +1,7 @@
---
title: How to Enable Reporting on the App-V Client by Using Windows PowerShell (Windows 10)
description: How to Enable Reporting on the App-V Client by Using Windows PowerShell
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
index c7985565d4..e9352f15ee 100644
--- a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
+++ b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md
@@ -1,7 +1,7 @@
---
title: Enable the App-V in-box client (Windows 10)
description: Learn how to enable the Microsoft Application Virtualization (App-V) in-box client installed with Windows 10.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-evaluating-appv.md b/windows/application-management/app-v/appv-evaluating-appv.md
index 9eb57e8521..c5d8ac6964 100644
--- a/windows/application-management/app-v/appv-evaluating-appv.md
+++ b/windows/application-management/app-v/appv-evaluating-appv.md
@@ -1,7 +1,7 @@
---
title: Evaluating App-V (Windows 10)
description: Learn how to evaluate App-V for Windows 10 in a lab environment before deploying into a production environment.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-for-windows.md b/windows/application-management/app-v/appv-for-windows.md
index bec88a55bf..d089cb3371 100644
--- a/windows/application-management/app-v/appv-for-windows.md
+++ b/windows/application-management/app-v/appv-for-windows.md
@@ -1,7 +1,7 @@
---
title: Application Virtualization (App-V) (Windows 10)
description: See various topics that can help you administer Application Virtualization (App-V) and its components.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-getting-started.md b/windows/application-management/app-v/appv-getting-started.md
index 03f116312a..8fc9117868 100644
--- a/windows/application-management/app-v/appv-getting-started.md
+++ b/windows/application-management/app-v/appv-getting-started.md
@@ -1,7 +1,7 @@
---
title: Getting Started with App-V (Windows 10)
description: Get started with Microsoft Application Virtualization (App-V) for Windows 10. App-V for Windows 10 delivers Win32 applications to users as virtual applications.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-high-level-architecture.md b/windows/application-management/app-v/appv-high-level-architecture.md
index 941e4f58e7..cf81569563 100644
--- a/windows/application-management/app-v/appv-high-level-architecture.md
+++ b/windows/application-management/app-v/appv-high-level-architecture.md
@@ -1,7 +1,7 @@
---
title: High-level architecture for App-V (Windows 10)
description: Use the information in this article to simplify your Microsoft Application Virtualization (App-V) deployment.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md
index 82b6545be6..fed3c5c9ec 100644
--- a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md
+++ b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md
@@ -1,7 +1,7 @@
---
title: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell (Windows 10)
description: How to Install the App-V Databases and Convert the Associated Security Identifiers by Using Windows PowerShell
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md
index ffffedff20..2b99c85da9 100644
--- a/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md
+++ b/windows/application-management/app-v/appv-install-the-management-and-reporting-databases-on-separate-computers.md
@@ -1,7 +1,7 @@
---
title: How to Install the Management and Reporting Databases on separate computers from the Management and Reporting Services (Windows 10)
description: How to install the Management and Reporting Databases on separate computers from the Management and Reporting Services.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md
index 44e1be2801..f8c387ecb8 100644
--- a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md
+++ b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md
@@ -1,7 +1,7 @@
---
title: How to install the Management Server on a Standalone Computer and Connect it to the Database (Windows 10)
description: How to install the Management Server on a Standalone Computer and Connect it to the Database
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
index f08f5dfe4d..df6dc6c726 100644
--- a/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
+++ b/windows/application-management/app-v/appv-install-the-publishing-server-on-a-remote-computer.md
@@ -1,7 +1,7 @@
---
title: Install the Publishing Server on a Remote Computer (Windows 10)
description: Use the procedures in this article to install the Microsoft Application Virtualization (App-V) publishing server on a separate computer.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md
index d476fda616..17251170f3 100644
--- a/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md
+++ b/windows/application-management/app-v/appv-install-the-reporting-server-on-a-standalone-computer.md
@@ -1,7 +1,7 @@
---
title: How to install the Reporting Server on a standalone computer and connect it to the database (Windows 10)
description: How to install the App-V Reporting Server on a Standalone Computer and Connect it to the Database
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-install-the-sequencer.md b/windows/application-management/app-v/appv-install-the-sequencer.md
index 7a13e789c6..0c3ae2e9a0 100644
--- a/windows/application-management/app-v/appv-install-the-sequencer.md
+++ b/windows/application-management/app-v/appv-install-the-sequencer.md
@@ -1,7 +1,7 @@
---
title: Install the App-V Sequencer (Windows 10)
description: Learn how to install the App-V Sequencer to convert Win32 applications into virtual packages for deployment to user devices.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
index bc8cd9361e..4c3530ae6b 100644
--- a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
+++ b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md
@@ -1,7 +1,7 @@
---
title: How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help (Windows 10)
description: How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-maintaining-appv.md b/windows/application-management/app-v/appv-maintaining-appv.md
index e03e524b5a..ca2c8811c9 100644
--- a/windows/application-management/app-v/appv-maintaining-appv.md
+++ b/windows/application-management/app-v/appv-maintaining-appv.md
@@ -1,7 +1,7 @@
---
title: Maintaining App-V (Windows 10)
description: After you have deployed App-V for Windows 10, you can use the following information to maintain the App-V infrastructure.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md
index c7f1214405..78190c4689 100644
--- a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md
+++ b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md
@@ -1,7 +1,7 @@
---
title: How to manage App-V packages running on a stand-alone computer by using Windows PowerShell (Windows 10)
description: How to manage App-V packages running on a stand-alone computer by using Windows PowerShell.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
index d4e01266f8..d6e03d17a6 100644
--- a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
+++ b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
@@ -1,7 +1,7 @@
---
title: How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell (Windows 10)
description: How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-managing-connection-groups.md b/windows/application-management/app-v/appv-managing-connection-groups.md
index 9b5aa14320..f308ee42da 100644
--- a/windows/application-management/app-v/appv-managing-connection-groups.md
+++ b/windows/application-management/app-v/appv-managing-connection-groups.md
@@ -1,7 +1,7 @@
---
title: Managing Connection Groups (Windows 10)
description: Connection groups can allow administrators to manage packages independently and avoid having to add the same application multiple times to a client computer.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
index a3600bfa4c..63e362cc4c 100644
--- a/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
+++ b/windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
@@ -1,7 +1,7 @@
---
title: Migrating to App-V from a Previous Version (Windows 10)
description: Learn how to migrate to Microsoft Application Virtualization (App-V) for Windows 10 from a previous version.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md
index c065c9a2a5..6a6da20d55 100644
--- a/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md
+++ b/windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md
@@ -1,7 +1,7 @@
---
title: How to Modify an Existing Virtual Application Package (Windows 10)
description: Learn how to modify an existing virtual application package and add a new application to an existing virtual application package.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md
index 816015f740..9b7fa5dc90 100644
--- a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md
+++ b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md
@@ -1,7 +1,7 @@
---
title: How to Modify Client Configuration by Using Windows PowerShell (Windows 10)
description: Learn how to modify the Application Virtualization (App-V) client configuration by using Windows PowerShell.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
index e34dd4f7dc..8d46833f6d 100644
--- a/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
+++ b/windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
@@ -1,7 +1,7 @@
---
title: How to Move the App-V Server to Another Computer (Windows 10)
description: Learn how to create a new management server console in your environment and learn how to connect it to the App-V database.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-operations.md b/windows/application-management/app-v/appv-operations.md
index b68da536ab..a916d38776 100644
--- a/windows/application-management/app-v/appv-operations.md
+++ b/windows/application-management/app-v/appv-operations.md
@@ -1,7 +1,7 @@
---
title: Operations for App-V (Windows 10)
description: Learn about the various types of App-V administration and operating tasks that are typically performed by an administrator.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-performance-guidance.md b/windows/application-management/app-v/appv-performance-guidance.md
index ea4f11a42b..d7c8078b33 100644
--- a/windows/application-management/app-v/appv-performance-guidance.md
+++ b/windows/application-management/app-v/appv-performance-guidance.md
@@ -1,7 +1,7 @@
---
title: Performance Guidance for Application Virtualization (Windows 10)
description: Learn how to configure App-V for optimal performance, optimize virtual app packages, and provide a better user experience with RDS and VDI.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-planning-checklist.md b/windows/application-management/app-v/appv-planning-checklist.md
index 4c098ba090..e2d9776c2c 100644
--- a/windows/application-management/app-v/appv-planning-checklist.md
+++ b/windows/application-management/app-v/appv-planning-checklist.md
@@ -1,7 +1,7 @@
---
title: App-V Planning Checklist (Windows 10)
description: Learn about the recommended steps and items to consider when planning an Application Virtualization (App-V) deployment.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md
index 2a6724419a..0b9b995319 100644
--- a/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md
+++ b/windows/application-management/app-v/appv-planning-folder-redirection-with-appv.md
@@ -1,7 +1,7 @@
---
title: Planning to Use Folder Redirection with App-V (Windows 10)
description: Learn about folder redirection with App-V. Folder redirection enables users and administrators to redirect the path of a folder to a new location.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md
index 8aa07c226e..94b436fd53 100644
--- a/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md
+++ b/windows/application-management/app-v/appv-planning-for-appv-server-deployment.md
@@ -1,7 +1,7 @@
---
title: Planning for the App-V Server Deployment (Windows 10)
description: Learn what you need to know so you can plan for the Microsoft Application Virtualization (App-V) 5.1 server deployment.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-planning-for-appv.md b/windows/application-management/app-v/appv-planning-for-appv.md
index 0ebf3ccaf3..39d5199ea8 100644
--- a/windows/application-management/app-v/appv-planning-for-appv.md
+++ b/windows/application-management/app-v/appv-planning-for-appv.md
@@ -1,7 +1,7 @@
---
title: Planning for App-V (Windows 10)
description: Use the information in this article to plan to deploy App-V without disrupting your existing network or user experience.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md
index 29d772054e..9f01735aab 100644
--- a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md
+++ b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md
@@ -1,7 +1,7 @@
---
title: Planning for High Availability with App-V Server
description: Learn what you need to know so you can plan for high availability with Application Virtualization (App-V) server.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md
index 0f797ad9d7..52019b0496 100644
--- a/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md
+++ b/windows/application-management/app-v/appv-planning-for-sequencer-and-client-deployment.md
@@ -1,7 +1,7 @@
---
title: Planning for the App-V Sequencer and Client Deployment (Windows 10)
description: Learn what you need to do to plan for the App-V Sequencer and Client deployment, and where to find additional information about the deployment process.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
index 91ade82d46..32b20fa1e6 100644
--- a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
+++ b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md
@@ -1,7 +1,7 @@
---
title: Planning for Deploying App-V with Office (Windows 10)
description: Use the information in this article to plan how to deploy Office within Microsoft Application Virtualization (App-V).
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md
index 49e7266314..10fd13f4cc 100644
--- a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md
+++ b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md
@@ -1,7 +1,7 @@
---
title: Planning to Deploy App-V with an Electronic Software Distribution System (Windows 10)
description: Planning to Deploy App-V with an Electronic Software Distribution System
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv.md b/windows/application-management/app-v/appv-planning-to-deploy-appv.md
index be621c72e2..f08a2b2b44 100644
--- a/windows/application-management/app-v/appv-planning-to-deploy-appv.md
+++ b/windows/application-management/app-v/appv-planning-to-deploy-appv.md
@@ -1,7 +1,7 @@
---
title: Planning to Deploy App-V (Windows 10)
description: Learn about the different deployment configurations and requirements to consider before you deploy App-V for Windows 10.
-author: lomayor
+author: dansimp
ms.pagetype: mdop, appcompat, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md
index b1a6caca2c..3138fa3ab3 100644
--- a/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md
+++ b/windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md
@@ -44,7 +44,7 @@ Each method accomplishes essentially the same task, but some methods may be bett
To add a locally installed application to a package or to a connection group’s virtual environment, you add a subkey to the `RunVirtual` registry key in the Registry Editor, as described in the following sections.
-There is no Group Policy setting available to manage this registry key, so you have to use Microsoft Endpoint Configuration Manager or another electronic software distribution (ESD) system, or manually edit the registry.
+There is no Group Policy setting available to manage this registry key, so you have to use Microsoft Endpoint Manager or another electronic software distribution (ESD) system, or manually edit the registry.
Starting with App-V 5.0 SP3, when using RunVirtual, you can publish packages globally or to the user.
diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md
index 9d150d9583..31da1afc51 100644
--- a/windows/application-management/apps-in-windows-10.md
+++ b/windows/application-management/apps-in-windows-10.md
@@ -39,53 +39,53 @@ You can list all provisioned Windows apps with this PowerShell command:
Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName
```
-Here are the provisioned Windows apps in Windows 10 versions 1803, 1809, 1903, and 1909.
+Here are the provisioned Windows apps in Windows 10 versions 1803, 1809, 1903, 1909, and 2004.
-| Package name | App name | 1803 | 1809 | 1903 | 1909 | Uninstall through UI? |
-|----------------------------------------------|--------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:---------------------:|
-| Microsoft.3DBuilder | [3D Builder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | | | | | Yes |
-| Microsoft.BingWeather | [MSN Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | x | x | x | x | Yes |
-| Microsoft.DesktopAppInstaller | [App Installer](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe) | x | x | x | x | Via Settings App |
-| Microsoft.GetHelp | [Get Help](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.Getstarted | [Microsoft Tips](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.HEIFImageExtension | [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe) | | x | x | x | No |
-| Microsoft.Messaging | [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.Microsoft3DViewer | [Mixed Reality Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.MicrosoftOfficeHub | [Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | x | Yes |
-| Microsoft.MicrosoftSolitaireCollection | [Microsoft Solitaire Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x | x | x | x | Yes |
-| Microsoft.MicrosoftStickyNotes | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.MixedReality.Portal | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | | x | x | x | No |
-| Microsoft.MSPaint | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.Office.OneNote | [OneNote for Windows 10](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | Yes |
-| Microsoft.OneConnect | [Mobile Plans](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.Outlook.DesktopIntegrationServices | | | | | x | |
-| Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.ScreenSketch | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | | x | x | x | No |
-| Microsoft.SkypeApp | [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | x | x | x | x | No |
-| Microsoft.StorePurchaseApp | [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.VP9VideoExtensions | | | x | x | x | No |
-| Microsoft.Wallet | [Microsoft Pay](ms-windows-store://pdp/?PFN=Microsoft.Wallet_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WebMediaExtensions | [Web Media Extensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WebpImageExtension | [Webp Image Extension](ms-windows-store://pdp/?PFN=Microsoft.WebpImageExtension_8wekyb3d8bbwe) | | x | x | x | No |
-| Microsoft.Windows.Photos | [Microsoft Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WindowsAlarms | [Windows Alarms & Clock](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WindowsCalculator | [Windows Calculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WindowsCamera | [Windows Camera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe) | x | x | x | x | No |
-| microsoft.windowscommunicationsapps | [Mail and Calendar](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WindowsFeedbackHub | [Feedback Hub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WindowsMaps | [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WindowsSoundRecorder | [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.WindowsStore | [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.Xbox.TCUI | [Xbox Live in-game experience](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.XboxApp | [Xbox Console Companion](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.XboxGameOverlay | [Xbox Game Bar Plugin](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.XboxGamingOverlay | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.XboxIdentityProvider | [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.XboxSpeechToTextOverlay | | x | x | x | x | No |
-| Microsoft.YourPhone | [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | | x | x | x | No |
-| Microsoft.ZuneMusic | [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | x | x | x | x | No |
-| Microsoft.ZuneVideo | [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | x | x | x | x | No |
+| Package name | App name | 1803 | 1809 | 1903 | 1909 | 2004 | Uninstall through UI? |
+|----------------------------------------------|--------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:----:|:---------------------:|
+| Microsoft.3DBuilder | [3D Builder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | | | | | | Yes |
+| Microsoft.BingWeather | [MSN Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | x | x | x | x | x | Yes |
+| Microsoft.DesktopAppInstaller | [App Installer](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe) | x | x | x | x | x | Via Settings App |
+| Microsoft.GetHelp | [Get Help](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | x | x | x | x | x | No |
+| Microsoft.Getstarted | [Microsoft Tips](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe) | x | x | x | x | x | No |
+| Microsoft.HEIFImageExtension | [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe) | | x | x | x | x | No |
+| Microsoft.Messaging | [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | x | x | x | x | x | No |
+| Microsoft.Microsoft3DViewer | [Mixed Reality Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | x | x | x | x | x | No |
+| Microsoft.MicrosoftOfficeHub | [Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | x | x | Yes |
+| Microsoft.MicrosoftSolitaireCollection | [Microsoft Solitaire Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x | x | x | x | x | Yes |
+| Microsoft.MicrosoftStickyNotes | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | x | x | No |
+| Microsoft.MixedReality.Portal | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | | x | x | x | x | No |
+| Microsoft.MSPaint | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | x | x | No |
+| Microsoft.Office.OneNote | [OneNote for Windows 10](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | x | Yes |
+| Microsoft.OneConnect | [Mobile Plans](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | x | No |
+| Microsoft.Outlook.DesktopIntegrationServices | | | | | x | x | |
+| Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | x | No |
+| Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | x | x | x | x | x | No |
+| Microsoft.ScreenSketch | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | | x | x | x | x | No |
+| Microsoft.SkypeApp | [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | x | x | x | x | x | No |
+| Microsoft.StorePurchaseApp | [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | x | x | x | x | x | No |
+| Microsoft.VP9VideoExtensions | | | x | x | x | x | No |
+| Microsoft.Wallet | [Microsoft Pay](ms-windows-store://pdp/?PFN=Microsoft.Wallet_8wekyb3d8bbwe) | x | x | x | x | x | No |
+| Microsoft.WebMediaExtensions | [Web Media Extensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe) | x | x | x | x | x | No |
+| Microsoft.WebpImageExtension | [Webp Image Extension](ms-windows-store://pdp/?PFN=Microsoft.WebpImageExtension_8wekyb3d8bbwe) | | x | x | x | x | No |
+| Microsoft.Windows.Photos | [Microsoft Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | x | x | x | x | x | No |
+| Microsoft.WindowsAlarms | [Windows Alarms & Clock](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe) | x | x | x | x | x | No |
+| Microsoft.WindowsCalculator | [Windows Calculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe) | x | x | x | x | x | No |
+| Microsoft.WindowsCamera | [Windows Camera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe) | x | x | x | x | x | No |
+| microsoft.windowscommunicationsapps | [Mail and Calendar](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe) | x | x | x | x | x | No |
+| Microsoft.WindowsFeedbackHub | [Feedback Hub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) | x | x | x | x | x | No |
+| Microsoft.WindowsMaps | [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | x | x | x | x | x | No |
+| Microsoft.WindowsSoundRecorder | [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | x | x | x | x | x | No |
+| Microsoft.WindowsStore | [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | x | x | x | x | x | No |
+| Microsoft.Xbox.TCUI | [Xbox Live in-game experience](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | x | x | x | x | x | No |
+| Microsoft.XboxApp | [Xbox Console Companion](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | x | x | No |
+| Microsoft.XboxGameOverlay | [Xbox Game Bar Plugin](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | x | x | No |
+| Microsoft.XboxGamingOverlay | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | x | x | x | x | x | No |
+| Microsoft.XboxIdentityProvider | [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | x | x | x | x | x | No |
+| Microsoft.XboxSpeechToTextOverlay | | x | x | x | x | x | No |
+| Microsoft.YourPhone | [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | | x | x | x | x | No |
+| Microsoft.ZuneMusic | [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | x | x | x | x | x | No |
+| Microsoft.ZuneVideo | [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | x | x | x | x | x | No |
>[!NOTE]
>The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it.
diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json
index 09bd474c3e..460b8ecfdd 100644
--- a/windows/application-management/docfx.json
+++ b/windows/application-management/docfx.json
@@ -32,6 +32,7 @@
"externalReference": [],
"globalMetadata": {
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
+ "uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.technology": "windows",
"audience": "ITPro",
"ms.topic": "article",
@@ -43,7 +44,17 @@
"folder_relative_path_in_docset": "./"
}
},
- "titleSuffix": "Windows Application Management"
+ "titleSuffix": "Windows Application Management",
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
+ "searchScope": ["Windows 10"]
},
"fileMetadata": {},
"template": [],
diff --git a/windows/client-management/TOC.md b/windows/client-management/TOC.md
index b99a2d3ee4..aac950751a 100644
--- a/windows/client-management/TOC.md
+++ b/windows/client-management/TOC.md
@@ -1,5 +1,6 @@
# [Manage clients in Windows 10](index.md)
## [Administrative Tools in Windows 10](administrative-tools-in-windows-10.md)
+### [Use Quick Assist to help users](quick-assist.md)
## [Create mandatory user profiles](mandatory-user-profile.md)
## [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)
## [Join Windows 10 Mobile to Azure Active Directory](join-windows-10-mobile-to-azure-active-directory.md)
diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md
index 4af9868736..c27a78fa4c 100644
--- a/windows/client-management/advanced-troubleshooting-802-authentication.md
+++ b/windows/client-management/advanced-troubleshooting-802-authentication.md
@@ -17,17 +17,17 @@ ms.topic: troubleshooting
## Overview
-This is a general troubleshooting of 802.1X wireless and wired clients. With 802.1X and wireless troubleshooting, it's important to know how the flow of authentication works, and then figuring out where it's breaking. It involves a lot of third party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. Since we don't make access points or switches, it won't be an end-to-end Microsoft solution.
+This article includes general troubleshooting for 802.1X wireless and wired clients. While troubleshooting 802.1X and wireless, it's important to know how the flow of authentication works, and then figure out where it's breaking. It involves a lot of third-party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. We don't make access points or switches, so it's not an end-to-end Microsoft solution.
## Scenarios
-This troubleshooting technique applies to any scenario in which wireless or wired connections with 802.1X authentication is attempted and then fails to establish. The workflow covers Windows 7 - 10 for clients, and Windows Server 2008 R2 - 2012 R2 for NPS.
+This troubleshooting technique applies to any scenario in which wireless or wired connections with 802.1X authentication is attempted and then fails to establish. The workflow covers Windows 7 through Windows 10 for clients, and Windows Server 2008 R2 through Windows Server 2012 R2 for NPS.
-## Known Issues
+## Known issues
None
-## Data Collection
+## Data collection
See [Advanced troubleshooting 802.1X authentication data collection](data-collection-for-802-authentication.md).
@@ -35,11 +35,11 @@ See [Advanced troubleshooting 802.1X authentication data collection](data-collec
Viewing [NPS authentication status events](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735320(v%3dws.10)) in the Windows Security [event log](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc722404(v%3dws.11)) is one of the most useful troubleshooting methods to obtain information about failed authentications.
-NPS event log entries contain information on the connection attempt, including the name of the connection request policy that matched the connection attempt and the network policy that accepted or rejected the connection attempt. If you are not seeing both success and failure events, see the section below on [NPS audit policy](#audit-policy).
+NPS event log entries contain information about the connection attempt, including the name of the connection request policy that matched the connection attempt and the network policy that accepted or rejected the connection attempt. If you don't see both success and failure events, see the [NPS audit policy](#audit-policy) section later in this article.
-Check Windows Security Event log on the NPS Server for NPS events corresponding to rejected ([event ID 6273](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735399(v%3dws.10))) or accepted ([event ID 6272](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735388(v%3dws.10))) connection attempts.
+Check Windows Security Event log on the NPS Server for NPS events that correspond to rejected ([event ID 6273](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735399(v%3dws.10))) or accepted ([event ID 6272](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc735388(v%3dws.10))) connection attempts.
-In the event message, scroll to the very bottom, and check the [Reason Code](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v%3dws.10)) field and the text associated with it.
+In the event message, scroll to the very bottom, and then check the [Reason Code](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v%3dws.10)) field and the text that's associated with it.
*Example: event ID 6273 (Audit Failure)*
@@ -47,35 +47,35 @@ In the event message, scroll to the very bottom, and check the [Reason Code](htt
*Example: event ID 6272 (Audit Success)*
-The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, in the event of connectivity problems, the reason for the failure. For wired network access, Wired AutoConfig operational log is equivalent one.
+The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, in the event of connectivity problems, the reason for the failure. For wired network access, the Wired AutoConfig operational log is an equivalent one.
-On the client side, navigate to **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig/Operational** for wireless issues. For wired network access issues, navigate to **..\Wired-AutoConfig/Operational**. See the following example:
+On the client side, go to **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig/Operational** for wireless issues. For wired network access issues, go to **..\Wired-AutoConfig/Operational**. See the following example:
-Most 802.1X authentication issues are due to problems with the certificate that is used for client or server authentication (e.g. invalid certificate, expiration, chain verification failure, revocation check failure, etc.).
+Most 802.1X authentication issues are because of problems with the certificate that's used for client or server authentication. Examples include invalid certificate, expiration, chain verification failure, and revocation check failure.
-First, validate the type of EAP method being used:
+First, validate the type of EAP method that's used:
-If a certificate is used for its authentication method, check if the certificate is valid. For server (NPS) side, you can confirm what certificate is being used from the EAP property menu. In **NPS snap-in**, go to **Policies** > **Network Policies**. Right click on the policy and select **Properties**. In the pop-up window, go to the **Constraints** tab and select the **Authentication Methods** section.
+If a certificate is used for its authentication method, check whether the certificate is valid. For the server (NPS) side, you can confirm what certificate is being used from the EAP property menu. In **NPS snap-in**, go to **Policies** > **Network Policies**. Select and hold (or right-click) the policy, and then select **Properties**. In the pop-up window, go to the **Constraints** tab, and then select the **Authentication Methods** section.
-The CAPI2 event log will be useful for troubleshooting certificate-related issues.
-This log is not enabled by default. You can enable this log by expanding **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\CAPI2**, right-clicking **Operational** and then clicking **Enable Log**.
+The CAPI2 event log is useful for troubleshooting certificate-related issues.
+By default, this log isn't enabled. To enable this log, expand **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\CAPI2**, select and hold (or right-click) **Operational**, and then select **Enable Log**.
-The following article explains how to analyze CAPI2 event logs:
+For information about how to analyze CAPI2 event logs, see
[Troubleshooting PKI Problems on Windows Vista](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-vista/cc749296%28v=ws.10%29).
-When troubleshooting complex 802.1X authentication issues, it is important to understand the 802.1X authentication process. The following figure is an example of wireless connection process with 802.1X authentication:
+When troubleshooting complex 802.1X authentication issues, it's important to understand the 802.1X authentication process. Here's an example of wireless connection process with 802.1X authentication:
-If you [collect a network packet capture](troubleshoot-tcpip-netmon.md) on both the client and the server (NPS) side, you can see a flow like the one below. Type **EAPOL** in the Display Filter in for a client side capture, and **EAP** for an NPS side capture. See the following examples:
+If you [collect a network packet capture](troubleshoot-tcpip-netmon.md) on both the client and the server (NPS) side, you can see a flow like the one below. Type **EAPOL** in the Display Filter for a client-side capture, and **EAP** for an NPS-side capture. See the following examples:
*Client-side packet capture data*
@@ -85,16 +85,16 @@ If you [collect a network packet capture](troubleshoot-tcpip-netmon.md) on both
> [!NOTE]
-> If you have a wireless trace, you can also [view ETL files with network monitor](https://docs.microsoft.com/windows/desktop/ndf/using-network-monitor-to-view-etl-files) and apply the **ONEX_MicrosoftWindowsOneX** and **WLAN_MicrosoftWindowsWLANAutoConfig** Network Monitor filters. Follow the instructions under the **Help** menu in Network Monitor to load the reqired [parser](https://blogs.technet.microsoft.com/netmon/2010/06/04/parser-profiles-in-network-monitor-3-4/) if needed. See the example below.
+> If you have a wireless trace, you can also [view ETL files with network monitor](https://docs.microsoft.com/windows/desktop/ndf/using-network-monitor-to-view-etl-files) and apply the **ONEX_MicrosoftWindowsOneX** and **WLAN_MicrosoftWindowsWLANAutoConfig** Network Monitor filters. If you need to load the required [parser](https://blogs.technet.microsoft.com/netmon/2010/06/04/parser-profiles-in-network-monitor-3-4/), see the instructions under the **Help** menu in Network Monitor. Here's an example:
## Audit policy
-NPS audit policy (event logging) for connection success and failure is enabled by default. If you find that one or both types of logging are disabled, use the following steps to troubleshoot.
+By default, NPS audit policy (event logging) for connection success and failure is enabled. If you find that one or both types of logging are disabled, use the following steps to troubleshoot.
View the current audit policy settings by running the following command on the NPS server:
-```
+```console
auditpol /get /subcategory:"Network Policy Server"
```
@@ -106,13 +106,12 @@ Logon/Logoff
Network Policy Server Success and Failure
-If it shows ‘No auditing’, you can run this command to enable it:
-
-```
+If it says, "No auditing," you can run this command to enable it:
+```console
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
```
-Even if audit policy appears to be fully enabled, it sometimes helps to disable and then re-enable this setting. You can also enable Network Policy Server logon/logoff auditing via Group Policy. The success/failure setting can be found under **Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Logon/Logoff -> Audit Network Policy Server**.
+Even if audit policy appears to be fully enabled, it sometimes helps to disable and then re-enable this setting. You can also enable Network Policy Server logon/logoff auditing by using Group Policy. To get to the success/failure setting, select **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Advanced Audit Policy Configuration** > **Audit Policies** > **Logon/Logoff** > **Audit Network Policy Server**.
## Additional references
diff --git a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
index ce50bd2b54..ff1064cbbf 100644
--- a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
+++ b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
@@ -86,14 +86,14 @@ See the [example ETW capture](#example-etw-capture) at the bottom of this articl
The following is a high-level view of the main wifi components in Windows.
-
diff --git a/windows/client-management/change-default-removal-policy-external-storage-media.md b/windows/client-management/change-default-removal-policy-external-storage-media.md
index ee8a044508..69fa51d4e4 100644
--- a/windows/client-management/change-default-removal-policy-external-storage-media.md
+++ b/windows/client-management/change-default-removal-policy-external-storage-media.md
@@ -4,10 +4,11 @@ description: In Windows 10, version 1809, the default removal policy for externa
ms.prod: w10
author: Teresa-Motiv
ms.author: v-tea
-ms.date: 12/13/2019
+ms.date: 11/25/2020
ms.topic: article
ms.custom:
- CI 111493
+- CI 125140
- CSSTroubleshooting
audience: ITPro
ms.localizationpriority: medium
@@ -44,6 +45,13 @@ To change the policy for an external storage device:
-6. Select **Policies**, and then select the policy you want to use.
+6. Select **Policies**.
+
+ > [!NOTE]
+ > Some recent versions of Windows may use a different arrangement of tabs in the disk properties dialog box.
+ >
+ > If you do not see the **Policies** tab, select **Hardware**, select the removable drive from the **All disk drives** list, and then select **Properties**. The **Policies** tab should now be available.
+
+7. Select the policy that you want to use.
diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md
index bc6f44d66e..3e360929de 100644
--- a/windows/client-management/connect-to-remote-aadj-pc.md
+++ b/windows/client-management/connect-to-remote-aadj-pc.md
@@ -22,76 +22,65 @@ ms.topic: article
- Windows 10
-From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/user-help/device-management-azuread-joined-devices-setup).
+From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/devices/concept-azure-ad-join). Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics).
-> [!TIP]
-> Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session.](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics)
-
## Set up
- Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 are not supported.
-- Your local PC (where you are connecting from) must be either Azure AD joined or Hybrid Azure AD joined if using Windows 10 version 1607 and above, or Azure AD registered if using Windows 10 version 2004 and above. Remote connections to an Azure AD joined PC from an unjoined device or a non-Windows 10 device are not supported.
+- Your local PC (where you are connecting from) must be either Azure AD-joined or Hybrid Azure AD-joined if using Windows 10, version 1607 and above, or [Azure AD registered](https://docs.microsoft.com/azure/active-directory/devices/concept-azure-ad-register) if using Windows 10, version 2004 and above. Remote connections to an Azure AD-joined PC from an unjoined device or a non-Windows 10 device are not supported.
+- The local PC and remote PC must be in the same Azure AD tenant. Azure AD B2B guests are not supported for Remote desktop.
Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC you are using to connect to the remote PC.
- On the PC you want to connect to:
+
1. Open system properties for the remote PC.
+
2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**.
- 
+ 
- 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users to connect to the PC, you must allow remote connections for the local **Authenticated Users** group. Click **Select Users**.
+ 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users or groups to connect to the PC, you must allow remote connections for the specified users or groups. Users can be added either manually or through MDM policies:
+
+ - Adding users manually
+
+ You can specify individual Azure AD accounts for remote connections by running the following PowerShell cmdlet:
+ ```powershell
+ net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user"
+ ```
+ where *the-UPN-attribute-of-your-user* is the name of the user profile in C:\Users\, which is created based on the DisplayName attribute in Azure AD.
- > [!NOTE]
- > You can specify individual Azure AD accounts for remote connections by having the user sign in to the remote device at least once, and then running the following PowerShell cmdlet:
- > ```PowerShell
- > net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user"
- > ```
- > where *the-UPN-attribute-of-your-user* is the name of the user profile in C:\Users\, which is created based on the DisplayName attribute in Azure AD.
- >
- > This command only works for AADJ device users already added to any of the local groups (administrators).
- > Otherwise this command throws the below error. For example:
- > - for cloud only user: "There is no such global user or group : *name*"
- > - for synced user: "There is no such global user or group : *name*"
- >
- > In Windows 10, version 1709, the user does not have to sign in to the remote device first.
- >
- > In Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there is a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices.
+ This command only works for AADJ device users already added to any of the local groups (administrators).
+ Otherwise this command throws the below error. For example:
+ - for cloud only user: "There is no such global user or group : *name*"
+ - for synced user: "There is no such global user or group : *name*"
- 4. Enter **Authenticated Users**, then click **Check Names**. If the **Name Not Found** window opens, click **Locations** and select this PC.
+ > [!NOTE]
+ > For devices running Windows 10, version 1703 or earlier, the user must sign in to the remote device first before attempting remote connections.
+ >
+ > Starting in Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there is a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices.
- > [!TIP]
- > When you connect to the remote PC, enter your account name in this format: `AzureAD UPN`. The local PC must either be domain-joined or Azure AD-joined. The local PC and remote PC must be in the same Azure AD tenant.
+ - Adding users using policy
+
+ Starting in Windows 10, version 2004, you can add users or Azure AD groups to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD joined devices](https://docs.microsoft.com/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview).
-> [!Note]
-> If you cannot connect using Remote Desktop Connection 6.0, you must turn off the new features of RDP 6.0 and revert back to RDP 5.0 by making a few changes in the RDP file. See the details in the [support article](https://support.microsoft.com/help/941641/remote-desktop-connection-6-0-prompts-you-for-credentials-before-you-e).
+ > [!TIP]
+ > When you connect to the remote PC, enter your account name in this format: AzureAD\yourloginid@domain.com.
+
+ > [!NOTE]
+ > If you cannot connect using Remote Desktop Connection 6.0, you must turn off the new features of RDP 6.0 and revert back to RDP 5.0 by making a few changes in the RDP file. See the details in this [support article](https://support.microsoft.com/help/941641/remote-desktop-connection-6-0-prompts-you-for-credentials-before-you-e).
## Supported configurations
-In organizations using integrated Active Directory and Azure AD, you can connect from a Hybrid-joined PC to an Azure AD-joined PC by using any of the following:
+The table below lists the supported configurations for remotely connecting to an Azure AD-joined PC:
-- Password
-- Smartcards
-- Windows Hello for Business, if the domain is managed by Microsoft Endpoint Configuration Manager.
+| Criteria | RDP from Azure AD registered device| RDP from Azure AD joined device| RDP from hybrid Azure AD joined device |
+| - | - | - | - |
+| **Client operating systems**| Windows 10, version 2004 and above| Windows 10, version 1607 and above | Windows 10, version 1607 and above |
+| **Supported credentials**| Password, smartcard| Password, smartcard, Windows Hello for Business certificate trust | Password, smartcard, Windows Hello for Business certificate trust |
-In organizations using integrated Active Directory and Azure AD, you can connect from an Azure AD-joined PC to an AD-joined PC when the Azure AD-joined PC is on the corporate network by using any of the following:
-
-- Password
-- Smartcards
-- Windows Hello for Business, if the organization has a mobile device management (MDM) subscription.
-
-In organizations using integrated Active Directory and Azure AD, you can connect from an Azure AD-joined PC to another Azure AD-joined PC by using any of the following:
-
-- Password
-- Smartcards
-- Windows Hello for Business, with or without an MDM subscription.
-
-In organizations using only Azure AD, you can connect from an Azure AD-joined PC to another Azure AD-joined PC by using any of the following:
-
-- Password
-- Windows Hello for Business, with or without an MDM subscription.
> [!NOTE]
> If the RDP client is running Windows Server 2016 or Windows Server 2019, to be able to connect to Azure Active Directory-joined PCs, it must [allow Public Key Cryptography Based User-to-User (PKU2U) authentication requests to use online identities](https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities).
diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json
index ffd1c9d266..694a7e8b07 100644
--- a/windows/client-management/docfx.json
+++ b/windows/client-management/docfx.json
@@ -32,6 +32,7 @@
"externalReference": [],
"globalMetadata": {
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
+ "uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.technology": "windows",
"audience": "ITPro",
"ms.topic": "article",
@@ -45,7 +46,17 @@
"folder_relative_path_in_docset": "./"
}
},
- "titleSuffix": "Windows Client Management"
+ "titleSuffix": "Windows Client Management",
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
+ "searchScope": ["Windows 10"]
},
"fileMetadata": {},
"template": [],
diff --git a/windows/client-management/images/quick-assist-flow.png b/windows/client-management/images/quick-assist-flow.png
new file mode 100644
index 0000000000..5c1d83741f
Binary files /dev/null and b/windows/client-management/images/quick-assist-flow.png differ
diff --git a/windows/client-management/manage-settings-app-with-group-policy.md b/windows/client-management/manage-settings-app-with-group-policy.md
index dc31960057..2950a6c6d9 100644
--- a/windows/client-management/manage-settings-app-with-group-policy.md
+++ b/windows/client-management/manage-settings-app-with-group-policy.md
@@ -19,13 +19,13 @@ ms.topic: article
- Windows 10, Windows Server 2016
-You can now manage the pages that are shown in the Settings app by using Group Policy. This lets you hide specific pages from users. Before Windows 10, version 1703, you could either show everything in the Settings app or hide it completely.
-To make use of the Settings App group polices on Windows server 2016, install fix [4457127](https://support.microsoft.com/help/4457127/windows-10-update-kb4457127) or a later cumulative update.
+You can now manage the pages that are shown in the Settings app by using Group Policy. When you use Group Policy to manage pages, you can hide specific pages from users. Before Windows 10, version 1703, you could either show everything in the Settings app or hide it completely.
+To make use of the Settings App group policies on Windows server 2016, install fix [4457127](https://support.microsoft.com/help/4457127/windows-10-update-kb4457127) or a later cumulative update.
>[!Note]
>Each server that you want to manage access to the Settings App must be patched.
-To centrally manage the new policies copy the ControlPanel.admx and ControlPanel.adml file to [Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) if your company uses one or the PolicyDefinitions folder of the Domain Controllers used for Group Policy management.
+If your company uses one or the PolicyDefinitions folder of the Domain Controllers used for Group Policy management, to centrally manage the new policies, copy the ControlPanel.admx and ControlPanel.adml file to [Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra).
This policy is available for both User and Computer depending on the version of the OS. Windows Server 2016 with KB 4457127 applied will have both User and Computer policy. Windows 10, version 1703, added Computer policy for the Settings app. Windows 10, version 1809, added User policy for the Settings app.
@@ -39,7 +39,7 @@ Policy paths:
## Configuring the Group Policy
-The Group Policy can be configured in one of two ways: specify a list of pages that are shown or specify a list of pages to hide. To do this, add either **ShowOnly:** or **Hide:** followed by a semicolon delimited list of URIs in **Settings Page Visiblity**. For a full list of URIs, see the URI scheme reference section in [Launch the Windows Settings app](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference).
+The Group Policy can be configured in one of two ways: specify a list of pages that are shown or specify a list of pages to hide. To do this, add either **ShowOnly:** or **Hide:** followed by a semicolon-delimited list of URIs in **Settings Page Visibility**. For a full list of URIs, see the URI scheme reference section in [Launch the Windows Settings app](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference).
>[!NOTE]
> When you specify the URI in the Settings Page Visibility textbox, don't include **ms-settings:** in the string.
diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
index 45de1ade9b..f4a048f445 100644
--- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
+++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
@@ -53,7 +53,7 @@ As indicated in the diagram, Microsoft continues to provide support for deep man
With Windows 10, you can continue to use traditional OS deployment, but you can also “manage out of the box.” To transform new devices into fully-configured, fully-managed devices, you can:
-- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services such as [Microsoft Autopilot](https://docs.microsoft.com/windows/deployment/windows-10-auto-pilot) or [Microsoft Intune](https://docs.microsoft.com/intune/understand-explore/introduction-to-microsoft-intune).
+- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services such as [Microsoft Autopilot](https://docs.microsoft.com/windows/deployment/windows-10-auto-pilot) or [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/).
- Create self-contained provisioning packages built with the [Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/deploy/provisioning-packages).
@@ -69,7 +69,7 @@ You can envision user and device management as falling into these two categories
- **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows 10, your employees can self-provision their devices:
- - For corporate devices, they can set up corporate access with [Azure AD Join](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-overview/). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://blogs.technet.microsoft.com/ad/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/), all from the cloud.
The Windows Connection Manager (Wcmsvc) is closely associated with the UI controls (taskbar icon) to connect to various networks, including wireless networks. It accepts and processes input from the user and feeds it to the core wireless service. 
The WLAN Autoconfig Service (WlanSvc) handles the following core functions of wireless networks in windows:
+ The Windows Connection Manager (Wcmsvc) is closely associated with the UI controls (taskbar icon) to connect to various networks, including wireless networks. It accepts and processes input from the user and feeds it to the core wireless service. The WLAN Autoconfig Service (WlanSvc) handles the following core functions of wireless networks in windows:
- Scanning for wireless networks in range
- Managing connectivity of wireless networks 
The Media Specific Module (MSM) handles security aspects of connection being established. 
The Native WiFi stack consists of drivers and wireless APIs to interact with wireless miniports and the supporting user-mode Wlansvc. 
Third-party wireless miniport drivers interface with the upper wireless stack to provide notifications to and receive commands from Windows. The Media Specific Module (MSM) handles security aspects of connection being established. The Native WiFi stack consists of drivers and wireless APIs to interact with wireless miniports and the supporting user-mode Wlansvc. Third-party wireless miniport drivers interface with the upper wireless stack to provide notifications to and receive commands from Windows.
Azure AD Join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources.
+ - For corporate devices, they can set up corporate access with [Azure AD Join](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-overview/). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud.
Azure AD Join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources.
- Likewise, for personal devices, employees can use a new, simplified [BYOD experience](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-windows10-devices/) to add their work account to Windows, then access work resources on the device.
@@ -135,6 +135,6 @@ There are a variety of steps you can take to begin the process of modernizing de
## Related topics
-- [What is Intune?](https://docs.microsoft.com/intune/introduction-intune)
+- [What is Intune?](https://docs.microsoft.com//mem/intune/fundamentals/what-is-intune)
- [Windows 10 Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider)
- [Windows 10 Configuration service Providers](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference)
diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md
index 211519bdec..68d135449d 100644
--- a/windows/client-management/mandatory-user-profile.md
+++ b/windows/client-management/mandatory-user-profile.md
@@ -16,7 +16,6 @@ ms.topic: article
# Create mandatory user profiles
**Applies to**
-
- Windows 10
A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned.
@@ -76,7 +75,7 @@ First, you create a default user profile with the customizations that you want,
> [!TIP]
> If you receive an error message that says "Sysprep was not able to validate your Windows installation", open %WINDIR%\\System32\\Sysprep\\Panther\\setupact.log and look for an entry like the following:
>
- > 
+ > 
>
> Use the [Remove-AppxProvisionedPackage](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps) and [Remove-AppxPackage -AllUsers](https://docs.microsoft.com/powershell/module/appx/remove-appxpackage?view=win10-ps) cmdlet in Windows PowerShell to uninstall the app that is listed in the log.
@@ -86,20 +85,24 @@ First, you create a default user profile with the customizations that you want,
1. In **User Profiles**, click **Default Profile**, and then click **Copy To**.
- 
+
+ 
1. In **Copy To**, under **Permitted to use**, click **Change**.
- 
+ 
1. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**.
1. In **Copy To**, in the **Copy profile to** field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct [extension](#profile-extension-for-each-windows-version) for the operating system version. For example, the folder name must end with ".v6" to identify it as a user profile folder for Windows 10, version 1607.
- If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path.
+
+ 
+
- If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location.
- 
+ 
1. Click **OK** to copy the default user profile.
diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md
index 201773d50c..149457d576 100644
--- a/windows/client-management/mdm/TOC.md
+++ b/windows/client-management/mdm/TOC.md
@@ -1,5 +1,6 @@
# [Mobile device management](index.md)
## [What's new in MDM enrollment and management](new-in-windows-mdm-enrollment-management.md)
+### [Change history for MDM documentation](change-history-for-mdm-documentation.md)
## [Mobile device enrollment](mobile-device-enrollment.md)
### [MDM enrollment of Windows devices](mdm-enrollment-of-windows-devices.md)
#### [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md)
@@ -158,69 +159,123 @@
### [Personalization CSP](personalization-csp.md)
#### [Personalization DDF file](personalization-ddf.md)
### [Policy CSP](policy-configuration-service-provider.md)
-#### [Policy DDF file](policy-ddf-file.md)
-#### [Policies in Policy CSP supported by Group Policy](policy-csps-supported-by-group-policy.md)
-#### [ADMX-backed policies in Policy CSP](policy-csps-admx-backed.md)
-#### [Policies in Policy CSP supported by HoloLens 2](policy-csps-supported-by-hololens2.md)
-#### [Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md)
-#### [Policies in Policy CSP supported by HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md)
-#### [Policies in Policy CSP supported by Windows 10 IoT Enterprise](policy-csps-supported-by-iot-enterprise.md)
-#### [Policies in Policy CSP supported by Windows 10 IoT Core](policy-csps-supported-by-iot-core.md)
-#### [Policies in Policy CSP supported by Microsoft Surface Hub](policy-csps-supported-by-surface-hub.md)
-#### [Policy CSPs that can be set using Exchange Active Sync (EAS)](policy-csps-that-can-be-set-using-eas.md)
+#### [Policy CSP DDF file](policy-ddf-file.md)
+#### [Policies in Policy CSP supported by Group Policy](policies-in-policy-csp-supported-by-group-policy.md)
+#### [ADMX-backed policies in Policy CSP](policies-in-policy-csp-admx-backed.md)
+#### [Policies in Policy CSP supported by HoloLens 2](policies-in-policy-csp-supported-by-hololens2.md)
+#### [Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite](policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md)
+#### [Policies in Policy CSP supported by HoloLens (1st gen) Development Edition](policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md)
+#### [Policies in Policy CSP supported by Windows 10 IoT Enterprise](policies-in-policy-csp-supported-by-iot-enterprise.md)
+#### [Policies in Policy CSP supported by Windows 10 IoT Core](policies-in-policy-csp-supported-by-iot-core.md)
+#### [Policies in Policy CSP supported by Microsoft Surface Hub](policies-in-policy-csp-supported-by-surface-hub.md)
+#### [Policy CSPs that can be set using Exchange Active Sync (EAS)](policies-in-policy-csp-that-can-be-set-using-eas.md)
#### [AboveLock](policy-csp-abovelock.md)
#### [Accounts](policy-csp-accounts.md)
#### [ActiveXControls](policy-csp-activexcontrols.md)
+#### [ADMX_ActiveXInstallService](policy-csp-admx-activexinstallservice.md)
#### [ADMX_AddRemovePrograms](policy-csp-admx-addremoveprograms.md)
#### [ADMX_AppCompat](policy-csp-admx-appcompat.md)
+#### [ADMX_AppxPackageManager](policy-csp-admx-appxpackagemanager.md)
+#### [ADMX_AppXRuntime](policy-csp-admx-appxruntime.md)
+#### [ADMX_AttachmentManager](policy-csp-admx-attachmentmanager.md)
#### [ADMX_AuditSettings](policy-csp-admx-auditsettings.md)
+#### [ADMX_Bits](policy-csp-admx-bits.md)
#### [ADMX_CipherSuiteOrder](policy-csp-admx-ciphersuiteorder.md)
#### [ADMX_COM](policy-csp-admx-com.md)
+#### [ADMX_ControlPanel](policy-csp-admx-controlpanel.md)
+#### [ADMX_ControlPanelDisplay](policy-csp-admx-controlpaneldisplay.md)
#### [ADMX_Cpls](policy-csp-admx-cpls.md)
+#### [ADMX_CredentialProviders](policy-csp-admx-credentialproviders.md)
+#### [ADMX_CredSsp](policy-csp-admx-credssp.md)
+#### [ADMX_CredUI](policy-csp-admx-credui.md)
#### [ADMX_CtrlAltDel](policy-csp-admx-ctrlaltdel.md)
+#### [ADMX_DataCollection](policy-csp-admx-datacollection.md)
+#### [ADMX_Desktop](policy-csp-admx-desktop.md)
+#### [ADMX_DeviceInstallation](policy-csp-admx-deviceinstallation.md)
+#### [ADMX_DeviceSetup](policy-csp-admx-devicesetup.md)
#### [ADMX_DigitalLocker](policy-csp-admx-digitallocker.md)
#### [ADMX_DnsClient](policy-csp-admx-dnsclient.md)
#### [ADMX_DWM](policy-csp-admx-dwm.md)
+#### [ADMX_EAIME](policy-csp-admx-eaime.md)
#### [ADMX_EncryptFilesonMove](policy-csp-admx-encryptfilesonmove.md)
+#### [ADMX_EnhancedStorage](policy-csp-admx-enhancedstorage.md)
+#### [ADMX_ErrorReporting](policy-csp-admx-errorreporting.md)
#### [ADMX_EventForwarding](policy-csp-admx-eventforwarding.md)
+#### [ADMX_EventLog](policy-csp-admx-eventlog.md)
+#### [ADMX_Explorer](policy-csp-admx-explorer.md)
+#### [ADMX_FileRecovery](policy-csp-admx-filerecovery.md)
#### [ADMX_FileServerVSSProvider](policy-csp-admx-fileservervssprovider.md)
#### [ADMX_FileSys](policy-csp-admx-filesys.md)
#### [ADMX_FolderRedirection](policy-csp-admx-folderredirection.md)
+#### [ADMX_Globalization](policy-csp-admx-globalization.md)
+#### [ADMX_GroupPolicy](policy-csp-admx-grouppolicy.md)
#### [ADMX_Help](policy-csp-admx-help.md)
#### [ADMX_HelpAndSupport](policy-csp-admx-helpandsupport.md)
+#### [ADMX_ICM](policy-csp-admx-icm.md)
#### [ADMX_kdc](policy-csp-admx-kdc.md)
+#### [ADMX_Kerberos](policy-csp-admx-kerberos.md)
#### [ADMX_LanmanServer](policy-csp-admx-lanmanserver.md)
+#### [ADMX_LanmanWorkstation](policy-csp-admx-lanmanworkstation.md)
#### [ADMX_LinkLayerTopologyDiscovery](policy-csp-admx-linklayertopologydiscovery.md)
+#### [ADMX_Logon](policy-csp-admx-logon.md)
+#### [ADMX_MicrosoftDefenderAntivirus](policy-csp-admx-microsoftdefenderantivirus.md)
#### [ADMX_MMC](policy-csp-admx-mmc.md)
#### [ADMX_MMCSnapins](policy-csp-admx-mmcsnapins.md)
#### [ADMX_MSAPolicy](policy-csp-admx-msapolicy.md)
+#### [ADMX_msched](policy-csp-admx-msched.md)
+#### [ADMX_MSDT](policy-csp-admx-msdt.md)
+#### [ADMX_MSI](policy-csp-admx-msi.md)
#### [ADMX_nca](policy-csp-admx-nca.md)
#### [ADMX_NCSI](policy-csp-admx-ncsi.md)
#### [ADMX_Netlogon](policy-csp-admx-netlogon.md)
+#### [ADMX_NetworkConnections](policy-csp-admx-networkconnections.md)
#### [ADMX_OfflineFiles](policy-csp-admx-offlinefiles.md)
#### [ADMX_PeerToPeerCaching](policy-csp-admx-peertopeercaching.md)
#### [ADMX_PerformanceDiagnostics](policy-csp-admx-performancediagnostics.md)
+#### [ADMX_Power](policy-csp-admx-power.md)
+#### [ADMX_PowerShellExecutionPolicy](policy-csp-admx-powershellexecutionpolicy.md)
+#### [ADMX_Printing](policy-csp-admx-printing.md)
+#### [ADMX_Printing2](policy-csp-admx-printing2.md)
+#### [ADMX_Programs](policy-csp-admx-programs.md)
#### [ADMX_Reliability](policy-csp-admx-reliability.md)
+#### [ADMX_RemoteAssistance](policy-csp-admx-remoteassistance.md)
+#### [ADMX_RemovableStorage](policy-csp-admx-removablestorage.md)
+#### [ADMX_RPC](policy-csp-admx-rpc.md)
#### [ADMX_Scripts](policy-csp-admx-scripts.md)
#### [ADMX_sdiageng](policy-csp-admx-sdiageng.md)
#### [ADMX_Securitycenter](policy-csp-admx-securitycenter.md)
+#### [ADMX_Sensors](policy-csp-admx-sensors.md)
#### [ADMX_Servicing](policy-csp-admx-servicing.md)
+#### [ADMX_SettingSync](policy-csp-admx-settingsync.md)
#### [ADMX_SharedFolders](policy-csp-admx-sharedfolders.md)
#### [ADMX_Sharing](policy-csp-admx-sharing.md)
#### [ADMX_ShellCommandPromptRegEditTools](policy-csp-admx-shellcommandpromptregedittools.md)
+#### [ADMX_SkyDrive](policy-csp-admx-skydrive.md)
#### [ADMX_Smartcard](policy-csp-admx-smartcard.md)
#### [ADMX_Snmp](policy-csp-admx-snmp.md)
+#### [ADMX_StartMenu](policy-csp-admx-startmenu.md)
+#### [ADMX_SystemRestore](policy-csp-admx-systemrestore.md)
+#### [ADMX_Taskbar](policy-csp-admx-taskbar.md)
#### [ADMX_tcpip](policy-csp-admx-tcpip.md)
#### [ADMX_Thumbnails](policy-csp-admx-thumbnails.md)
#### [ADMX_TPM](policy-csp-admx-tpm.md)
#### [ADMX_UserExperienceVirtualization](policy-csp-admx-userexperiencevirtualization.md)
+#### [ADMX_UserProfiles](policy-csp-admx-userprofiles.md)
#### [ADMX_W32Time](policy-csp-admx-w32time.md)
+#### [ADMX_WCM](policy-csp-admx-wcm.md)
#### [ADMX_WinCal](policy-csp-admx-wincal.md)
#### [ADMX_WindowsAnytimeUpgrade](policy-csp-admx-windowsanytimeupgrade.md)
#### [ADMX_WindowsConnectNow](policy-csp-admx-windowsconnectnow.md)
+#### [ADMX_WindowsExplorer](policy-csp-admx-windowsexplorer.md)
+#### [ADMX_WindowsFileProtection](policy-csp-admx-windowsfileprotection.md)
#### [ADMX_WindowsMediaDRM](policy-csp-admx-windowsmediadrm.md)
#### [ADMX_WindowsMediaPlayer](policy-csp-admx-windowsmediaplayer.md)
+#### [ADMX_WindowsRemoteManagement](policy-csp-admx-windowsremotemanagement.md)
+#### [ADMX_WindowsStore](policy-csp-admx-windowsstore.md)
#### [ADMX_WinInit](policy-csp-admx-wininit.md)
+#### [ADMX_WinLogon](policy-csp-admx-winlogon.md)
+#### [ADMX_wlansvc](policy-csp-admx-wlansvc.md)
+#### [ADMX_WPN](policy-csp-admx-wpn.md)
#### [ApplicationDefaults](policy-csp-applicationdefaults.md)
#### [ApplicationManagement](policy-csp-applicationmanagement.md)
#### [AppRuntime](policy-csp-appruntime.md)
@@ -229,7 +284,7 @@
#### [Audit](policy-csp-audit.md)
#### [Authentication](policy-csp-authentication.md)
#### [Autoplay](policy-csp-autoplay.md)
-#### [Bitlocker](policy-csp-bitlocker.md)
+#### [BitLocker](policy-csp-bitlocker.md)
#### [BITS](policy-csp-bits.md)
#### [Bluetooth](policy-csp-bluetooth.md)
#### [Browser](policy-csp-browser.md)
@@ -267,12 +322,14 @@
#### [LanmanWorkstation](policy-csp-lanmanworkstation.md)
#### [Licensing](policy-csp-licensing.md)
#### [LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md)
+#### [LocalUsersAndGroups](policy-csp-localusersandgroups.md)
#### [LockDown](policy-csp-lockdown.md)
#### [Maps](policy-csp-maps.md)
#### [Messaging](policy-csp-messaging.md)
#### [MixedReality](policy-csp-mixedreality.md)
#### [MSSecurityGuide](policy-csp-mssecurityguide.md)
#### [MSSLegacy](policy-csp-msslegacy.md)
+#### [Multitasking](policy-csp-multitasking.md)
#### [NetworkIsolation](policy-csp-networkisolation.md)
#### [Notifications](policy-csp-notifications.md)
#### [Power](policy-csp-power.md)
@@ -307,6 +364,7 @@
#### [WindowsInkWorkspace](policy-csp-windowsinkworkspace.md)
#### [WindowsLogon](policy-csp-windowslogon.md)
#### [WindowsPowerShell](policy-csp-windowspowershell.md)
+#### [WindowsSandbox](policy-csp-windowssandbox.md)
#### [WirelessDisplay](policy-csp-wirelessdisplay.md)
### [PolicyManager CSP](policymanager-csp.md)
### [Provisioning CSP](provisioning-csp.md)
diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md
index 7a9545e09a..498abd7018 100644
--- a/windows/client-management/mdm/accounts-csp.md
+++ b/windows/client-management/mdm/accounts-csp.md
@@ -11,15 +11,24 @@ ms.reviewer:
manager: dansimp
---
-# Accounts CSP
+# Accounts Configuration Service Provider
The Accounts configuration service provider (CSP) is used by the enterprise (1) to rename a device, (2) to create a new local Windows account and join it to a local user group. This CSP was added in Windows 10, version 1803.
-The following diagram shows the Accounts configuration service provider in tree format.
+The following shows the Accounts configuration service provider in tree format.
-
+```
+./Device/Vendor/MSFT
+Accounts
+----Domain
+--------ComputerName
+----Users
+--------UserName
+------------Password
+------------LocalUserGroup
+```
**./Device/Vendor/MSFT/Accounts**
Root node.
@@ -52,6 +61,7 @@ This node specifies the username for a new local user account. This setting can
This node specifies the password for a new local user account. This setting can be managed remotely.
Supported operation is Add.
+GET operation is not supported. This setting will report as failed when deployed from the Endpoint Manager.
**Users/_UserName_/LocalUserGroup**
This optional node specifies the local user group that a local user account should be joined to. If the node is not set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely.
diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md
index 37f6157570..927e9b9e0a 100644
--- a/windows/client-management/mdm/activesync-csp.md
+++ b/windows/client-management/mdm/activesync-csp.md
@@ -19,8 +19,8 @@ The ActiveSync configuration service provider is used to set up and change setti
Configuring Windows Live ActiveSync accounts through this configuration service provider is not supported.
-> **Note**
-The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the ./User/Vendor/MSFT/ActiveSync path.
+> [!NOTE]
+> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the ./User/Vendor/MSFT/ActiveSync path.
On the desktop, only per user configuration (./User/Vendor/MSFT/ActiveSync) is supported. However, the ./Vendor/MSFT/ActiveSync path will work if the user is logged in. The CSP fails when no user is logged in.
@@ -28,15 +28,45 @@ The ./Vendor/MSFT/ActiveSync path is deprecated, but will continue to work in th
-The following diagram shows the ActiveSync configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM.
+The following shows the ActiveSync configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM.
-
+```
+./Vendor/MSFT
+ActiveSync
+----Accounts
+--------Account GUID
+------------EmailAddress
+------------Domain
+------------AccountIcon
+------------AccountType
+------------AccountName
+------------Password
+------------ServerName
+------------UserName
+------------Options
+----------------CalendarAgeFilter
+----------------Logging
+----------------MailBodyType
+----------------MailHTMLTruncation
+----------------MailPlainTextTruncation
+----------------Schedule
+----------------UseSSL
+----------------MailAgeFilter
+----------------ContentTypes
+--------------------Content Type GUID
+------------------------Enabled
+------------------------Name
+------------Policies
+----------------MailBodyType
+----------------MaxMailAgeFilter
+
+```
**./User/Vendor/MSFT/ActiveSync**
The root node for the ActiveSync configuration service provider.
-> **Note**
-The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the ./User/Vendor/MSFT/ActiveSync path.
+> [!NOTE]
+> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the ./User/Vendor/MSFT/ActiveSync path.
On the desktop, only per user configuration (./User/Vendor/MSFT/ActiveSync) is supported. However, the ./Vendor/MSFT/ActiveSync will work if the user is logged in. The CSP fails when no user is logged in.
@@ -231,10 +261,10 @@ Valid values are one of the following:
**Options/ContentTypes/*Content Type GUID*/Name**
Required. A character string that specifies the name of the content type.
-> **Note** In Windows 10, this node is currently not working.
+> [!NOTE]
+> In Windows 10, this node is currently not working.
-
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
When you use Add or Replace inside an atomic block in the SyncML, the CSP returns an error and provisioning fails. When you use Add or Replace outside of the atomic block, the error is ignored and the account is provisioned as expected.
diff --git a/windows/client-management/mdm/alljoynmanagement-csp.md b/windows/client-management/mdm/alljoynmanagement-csp.md
index e4d45bd4fd..3dfd62f711 100644
--- a/windows/client-management/mdm/alljoynmanagement-csp.md
+++ b/windows/client-management/mdm/alljoynmanagement-csp.md
@@ -17,8 +17,8 @@ ms.date: 06/26/2017
The AllJoynManagement configuration service provider (CSP) allows an IT administrator to enumerate the AllJoyn devices that are connected to the AllJoyn bus. The devices must support the Microsoft AllJoyn configuration interface (com.microsoft.alljoynmanagement.config). You can also push configuration files to the same devices. To populate the various nodes when setting new configuration, we recommend that you do a query first, to get the actual values for all the nodes in all the attached devices. You can then use the information from the query to set the node values when pushing the new configuration.
-> **Note**
-The AllJoynManagement configuration service provider (CSP) is only supported in Windows 10 IoT Core (IoT Core).
+> [!NOTE]
+> The AllJoynManagement configuration service provider (CSP) is only supported in Windows 10 IoT Core (IoT Core).
This CSP was added in Windows 10, version 1511.
@@ -26,9 +26,37 @@ This CSP was added in Windows 10, version 1511.
For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set on the directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used in conjunction with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB) Project](https://go.microsoft.com/fwlink/p/?LinkId=615876) and [AllJoyn Device System Bridge](https://go.microsoft.com/fwlink/p/?LinkId=615877).
-The following diagram shows the AllJoynManagement configuration service provider in tree format
+The following shows the AllJoynManagement configuration service provider in tree format
-
+```
+./Vendor/MSFT
+AllJoynManagement
+----Configurations
+--------ServiceID
+------------Port
+----------------PortNum
+--------------------ConfigurableObjects
+------------------------CfgObjectPath
+----Credentials
+--------ServiceID
+------------Key
+----Firewall
+--------PublicProfile
+--------PrivateProfile
+----Services
+--------ServiceID
+------------AppId
+------------DeviceId
+------------AppName
+------------Manufacturer
+------------ModelNumber
+------------Description
+------------SoftwareVersion
+------------AJSoftwareVersion
+------------HardwareVersion
+----Options
+--------QueryIdleTime
+```
The following list describes the characteristics and parameters.
diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md
index 2c64c89cd9..5bfdda98df 100644
--- a/windows/client-management/mdm/applicationcontrol-csp.md
+++ b/windows/client-management/mdm/applicationcontrol-csp.md
@@ -1,6 +1,6 @@
---
title: ApplicationControl CSP
-description: The ApplicationControl CSP allows you to manage multiple Windows Defender Application Control (WDAC) policies from a MDM server.
+description: The ApplicationControl CSP allows you to manage multiple Windows Defender Application Control (WDAC) policies from an MDM server.
keywords: security, malware
ms.author: dansimp
ms.topic: article
@@ -16,10 +16,33 @@ ms.date: 09/10/2020
Windows Defender Application Control (WDAC) policies can be managed from an MDM server or locally using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently does not schedule a reboot.
Existing WDAC policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although WDAC policy deployment via the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only.
-The following diagram shows the ApplicationControl CSP in tree format.
-
-
+The following shows the ApplicationControl CSP in tree format.
+```
+./Vendor/MSFT
+ApplicationControl
+----Policies
+--------Policy GUID
+------------Policy
+------------PolicyInfo
+----------------Version
+----------------IsEffective
+----------------IsDeployed
+----------------IsAuthorized
+----------------Status
+----------------FriendlyName
+------------Token
+----------------TokenID
+----Tokens
+--------ID
+------------Token
+------------TokenInfo
+----------------Status
+------------PolicyIDs
+----------------Policy GUID
+----TenantID
+----DeviceID
+```
**./Vendor/MSFT/ApplicationControl**
Defines the root node for the ApplicationControl CSP.
@@ -99,7 +122,7 @@ The following table provides the result of this policy based on different values
|False|False|True|Not Reachable.|
|False|False|False|*Not Reachable.|
-`*` denotes a valid intermediary state; however, if an MDM transaction results in this state configuration, the END_COMMAND_PROCESSING will result in a fail.
+\* denotes a valid intermediary state; however, if an MDM transaction results in this state configuration, the END_COMMAND_PROCESSING will result in a fail.
**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Status**
This node specifies whether the deployment of the policy indicated by the GUID was successful.
@@ -117,7 +140,7 @@ Value type is char.
## Microsoft Endpoint Manager (MEM) Intune Usage Guidance
-For customers using Intune standalone or hybrid management with Configuration Manager (MEMCM) to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune)
+For customers using Intune standalone or hybrid management with Configuration Manager (MEMCM) to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune).
## Generic MDM Server Usage Guidance
@@ -125,11 +148,11 @@ In order to leverage the ApplicationControl CSP without using Intune, you must:
1. Know a generated policy's GUID, which can be found in the policy xml as `
@@ -313,25 +359,22 @@ You can get the publisher name and product name of apps using a web API.
-
-
-~~~
Here is the example for Microsoft OneNote:
Request
-``` syntax
+```http
https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata
```
Result
-``` syntax
+```json
{
"packageFamilyName": "Microsoft.Office.OneNote_8wekyb3d8bbwe",
"packageIdentityName": "Microsoft.Office.OneNote",
@@ -339,7 +382,6 @@ Result
"publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
}
```
-~~~
-
https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/{app ID}/applockerdata
diff --git a/windows/client-management/mdm/cmpolicyenterprise-csp.md b/windows/client-management/mdm/cmpolicyenterprise-csp.md
index df773dcb43..3a5cc913a6 100644
--- a/windows/client-management/mdm/cmpolicyenterprise-csp.md
+++ b/windows/client-management/mdm/cmpolicyenterprise-csp.md
@@ -17,8 +17,8 @@ ms.date: 06/26/2017
The CMPolicyEnterprise configuration service provider is used by the enterprise to define rules that the Connection Manager uses to identify the correct connection for a connection request.
-> **Note**
-This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
+> [!NOTE]
+> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
@@ -28,10 +28,20 @@ Each policy entry identifies one or more applications in combination with a host
**Default Policies**: Policies are applied in order of their scope with the most specific policies considered before the more general policies. The phone’s default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN.
-The following diagram shows the CMPolicyEnterprise configuration service provider management object in tree format as used by both Open Mobile Alliance (OMA) Client Provisioning and OMA Device Management.
-
-
-
+The following shows the CMPolicyEnterprise configuration service provider management object in tree format as used by both Open Mobile Alliance (OMA) Client Provisioning and OMA Device Management.
+```
+./Vendor/MSFT
+CMPolicy
+----PolicyName
+--------SID
+--------ClientType
+--------Host
+--------OrderedConnections
+--------Connections
+------------ConnXXX
+----------------ConnectionID
+----------------Type
+```
***policyName***
Defines the name of the policy.
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md
index d064a375ca..dcf8eec173 100644
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@@ -2728,6 +2728,7 @@ The following list shows the CSPs supported in HoloLens devices:
| [DiagnosticLog CSP](diagnosticlog-csp.md) |  |  |  |
| [DMAcc CSP](dmacc-csp.md) |  |  |  |
| [DMClient CSP](dmclient-csp.md) |  |  |  |
+| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) |  |  |  10 |
| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) |  |  |  |
| [NetworkProxy CSP](networkproxy-csp.md) |  |  |  |
| [NetworkQoSPolicy CSP](networkqospolicy-csp.md) |  |  |  8|
@@ -2737,6 +2738,7 @@ The following list shows the CSPs supported in HoloLens devices:
| [RemoteFind CSP](remotefind-csp.md) |  |  4 |  |
| [RemoteWipe CSP](remotewipe-csp.md) |  |  4 |  |
| [RootCATrustedCertificates CSP](rootcacertificates-csp.md) |  |  |  |
+| [TenantLockdown CSP](tenantlockdown-csp.md) |  |  |  10 |
| [Update CSP](update-csp.md) |  |  |  |
| [VPNv2 CSP](vpnv2-csp.md) |  |  |  |
| [WiFi CSP](wifi-csp.md) |  |  |  |
@@ -2745,7 +2747,9 @@ The following list shows the CSPs supported in HoloLens devices:
## CSPs supported in Microsoft Surface Hub
-- [Accounts CSP](accounts-csp.md)9 **Note:** Support in Surface Hub is limited to **Domain\ComputerName**.
+- [Accounts CSP](accounts-csp.md)9
+ > [!NOTE]
+ > Support in Surface Hub is limited to **Domain\ComputerName**.
- [AccountManagement CSP](accountmanagement-csp.md)
- [APPLICATION CSP](application-csp.md)
- [CertificateStore CSP](certificatestore-csp.md)
@@ -2813,3 +2817,4 @@ The following list shows the CSPs supported in HoloLens devices:
- 7 - Added in Windows 10, version 1909.
- 8 - Added in Windows 10, version 2004.
- 9 - Added in Windows 10 Team 2020 Update
+- 10 - Added in [Windows Holographic, version 20H2](https://docs.microsoft.com/hololens/hololens-release-notes#windows-holographic-version-20h2)
diff --git a/windows/client-management/mdm/customdeviceui-csp.md b/windows/client-management/mdm/customdeviceui-csp.md
index 17b165ed51..2645a75e3f 100644
--- a/windows/client-management/mdm/customdeviceui-csp.md
+++ b/windows/client-management/mdm/customdeviceui-csp.md
@@ -15,11 +15,18 @@ ms.date: 06/26/2017
# CustomDeviceUI CSP
The CustomDeviceUI configuration service provider allows OEMs to implement their custom foreground application, as well as the background tasks to run on an IoT device running IoT Core. Only one foreground application is supported per device. Multiple background tasks are supported.
-The following diagram shows the CustomDeviceUI configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning.
+The following shows the CustomDeviceUI configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning.
-> **Note** This configuration service provider only applies to Windows 10 IoT Core (IoT Core).
+> [!NOTE]
+> This configuration service provider only applies to Windows 10 IoT Core (IoT Core).
-
+```
+./Vendor/MSFT
+CustomDeviceUI
+----StartupAppID
+----BackgroundTasksToLaunch
+--------BackgroundTaskPackageName
+```
**./Vendor/MSFT/CustomDeviceUI**
The root node for the CustomDeviceUI configuration service provider. The supported operation is Get.
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index da9959c0a2..8a3242f3d3 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -20,10 +20,49 @@ ms.date: 08/11/2020
The Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise.
-The following image shows the Windows Defender configuration service provider in tree format.
-
-
-
+The following shows the Windows Defender configuration service provider in tree format.
+```
+./Vendor/MSFT
+Defender
+----Detections
+--------ThreatId
+------------Name
+------------URL
+------------Severity
+------------Category
+------------CurrentStatus
+------------ExecutionStatus
+------------InitialDetectionTime
+------------LastThreatStatusChangeTime
+------------NumberOfDetections
+----Health
+--------ProductStatus (Added in Windows 10 version 1809)
+--------ComputerState
+--------DefenderEnabled
+--------RtpEnabled
+--------NisEnabled
+--------QuickScanOverdue
+--------FullScanOverdue
+--------SignatureOutOfDate
+--------RebootRequired
+--------FullScanRequired
+--------EngineVersion
+--------SignatureVersion
+--------DefenderVersion
+--------QuickScanTime
+--------FullScanTime
+--------QuickScanSigVersion
+--------FullScanSigVersion
+--------TamperProtectionEnabled (Added in Windows 10, version 1903)
+--------IsVirtualMachine (Added in Windows 10, version 1903)
+----Configuration (Added in Windows 10, version 1903)
+--------TamperProetection (Added in Windows 10, version 1903)
+--------EnableFileHashcomputation (Added in Windows 10, version 1903)
+--------SupportLogLocation (Added in the next major release of Windows 10)
+----Scan
+----UpdateSignature
+----OfflineScan (Added in Windows 10 version 1803)
+```
**Detections**
An interior node to group all threats detected by Windows Defender.
@@ -390,6 +429,66 @@ Intune tamper protection setting UX supports three states:
When enabled or disabled exists on the client and admin moves the setting to not configured, it will not have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly.
+**Configuration/DisableLocalAdminMerge**
-
+
+
> [!NOTE]
> There is no device ID claim in the access token because the device may not yet be enrolled at this time.
@@ -352,7 +368,7 @@ To retrieve the list of group memberships for the user, you can use the [Azure A
Here's an example URL.
-```console
+```http
https://fabrikam.contosomdm.com/TermsOfUse?redirect_uri=ms-appx-web://ContosoMdm/ToUResponse&client-request-id=34be581c-6ebd-49d6-a4e1-150eff4b7213&api-version=1.0
Authorization: Bearer eyJ0eXAiOi
```
@@ -644,7 +660,7 @@ Alert sample:
## Determine when a user is logged in through polling
-An alert is send to the MDM server in DM package\#1.
+An alert is sent to the MDM server in DM package\#1.
- Alert type - com.microsoft/MDM/LoginStatus
- Alert format - chr
@@ -922,5 +938,3 @@ When a user is enrolled into MDM through Azure Active Directory Join and then di
-
-
diff --git a/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
index 706b102207..61ff7e767b 100644
--- a/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
+++ b/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
@@ -1,24 +1,29 @@
---
title: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new Portal
-description: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new Portal
+description: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new portal
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: lomayor
-ms.date: 01/17/2018
+ms.date: 12/18/2020
ms.reviewer:
manager: dansimp
---
# Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal
-Go to your Azure AD Blade, select the Mobility (MDM and MAM) and there should be the Microsoft Intune "App" Visible, select the Microsoft Intune and configure the Blade
+> [!NOTE]
+> Microsoft Intune portal can be accessed at the following link: [https://endpoint.microsoft.com](https://endpoint.microsoft.com).
+
+1. Go to your Azure AD Blade.
+2. Select **Mobility (MDM and MAM)**, and find the Microsoft Intune app.
+3. Select **Microsoft Intune** and configure the blade.
-Configure the Blade
+Configure the blade
-Select all for allow all users to enroll a Device and make it Intune ready, or Some, then you can add a Group of Users.
+You can specify settings to allow all users to enroll a device and make it Intune ready, or choose to allow some users (and then add a group of users).
diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md
index 07f3aa7f0f..3db06e4963 100644
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@@ -16,7 +16,8 @@ manager: dansimp
The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it is also supported in Windows 10 Pro.
> [!NOTE]
-> Settings are enforced only at the time encryption is started. Encryption is not restarted with settings changes.
+> Settings are enforced only at the time encryption is started. Encryption is not restarted with settings changes.
+>
> You must send all the settings together in a single SyncML to be effective.
A Get operation on any of the settings, except for RequireDeviceEncryption and RequireStorageCardEncryption, returns
@@ -24,11 +25,29 @@ the setting configured by the admin.
For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if Trusted Platform Module (TPM) protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption does not verify that the a minimum PIN length is enforced (SystemDrivesMinimumPINLength).
-The following diagram shows the BitLocker configuration service provider in tree format.
-
-
-
-
+The following shows the BitLocker configuration service provider in tree format.
+```
+./Device/Vendor/MSFT
+BitLocker
+----RequireStorageCardEncryption
+----RequireDeviceEncryption
+----EncryptionMethodByDriveType
+----SystemDrivesRequireStartupAuthentication
+----SystemDrivesMinimumPINLength
+----SystemDrivesRecoveryMessage
+----SystemDrivesRecoveryOptions
+----FixedDrivesRecoveryOptions
+----FixedDrivesRequireEncryption
+----RemovableDrivesRequireEncryption
+----AllowWarningForOtherDiskEncryption
+----AllowStandardUserEncryption
+----ConfigureRecoveryPasswordRotation
+----RotateRecoveryPasswords
+----Status
+--------DeviceEncryptionStatus
+--------RotateRecoveryPasswordsStatus
+--------RotateRecoveryPasswordsRequestID
+```
**./Device/Vendor/MSFT/BitLocker**
Defines the root node for the BitLocker configuration service provider.
@@ -225,18 +244,18 @@ EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for remov
If you want to disable this policy use the following SyncML:
```xml
-
- [Multitasking/BrowserAltTabBlowout](policy-csp-multitasking.md#multitasking-browseralttabblowout) |
+| [SurfaceHub CSP](surfacehub-csp.md) | Added the following new node:
-Properties/SleepMode |
+
+## October 2020
+
+|New or updated article | Description|
+|--- | ---|
+| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies
- [Experience/DisableCloudOptimizedContent](policy-csp-experience.md#experience-disablecloudoptimizedcontent)
- [LocalUsersAndGroups/Configure](policy-csp-localusersandgroups.md#localusersandgroups-configure)
- [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)
- [MixedReality/BrightnessButtonDisabled](policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled)
- [MixedReality/FallbackDiagnostics](policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics)
- [MixedReality/MicrophoneDisabled](policy-csp-mixedreality.md#mixedreality-microphonedisabled)
- [MixedReality/VolumeButtonDisabled](policy-csp-mixedreality.md#mixedreality-volumebuttondisabled)
- [Update/DisableWUfBSafeguards](policy-csp-update.md#update-disablewufbsafeguards)
- [WindowsSandbox/AllowAudioInput](policy-csp-windowssandbox.md#windowssandbox-allowaudioinput)
- [WindowsSandbox/AllowClipboardRedirection](policy-csp-windowssandbox.md#windowssandbox-allowclipboardredirection)
- [WindowsSandbox/AllowNetworking](policy-csp-windowssandbox.md#windowssandbox-allownetworking)
- [WindowsSandbox/AllowPrinterRedirection](policy-csp-windowssandbox.md#windowssandbox-allowprinterredirection)
- [WindowsSandbox/AllowVGPU](policy-csp-windowssandbox.md#windowssandbox-allowvgpu)
- [WindowsSandbox/AllowVideoInput](policy-csp-windowssandbox.md#windowssandbox-allowvideoinput) |
+
+## September 2020
+
+|New or updated article | Description|
+|--- | ---|
+|[NetworkQoSPolicy CSP](networkqospolicy-csp.md)|Updated support information of the NetworkQoSPolicy CSP.|
+|[Policy CSP - LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md)|Removed the following unsupported LocalPoliciesSecurityOptions policy settings from the documentation:
- RecoveryConsole_AllowAutomaticAdministrativeLogon
- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways
- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible
- DomainMember_DisableMachineAccountPasswordChanges
- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems
|
+
+## August 2020
+
+|New or updated article | Description|
+|--- | ---|
+|[Policy CSP - System](policy-csp-system.md)|Removed the following policy settings:
- System/AllowDesktopAnalyticsProcessing
- System/AllowMicrosoftManagedDesktopProcessing
- System/AllowUpdateComplianceProcessing
- System/AllowWUfBCloudProcessing
|
+
+## July 2020
+
+|New or updated article | Description|
+|--- | ---|
+|[Policy CSP - System](policy-csp-system.md)|Added the following new policy settings:
- System/AllowDesktopAnalyticsProcessing
- System/AllowMicrosoftManagedDesktopProcessing
- System/AllowUpdateComplianceProcessing
- System/AllowWUfBCloudProcessing
Updated the following policy setting:
- System/AllowCommercialDataPipeline
|
+
+## June 2020
+
+|New or updated article | Description|
+|--- | ---|
+|[BitLocker CSP](bitlocker-csp.md)|Added SKU support table for **AllowStandardUserEncryption**.|
+|[Policy CSP - NetworkIsolation](policy-csp-networkisolation.md)|Updated the description from Boolean to Integer for the following policy settings:
EnterpriseIPRangesAreAuthoritative, EnterpriseProxyServersAreAuthoritative.|
+
+## May 2020
+
+|New or updated article | Description|
+|--- | ---|
+|[BitLocker CSP](bitlocker-csp.md)|Added the bitmask table for the Status/DeviceEncryptionStatus node.|
+|[Policy CSP - RestrictedGroups](policy-csp-restrictedgroups.md)| Updated the topic with additional details. Added policy timeline table.
+
+## February 2020
+
+|New or updated article | Description|
+|--- | ---|
+|[CertificateStore CSP](certificatestore-csp.md)
[ClientCertificateInstall CSP](clientcertificateinstall-csp.md)|Added details about SubjectName value.|
+
+## January 2020
+
+|New or updated article | Description|
+|--- | ---|
+|[Policy CSP - Defender](policy-csp-defender.md)|Added descriptions for supported actions for Defender/ThreatSeverityDefaultAction.|
+
+## November 2019
+
+|New or updated article | Description|
+|--- | ---|
+|[Policy CSP - DeliveryOptimization](policy-csp-deliveryoptimization.md)|Added option 5 in the supported values list for DeliveryOptimization/DOGroupIdSource.|
+|[DiagnosticLog CSP](diagnosticlog-csp.md)|Added substantial updates to this CSP doc.|
+
+## October 2019
+
+|New or updated article | Description|
+|--- | ---|
+|[BitLocker CSP](bitlocker-csp.md)|Added the following new nodes:
ConfigureRecoveryPasswordRotation, RotateRecoveryPasswords, RotateRecoveryPasswordsStatus, RotateRecoveryPasswordsRequestID.|
+|[Defender CSP](defender-csp.md)|Added the following new nodes:
Health/TamperProtectionEnabled, Health/IsVirtualMachine, Configuration, Configuration/TamperProtection, Configuration/EnableFileHashComputation.|
+
+## September 2019
+
+|New or updated article | Description|
+|--- | ---|
+|[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)|Added the following new node:
IsStub.|
+|[Policy CSP - Defender](policy-csp-defender.md)|Updated the supported value list for Defender/ScheduleScanDay policy.|
+|[Policy CSP - DeviceInstallation](policy-csp-deviceinstallation.md)|Added the following new policies:
DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs, DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs.|
+
+## August 2019
+
+|New or updated article | Description|
+|--- | ---|
+|[DiagnosticLog CSP](diagnosticlog-csp.md)
[DiagnosticLog DDF](diagnosticlog-ddf.md)|Added version 1.4 of the CSP in Windows 10, version 1903. Added the new 1.4 version of the DDF. Added the following new nodes:
Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelName/MaximumFileSize, Policy/Channels/ChannelName/SDDL, Policy/Channels/ChannelName/ActionWhenFull, Policy/Channels/ChannelName/Enabled, DiagnosticArchive, DiagnosticArchive/ArchiveDefinition, DiagnosticArchive/ArchiveResults.|
+|[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)|Enhanced the article to include additional reference links and the following two topics:
Verify auto-enrollment requirements and settings, Troubleshoot auto-enrollment of devices.|
+
+## July 2019
+
+|New or updated article | Description|
+|--- | ---|
+|[Policy CSP](policy-configuration-service-provider.md)|Added the following list:
Policies supported by HoloLens 2|
+|[ApplicationControl CSP](applicationcontrol-csp.md)|Added new CSP in Windows 10, version 1903.|
+|[PassportForWork CSP](passportforwork-csp.md)|Added the following new nodes in Windows 10, version 1903:
SecurityKey, SecurityKey/UseSecurityKeyForSignin|
+|[Policy CSP - Privacy](policy-csp-privacy.md)|Added the following new policies:
LetAppsActivateWithVoice, LetAppsActivateWithVoiceAboveLock|
+|Create a custom configuration service provider|Deleted the following documents from the CSP reference because extensibility via CSPs is not currently supported:
Create a custom configuration service provider
Design a custom configuration service provider
IConfigServiceProvider2
IConfigServiceProvider2::ConfigManagerNotification
IConfigServiceProvider2::GetNode
ICSPNode
ICSPNode::Add
ICSPNode::Clear
ICSPNode::Copy
ICSPNode::DeleteChild
ICSPNode::DeleteProperty
ICSPNode::Execute
ICSPNode::GetChildNodeNames
ICSPNode::GetProperty
ICSPNode::GetPropertyIdentifiers
ICSPNode::GetValue
ICSPNode::Move
ICSPNode::SetProperty
ICSPNode::SetValue
ICSPNodeTransactioning
ICSPValidate
Samples for writing a custom configuration service provider.|
+
+## June 2019
+
+|New or updated article | Description|
+|--- | ---|
+|[Policy CSP - DeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md)|Added the following new policies:
AllowDeviceHealthMonitoring, ConfigDeviceHealthMonitoringScope, ConfigDeviceHealthMonitoringUploadDestination.|
+|[Policy CSP - TimeLanguageSettings](policy-csp-timelanguagesettings.md)|Added the following new policy:
ConfigureTimeZone.|
+
+## May 2019
+
+|New or updated article | Description|
+|--- | ---|
+|[DeviceStatus CSP](devicestatus-csp.md)|Updated description of the following nodes:
DeviceStatus/Antivirus/SignatureStatus, DeviceStatus/Antispyware/SignatureStatus.|
+|[EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md)|Added new CSP in Windows 10, version 1903.|
+|[Policy CSP - DeliveryOptimization](policy-csp-deliveryoptimization.md)|Added the following new policies:
DODelayCacheServerFallbackBackground, DODelayCacheServerFallbackForeground.
Updated description of the following policies:
DOMinRAMAllowedToPeer, DOMinFileSizeToCache, DOMinDiskSizeAllowedToPeer.|
+|[Policy CSP - Experience](policy-csp-experience.md)|Added the following new policy:
ShowLockOnUserTile.|
+|[Policy CSP - InternetExplorer](policy-csp-internetexplorer.md)|Added the following new policies:
AllowEnhancedSuggestionsInAddressBar, DisableActiveXVersionListAutoDownload, DisableCompatView, DisableFeedsBackgroundSync, DisableGeolocation, DisableWebAddressAutoComplete, NewTabDefaultPage.|
+|[Policy CSP - Power](policy-csp-power.md)|Added the following new policies:
EnergySaverBatteryThresholdOnBattery, EnergySaverBatteryThresholdPluggedIn, SelectLidCloseActionOnBattery, SelectLidCloseActionPluggedIn, SelectPowerButtonActionOnBattery, SelectPowerButtonActionPluggedIn, SelectSleepButtonActionOnBattery, SelectSleepButtonActionPluggedIn, TurnOffHybridSleepOnBattery, TurnOffHybridSleepPluggedIn, UnattendedSleepTimeoutOnBattery, UnattendedSleepTimeoutPluggedIn.|
+|[Policy CSP - Search](policy-csp-search.md)|Added the following new policy:
AllowFindMyFiles.|
+|[Policy CSP - ServiceControlManager](policy-csp-servicecontrolmanager.md)|Added the following new policy:
SvchostProcessMitigation.|
+|[Policy CSP - System](policy-csp-system.md)|Added the following new policies:
AllowCommercialDataPipeline, TurnOffFileHistory.|
+|[Policy CSP - Troubleshooting](policy-csp-troubleshooting.md)|Added the following new policy:
AllowRecommendations.|
+|[Policy CSP - Update](policy-csp-update.md)|Added the following new policies:
AutomaticMaintenanceWakeUp, ConfigureDeadlineForFeatureUpdates, ConfigureDeadlineForQualityUpdates, ConfigureDeadlineGracePeriod, ConfigureDeadlineNoAutoReboot.|
+|[Policy CSP - WindowsLogon](policy-csp-windowslogon.md)|Added the following new policies:
AllowAutomaticRestartSignOn, ConfigAutomaticRestartSignOn, EnableFirstLogonAnimation.
Removed the following policy:
SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart. This policy is replaced by AllowAutomaticRestartSignOn.|
+
+## April 2019
+
+| New or updated article | Description |
+|-------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md) | Added the following warning at the end of the Overview section:
Some operating system components have built in functionality to check devices for domain membership. MDM enforces the configured policy values only if the devices are domain joined, otherwise it does not. However, you can still import ADMX files and set ADMX-backed policies regardless of whether the device is domain joined or non-domain joined. |
+| [Policy CSP - UserRights](policy-csp-userrights.md) | Added a note stating if you use Intune custom profiles to assign UserRights policies, you must use the CDATA tag () to wrap the data fields. |
+
+## March 2019
+
+|New or updated article | Description|
+|--- | ---|
+|[Policy CSP - Storage](policy-csp-storage.md)|Updated ADMX Info of the following policies:
AllowStorageSenseGlobal, AllowStorageSenseTemporaryFilesCleanup, ConfigStorageSenseCloudContentDehydrationThreshold, ConfigStorageSenseDownloadsCleanupThreshold, ConfigStorageSenseGlobalCadence, ConfigStorageSenseRecycleBinCleanupThreshold.
Updated description of ConfigStorageSenseDownloadsCleanupThreshold.|
+
+## February 2019
+
+|New or updated article | Description|
+|--- | ---|
+|[Policy CSP](policy-configuration-service-provider.md)|Updated supported policies for Holographic.|
+
+## January 2019
+
+|New or updated article | Description|
+|--- | ---|
+|[Policy CSP - Storage](policy-csp-storage.md)|Added the following new policies: AllowStorageSenseGlobal, ConfigStorageSenseGlobalCadence, AllowStorageSenseTemporaryFilesCleanup, ConfigStorageSenseRecycleBinCleanupThreshold, ConfigStorageSenseDownloadsCleanupThreshold, and ConfigStorageSenseCloudContentCleanupThreshold.|
+|[SharedPC CSP](sharedpc-csp.md)|Updated values and supported operations.|
+|[Mobile device management](index.md)|Updated information about MDM Security Baseline.|
+
+## December 2018
+
+|New or updated article | Description|
+|--- | ---|
+|[BitLocker CSP](bitlocker-csp.md)|Updated AllowWarningForOtherDiskEncryption policy description to describe silent and non-silent encryption scenarios, as well as where and how the recovery key is backed up for each scenario.|
+
+## September 2018
+
+|New or updated article | Description|
+|--- | ---|
+|[Mobile device management](index.md#mmat) | Added information about the MDM Migration Analysis Tool (MMAT).|
+|[Policy CSP - DeviceGuard](policy-csp-deviceguard.md) | Updated ConfigureSystemGuardLaunch policy and replaced EnableSystemGuard with it.|
+
+## August 2018
+
+
+
+
+## July 2018
+
+
+
+
+
+New or updated article
+Description
+
+
+BitLocker CSP
+
+
+Office CSP
+
+
+RemoteWipe CSP
+
+
+TenantLockdown CSP
+
+
+WindowsDefenderApplicationGuard CSP
+
+
+Policy DDF file
+
+
+
+Policy CSP
+
+
+
+
+
+## June 2018
+
+
+
+
+
+New or updated article
+Description
+
+
+AssignedAccess CSP
+
+
+
+
+PassportForWork CSP
+
+
+EnterpriseModernAppManagement CSP
+
+
+Win32CompatibilityAppraiser CSP
+
+
+WindowsLicensing CSP
+
+
+SUPL CSP
+
+
+Defender CSP
+
+
+BitLocker CSP
+
+
+DevDetail CSP
+
+
+
+Policy CSP
+
+
+
+
+
+
+
+## May 2018
+
+
+
+
+
+New or updated article
+Description
+
+
+Wifi CSP
+
+
+Diagnose MDM failures in Windows 10
+
+
+
+
+BitLocker CSP
+
+
+Policy CSP
+
+
+
+
+
+
+
+WiredNetwork CSP
+New CSP added in Windows 10, version 1809.
+
+
+
+## April 2018
+
+
+
+
+
+New or updated article
+Description
+
+
+
+Policy DDF file
+
+
+
+## March 2018
+
+
+
+
+
+New or updated article
+Description
+
+
+WindowsDefenderApplicationGuard CSP
+
+
+
+
+NetworkProxy CSP
+
+
+
+
+Accounts CSP
+
+
+MDM Migration Analysis Tool (MMAT)
+
+
+CSP DDF files download
+
+
+
+Policy CSP
+
+
+
+
+
+## February 2018
+
+
+
+
+
+New or updated article
+Description
+
+
+eUICCs CSP
+
+
+
+
+DeviceStatus CSP
+
+
+
+
+Understanding ADMX-backed policies
+
+
+AccountManagement CSP
+
+
+RootCATrustedCertificates CSP
+
+
+
+
+Policy CSP
+
+
+
+
+
+
+
+
+Policy CSP - Bluetooth
+
+
+MultiSIM CSP
+
+
+
+RemoteWipe CSP
+
+
+
+## January 2018
+
+
+
+
+
+New or updated article
+Description
+
+
+Policy CSP
+
+
+
+
+VPNv2 ProfileXML XSD
+
+
+AssignedAccess CSP
+
+
+
+
+MultiSIM CSP
+
+
+
+EnterpriseModernAppManagement CSP
+
+
+
+
+
+## December 2017
+
+
+
+
+
+New or updated article
+Description
+
+
+Policy CSP
+
+
+
+
+
+
+BitLocker CSP
+
+
+EnterpriseModernAppManagement CSP
+
+
+DMClient CSP
+
+
+
+
+Defender CSP
+
+
+UEFI CSP
+
+
+
+Update CSP
+
+
+
+
+
+## November 2017
+
+
+
+
+
+New or updated article
+Description
+
+
+
+Configuration service provider reference
+
+
+
+## October 2017
+
+
+
+
+
+New or updated article
+Description
+
+
+
+Policy CSP
+
+
+
+
+
+
+
+## September 2017
+
+
+
+
+
+New or updated article
+Description
+
+
+Policy DDF file
+
+
+Policy CSP
+
+
+
+
+eUICCs CSP
+
+
+AssignedAccess CSP
+
+
+
+DMClient CSP
+
+
+
+## August 2017
+
+
+
+
+
+New or updated article
+Description
+
+
+Policy CSP
+
+
+
+
+AssignedAccess CSP
+
+
+Microsoft Store for Business and Microsoft Store
+
+
+The [MS-MDE2]: Mobile Device Enrollment Protocol Version 2
+
+
+
+
+EnterpriseAPN CSP
+
+
+VPNv2 CSP
+
+
+Enroll a Windows 10 device automatically using Group Policy
+
+
+
+MDM enrollment of Windows-based devices
+
+
+
+
diff --git a/windows/client-management/mdm/cleanpc-csp.md b/windows/client-management/mdm/cleanpc-csp.md
index c70da05dae..a4433c6dcf 100644
--- a/windows/client-management/mdm/cleanpc-csp.md
+++ b/windows/client-management/mdm/cleanpc-csp.md
@@ -15,10 +15,13 @@ manager: dansimp
The CleanPC configuration service provider (CSP) allows removal of user-installed and pre-installed applications, with the option to persist user data. This CSP was added in Windows 10, version 1703.
-The following diagram shows the CleanPC configuration service provider in tree format.
-
-
-
+The following shows the CleanPC configuration service provider in tree format.
+```
+./Device/Vendor/MSFT
+CleanPC
+----CleanPCWithoutRetainingUserData
+----CleanPCRetainingUserData
+```
**./Device/Vendor/MSFT/CleanPC**
+
+
+
+New or updated article
+Description
+
+
+Enable ADMX-backed policies in MDM
+
+
+Mobile device enrollment
+
+
+
+
+CM_CellularEntries CSP
+
+
+EnterpriseDataProtection CSP
+
+
+
+
+AppLocker CSP
+
+
+DeviceManageability CSP
+
+
+
+
+Office CSP
+
+
+
+
+BitLocker CSP
+Added information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.
+
+
+Firewall CSP
+Updated the CSP and DDF topics. Here are the changes:
+
+
+
+
+Policy DDF file
+Added another Policy DDF file download for the 8C release of Windows 10, version 1607, which added the following policies:
+
+
+
+
+
+Policy CSP
+
+
+
+
+
+
+
-
-
@@ -486,14 +496,14 @@ Adding a host-based mapping policy:
-
+This policy setting controls whether or not complex list settings configured by a local administrator are merged with managed settings. This setting applies to lists such as threats and exclusions.
+
+If you disable or do not configure this setting, unique items defined in preference settings configured by the local administrator will be merged into the resulting effective policy. In the case of conflicts, management settings will override preference settings.
+
+If you enable this setting, only items defined by management will be used in the resulting effective policy. Managed settings will override preference settings configured by the local administrator.
+
+> [!NOTE]
+> Applying this setting will not remove exclusions from the device registry, it will only prevent them from being applied/used. This is reflected in **Get-MpPreference**.
+
+Supported OS versions: Windows 10
+
+The data type is integer.
+
+Supported operations are Add, Delete, Get, Replace.
+
+Valid values are:
+- 1 – Enable.
+- 0 (default) – Disable.
+
+**Configuration/DisableCpuThrottleOnIdleScans**
+Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and will not throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans this flag will have no impact and normal throttling will occur.
+
+The data type is integer.
+
+Supported operations are Add, Delete, Get, Replace.
+
+Valid values are:
+- 1 – Enable.
+- 0 (default) – Disable.
+
+**Configuration/MeteredConnectionUpdates**
+Allow managed devices to update through metered connections. Data charges may apply.
+
+The data type is integer.
+
+Supported operations are Add, Delete, Get, Replace.
+
+Valid values are:
+- 1 – Enable.
+- 0 (default) – Disable.
+
+**Configuration/AllowNetworkProtectionOnWinServer**
+This settings controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server. If false, the value of EnableNetworkProtection will be ignored.
+
+The data type is integer.
+
+Supported operations are Add, Delete, Get, Replace.
+
+Valid values are:
+- 1 – Enable.
+- 0 (default) – Disable.
+
+**Configuration/ExclusionIpAddress**
+Allows an administrator to explicitly disable network packet inspection made by wdnisdrv on a particular set of IP addresses.
+
+The data type is string.
+
+Supported operations are Add, Delete, Get, Replace.
+
**Configuration/EnableFileHashComputation**
Enables or disables file hash computation feature.
When this feature is enabled Windows defender will compute hashes for files it scans.
diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md
index 11ab51bf9e..5337bb0cfd 100644
--- a/windows/client-management/mdm/devdetail-csp.md
+++ b/windows/client-management/mdm/devdetail-csp.md
@@ -21,10 +21,43 @@ The DevDetail configuration service provider handles the management object which
For the DevDetail CSP, you cannot use the Replace command unless the node already exists.
-The following diagram shows the DevDetail configuration service provider management object in tree format as used by OMA Device Management. The OMA Client Provisioning protocol is not supported for this configuration service provider.
-
-
-
+The following shows the DevDetail configuration service provider management object in tree format as used by OMA Device Management. The OMA Client Provisioning protocol is not supported for this configuration service provider.
+```
+.
+DevDetail
+----URI
+--------MaxDepth
+--------MaxTotLen
+--------MaxSegLen
+----DevTyp
+----OEM
+----FwV
+----SwV
+----HwV
+----LrgObj
+----Ext
+--------Microsoft
+------------MobileID
+------------RadioSwV
+------------Resolution
+------------CommercializationOperator
+------------ProcessorArchitecture
+------------ProcessorType
+------------OSPlatform
+------------LocalTime
+------------DeviceName
+------------DNSComputerName (Added in Windows 10, version 2004)
+------------TotalStorage
+------------TotalRAM
+------------SMBIOSSerialNumber (Added in Windows 10, version 1809)
+--------WLANMACAddress
+--------VoLTEServiceSetting
+--------WlanIPv4Address
+--------WlanIPv6Address
+--------WlanDnsSuffix
+--------WlanSubnetMask
+--------DeviceHardwareData (Added in Windows 10, version 1703)
+```
**DevTyp**
Required. Returns the device model name /SystemProductName as a string.
@@ -143,8 +176,10 @@ The following are the available naming macros:
Value type is string. Supported operations are Get and Replace.
-> [!Note]
-> On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the `computer"s` serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit does not count the length of the macros, `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10, version 1709 and earlier releases, use the **ComputerName** setting under **Accounts** > **ComputerAccount**.
+> [!NOTE]
+> We recommend using `%SERIAL%` or `%RAND:x%` with a high character limit to reduce the chance of name collision when generating a random name. This feature doesn't check if a particular name is already present in the environment.
+
+On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain-joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the `computer's` serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit does not count the length of the macros, `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10, version 1709 and earlier releases, use the **ComputerName** setting under **Accounts** > **ComputerAccount**.
**Ext/Microsoft/TotalStorage**
Added in Windows 10, version 1511. Integer that specifies the total available storage in MB from first internal drive on the device (may be less than total physical storage).
@@ -215,6 +250,3 @@ Supported operation is Get.
-
-
-
diff --git a/windows/client-management/mdm/developersetup-csp.md b/windows/client-management/mdm/developersetup-csp.md
index 40e1d4d82e..382d2d379a 100644
--- a/windows/client-management/mdm/developersetup-csp.md
+++ b/windows/client-management/mdm/developersetup-csp.md
@@ -19,10 +19,21 @@ The DeveloperSetup configuration service provider (CSP) is used to configure Dev
> [!NOTE]
> The DeveloperSetup configuration service provider (CSP) is only supported in Windows 10 Holographic Enterprise edition and with runtime provisioning via provisioning packages. It is not supported in MDM.
-The following diagram shows the DeveloperSetup configuration service provider in tree format.
-
-
-
+The following shows the DeveloperSetup configuration service provider in tree format.
+```
+./Device/Vendor/MSFT
+DeveloperSetup
+----EnableDeveloperMode
+----DevicePortal
+--------Authentication
+------------Mode
+------------BasicAuth
+----------------Username
+----------------Password
+--------Connection
+------------HttpPort
+------------HttpsPort
+```
**DeveloperSetup**
-
-
The operation cost of running one or more instances of Server 2016 on-premises.
- Device Health Attestation - Enterprise Managed Cloud
-Device Health Attestation - Enterprise-Managed Cloud
+
- [Experience/DisableCloudOptimizedContent](policy-csp-experience.md#experience-disablecloudoptimizedcontent)
- [LocalUsersAndGroups/Configure](policy-csp-localusersandgroups.md#localusersandgroups-configure)
- [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)
- [MixedReality/BrightnessButtonDisabled](policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled)
- [MixedReality/FallbackDiagnostics](policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics)
- [MixedReality/MicrophoneDisabled](policy-csp-mixedreality.md#mixedreality-microphonedisabled)
- [MixedReality/VolumeButtonDisabled](policy-csp-mixedreality.md#mixedreality-volumebuttondisabled)
- [Multitasking/BrowserAltTabBlowout](policy-csp-multitasking.md#multitasking-browseralttabblowout) |
+| [SurfaceHub CSP](surfacehub-csp.md) | Added the following new node:
-Properties/SleepMode |
+| [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) | Updated the description of the following node:
- Settings/AllowWindowsDefenderApplicationGuard |
## What’s new in MDM for Windows 10, version 2004
-
-
+| New or updated article | Description |
+|-----|-----|
+| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 2004:
-
-
-
-New or updated topic
-Description
-
-
-Policy CSP
-
-
-
-
-DevDetail CSP
-
Ext/Microsoft/DNSComputerName
-
-EnterpriseModernAppManagement CSP
-
IsStub
-
-
-SUPL CSP
-
FullVersion
- [ApplicationManagement/BlockNonAdminUserInstall](policy-csp-applicationmanagement.md#applicationmanagement-blocknonadminuserinstall)
- [Bluetooth/SetMinimumEncryptionKeySize](policy-csp-bluetooth.md#bluetooth-setminimumencryptionkeysize)
- [DeliveryOptimization/DOCacheHostSource](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehostsource)
- [DeliveryOptimization/DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxbackgrounddownloadbandwidth)
- [DeliveryOptimization/DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxforegrounddownloadbandwidth)
- [Education/AllowGraphingCalculator](policy-csp-education.md#education-allowgraphingcalculator)
- [TextInput/ConfigureJapaneseIMEVersion](policy-csp-textinput.md#textinput-configurejapaneseimeversion)
- [TextInput/ConfigureSimplifiedChineseIMEVersion](policy-csp-textinput.md#textinput-configuresimplifiedchineseimeversion)
- [TextInput/ConfigureTraditionalChineseIMEVersion](policy-csp-textinput.md#textinput-configuretraditionalchineseimeversion)
Updated the following policy in Windows 10, version 2004:
- [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost)
Deprecated the following policies in Windows 10, version 2004:
- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth)
- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth)
- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth) |
+| [DevDetail CSP](devdetail-csp.md) | Added the following new node:
- Ext/Microsoft/DNSComputerName |
+| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | Added the following new node:
- IsStub |
+| [SUPL CSP](supl-csp.md) | Added the following new node:
- FullVersion |
## What’s new in MDM for Windows 10, version 1909
-
-
+
+| New or updated article | Description |
+|-----|-----|
+| [BitLocker CSP](bitlocker-csp.md) | Added the following new nodes in Windows 10, version 1909:
-
-
-
-New or updated topic
-Description
-
-
-
-BitLocker CSP
-
Added the following new nodes in Windows 10, version 1909:
-ConfigureRecoveryPasswordRotation, RotateRecoveryPasswords, RotateRecoveryPasswordsStatus, RotateRecoveryPasswordsRequestID.
-
- ConfigureRecoveryPasswordRotation
- RotateRecoveryPasswords
- RotateRecoveryPasswordsStatus
- RotateRecoveryPasswordsRequestID|
## What’s new in MDM for Windows 10, version 1903
-
- [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground)
- [DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground)
- [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-allowdevicehealthmonitoring)
- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringscope)
- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination)
- [DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdeviceinstanceids)
- [DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdeviceinstanceids)
- [Experience/ShowLockOnUserTile](policy-csp-experience.md#experience-showlockonusertile)
- [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar)
- [InternetExplorer/DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
- [InternetExplorer/DisableCompatView](policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
- [InternetExplorer/DisableFeedsBackgroundSync](policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync)
- [InternetExplorer/DisableGeolocation](policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
- [InternetExplorer/DisableWebAddressAutoComplete](policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete)
- [InternetExplorer/NewTabDefaultPage](policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage)
- [Power/EnergySaverBatteryThresholdOnBattery](policy-csp-power.md#power-energysaverbatterythresholdonbattery)
- [Power/EnergySaverBatteryThresholdPluggedIn](policy-csp-power.md#power-energysaverbatterythresholdpluggedin)
- [Power/SelectLidCloseActionOnBattery](policy-csp-power.md#power-selectlidcloseactiononbattery)
- [Power/SelectLidCloseActionPluggedIn](policy-csp-power.md#power-selectlidcloseactionpluggedin)
- [Power/SelectPowerButtonActionOnBattery](policy-csp-power.md#power-selectpowerbuttonactiononbattery)
- [Power/SelectPowerButtonActionPluggedIn](policy-csp-power.md#power-selectpowerbuttonactionpluggedin)
- [Power/SelectSleepButtonActionOnBattery](policy-csp-power.md#power-selectsleepbuttonactiononbattery)
- [Power/SelectSleepButtonActionPluggedIn](policy-csp-power.md#power-selectsleepbuttonactionpluggedin)
- [Power/TurnOffHybridSleepOnBattery](policy-csp-power.md#power-turnoffhybridsleeponbattery)
- [Power/TurnOffHybridSleepPluggedIn](policy-csp-power.md#power-turnoffhybridsleeppluggedin)
- [Power/UnattendedSleepTimeoutOnBattery](policy-csp-power.md#power-unattendedsleeptimeoutonbattery)
- [Power/UnattendedSleepTimeoutPluggedIn](policy-csp-power.md#power-unattendedsleeptimeoutpluggedin)
- [Privacy/LetAppsActivateWithVoice](policy-csp-privacy.md#privacy-letappsactivatewithvoice)
- [Privacy/LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md#privacy-letappsactivatewithvoiceabovelock)
- [Search/AllowFindMyFiles](policy-csp-search.md#search-allowfindmyfiles)
- [ServiceControlManager/SvchostProcessMitigation](policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation)
- [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline)
- [System/TurnOffFileHistory](policy-csp-system.md#system-turnofffilehistory)
- [TimeLanguageSettings/ConfigureTimeZone](policy-csp-timelanguagesettings.md#timelanguagesettings-configuretimezone)
- [Troubleshooting/AllowRecommendations](policy-csp-troubleshooting.md#troubleshooting-allowrecommendations)
- [Update/AutomaticMaintenanceWakeUp](policy-csp-update.md#update-automaticmaintenancewakeup)
- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates)
- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates)
- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod)
- [WindowsLogon/AllowAutomaticRestartSignOn](policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon)
- [WindowsLogon/ConfigAutomaticRestartSignOn](policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon)
- [WindowsLogon/EnableFirstLogonAnimation](policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation)|
+| [Policy CSP - Audit](policy-csp-audit.md) | Added the new Audit policy CSP. |
+| [ApplicationControl CSP](applicationcontrol-csp.md) | Added the new CSP. |
+| [Defender CSP](defender-csp.md) | Added the following new nodes:
- Health/TamperProtectionEnabled
- Health/IsVirtualMachine
- Configuration
- Configuration/TamperProtection
- Configuration/EnableFileHashComputation |
+| [DiagnosticLog CSP](diagnosticlog-csp.md)
[DiagnosticLog DDF](diagnosticlog-ddf.md) | Added version 1.4 of the CSP in Windows 10, version 1903.
Added the new 1.4 version of the DDF.
Added the following new nodes:
- Policy
- Policy/Channels
- Policy/Channels/ChannelName
- Policy/Channels/ChannelName/MaximumFileSize
- Policy/Channels/ChannelName/SDDL
- Policy/Channels/ChannelName/ActionWhenFull
- Policy/Channels/ChannelName/Enabled
- DiagnosticArchive
- DiagnosticArchive/ArchiveDefinition
- DiagnosticArchive/ArchiveResults |
+| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) | Added the new CSP. |
+| [PassportForWork CSP](passportforwork-csp.md) | Added the following new nodes:
- SecurityKey
- SecurityKey/UseSecurityKeyForSignin |
+
## What’s new in MDM for Windows 10, version 1809
-
-
+| New or updated article | Description |
+|-----|-----|
+|[Policy CSP](policy-configuration-service-provider.md) | Added the following new policy settings in Windows 10, version 1809:
-
-
-
-New or updated topic
-Description
-
-
-Policy CSP
-
-
-
-
-PassportForWork CSP
-
-
-EnterpriseModernAppManagement CSP
-
-
-Win32CompatibilityAppraiser CSP
-
-
-WindowsLicensing CSP
-
-
-SUPL CSP
-
-
-Defender CSP
-
-
-BitLocker CSP
-
-
-DevDetail CSP
-
-
-Wifi CSP
-
-
-WindowsDefenderApplicationGuard CSP
-
-
-RemoteWipe CSP
-
-
-TenantLockdown CSP
-
-
-
-Office CSP
-
- ApplicationManagement/LaunchAppAfterLogOn
- ApplicationManagement/ScheduleForceRestartForUpdateFailures
- Authentication/EnableFastFirstSignIn (Preview mode only)
- Authentication/EnableWebSignIn (Preview mode only)
- Authentication/PreferredAadTenantDomainName
- Browser/AllowFullScreenMode
- Browser/AllowPrelaunch
- Browser/AllowPrinting
- Browser/AllowSavingHistory
- Browser/AllowSideloadingOfExtensions
- Browser/AllowTabPreloading
- Browser/AllowWebContentOnNewTabPage
- Browser/ConfigureFavoritesBar
- Browser/ConfigureHomeButton
- Browser/ConfigureKioskMode
- Browser/ConfigureKioskResetAfterIdleTimeout
- Browser/ConfigureOpenMicrosoftEdgeWith
- Browser/ConfigureTelemetryForMicrosoft365Analytics
- Browser/PreventCertErrorOverrides
- Browser/SetHomeButtonURL
- Browser/SetNewTabPageURL
- Browser/UnlockHomeButton
- Defender/CheckForSignaturesBeforeRunningScan
- Defender/DisableCatchupFullScan
- Defender/DisableCatchupQuickScan
- Defender/EnableLowCPUPriority
- Defender/SignatureUpdateFallbackOrder
- Defender/SignatureUpdateFileSharesSources
- DeviceGuard/ConfigureSystemGuardLaunch
- DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
- DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
- DeviceInstallation/PreventDeviceMetadataFromNetwork
- DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
- DmaGuard/DeviceEnumerationPolicy
- Experience/AllowClipboardHistory
- Experience/DoNotSyncBrowserSettings
- Experience/PreventUsersFromTurningOnBrowserSyncing
- Kerberos/UPNNameHints
- Privacy/AllowCrossDeviceClipboard
- Privacy/DisablePrivacyExperience
- Privacy/UploadUserActivities
- Security/RecoveryEnvironmentAuthentication
- System/AllowDeviceNameInDiagnosticData
- System/ConfigureMicrosoft365UploadEndpoint
- System/DisableDeviceDelete
- System/DisableDiagnosticDataViewer
- Storage/RemovableDiskDenyWriteAccess
- TaskManager/AllowEndTask
- Update/DisableWUfBSafeguards
- Update/EngagedRestartDeadlineForFeatureUpdates
- Update/EngagedRestartSnoozeScheduleForFeatureUpdates
- Update/EngagedRestartTransitionScheduleForFeatureUpdates
- Update/SetDisablePauseUXAccess
- Update/SetDisableUXWUAccess
- WindowsDefenderSecurityCenter/DisableClearTpmButton
- WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning
- WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl
- WindowsLogon/DontDisplayNetworkSelectionUI |
+| [BitLocker CSP](bitlocker-csp.md) | Added a new node AllowStandardUserEncryption in Windows 10, version 1809. Added support for Windows 10 Pro. |
+| [Defender CSP](defender-csp.md) | Added a new node Health/ProductStatus in Windows 10, version 1809. |
+| [DevDetail CSP](devdetail-csp.md) | Added a new node SMBIOSSerialNumber in Windows 10, version 1809. |
+| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | Added NonRemovable setting under AppManagement node in Windows 10, version 1809. |
+| [Office CSP](office-csp.md) | Added FinalStatus setting in Windows 10, version 1809. |
+| [PassportForWork CSP](passportforwork-csp.md) | Added new settings in Windows 10, version 1809. |
+| [RemoteWipe CSP](remotewipe-csp.md) | Added new settings in Windows 10, version 1809. |
+| [SUPL CSP](supl-csp.md) | Added 3 new certificate nodes in Windows 10, version 1809. |
+| [TenantLockdown CSP](tenantlockdown-csp.md) | Added new CSP in Windows 10, version 1809. |
+| [Wifi CSP](wifi-csp.md) | Added a new node WifiCost in Windows 10, version 1809. |
+| [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) | Added new settings in Windows 10, version 1809. |
+| [WindowsLicensing CSP](windowslicensing-csp.md) | Added S mode settings and SyncML examples in Windows 10, version 1809. |
+| [Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md) | Added new configuration service provider in Windows 10, version 1809. |
+
## What’s new in MDM for Windows 10, version 1803
-
-
+| New or updated article | Description |
+|-----|-----|
+|[Policy CSP](policy-configuration-service-provider.md) | Added the following new policies for Windows 10, version 1803:
-
-
-
-New or updated topic
-Description
-
-
-Policy CSP
-
-
-
-
-BitLocker CSP
-
-
-DMClient CSP
-
-
-
-
-Defender CSP
-
-
-UEFI CSP
-
-
-Update CSP
-
-
-
-
-AssignedAccess CSP
-
-
-
-
-MultiSIM CSP
-
-
-EnterpriseModernAppManagement CSP
-
-
-
-
-eUICCs CSP
-
-
-
-
-DeviceStatus CSP
-
-
-
-
-AccountManagement CSP
-
-
-RootCATrustedCertificates CSP
-
-
-
-
-NetworkProxy CSP
-
-
-
-
-Accounts CSP
-
-
-MDM Migration Analysis Too (MMAT)
-
-
-
-CSP DDF files download
-
- ApplicationDefaults/EnableAppUriHandlers
- ApplicationManagement/MSIAllowUserControlOverInstall
- ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges
- Bluetooth/AllowPromptedProximalConnections
- Browser/AllowConfigurationUpdateForBooksLibrary
- Browser/AlwaysEnableBooksLibrary
- Browser/EnableExtendedBooksTelemetry
- Browser/UseSharedFolderForBooks
- Connectivity/AllowPhonePCLinking
- DeliveryOptimization/DODelayBackgroundDownloadFromHttp
- DeliveryOptimization/DODelayForegroundDownloadFromHttp
- DeliveryOptimization/DOGroupIdSource
- DeliveryOptimization/DOPercentageMaxBackDownloadBandwidth
- DeliveryOptimization/DOPercentageMaxForeDownloadBandwidth
- DeliveryOptimization/DORestrictPeerSelectionBy
- DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth
- DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth
- Display/DisablePerProcessDpiForApps
- Display/EnablePerProcessDpi
- Display/EnablePerProcessDpiForApps
- Experience/AllowWindowsSpotlightOnSettings
- KioskBrowser/BlockedUrlExceptions
- KioskBrowser/BlockedUrls
- KioskBrowser/DefaultURL
- KioskBrowser/EnableEndSessionButton
- KioskBrowser/EnableHomeButton
- KioskBrowser/EnableNavigationButtons
- KioskBrowser/RestartOnIdleTime
- LanmanWorkstation/EnableInsecureGuestLogons
- LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon
- LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia
- LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters
- LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly
- LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior
- LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
- LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers
- LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways
- LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees
- LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts
- LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares
- LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
- LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
- LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange
- LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel
- LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
- LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication
- LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic
- LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic
- LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers
- LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile
- LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation
- LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode
- Notifications/DisallowCloudNotification
- RestrictedGroups/ConfigureGroupMembership
- Search/AllowCortanaInAAD
- Search/DoNotUseWebResults
- Security/ConfigureWindowsPasswords
- Start/DisableContextMenus
- System/FeedbackHubAlwaysSaveDiagnosticsLocally
- SystemServices/ConfigureHomeGroupListenerServiceStartupMode
- SystemServices/ConfigureHomeGroupProviderServiceStartupMode
- SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode
- SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode
- SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode
- SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode
- TaskScheduler/EnableXboxGameSaveTask
- TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode
- TextInput/ForceTouchKeyboardDockedState
- TextInput/TouchKeyboardDictationButtonAvailability
- TextInput/TouchKeyboardEmojiButtonAvailability
- TextInput/TouchKeyboardFullModeAvailability
- TextInput/TouchKeyboardHandwritingModeAvailability
- TextInput/TouchKeyboardNarrowModeAvailability
- TextInput/TouchKeyboardSplitModeAvailability
- TextInput/TouchKeyboardWideModeAvailability
- Update/ConfigureFeatureUpdateUninstallPeriod
- Update/TargetReleaseVersion
- UserRights/AccessCredentialManagerAsTrustedCaller
- UserRights/AccessFromNetwork
- UserRights/ActAsPartOfTheOperatingSystem
- UserRights/AllowLocalLogOn
- UserRights/BackupFilesAndDirectories
- UserRights/ChangeSystemTime
- UserRights/CreateGlobalObjects
- UserRights/CreatePageFile
- UserRights/CreatePermanentSharedObjects
- UserRights/CreateSymbolicLinks
- UserRights/CreateToken
- UserRights/DebugPrograms
- UserRights/DenyAccessFromNetwork
- UserRights/DenyLocalLogOn
- UserRights/DenyRemoteDesktopServicesLogOn
- UserRights/EnableDelegation
- UserRights/GenerateSecurityAudits
- UserRights/ImpersonateClient
- UserRights/IncreaseSchedulingPriority
- UserRights/LoadUnloadDeviceDrivers
- UserRights/LockMemory
- UserRights/ManageAuditingAndSecurityLog
- UserRights/ManageVolume
- UserRights/ModifyFirmwareEnvironment
- UserRights/ModifyObjectLabel
- UserRights/ProfileSingleProcess
- UserRights/RemoteShutdown
- UserRights/RestoreFilesAndDirectories
- UserRights/TakeOwnership
- WindowsDefenderSecurityCenter/DisableAccountProtectionUI
- WindowsDefenderSecurityCenter/DisableDeviceSecurityUI
- WindowsDefenderSecurityCenter/HideRansomwareDataRecovery
- WindowsDefenderSecurityCenter/HideSecureBoot
- WindowsDefenderSecurityCenter/HideTPMTroubleshooting
- Security/RequireDeviceEncryption - updated to show it is supported in desktop. |
+| [Accounts CSP](accounts-csp.md) | Added a new CSP in Windows 10, version 1803. |
+| [AccountManagement CSP](accountmanagement-csp.md) | Added a new CSP in Windows 10, version 1803. |
+| [AssignedAccess CSP](assignedaccess-csp.md) | Added the following nodes in Windows 10, version 1803:
- Status
- ShellLauncher
- StatusConfiguration
Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in HoloLens (1st gen) Commercial Suite. Added example for HoloLens (1st gen) Commercial Suite. |
+| [BitLocker CSP](bitlocker-csp.md) | Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803. |
+| [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download) | Added the DDF download of Windows 10, version 1803 configuration service providers. |
+| [Defender CSP](defender-csp.md) | Added new node (OfflineScan) in Windows 10, version 1803. |
+| [DeviceStatus CSP](devicestatus-csp.md) | Added the following node in Windows 10, version 1803:
- OS/Mode |
+| [DMClient CSP](dmclient-csp.md) | Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:
- AADSendDeviceToken
- BlockInStatusPage
- AllowCollectLogsButton
- CustomErrorText
- SkipDeviceStatusPage
- SkipUserStatusPage |
+| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | Added the following node in Windows 10, version 1803:
- MaintainProcessorArchitectureOnUpdate |
+| [eUICCs CSP](euiccs-csp.md) | Added the following node in Windows 10, version 1803:
- IsEnabled |
+| [MDM Migration Analysis Too (MMAT)](https://aka.ms/mmat) | MDM Migration Analysis Too (MMAT)
Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies. |
+| [MultiSIM CSP](multisim-csp.md) | Added a new CSP in Windows 10, version 1803. |
+| [NetworkProxy CSP](networkproxy-csp.md) | Added the following node in Windows 10, version 1803:
- ProxySettingsPerUser |
+| [RootCATrustedCertificates CSP](rootcacertificates-csp.md) | Added the following node in Windows 10, version 1803:
- UntrustedCertificates |
+| [UEFI CSP](uefi-csp.md) | Added a new CSP in Windows 10, version 1803. |
+| [Update CSP](update-csp.md) | Added the following nodes in Windows 10, version 1803:
- Rollback
- Rollback/FeatureUpdate
- Rollback/QualityUpdateStatus
- Rollback/FeatureUpdateStatus |
## What’s new in MDM for Windows 10, version 1709
-
-
+| New or updated article | Description |
+|-----|-----|
+| The [The [MS-MDE2]: Mobile Device Enrollment Protocol Version 2](https://docs.microsoft.com/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692?redirectedfrom=MSDN) | The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:
-
-
-
-Item
-Description
-
-
-The [MS-MDE2]: Mobile Device Enrollment Protocol Version 2
-
-
-
-
-Firewall CSP
-
-
-eUICCs CSP
-
-
-WindowsDefenderApplicationGuard CSP
-New CSP added in Windows 10, version 1709. Also added the DDF topic WindowsDefenderApplicationGuard DDF file.
-
-
-CM_ProxyEntries CSP and CMPolicy CSP
-In Windows 10, version 1709, support for desktop SKUs were added to these CSPs. The table of SKU information in the Configuration service provider reference was updated.
-
-
-WindowsDefenderApplicationGuard CSP
-New CSP added in Windows 10, version 1709. Also added the DDF topic WindowsDefenderApplicationGuard DDF file.
-
-
-VPNv2 CSP
-
-
-DeviceStatus CSP
-
-
-
-
-AssignedAccess CSP
-
-
-
-
-DeviceManageability CSP
-
-
-
-
-Office CSP
-
-
-
-
-DMClient CSP
-
-
-Bitlocker CSP
-
-
-ADMX-backed policies in Policy CSP
-
-
-Microsoft Store for Business and Microsoft Store
-MDM enrollment of Windows-based devices
-
-
-
-
-Enroll a Windows 10 device automatically using Group Policy
-
-
-
-Policy CSP
-
-
-
- UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page.
-ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need.
- DomainName - fully qualified domain name if the device is domain-joined. |
+| [Firewall CSP](firewall-csp.md) | Added new CSP in Windows 10, version 1709. |
+| [eUICCs CSP](euiccs-csp.md) | Added new CSP in Windows 10, version 1709. |
+| [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)
[WindowsDefenderApplicationGuard DDF file](windowsdefenderapplicationguard-ddf-file.md) | New CSP added in Windows 10, version 1709. Also added the DDF topic. |
+| [CM_ProxyEntries CSP](cm-proxyentries-csp.md) and [CMPolicy CSP](cmpolicy-csp.md) | In Windows 10, version 1709, support for desktop SKUs were added to these CSPs. |
+| [VPNv2 CSP](vpnv2-csp.md) | Added DeviceTunnel and RegisterDNS settings in Windows 10, version 1709. |
+| [DeviceStatus CSP](devicestatus-csp.md) | Added the following settings in Windows 10, version 1709:
- DeviceStatus/DomainName
- DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq
- DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus
- DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus |
+| [AssignedAccess CSP](assignedaccess-csp.md) | Added the following setting in Windows 10, version 1709:
- Configuration
Starting in Windows 10, version 1709, AssignedAccess CSP is supported in Windows 10 Pro. |
+| [DeviceManageability CSP](devicemanageability-csp.md) | Added the following settings in Windows 10, version 1709:
- Provider/_ProviderID_/ConfigInfo
- Provider/_ProviderID_/EnrollmentInfo |
+| [Office CSP](office-csp.md) | Added the following setting in Windows 10, version 1709:
- Installation/CurrentStatus |
+| [DMClient CSP](dmclient-csp.md) | Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF articles. |
+| [Bitlocker CSP](bitlocker-csp.md) | Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709. |
+| [ADMX-backed policies in Policy CSP](policy-csps-admx-backed.md) | Added new policies. |
+| Microsoft Store for Business and Microsoft Store | Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store. |
+| [MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md) | New features in the Settings app:
- User sees installation progress of critical policies during MDM enrollment.
- User knows what policies, profiles, apps MDM has configured
- IT helpdesk can get detailed MDM diagnostic information using client tools
For details, see [Managing connection](https://docs.microsoft.com/windows/client-management/mdm/mdm-enrollment-of-windows-devices#manage-connections) and [Collecting diagnostic logs](https://docs.microsoft.com/windows/client-management/mdm/mdm-enrollment-of-windows-devices#collecting-diagnostic-logs).|
+| [Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md) | Added new topic to introduce a new Group Policy for automatic MDM enrollment. |
+| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies for Windows 10, version 1709:
- Authentication/AllowAadPasswordReset
- Authentication/AllowFidoDeviceSignon
- Browser/LockdownFavorites
- Browser/ProvisionFavorites
- Cellular/LetAppsAccessCellularData
- Cellular/LetAppsAccessCellularData_ForceAllowTheseApps
- Cellular/LetAppsAccessCellularData_ForceDenyTheseApps
- Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps
- CredentialProviders/DisableAutomaticReDeploymentCredentials
- DeviceGuard/EnableVirtualizationBasedSecurity
- DeviceGuard/RequirePlatformSecurityFeatures
- DeviceGuard/LsaCfgFlags
- DeviceLock/MinimumPasswordAge
- ExploitGuard/ExploitProtectionSettings
- Games/AllowAdvancedGamingServices
- Handwriting/PanelDefaultModeDocked
- LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
- LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
- LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount
- LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount
- LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
- LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn
- LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn
- LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL
- LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
- LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn
- LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
- LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM
- LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
- LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
- LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
- LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
- LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
- LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated
- LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
- LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
- LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
- LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
- Power/DisplayOffTimeoutOnBattery
- Power/DisplayOffTimeoutPluggedIn
- Power/HibernateTimeoutOnBattery
- Power/HibernateTimeoutPluggedIn
- Power/StandbyTimeoutOnBattery
- Power/StandbyTimeoutPluggedIn
- Privacy/EnableActivityFeed
- Privacy/PublishUserActivities
- Defender/AttackSurfaceReductionOnlyExclusions
- Defender/AttackSurfaceReductionRules
- Defender/CloudBlockLevel
- Defender/CloudExtendedTimeout
- Defender/ControlledFolderAccessAllowedApplications
- Defender/ControlledFolderAccessProtectedFolders
- Defender/EnableControlledFolderAccess
- Defender/EnableNetworkProtection
- Education/DefaultPrinterName
- Education/PreventAddingNewPrinters
- Education/PrinterNames
- Search/AllowCloudSearch
- Security/ClearTPMIfNotReady
- Settings/AllowOnlineTips
- Start/HidePeopleBar
- Storage/AllowDiskHealthModelUpdates
- System/DisableEnterpriseAuthProxy
- System/LimitEnhancedDiagnosticDataWindowsAnalytics
- Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork
- Update/DisableDualScan
- Update/ManagePreviewBuilds
- Update/ScheduledInstallEveryWeek
- Update/ScheduledInstallFirstWeek
- Update/ScheduledInstallFourthWeek
- Update/ScheduledInstallSecondWeek
- Update/ScheduledInstallThirdWeek
- WindowsDefenderSecurityCenter/CompanyName
- WindowsDefenderSecurityCenter/DisableAppBrowserUI
- WindowsDefenderSecurityCenter/DisableEnhancedNotifications
- WindowsDefenderSecurityCenter/DisableFamilyUI
- WindowsDefenderSecurityCenter/DisableHealthUI
- WindowsDefenderSecurityCenter/DisableNetworkUI
- WindowsDefenderSecurityCenter/DisableNotifications
- WindowsDefenderSecurityCenter/DisableVirusUI
- WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride
- WindowsDefenderSecurityCenter/Email
- WindowsDefenderSecurityCenter/EnableCustomizedToasts
- WindowsDefenderSecurityCenter/EnableInAppCustomization
- WindowsDefenderSecurityCenter/Phone
- WindowsDefenderSecurityCenter/URL
- WirelessDisplay/AllowMdnsAdvertisement
- WirelessDisplay/AllowMdnsDiscovery |
+
## What’s new in MDM for Windows 10, version 1703
-
-
-
+| New or updated article | Description |
+|-----|-----|
+| [Update CSP](update-csp.md) | Added the following nodes:
-
-
-
-Item
-Description
-
-
-
-
-
-
-
-CM_CellularEntries CSP
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-SecureAssessment CSP
-
-
-
-
-EnterpriseAPN CSP
-
-
-
-
-Messaging CSP
-
-
-Policy CSP
-
-
-
-DevDetail CSP
-
-
-
-
-CleanPC CSP
-
-
-DeveloperSetup CSP
-
-
-NetworkProxy CSP
-
-
-BitLocker CSP
-
-
-
-
-EnterpriseDataProtection CSP
-
-
-
-DynamicManagement CSP
-
-
-Implement server-side support for mobile application management on Windows
-
-
-
-
-
-
-Office CSP
-
-
-Personalization CSP
-
-
-EnterpriseAppVManagement CSP
-
-
-HealthAttestation CSP
-
-
-
-
-
-
-
-
-NetworkQoSPolicy CSP
-
-
-
-
-
-
-
-WindowsAdvancedThreatProtection CSP
-
-
-
-
-DMSessionActions CSP
-
-
-SharedPC CSP
-
-
-
-
-RemoteLock CSP
-
-
-
-
-NodeCache CSP
-
-
-
-
-Download all the DDF files for Windows 10, version 1703
-
-
-RemoteWipe CSP
-
-
-
-
-MDM Bridge WMI Provider
-Understanding ADMX-backed policies
-
-
-Win32 and Desktop Bridge app policy configuration
-New topic.
-
-
-Deploy and configure App-V apps using MDM
-
-
-EnterpriseDesktopAppManagement CSP
-
-
-
-
-Reporting CSP
-
-
-
-
-Connect your Windows 10-based device to work using a deep link
-
-
-
-
-MDM support for Windows 10 S
-
-
-
-TPMPolicy CSP
-New CSP added in Windows 10, version 1703.
-
- FailedUpdates/_Failed Update Guid_/RevisionNumber
- InstalledUpdates/_Installed Update Guid_/RevisionNumber
- PendingRebootUpdates/_Pending Reboot Update Guid_/RevisionNumber |
+| [CM_CellularEntries CSP](cm-cellularentries-csp.md) | To PurposeGroups setting, added the following values:
- Purchase - 95522B2B-A6D1-4E40-960B-05E6D3F962AB
- Administrative - 2FFD9261-C23C-4D27-8DCF-CDE4E14A3364 |
+| [CertificateStore CSP](certificatestore-csp.md) | Added the following setting:
- My/WSTEP/Renew/RetryAfterExpiryInterval |
+| [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) | Added the following setting:
- SCEP/UniqueID/Install/AADKeyIdentifierList |
+| [DMAcc CSP](dmacc-csp.md) | Added the following setting:
- AccountUID/EXT/Microsoft/InitiateSession |
+| [DMClient CSP](dmclient-csp.md) | Added the following nodes and settings:
- HWDevID
- Provider/ProviderID/ManagementServerToUpgradeTo
- Provider/ProviderID/CustomEnrollmentCompletePage
- Provider/ProviderID/CustomEnrollmentCompletePage/Title
- Provider/ProviderID/CustomEnrollmentCompletePage/BodyText
- Provider/ProviderID/CustomEnrollmentCompletePage/HyperlinkHref
- Provider/ProviderID/CustomEnrollmentCompletePage/HyperlinkText |
+| [CellularSettings CSP](cellularsettings-csp.md)
[CM_CellularEntries CSP](cm-cellularentries-csp.md)
[EnterpriseAPN CSP](enterpriseapn-csp.md) | For these CSPs, support was added for Windows 10 Home, Pro, Enterprise, and Education editions. |
+| [SecureAssessment CSP](secureassessment-csp.md) | Added the following settings:
- AllowTextSuggestions
- RequirePrinting |
+| [EnterpriseAPN CSP](enterpriseapn-csp.md) | Added the following setting:
- Roaming |
+| [Messaging CSP](messaging-csp.md) | Added new CSP. This CSP is only supported in Windows 10 Mobile and Mobile Enterprise editions. |
+| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies:
- Accounts/AllowMicrosoftAccountSignInAssistant
- ApplicationDefaults/DefaultAssociationsConfiguration
- Browser/AllowAddressBarDropdown
- Browser/AllowFlashClickToRun
- Browser/AllowMicrosoftCompatibilityList
- Browser/AllowSearchEngineCustomization
- Browser/ClearBrowsingDataOnExit
- Browser/ConfigureAdditionalSearchEngines
- Browser/DisableLockdownOfStartPages
- Browser/PreventFirstRunPage
- Browser/PreventLiveTileDataCollection
- Browser/SetDefaultSearchEngine
- Browser/SyncFavoritesBetweenIEAndMicrosoftEdge
- Connectivity/AllowConnectedDevices
- DeliveryOptimization/DOAllowVPNPeerCaching
- DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload
- DeliveryOptimization/DOMinDiskSizeAllowedToPeer
- DeliveryOptimization/DOMinFileSizeToCache
- DeliveryOptimization/DOMinRAMAllowedToPeer
- DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay
- Display/TurnOffGdiDPIScalingForApps
- Display/TurnOnGdiDPIScalingForApps
- EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint
- EnterpriseCloudPrint/CloudPrintOAuthAuthority
- EnterpriseCloudPrint/CloudPrintOAuthClientId
- EnterpriseCloudPrint/CloudPrintResourceId
- EnterpriseCloudPrint/DiscoveryMaxPrinterLimit
- EnterpriseCloudPrint/MopriaDiscoveryResourceId
- Experience/AllowFindMyDevice
- Experience/AllowTailoredExperiencesWithDiagnosticData
- Experience/AllowWindowsSpotlightOnActionCenter
- Experience/AllowWindowsSpotlightWindowsWelcomeExperience
- Location/EnableLocation
- Messaging/AllowMMS
- Messaging/AllowRCS
- Privacy/LetAppsAccessTasks
- Privacy/LetAppsAccessTasks_ForceAllowTheseApps
- Privacy/LetAppsAccessTasks_ForceDenyTheseApps
- Privacy/LetAppsAccessTasks_UserInControlOfTheseApps
- Privacy/LetAppsGetDiagnosticInfo
- Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps
- Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps
- Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps
- Privacy/LetAppsRunInBackground
- Privacy/LetAppsRunInBackground_ForceAllowTheseApps
- Privacy/LetAppsRunInBackground_ForceDenyTheseApps
- Privacy/LetAppsRunInBackground_UserInControlOfTheseApps
- Settings/ConfigureTaskbarCalendar
- Settings/PageVisibilityList
- SmartScreen/EnableAppInstallControl
- SmartScreen/EnableSmartScreenInShell
- SmartScreen/PreventOverrideForFilesInShell
- Start/AllowPinnedFolderDocuments
- Start/AllowPinnedFolderDownloads
- Start/AllowPinnedFolderFileExplorer
- Start/AllowPinnedFolderHomeGroup
- Start/AllowPinnedFolderMusic
- Start/AllowPinnedFolderNetwork
- Start/AllowPinnedFolderPersonalFolder
- Start/AllowPinnedFolderPictures
- Start/AllowPinnedFolderSettings
- Start/AllowPinnedFolderVideos
- Start/HideAppList
- Start/HideChangeAccountSettings
- Start/HideFrequentlyUsedApps
- Start/HideHibernate
- Start/HideLock
- Start/HidePowerButton
- Start/HideRecentJumplists
- Start/HideRecentlyAddedApps
- Start/HideRestart
- Start/HideShutDown
- Start/HideSignOut
- Start/HideSleep
- Start/HideSwitchAccount
- Start/HideUserTile
- Start/ImportEdgeAssets
- Start/NoPinningToTaskbar
- System/AllowFontProviders
- System/DisableOneDriveFileSync
- TextInput/AllowKeyboardTextSuggestions
- TimeLanguageSettings/AllowSet24HourClock
- Update/ActiveHoursMaxRange
- Update/AutoRestartDeadlinePeriodInDays
- Update/AutoRestartNotificationSchedule
- Update/AutoRestartRequiredNotificationDismissal
- Update/DetectionFrequency
- Update/EngagedRestartDeadline
- Update/EngagedRestartSnoozeSchedule
- Update/EngagedRestartTransitionSchedule
- Update/IgnoreMOAppDownloadLimit
- Update/IgnoreMOUpdateDownloadLimit
- Update/PauseFeatureUpdatesStartTime
- Update/PauseQualityUpdatesStartTime
- Update/SetAutoRestartNotificationDisable
- Update/SetEDURestart
- WiFi/AllowWiFiDirect
- WindowsLogon/HideFastUserSwitching
- WirelessDisplay/AllowProjectionFromPC
- WirelessDisplay/AllowProjectionFromPCOverInfrastructure
- WirelessDisplay/AllowProjectionToPCOverInfrastructure
- WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver
Removed TextInput/AllowLinguisticDataCollection
Starting in Windows 10, version 1703, Update/UpdateServiceUrl is not supported in Windows 10 Mobile Enterprise and IoT Enterprise
Starting in Windows 10, version 1703, the maximum value of Update/DeferFeatureUpdatesPeriodInDays has been increased from 180 days, to 365 days.
Starting in Windows 10, version 1703, in Browser/HomePages you can use the "<about:blank>" value if you don’t want to send traffic to Microsoft.
Starting in Windows 10, version 1703, Start/StartLayout can now be set on a per-device basis in addition to the pre-existing per-user basis.
Added the ConfigOperations/ADMXInstall node and setting, which is used to ingest ADMX files. |
+| [DevDetail CSP](devdetail-csp.md) | Added the following setting:
- DeviceHardwareData |
+| [CleanPC CSP](cleanpc-csp.md) | Added the new CSP. |
+| [DeveloperSetup CSP](developersetup-csp.md) | Added the new CSP. |
+| [NetworkProxy CSP](networkproxy-csp.md) | Added the new CSP. |
+| [BitLocker CSP](bitlocker-csp.md) | Added the new CSP.
- AllowWarningForOtherDiskEncryption |
+| [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) | Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported.
Added the following settings:
- RevokeOnMDMHandoff
- SMBAutoEncryptedFileExtensions |
+| [DynamicManagement CSP](dynamicmanagement-csp.md) | Added the new CSP. |
+| [Implement server-side support for mobile application management on Windows](https://docs.microsoft.com/windows/client-management/mdm/implement-server-side-mobile-application-management) | New mobile application management (MAM) support added in Windows 10, version 1703. |
+| [PassportForWork CSP](passportforwork-csp.md) | Added the following new node and settings:
- _TenantId_/Policies/ExcludeSecurityDevices (only for ./Device/Vendor/MSFT)
- _TenantId_/Policies/ExcludeSecurityDevices/TPM12 (only for ./Device/Vendor/MSFT)
- _TenantId_/Policies/EnablePinRecovery |
+| [Office CSP](office-csp.md) | Added the new CSP. |
+| [Personalization CSP](personalization-csp.md) | Added the new CSP. |
+| [EnterpriseAppVManagement CSP](enterpriseappvmanagement-csp.md) | Added the new CSP. |
+| [HealthAttestation CSP](healthattestation-csp.md) | Added the following settings:
- HASEndpoint - added in Windows 10, version 1607, but not documented
- TpmReadyStatus - added in the March service release of Windows 10, version 1607 |
+| [SurfaceHub CSP](surfacehub-csp.md) | Added the following nodes and settings:
- InBoxApps/SkypeForBusiness
- InBoxApps/SkypeForBusiness/DomainName
- InBoxApps/Connect
- InBoxApps/Connect/AutoLaunch
- Properties/DefaultVolume
- Properties/ScreenTimeout
- Properties/SessionTimeout
- Properties/SleepTimeout
- Properties/AllowSessionResume
- Properties/AllowAutoProxyAuth
- Properties/DisableSigninSuggestions
- Properties/DoNotShowMyMeetingsAndFiles |
+| [NetworkQoSPolicy CSP](networkqospolicy-csp.md) | Added the new CSP. |
+| [WindowsLicensing CSP](windowslicensing-csp.md) | Added the following setting:
- ChangeProductKey |
+| [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md) | Added the following setting:
- Configuration/TelemetryReportingFrequency |
+| [DMSessionActions CSP](dmsessionactions-csp.md) | Added the new CSP. |
+| [SharedPC CSP](dmsessionactions-csp.md) | Added new settings in Windows 10, version 1703:
- RestrictLocalStorage
- KioskModeAUMID
- KioskModeUserTileDisplayText
- InactiveThreshold
- MaxPageFileSizeMB
The default value for SetEduPolicies changed to false. The default value for SleepTimeout changed to 300. |
+| [RemoteLock CSP](remotelock-csp.md) | Added following setting:
- LockAndRecoverPIN |
+| [NodeCache CSP](nodecache-csp.md) | Added following settings:
- ChangedNodesData
- AutoSetExpectedValue |
+| [Download all the DDF files for Windows 10, version 1703](https://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) | Added a zip file containing the DDF XML files of the CSPs. The link to the download is available in the DDF articles of various CSPs. |
+| [RemoteWipe CSP](remotewipe-csp.md) | Added new setting in Windows 10, version 1703:
- doWipeProtected |
+| [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/hardware/dn905224) | Added new classes and properties. |
+| [Understanding ADMX-backed policies](https://docs.microsoft.com/windows/client-management/mdm/understanding-admx-backed-policies) | Added a section describing SyncML examples of various ADMX elements. |
+| [Win32 and Desktop Bridge app policy configuration](https://docs.microsoft.com/windows/client-management/mdm/win32-and-centennial-app-policy-configuration) | New article. |
+| [Deploy and configure App-V apps using MDM](https://docs.microsoft.com/windows/client-management/mdm/appv-deploy-and-config) | Added a new article describing how to deploy and configure App-V apps using MDM. |
+| [EnterpriseDesktopAppManagement CSP](enterprisedesktopappmanagement-csp.md) | Added new setting in the March service release of Windows 10, version 1607.
- MSI/UpgradeCode/[Guid] |
+| [Reporting CSP](reporting-csp.md) | Added new settings in Windows 10, version 1703.
- EnterpriseDataProtection/RetrieveByTimeRange/Type
- EnterpriseDataProtection/RetrieveByCount/Type |
+| [Connect your Windows 10-based device to work using a deep link](https://docs.microsoft.com/windows/client-management/mdm/mdm-enrollment-of-windows-devices#connect-your-windows-10-based-device-to-work-using-a-deep-link) | Added following deep link parameters to the table:
- Username
- Servername
- Accesstoken
- Deviceidentifier
- Tenantidentifier
- Ownership |
+| MDM support for Windows 10 S | Updated the following articles to indicate MDM support in Windows 10 S.
- [Configuration service provider reference](configuration-service-provider-reference.md)
- [Policy CSP](policy-configuration-service-provider.md) |
+| [TPMPolicy CSP](tpmpolicy-csp.md) | Added the new CSP. |
## What’s new in MDM for Windows 10, version 1607
-
-
+| New or updated article | Description |
+|-----|-----|
+| Sideloading of apps | Starting in Windows 10, version 1607, sideloading of apps is only allowed through [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md). Product keys (5x5) will no longer be supported to enable sideloading on Windows 10, version 1607 devices. |
+| [NodeCache CSP](nodecache-csp.md) | The value of NodeCache root node starting in Windows 10, version 1607 is com.microsoft/1.0/MDM/NodeCache. |
+| [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) | New CSP. |
+| [Policy CSP](policy-configuration-service-provider.md) | Removed the following policies:
-
-
-
-Item
-Description
-
-
-
-
-
-
-EnterpriseDataProtection CSP
-
-
-Policy CSP
-
-
-
-
-
-
-
-
-DMClient CSP
-
-
-
-
-DeviceManageability CSP
-
-
-DeviceStatus CSP
-
-
-
-AssignedAccess CSP
-
-
-EnterpriseAssignedAccess CSP
-
-
-
-SecureAssessment CSP
-
-
-DiagnosticLog CSP
-
-
-
-
-Reboot CSP
-
-
-CMPolicyEnterprise CSP
-
-
-VPNv2 CSP
-
-
-
-Win32AppInventory CSP
-
-
-
-SharedPC CSP
-
-
-WindowsAdvancedThreatProtection CSP
-
-
-MDM Bridge WMI Provider
-
-
-MDM enrollment of Windows devices
-
-
-UnifiedWriteFilter CSP
-
-
-
-
-CertificateStore CSP
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- DataProtection/AllowAzureRMSForEDP - moved this policy to [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
- DataProtection/AllowUserDecryption - moved this policy to [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
- DataProtection/EDPEnforcementLevel - moved this policy to [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
- DataProtection/RequireProtectionUnderLockConfig - moved this policy to [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
- DataProtection/RevokeOnUnenroll - moved this policy to [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
- DataProtection/EnterpriseCloudResources - moved this policy to NetworkIsolation policy
- DataProtection/EnterpriseInternalProxyServers - moved this policy to NetworkIsolation policy
- DataProtection/EnterpriseIPRange - moved this policy to NetworkIsolation policy
- DataProtection/EnterpriseNetworkDomainNames - moved this policy to NetworkIsolation policy
- DataProtection/EnterpriseProxyServers - moved this policy to NetworkIsolation policy
- Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices - this policy has been deprecated.
Added the WiFi/AllowManualWiFiConfiguration and WiFi/AllowWiFi policies for Windows 10, version 1607:
- Windows 10 Pro
- Windows 10 Enterprise
- Windows 10 Education
Added the following new policies:
- AboveLock/AllowCortanaAboveLock
- ApplicationManagement/DisableStoreOriginatedApps
- Authentication/AllowSecondaryAuthenticationDevice
- Bluetooth/AllowPrepairing
- Browser/AllowExtensions
- Browser/PreventAccessToAboutFlagsInMicrosoftEdge
- Browser/ShowMessageWhenOpeningSitesInInternetExplorer
- DeliveryOptimization/DOAbsoluteMaxCacheSize
- DeliveryOptimization/DOMaxDownloadBandwidth
- DeliveryOptimization/DOMinBackgroundQoS
- DeliveryOptimization/DOModifyCacheDrive
- DeliveryOptimization/DOMonthlyUploadDataCap
- DeliveryOptimization/DOPercentageMaxDownloadBandwidth
- DeviceLock/EnforceLockScreenAndLogonImage
- DeviceLock/EnforceLockScreenProvider
- Defender/PUAProtection
- Experience/AllowThirdPartySuggestionsInWindowsSpotlight
- Experience/AllowWindowsSpotlight
- Experience/ConfigureWindowsSpotlightOnLockScreen
- Experience/DoNotShowFeedbackNotifications
- Licensing/AllowWindowsEntitlementActivation
- Licensing/DisallowKMSClientOnlineAVSValidation
- LockDown/AllowEdgeSwipe
- Maps/EnableOfflineMapsAutoUpdate
- Maps/AllowOfflineMapsDownloadOverMeteredConnection
- Messaging/AllowMessageSync
- NetworkIsolation/EnterpriseCloudResources
- NetworkIsolation/EnterpriseInternalProxyServers
- NetworkIsolation/EnterpriseIPRange
- NetworkIsolation/EnterpriseIPRangesAreAuthoritative
- NetworkIsolation/EnterpriseNetworkDomainNames
- NetworkIsolation/EnterpriseProxyServers
- NetworkIsolation/EnterpriseProxyServersAreAuthoritative
- NetworkIsolation/NeutralResources
- Notifications/DisallowNotificationMirroring
- Privacy/DisableAdvertisingId
- Privacy/LetAppsAccessAccountInfo
- Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps
- Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps
- Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps
- Privacy/LetAppsAccessCalendar
- Privacy/LetAppsAccessCalendar_ForceAllowTheseApps
- Privacy/LetAppsAccessCalendar_ForceDenyTheseApps
- Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps
- Privacy/LetAppsAccessCallHistory
- Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps
- Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps
- Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps
- Privacy/LetAppsAccessCamera
- Privacy/LetAppsAccessCamera_ForceAllowTheseApps
- Privacy/LetAppsAccessCamera_ForceDenyTheseApps
- Privacy/LetAppsAccessCamera_UserInControlOfTheseApps
- Privacy/LetAppsAccessContacts
- Privacy/LetAppsAccessContacts_ForceAllowTheseApps
- Privacy/LetAppsAccessContacts_ForceDenyTheseApps
- Privacy/LetAppsAccessContacts_UserInControlOfTheseApps
- Privacy/LetAppsAccessEmail
- Privacy/LetAppsAccessEmail_ForceAllowTheseApps
- Privacy/LetAppsAccessEmail_ForceDenyTheseApps
- Privacy/LetAppsAccessEmail_UserInControlOfTheseApps
- Privacy/LetAppsAccessLocation
- Privacy/LetAppsAccessLocation_ForceAllowTheseApps
- Privacy/LetAppsAccessLocation_ForceDenyTheseApps
- Privacy/LetAppsAccessLocation_UserInControlOfTheseApps
- Privacy/LetAppsAccessMessaging
- Privacy/LetAppsAccessMessaging_ForceAllowTheseApps
- Privacy/LetAppsAccessMessaging_ForceDenyTheseApps
- Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps
- Privacy/LetAppsAccessMicrophone
- Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps
- Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps
- Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps
- Privacy/LetAppsAccessMotion
- Privacy/LetAppsAccessMotion_ForceAllowTheseApps
- Privacy/LetAppsAccessMotion_ForceDenyTheseApps
- Privacy/LetAppsAccessMotion_UserInControlOfTheseApps
- Privacy/LetAppsAccessNotifications
- Privacy/LetAppsAccessNotifications_ForceAllowTheseApps
- Privacy/LetAppsAccessNotifications_ForceDenyTheseApps
- Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps
- Privacy/LetAppsAccessPhone
- Privacy/LetAppsAccessPhone_ForceAllowTheseApps
- Privacy/LetAppsAccessPhone_ForceDenyTheseApps
- Privacy/LetAppsAccessPhone_UserInControlOfTheseApps
- Privacy/LetAppsAccessRadios
- Privacy/LetAppsAccessRadios_ForceAllowTheseApps
- Privacy/LetAppsAccessRadios_ForceDenyTheseApps
- Privacy/LetAppsAccessRadios_UserInControlOfTheseApps
- Privacy/LetAppsAccessTrustedDevices
- Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps
- Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps
- Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps
- Privacy/LetAppsSyncWithDevices
- Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps
- Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps
- Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps
- Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices
- Settings/AllowEditDeviceName
- Speech/AllowSpeechModelUpdate
- System/TelemetryProxy
- Update/ActiveHoursStart
- Update/ActiveHoursEnd
- Update/AllowMUUpdateService
- Update/BranchReadinessLevel
- Update/DeferFeatureUpdatesPeriodInDays
- Update/DeferQualityUpdatesPeriodInDays
- Update/ExcludeWUDriversInQualityUpdate
- Update/PauseFeatureUpdates
- Update/PauseQualityUpdates
- Update/SetProxyBehaviorForUpdateDetection
- Update/UpdateServiceUrlAlternate (Added in the January service release of Windows 10, version 1607)
- WindowsInkWorkspace/AllowWindowsInkWorkspace
- WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace
- WirelessDisplay/AllowProjectionToPC
- WirelessDisplay/RequirePinForPairing
Updated the Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts description to remove outdated information.
Updated DeliveryOptimization/DODownloadMode to add new values.
Updated Experience/AllowCortana description to clarify what each supported value does.
Updated Security/AntiTheftMode description to clarify what each supported value does. |
+| [DMClient CSP](dmclient-csp.md) | Added the following settings:
- ManagementServerAddressList
- AADDeviceID
- EnrollmentType
- HWDevID
- CommercialID
Removed the EnrollmentID setting. |
+| [DeviceManageability CSP](devicemanageability-csp.md) | New CSP. |
+| [DeviceStatus CSP](devicestatus-csp.md) | Added the following new settings:
- DeviceStatus/TPM/SpecificationVersion
- DeviceStatus/OS/Edition
- DeviceStatus/Antivirus/SignatureStatus
- DeviceStatus/Antivirus/Status
- DeviceStatus/Antispyware/SignatureStatus
- DeviceStatus/Antispyware/Status
- DeviceStatus/Firewall/Status
- DeviceStatus/UAC/Status
- DeviceStatus/Battery/Status
- DeviceStatus/Battery/EstimatedChargeRemaining
- DeviceStatus/Battery/EstimatedRuntime |
+| [AssignedAccess CSP](assignedaccess-csp.md) | Added SyncML examples. |
+| [EnterpriseAssignedAccess CSP](enterpriseassignedaccess-csp.md) | Added a new Folder table entry in the AssignedAccess/AssignedAccessXml description.
Updated the DDF and XSD file sections. |
+| [SecureAssessment CSP](secureassessment-csp.md) | New CSP. |
+| [DiagnosticLog CSP](diagnosticlog-csp.md)
[DiagnosticLog DDF](diagnosticlog-ddf.md) | Added version 1.3 of the CSP with two new settings.
Added the new 1.3 version of the DDF.
Added the following new settings in Windows 10, version 1607
- DeviceStateData
- DeviceStateData/MdmConfiguration |
+| [Reboot CSP](reboot-csp.md) | New CSP. |
+| [CMPolicyEnterprise CSP](cmpolicyenterprise-csp.md) | New CSP. |
+| [VPNv2 CSP](vpnv2-csp.md) | Added the following settings for Windows 10, version 1607:
- _ProfileName_/RouteList/routeRowId/ExclusionRoute
- _ProfileName_/DomainNameInformationList/_dniRowId_/AutoTrigger
- _ProfileName_/DomainNameInformationList/dniRowId/Persistent
- _ProfileName_/ProfileXML
- _ProfileName_/DeviceCompliance/Enabled
- _ProfileName_/DeviceCompliance/Sso
- _ProfileName_/DeviceCompliance/Sso/Enabled
- _ProfileName_/DeviceCompliance/Sso/IssuerHash
- _ProfileName_/DeviceCompliance/Sso/Eku
- _ProfileName_/NativeProfile/CryptographySuite
- _ProfileName_/NativeProfile/CryptographySuite/AuthenticationTransformConstants
- _ProfileName_/NativeProfile/CryptographySuite/CipherTransformConstants
- _ProfileName_/NativeProfile/CryptographySuite/EncryptionMethod
- _ProfileName_/NativeProfile/CryptographySuite/IntegrityCheckMethod
- _ProfileName_/NativeProfile/CryptographySuite/DHGroup
- _ProfileName_/NativeProfile/CryptographySuite/PfsGroup
- _ProfileName_/NativeProfile/L2tpPsk |
+| [Win32AppInventory CSP](win32appinventory-csp.md) | New CSP. |
+| [SharedPC CSP](sharedpc-csp.md) | New CSP. |
+| [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md) | New CSP. |
+| [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/hardware/dn905224) | Added new classes for Windows 10, version 1607. |
+| [MDM enrollment of Windows devices](mdm-enrollment-of-windows-devices.md) | Article renamed from "Enrollment UI".
Completely updated enrollment procedures and screenshots. |
+| [UnifiedWriteFilter CSP](unifiedwritefilter-csp.md)
[UnifiedWriteFilter DDF File](unifiedwritefilter-ddf.md) | Added the following new setting for Windows 10, version 1607:
- NextSession/HORMEnabled |
+| [CertificateStore CSP](certificatestore-csp.md)
[CertificateStore DDF file](certificatestore-ddf-file.md) | Added the following new settings in Windows 10, version 1607:
- My/WSTEP/Renew/LastRenewalAttemptTime
- My/WSTEP/Renew/RenewNow |
+| [WindowsLicensing CSP](windowslicensing-csp.md) | Added the following new node and settings in Windows 10, version 1607, but not documented:
- Subscriptions
- Subscriptions/SubscriptionId
- Subscriptions/SubscriptionId/Status
- Subscriptions/SubscriptionId/Name |
+| [WiFi CSP](wifi-csp.md) | Deprecated the following node in Windows 10, version 1607:
- DisableInternetConnectivityChecks |
## What’s new in MDM for Windows 10, version 1511
-
-
+| New or updated article | Description |
+|-----|-----|
+| New configuration service providers added in Windows 10, version 1511 | - [AllJoynManagement CSP](alljoynmanagement-csp.md)
-
-
-
-Item
-Description
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-MDM-GenericAlert: <AlertType1><AlertType2>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- [Maps CSP](maps-csp.md)
- [Reporting CSP](reporting-csp.md)
- [SurfaceHub CSP](surfacehub-csp.md)
- [WindowsSecurityAuditing CSP](windowssecurityauditing-csp.md) |
+| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policy settings:
- ApplicationManagement/AllowWindowsBridgeForAndroidAppsExecution
- Bluetooth/ServicesAllowedList
- DataProtection/AllowAzureRMSForEDP
- DataProtection/RevokeOnUnenroll
- DeviceLock/DevicePasswordExpiration
- DeviceLock/DevicePasswordHistory
- TextInput/AllowInputPanel
- Update/PauseDeferrals
- Update/RequireDeferUpdate
- Update/RequireUpdateApproval
Updated the following policy settings:
- System/AllowLocation
- Update/RequireDeferUpgrade
Deprecated the following policy settings:
- TextInput/AllowKoreanExtendedHanja
- WiFi/AllowWiFiHotSpotReporting |
+| Management tool for the Microsoft Store for Business | New articles. The Store for Business has a new web service designed for the enterprise to acquire, manage, and distribute applications in bulk. It enables several capabilities that are required for the enterprise to manage the lifecycle of applications from acquisition to updates. |
+| Custom header for generic alert | The MDM-GenericAlert is a new custom header that hosts one or more alert information provided in the http messages sent by the device to the server during an OMA DM session. The generic alert is sent if the session is triggered by the device due to one or more critical or fatal alerts. Here is alert format: `MDM-GenericAlert:
If present, the MDM-GenericAlert is presented in every the outgoing MDM message in the same OMA DM session. For more information about generic alerts, see section 8.7 in the OMA Device Management Protocol, Approved Version 1.2.1 in this [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=267526). |
+| Alert message for slow client response | When the MDM server sends a configuration request, sometimes it takes the client longer than the HTTP timeout to get all information together and then the session ends unexpectedly due to timeout. By default, the MDM client does not send an alert that a DM request is pending.
To work around the timeout, you can use EnableOmaDmKeepAliveMessage setting to keep the session alive by sending a heartbeat message back to the server. This is achieved by sending a SyncML message with a specific device alert element in the body until the client is able to respond back to the server with the requested information. For details, see EnableOmaDmKeepAliveMessage node in the [DMClient CSP](dmclient-csp.md). |
+| [DMClient CSP](dmclient-csp.md) | Added a new node EnableOmaDmKeepAliveMessage to the [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) and updated the ManagementServerAddress to indicate that it can contain a list of URLs. |
+| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | Added the following new nodes:
- AppManagement/GetInventoryQuery
- AppManagement/GetInventoryResults
- .../_PackageFamilyName_/AppSettingPolicy/_SettingValue_
- AppLicenses/StoreLicenses/_LicenseID_/LicenseCategory
- AppLicenses/StoreLicenses/_LicenseID_/LicenseUsage
- AppLicenses/StoreLicenses/_LicenseID_/RequesterID
- AppLicenses/StoreLicenses/_LicenseID_/GetLicenseFromStore |
+| [EnterpriseExt CSP](enterpriseext-csp.md) | Added the following new nodes:
- DeviceCustomData (CustomID, CustomeString)
- Brightness (Default, MaxAuto)
- LedAlertNotification (State, Intensity, Period, DutyCycle, Cyclecount) |
+| [EnterpriseExtFileSystem CSP](enterpriseextfilessystem-csp.md) | Added the OemProfile node.
+| [PassportForWork CSP](passportforwork-csp.md) | Added the following new nodes:
- TenantId/Policies/PINComplexity/History
- TenantId/Policies/PINComplexity/Expiration
- TenantId/Policies/Remote/UseRemotePassport (only for ./Device/Vendor/MSFT)
- Biometrics/UseBiometrics (only for ./Device/Vendor/MSFT)
- Biometrics/FacialFeaturesUseEnhancedAntiSpoofing (only for ./Device/Vendor/MSFT) |
+| [EnterpriseAssignedAccess CSP](enterpriseassignedaccess-csp.md) | The following updates are done to the [EnterpriseAssignedAccess CSP](enterpriseassignedaccess-csp.md):
- In AssignedAccessXML node, added new page settings and quick action settings.
- In AssignedAccessXML node, added an example about how to pin applications in multiple app packages using the AUMID.
- Updated the [EnterpriseAssignedAccess XSD](enterpriseassignedaccess-xsd.md) article. |
+| [DevDetail CSP](devdetail-csp.md) | The following updates are done to [DevDetail CSP](devdetail-csp.md):
- Added TotalStore and TotalRAM settings.
- Added support for Replace command for the DeviceName setting. |
+| Handling large objects | Added support for the client to handle uploading of large objects to the server. |
## Breaking changes and known issues
@@ -1815,8 +331,7 @@ The following list describes the prerequisites for a certificate to be used with
The following XML sample explains the properties for the EAP TLS XML including certificate filtering.
> [!NOTE]
->For PEAP or TTLS Profiles the EAP TLS XML is embedded within some PEAP or TTLS specific elements.
-
+> For PEAP or TTLS Profiles the EAP TLS XML is embedded within some PEAP or TTLS specific elements.
```xml
- RecoveryConsole_AllowAutomaticAdministrativeLogon
- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways
- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible
- DomainMember_DisableMachineAccountPasswordChanges
- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems
|
-
-### August 2020
-|New or updated topic | Description|
-|--- | ---|
-|[Policy CSP - System](policy-csp-system.md)|Removed the following policy settings:
- System/AllowDesktopAnalyticsProcessing
- System/AllowMicrosoftManagedDesktopProcessing
- System/AllowUpdateComplianceProcessing
- System/AllowWUfBCloudProcessing
|
-
-### July 2020
-|New or updated topic | Description|
-|--- | ---|
-|[Policy CSP - System](policy-csp-system.md)|Added the following new policy settings:
- System/AllowDesktopAnalyticsProcessing
- System/AllowMicrosoftManagedDesktopProcessing
- System/AllowUpdateComplianceProcessing
- System/AllowWUfBCloudProcessing
Updated the following policy setting:
- System/AllowCommercialDataPipeline
|
-
-### June 2020
-|New or updated topic | Description|
-|--- | ---|
-|[BitLocker CSP](bitlocker-csp.md)|Added SKU support table for **AllowStandardUserEncryption**.|
-|[Policy CSP - NetworkIsolation](policy-csp-networkisolation.md)|Updated the description from Boolean to Integer for the following policy settings:
EnterpriseIPRangesAreAuthoritative, EnterpriseProxyServersAreAuthoritative.|
-
-### May 2020
-|New or updated topic | Description|
-|--- | ---|
-|[BitLocker CSP](bitlocker-csp.md)|Added the bitmask table for the Status/DeviceEncryptionStatus node.|
-|[Policy CSP - RestrictedGroups](policy-csp-restrictedgroups.md)| Updated the topic with additional details. Added policy timeline table.
-
-
-### February 2020
-|New or updated topic | Description|
-|--- | ---|
-|[CertificateStore CSP](certificatestore-csp.md)
[ClientCertificateInstall CSP](clientcertificateinstall-csp.md)|Added details about SubjectName value.|
-
-### January 2020
-|New or updated topic | Description|
-|--- | ---|
-|[Policy CSP - Defender](policy-csp-defender.md)|Added descriptions for supported actions for Defender/ThreatSeverityDefaultAction.|
-
-
-### November 2019
-
-|New or updated topic | Description|
-|--- | ---|
-|[Policy CSP - DeliveryOptimization](policy-csp-deliveryoptimization.md)|Added option 5 in the supported values list for DeliveryOptimization/DOGroupIdSource.|
-|[DiagnosticLog CSP](diagnosticlog-csp.md)|Added substantial updates to this CSP doc.|
-
-### October 2019
-
-|New or updated topic | Description|
-|--- | ---|
-|[BitLocker CSP](bitlocker-csp.md)|Added the following new nodes:
ConfigureRecoveryPasswordRotation, RotateRecoveryPasswords, RotateRecoveryPasswordsStatus, RotateRecoveryPasswordsRequestID.|
-|[Defender CSP](defender-csp.md)|Added the following new nodes:
Health/TamperProtectionEnabled, Health/IsVirtualMachine, Configuration, Configuration/TamperProtection, Configuration/EnableFileHashComputation.|
-
-### September 2019
-
-|New or updated topic | Description|
-|--- | ---|
-|[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)|Added the following new node:
IsStub.|
-|[Policy CSP - Defender](policy-csp-defender.md)|Updated the supported value list for Defender/ScheduleScanDay policy.|
-|[Policy CSP - DeviceInstallation](policy-csp-deviceinstallation.md)|Added the following new policies:
DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs, DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs.|
-
-### August 2019
-
-|New or updated topic | Description|
-|--- | ---|
-|[DiagnosticLog CSP](diagnosticlog-csp.md)
[DiagnosticLog DDF](diagnosticlog-ddf.md)|Added version 1.4 of the CSP in Windows 10, version 1903. Added the new 1.4 version of the DDF. Added the following new nodes:
Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelName/MaximumFileSize, Policy/Channels/ChannelName/SDDL, Policy/Channels/ChannelName/ActionWhenFull, Policy/Channels/ChannelName/Enabled, DiagnosticArchive, DiagnosticArchive/ArchiveDefinition, DiagnosticArchive/ArchiveResults.|
-|[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)|Enhanced the article to include additional reference links and the following two topics:
Verify auto-enrollment requirements and settings, Troubleshoot auto-enrollment of devices.|
-
-### July 2019
-
-|New or updated topic | Description|
-|--- | ---|
-|[Policy CSP](policy-configuration-service-provider.md)|Added the following list:
Policies supported by HoloLens 2|
-|[ApplicationControl CSP](applicationcontrol-csp.md)|Added new CSP in Windows 10, version 1903.|
-|[PassportForWork CSP](passportforwork-csp.md)|Added the following new nodes in Windows 10, version 1903:
SecurityKey, SecurityKey/UseSecurityKeyForSignin|
-|[Policy CSP - Privacy](policy-csp-privacy.md)|Added the following new policies:
LetAppsActivateWithVoice, LetAppsActivateWithVoiceAboveLock|
-|Create a custom configuration service provider|Deleted the following documents from the CSP reference because extensibility via CSPs is not currently supported:
Create a custom configuration service provider
Design a custom configuration service provider
IConfigServiceProvider2
IConfigServiceProvider2::ConfigManagerNotification
IConfigServiceProvider2::GetNode
ICSPNode
ICSPNode::Add
ICSPNode::Clear
ICSPNode::Copy
ICSPNode::DeleteChild
ICSPNode::DeleteProperty
ICSPNode::Execute
ICSPNode::GetChildNodeNames
ICSPNode::GetProperty
ICSPNode::GetPropertyIdentifiers
ICSPNode::GetValue
ICSPNode::Move
ICSPNode::SetProperty
ICSPNode::SetValue
ICSPNodeTransactioning
ICSPValidate
Samples for writing a custom configuration service provider.|
-
-
-### June 2019
-
-|New or updated topic | Description|
-|--- | ---|
-|[Policy CSP - DeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md)|Added the following new policies:
AllowDeviceHealthMonitoring, ConfigDeviceHealthMonitoringScope, ConfigDeviceHealthMonitoringUploadDestination.|
-|[Policy CSP - TimeLanguageSettings](policy-csp-timelanguagesettings.md)|Added the following new policy:
ConfigureTimeZone.|
-
-
-### May 2019
-
-|New or updated topic | Description|
-|--- | ---|
-|[DeviceStatus CSP](devicestatus-csp.md)|Updated description of the following nodes:
DeviceStatus/Antivirus/SignatureStatus, DeviceStatus/Antispyware/SignatureStatus.|
-|[EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md)|Added new CSP in Windows 10, version 1903.|
-|[Policy CSP - DeliveryOptimization](policy-csp-deliveryoptimization.md)|Added the following new policies:
DODelayCacheServerFallbackBackground, DODelayCacheServerFallbackForeground.
Updated description of the following policies:
DOMinRAMAllowedToPeer, DOMinFileSizeToCache, DOMinDiskSizeAllowedToPeer.|
-|[Policy CSP - Experience](policy-csp-experience.md)|Added the following new policy:
ShowLockOnUserTile.|
-|[Policy CSP - InternetExplorer](policy-csp-internetexplorer.md)|Added the following new policies:
AllowEnhancedSuggestionsInAddressBar, DisableActiveXVersionListAutoDownload, DisableCompatView, DisableFeedsBackgroundSync, DisableGeolocation, DisableWebAddressAutoComplete, NewTabDefaultPage.|
-|[Policy CSP - Power](policy-csp-power.md)|Added the following new policies:
EnergySaverBatteryThresholdOnBattery, EnergySaverBatteryThresholdPluggedIn, SelectLidCloseActionOnBattery, SelectLidCloseActionPluggedIn, SelectPowerButtonActionOnBattery, SelectPowerButtonActionPluggedIn, SelectSleepButtonActionOnBattery, SelectSleepButtonActionPluggedIn, TurnOffHybridSleepOnBattery, TurnOffHybridSleepPluggedIn, UnattendedSleepTimeoutOnBattery, UnattendedSleepTimeoutPluggedIn.|
-|[Policy CSP - Search](policy-csp-search.md)|Added the following new policy:
AllowFindMyFiles.|
-|[Policy CSP - ServiceControlManager](policy-csp-servicecontrolmanager.md)|Added the following new policy:
SvchostProcessMitigation.|
-|[Policy CSP - System](policy-csp-system.md)|Added the following new policies:
AllowCommercialDataPipeline, TurnOffFileHistory.|
-|[Policy CSP - Troubleshooting](policy-csp-troubleshooting.md)|Added the following new policy:
AllowRecommendations.|
-|[Policy CSP - Update](policy-csp-update.md)|Added the following new policies:
AutomaticMaintenanceWakeUp, ConfigureDeadlineForFeatureUpdates, ConfigureDeadlineForQualityUpdates, ConfigureDeadlineGracePeriod, ConfigureDeadlineNoAutoReboot.|
-|[Policy CSP - WindowsLogon](policy-csp-windowslogon.md)|Added the following new policies:
AllowAutomaticRestartSignOn, ConfigAutomaticRestartSignOn, EnableFirstLogonAnimation.
Removed the following policy:
SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart. This policy is replaced by AllowAutomaticRestartSignOn.|
-
-### April 2019
-
-| New or updated topic | Description |
-|-------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md) | Added the following warning at the end of the Overview section:
Some operating system components have built in functionality to check devices for domain membership. MDM enforces the configured policy values only if the devices are domain joined, otherwise it does not. However, you can still import ADMX files and set ADMX-backed policies regardless of whether the device is domain joined or non-domain joined. |
-| [Policy CSP - UserRights](policy-csp-userrights.md) | Added a note stating if you use Intune custom profiles to assign UserRights policies, you must use the CDATA tag () to wrap the data fields. |
-
-### March 2019
-
-|New or updated topic | Description|
-|--- | ---|
-|[Policy CSP - Storage](policy-csp-storage.md)|Updated ADMX Info of the following policies:
AllowStorageSenseGlobal, AllowStorageSenseTemporaryFilesCleanup, ConfigStorageSenseCloudContentDehydrationThreshold, ConfigStorageSenseDownloadsCleanupThreshold, ConfigStorageSenseGlobalCadence, ConfigStorageSenseRecycleBinCleanupThreshold.
Updated description of ConfigStorageSenseDownloadsCleanupThreshold.|
-
-
-### February 2019
-
-|New or updated topic | Description|
-|--- | ---|
-|[Policy CSP](policy-configuration-service-provider.md)|Updated supported policies for Holographic.|
-
-### January 2019
-
-|New or updated topic | Description|
-|--- | ---|
-|[Policy CSP - Storage](policy-csp-storage.md)|Added the following new policies: AllowStorageSenseGlobal, ConfigStorageSenseGlobalCadence, AllowStorageSenseTemporaryFilesCleanup, ConfigStorageSenseRecycleBinCleanupThreshold, ConfigStorageSenseDownloadsCleanupThreshold, and ConfigStorageSenseCloudContentCleanupThreshold.|
-|[SharedPC CSP](sharedpc-csp.md)|Updated values and supported operations.|
-|[Mobile device management](index.md)|Updated information about MDM Security Baseline.|
-
-### December 2018
-
-|New or updated topic | Description|
-|--- | ---|
-|[BitLocker CSP](bitlocker-csp.md)|Updated AllowWarningForOtherDiskEncryption policy description to describe silent and non-silent encryption scenarios, as well as where and how the recovery key is backed up for each scenario.|
-
-### September 2018
-
-|New or updated topic | Description|
-|--- | ---|
-|[Mobile device management](index.md#mmat) | Added information about the MDM Migration Analysis Tool (MMAT).|
-|[Policy CSP - DeviceGuard](policy-csp-deviceguard.md) | Updated ConfigureSystemGuardLaunch policy and replaced EnableSystemGuard with it.|
-
-### August 2018
-
-
-
-
-### July 2018
-
-
-
-
-
-New or updated topic
-Description
-
-
-BitLocker CSP
-
-
-Office CSP
-
-
-RemoteWipe CSP
-
-
-TenantLockdown CSP
-
-
-WindowsDefenderApplicationGuard CSP
-
-
-Policy DDF file
-
-
-
-Policy CSP
-
-
-
-
-
-### June 2018
-
-
-
-
-
-New or updated topic
-Description
-
-
-AssignedAccess CSP
-
-
-
-
-PassportForWork CSP
-
-
-EnterpriseModernAppManagement CSP
-
-
-Win32CompatibilityAppraiser CSP
-
-
-WindowsLicensing CSP
-
-
-SUPL CSP
-
-
-Defender CSP
-
-
-BitLocker CSP
-
-
-DevDetail CSP
-
-
-
-Policy CSP
-
-
-
-
-
-
-
-
-### May 2018
-
-
-
-
-
-New or updated topic
-Description
-
-
-Wifi CSP
-
-
-Diagnose MDM failures in Windows 10
-
-
-
-
-Bitlocker CSP
-
-
-Policy CSP
-
-
-
-
-
-
-
-WiredNetwork CSP
-New CSP added in Windows 10, version 1809.
-
-
-
-### April 2018
-
-
-
-
-
-New or updated topic
-Description
-
-
-
-Policy DDF file
-
-
-
-### March 2018
-
-
-
-
-
-New or updated topic
-Description
-
-
-WindowsDefenderApplicationGuard CSP
-
-
-
-
-NetworkProxy CSP
-
-
-
-
-Accounts CSP
-
-
-MDM Migration Analysis Too (MMAT)
-
-
-CSP DDF files download
-
-
-
-Policy CSP
-
-
-
-
-
-### February 2018
-
-
-
-
-
-New or updated topic
-Description
-
-
-eUICCs CSP
-
-
-
-
-DeviceStatus CSP
-
-
-
-
-Understanding ADMX-backed policies
-
-
-AccountManagement CSP
-
-
-RootCATrustedCertificates CSP
-
-
-
-
-Policy CSP
-
-
-
-
-
-
-
-
-Policy CSP - Bluetooth
-
-
-MultiSIM CSP
-
-
-
-RemoteWipe CSP
-
-
-
-### January 2018
-
-
-
-
-
-New or updated topic
-Description
-
-
-Policy CSP
-
-
-
-
-VPNv2 ProfileXML XSD
-
-
-AssignedAccess CSP
-
-
-
-
-MultiSIM CSP
-
-
-
-EnterpriseModernAppManagement CSP
-
-
-
-
-
-### December 2017
-
-
-
-
-
-New or updated topic
-Description
-
-
-Policy CSP
-
-
-
-
-
-
-BitLocker CSP
-
-
-EnterpriseModernAppManagement CSP
-
-
-DMClient CSP
-
-
-
-
-Defender CSP
-
-
-UEFI CSP
-
-
-
-Update CSP
-
-
-
-
-
-### November 2017
-
-
-
-
-
-New or updated topic
-Description
-
-
-
-Configuration service provider reference
-
-
-
-### October 2017
-
-
-
-
-
-New or updated topic
-Description
-
-
-
-Policy CSP
-
-
-
-
-
-
-
-
-### September 2017
-
-
-
-
-
-New or updated topic
-Description
-
-
-Policy DDF file
-
-
-Policy CSP
-
-
-
-
-eUICCs CSP
-
-
-AssignedAccess CSP
-
-
-
-DMClient CSP
-
-
-
-### August 2017
-
-
-
-
-
-New or updated topic
-Description
-
-
-Policy CSP
-
-
-
-
-AssignedAccess CSP
-
-
-Microsoft Store for Business and Microsoft Store
-
-
-The [MS-MDE2]: Mobile Device Enrollment Protocol Version 2
-
-
-
-
-EnterpriseAPN CSP
-
-
-VPNv2 CSP
-
-
-Enroll a Windows 10 device automatically using Group Policy
-
-
-
-MDM enrollment of Windows-based devices
-
-
-
-
+To know what's changed in MDM documentation, see [Change history for MDM documentation](change-history-for-mdm-documentation.md).
diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
index a26052c419..9f3f62b646 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
@@ -21,7 +21,8 @@ ms.date: 10/08/2020
>
- [ActiveXControls/ApprovedInstallationSites](./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites)
-- [ADMX_AddRemovePrograms/DefaultCategory](/policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-defaultcategory)
+- [ADMX_ActiveXInstallService/AxISURLZonePolicies](./policy-csp-admx-activexinstallservice.md#admx-activexinstallservice-axisurlzonepolicies)
+- [ADMX_AddRemovePrograms/DefaultCategory](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-defaultcategory)
- [ADMX_AddRemovePrograms/NoAddFromCDorFloppy](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfromcdorfloppy)
- [ADMX_AddRemovePrograms/NoAddFromInternet](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfrominternet)
- [ADMX_AddRemovePrograms/NoAddFromNetwork](./policy-csp-admx-addremoveprograms.md#admx-addremoveprograms-noaddfromnetwork)
@@ -41,12 +42,124 @@ ms.date: 10/08/2020
- [ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_2](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffprogramcompatibilityassistant_2)
- [ADMX_AppCompat/AppCompatTurnOffUserActionRecord](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffuseractionrecord)
- [ADMX_AppCompat/AppCompatTurnOffProgramInventory](./policy-csp-admx-appcompat.md#admx-appcompat-appcompatturnoffprograminventory)
+- [ADMX_AppxPackageManager/AllowDeploymentInSpecialProfiles](./policy-csp-admx-appxpackagemanager.md#admx-appxpackagemanager-allowdeploymentinspecialprofiles)
+- [ADMX_AppXRuntime/AppxRuntimeApplicationContentUriRules](./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeapplicationcontenturirules)
+- [ADMX_AppXRuntime/AppxRuntimeBlockFileElevation](./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeblockfileelevation)
+- [ADMX_AppXRuntime/AppxRuntimeBlockHostedAppAccessWinRT](./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeblockhostedappaccesswinrt)
+- [ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation](./policy-csp-admx-appxruntime.md#admx-appxruntime-appxruntimeblockprotocolelevation)
+- [ADMX_AttachmentManager/AM_EstimateFileHandlerRisk](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-estimatefilehandlerrisk)
+- [ADMX_AttachmentManager/AM_SetFileRiskLevel](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-setfilerisklevel)
+- [ADMX_AttachmentManager/AM_SetHighRiskInclusion](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-sethighriskinclusion)
+- [ADMX_AttachmentManager/AM_SetLowRiskInclusion](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-setlowriskinclusion)
+- [ADMX_AttachmentManager/AM_SetModRiskInclusion](./policy-csp-admx-attachmentmanager.md#admx-attachmentmanager-am-setmodriskinclusion)
- [ADMX_AuditSettings/IncludeCmdLine](./policy-csp-admx-auditsettings.md#admx-auditsettings-includecmdline)
+- [ADMX_Bits/BITS_DisableBranchCache](./policy-csp-admx-bits.md#admx-bits-bits-disablebranchcache)
+- [ADMX_Bits/BITS_DisablePeercachingClient](./policy-csp-admx-bits.md#admx-bits-bits-disablepeercachingclient)
+- [ADMX_Bits/BITS_DisablePeercachingServer](./policy-csp-admx-bits.md#admx-bits-bits-disablepeercachingserver)
+- [ADMX_Bits/BITS_EnablePeercaching](./policy-csp-admx-bits.md#admx-bits-bits-enablepeercaching)
+- [ADMX_Bits/BITS_MaxBandwidthServedForPeers](./policy-csp-admx-bits.md#admx-bits-bits-maxbandwidthservedforpeers)
+- [ADMX_Bits/BITS_MaxBandwidthV2_Maintenance](./policy-csp-admx-bits.md#admx-bits-bits-maxbandwidthv2-maintenance)
+- [ADMX_Bits/BITS_MaxBandwidthV2_Work](./policy-csp-admx-bits.md#admx-bits-bits-maxbandwidthv2-work)
+- [ADMX_Bits/BITS_MaxCacheSize](./policy-csp-admx-bits.md#admx-bits-bits-maxcachesize)
+- [ADMX_Bits/BITS_MaxContentAge](./policy-csp-admx-bits.md#admx-bits-bits-maxcontentage)
+- [ADMX_Bits/BITS_MaxDownloadTime](./policy-csp-admx-bits.md#admx-bits-bits-maxdownloadtime)
+- [ADMX_Bits/BITS_MaxFilesPerJob](./policy-csp-admx-bits.md#admx-bits-bits-maxfilesperjob)
+- [ADMX_Bits/BITS_MaxJobsPerMachine](./policy-csp-admx-bits.md#admx-bits-bits-maxjobspermachine)
+- [ADMX_Bits/BITS_MaxJobsPerUser](./policy-csp-admx-bits.md#admx-bits-bits-maxjobsperuser)
+- [ADMX_Bits/BITS_MaxRangesPerFile](./policy-csp-admx-bits.md#admx-bits-bits-maxrangesperfile)
+- [ADMX_CipherSuiteOrder/SSLCipherSuiteOrder](./policy-csp-admx-ciphersuiteorder.md#admx-ciphersuiteorder-sslciphersuiteorder)
+- [ADMX_CipherSuiteOrder/SSLCurveOrder](./policy-csp-admx-ciphersuiteorder.md#admx-ciphersuiteorder-sslcurveorder)
+- [ADMX_COM/AppMgmt_COM_SearchForCLSID_1](./policy-csp-admx-com.md#admx-com-appmgmt-com-searchforclsid-1)
+- [ADMX_COM/AppMgmt_COM_SearchForCLSID_2](./policy-csp-admx-com.md#admx-com-appmgmt-com-searchforclsid-2)
+- [ADMX_ControlPanel/DisallowCpls](./policy-csp-admx-controlpanel.md#admx-controlpanel-disallowcpls)
+- [ADMX_ControlPanel/ForceClassicControlPanel](./policy-csp-admx-controlpanel.md#admx-controlpanel-forceclassiccontrolpanel)
+- [ADMX_ControlPanel/NoControlPanel](./policy-csp-admx-controlpanel.md#admx-controlpanel-nocontrolpanel)
+- [ADMX_ControlPanel/RestrictCpls](./policy-csp-admx-controlpanel.md#admx-controlpanel-restrictcpls)
+- [ADMX_ControlPanelDisplay/CPL_Display_Disable](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-display-disable)
+- [ADMX_ControlPanelDisplay/CPL_Display_HideSettings](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-display-hidesettings)
+- [ADMX_ControlPanelDisplay/CPL_Personalization_DisableColorSchemeChoice](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-disablecolorschemechoice)
+- [ADMX_ControlPanelDisplay/CPL_Personalization_DisableThemeChange](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-disablethemechange)
+- [ADMX_ControlPanelDisplay/CPL_Personalization_DisableVisualStyle](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-disablevisualstyle)
+- [ADMX_ControlPanelDisplay/CPL_Personalization_EnableScreenSaver](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-enablescreensaver)
+- [ADMX_ControlPanelDisplay/CPL_Personalization_ForceDefaultLockScreen](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-forcedefaultlockscreen)
+- [ADMX_ControlPanelDisplay/CPL_Personalization_LockFontSize](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-lockfontsize)
+- [ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingLockScreen](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nochanginglockscreen)
+- [ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingStartMenuBackground](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nochangingstartmenubackground)
+- [ADMX_ControlPanelDisplay/CPL_Personalization_NoColorAppearanceUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nocolorappearanceui)
+- [ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopBackgroundUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nodesktopbackgroundui)
+- [ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopIconsUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nodesktopiconsui)
+- [ADMX_ControlPanelDisplay/CPL_Personalization_NoLockScreen](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nolockscreen)
+- [ADMX_ControlPanelDisplay/CPL_Personalization_NoMousePointersUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nomousepointersui)
+- [ADMX_ControlPanelDisplay/CPL_Personalization_NoScreenSaverUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-noscreensaverui)
+- [ADMX_ControlPanelDisplay/CPL_Personalization_NoSoundSchemeUI](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-nosoundschemeui)
+- [ADMX_ControlPanelDisplay/CPL_Personalization_PersonalColors](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-personalcolors)
+- [ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverIsSecure](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-screensaverissecure)
+- [ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverTimeOut](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-screensavertimeout)
+- [ADMX_ControlPanelDisplay/CPL_Personalization_SetScreenSaver](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-setscreensaver)
+- [ADMX_ControlPanelDisplay/CPL_Personalization_SetTheme](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-settheme)
+- [ADMX_ControlPanelDisplay/CPL_Personalization_SetVisualStyle](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-setvisualstyle)
+- [ADMX_ControlPanelDisplay/CPL_Personalization_StartBackground](./policy-csp-admx-controlpaneldisplay.md#admx-controlpaneldisplay-cpl-personalization-startbackground)
- [ADMX_Cpls/UseDefaultTile](./policy-csp-admx-cpls.md#admx-cpls-usedefaulttile)
+- [ADMX_CredentialProviders/AllowDomainDelayLock](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-allowdomaindelaylock)
+- [ADMX_CredentialProviders/DefaultCredentialProvider](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-defaultcredentialprovider)
+- [ADMX_CredentialProviders/ExcludedCredentialProviders](./policy-csp-admx-credentialproviders.md#admx-credentialproviders-excludedcredentialproviders)
+- [ADMX_CredSsp/AllowDefCredentialsWhenNTLMOnly](./policy-csp-admx-credssp.md#admx-credssp-allowdefcredentialswhenntlmonly)
+- [ADMX_CredSsp/AllowDefaultCredentials](./policy-csp-admx-credssp.md#admx-credssp-allowdefaultcredentials)
+- [ADMX_CredSsp/AllowEncryptionOracle](./policy-csp-admx-credssp.md#admx-credssp-allowencryptionoracle)
+- [ADMX_CredSsp/AllowFreshCredentials](./policy-csp-admx-credssp.md#admx-credssp-allowfreshcredentials)
+- [ADMX_CredSsp/AllowFreshCredentialsWhenNTLMOnly](./policy-csp-admx-credssp.md#admx-credssp-allowfreshcredentialswhenntlmonly)
+- [ADMX_CredSsp/AllowSavedCredentials](./policy-csp-admx-credssp.md#admx-credssp-allowsavedcredentials)
+- [ADMX_CredSsp/AllowSavedCredentialsWhenNTLMOnly](./policy-csp-admx-credssp.md#admx-credssp-allowsavedcredentialswhenntlmonly)
+- [ADMX_CredSsp/DenyDefaultCredentials](./policy-csp-admx-credssp.md#admx-credssp-denydefaultcredentials)
+- [ADMX_CredSsp/DenyFreshCredentials](./policy-csp-admx-credssp.md#admx-credssp-denyfreshcredentials)
+- [ADMX_CredSsp/DenySavedCredentials](./policy-csp-admx-credssp.md#admx-credssp-denysavedcredentials)
+- [ADMX_CredSsp/RestrictedRemoteAdministration](./policy-csp-admx-credssp.md#admx-credssp-restrictedremoteadministration)
+- [ADMX_CredUI/EnableSecureCredentialPrompting](./policy-csp-admx-credui.md#admx-credui-enablesecurecredentialprompting)
+- [ADMX_CredUI/NoLocalPasswordResetQuestions](./policy-csp-admx-credui.md#admx-credui-nolocalpasswordresetquestions)
- [ADMX_CtrlAltDel/DisableChangePassword](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disablechangepassword)
- [ADMX_CtrlAltDel/DisableLockComputer](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disablelockcomputer)
- [ADMX_CtrlAltDel/DisableTaskMgr](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disabletaskmgr)
- [ADMX_CtrlAltDel/NoLogoff](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-nologoff)
+- [ADMX_DataCollection/CommercialIdPolicy](./policy-csp-admx-datacollection.md#admx-datacollection-commercialidpolicy)
+- [ADMX_Desktop/AD_EnableFilter](./policy-csp-admx-desktop.md#admx-desktop-ad-enablefilter)
+- [ADMX_Desktop/AD_HideDirectoryFolder](./policy-csp-admx-desktop.md#admx-desktop-ad-hidedirectoryfolder)
+- [ADMX_Desktop/AD_QueryLimit](./policy-csp-admx-desktop.md#admx-desktop-ad-querylimit)
+- [ADMX_Desktop/ForceActiveDesktopOn](./policy-csp-admx-desktop.md#admx-desktop-forceactivedesktopon)
+- [ADMX_Desktop/NoActiveDesktop](./policy-csp-admx-desktop.md#admx-desktop-noactivedesktop)
+- [ADMX_Desktop/NoActiveDesktopChanges](./policy-csp-admx-desktop.md#admx-desktop-noactivedesktopchanges)
+- [ADMX_Desktop/NoDesktop](./policy-csp-admx-desktop.md#admx-desktop-nodesktop)
+- [ADMX_Desktop/NoDesktopCleanupWizard](./policy-csp-admx-desktop.md#admx-desktop-nodesktopcleanupwizard)
+- [ADMX_Desktop/NoInternetIcon](./policy-csp-admx-desktop.md#admx-desktop-nointerneticon)
+- [ADMX_Desktop/NoMyComputerIcon](./policy-csp-admx-desktop.md#admx-desktop-nomycomputericon)
+- [ADMX_Desktop/NoMyDocumentsIcon](./policy-csp-admx-desktop.md#admx-desktop-nomydocumentsicon)
+- [ADMX_Desktop/NoNetHood](./policy-csp-admx-desktop.md#admx-desktop-nonethood)
+- [ADMX_Desktop/NoPropertiesMyComputer](./policy-csp-admx-desktop.md#admx-desktop-nopropertiesmycomputer)
+- [ADMX_Desktop/NoPropertiesMyDocuments](./policy-csp-admx-desktop.md#admx-desktop-nopropertiesmydocuments)
+- [ADMX_Desktop/NoRecentDocsNetHood](./policy-csp-admx-desktop.md#admx-desktop-norecentdocsnethood)
+- [ADMX_Desktop/NoRecycleBinIcon](./policy-csp-admx-desktop.md#admx-desktop-norecyclebinicon)
+- [ADMX_Desktop/NoRecycleBinProperties](./policy-csp-admx-desktop.md#admx-desktop-norecyclebinproperties)
+- [ADMX_Desktop/NoSaveSettings](./policy-csp-admx-desktop.md#admx-desktop-nosavesettings)
+- [ADMX_Desktop/NoWindowMinimizingShortcuts](./policy-csp-admx-desktop.md#admx-desktop-nowindowminimizingshortcuts)
+- [ADMX_Desktop/Wallpaper](./policy-csp-admx-desktop.md#admx-desktop-wallpaper)
+- [ADMX_Desktop/sz_ATC_DisableAdd](./policy-csp-admx-desktop.md#admx-desktop-sz-atc-disableadd)
+- [ADMX_Desktop/sz_ATC_DisableClose](./policy-csp-admx-desktop.md#admx-desktop-sz-atc-disableclose)
+- [ADMX_Desktop/sz_ATC_DisableDel](./policy-csp-admx-desktop.md#admx-desktop-sz-atc-disabledel)
+- [ADMX_Desktop/sz_ATC_DisableEdit](./policy-csp-admx-desktop.md#admx-desktop-sz-atc-disableedit)
+- [ADMX_Desktop/sz_ATC_NoComponents](./policy-csp-admx-desktop.md#admx-desktop-sz-atc-nocomponents)
+- [ADMX_Desktop/sz_AdminComponents_Title](./policy-csp-admx-desktop.md#admx-desktop-sz-admincomponents-title)
+- [ADMX_Desktop/sz_DB_DragDropClose](./policy-csp-admx-desktop.md#admx-desktop-sz-db-dragdropclose)
+- [ADMX_Desktop/sz_DB_Moving](./policy-csp-admx-desktop.md#admx-desktop-sz-db-moving)
+- [ADMX_Desktop/sz_DWP_NoHTMLPaper](./policy-csp-admx-desktop.md#admx-desktop-sz-dwp-nohtmlpaper)
+- [ADMX_DeviceInstallation/DeviceInstall_AllowAdminInstall](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-allowadmininstall)
+- [ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_DetailText](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-deniedpolicy-detailtext)
+- [ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_SimpleText](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-deniedpolicy-simpletext)
+- [ADMX_DeviceInstallation/DeviceInstall_InstallTimeout](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-installtimeout)
+- [ADMX_DeviceInstallation/DeviceInstall_Policy_RebootTime](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-policy-reboottime)
+- [ADMX_DeviceInstallation/DeviceInstall_Removable_Deny](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-removable-deny)
+- [ADMX_DeviceInstallation/DeviceInstall_SystemRestore](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-systemrestore)
+- [ADMX_DeviceInstallation/DriverInstall_Classes_AllowUser](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-classes-allowuser)
+- [ADMX_DeviceSetup/DeviceInstall_BalloonTips](./policy-csp-admx-devicesetup.md#admx-devicesetup-deviceinstall-balloontips)
+- [ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration](./policy-csp-admx-devicesetup.md#admx-devicesetup-driversearchplaces-searchorderconfiguration)
- [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-1)
- [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_2](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-2)
- [ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-allowfqdnnetbiosqueries)
@@ -77,9 +190,83 @@ ms.date: 10/08/2020
- [ADMX_DWM/DwmDisallowAnimations_2](./policy-csp-admx-dwm.md#admx-dwm-dwmdisallowanimations-2)
- [ADMX_DWM/DwmDisallowColorizationColorChanges_1](./policy-csp-admx-dwm.md#admx-dwm-dwmdisallowcolorizationcolorchanges-1)
- [ADMX_DWM/DwmDisallowColorizationColorChanges_2](./policy-csp-admx-dwm.md#admx-dwm-dwmdisallowcolorizationcolorchanges-2)
+- [ADMX_EAIME/L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList](./policy-csp-admx-eaime.md#admx-eaime-l-donotincludenonpublishingstandardglyphinthecandidatelist)
+- [ADMX_EAIME/L_RestrictCharacterCodeRangeOfConversion](./policy-csp-admx-eaime.md#admx-eaime-l-restrictcharactercoderangeofconversion)
+- [ADMX_EAIME/L_TurnOffCustomDictionary](./policy-csp-admx-eaime.md#admx-eaime-l-turnoffcustomdictionary)
+- [ADMX_EAIME/L_TurnOffHistorybasedPredictiveInput](./policy-csp-admx-eaime.md#admx-eaime-l-turnoffhistorybasedpredictiveinput)
+- [ADMX_EAIME/L_TurnOffInternetSearchIntegration](./policy-csp-admx-eaime.md#admx-eaime-l-turnoffinternetsearchintegration)
+- [ADMX_EAIME/L_TurnOffOpenExtendedDictionary](./policy-csp-admx-eaime.md#admx-eaime-l-turnoffopenextendeddictionary)
+- [ADMX_EAIME/L_TurnOffSavingAutoTuningDataToFile](./policy-csp-admx-eaime.md#admx-eaime-l-turnoffsavingautotuningdatatofile)
+- [ADMX_EAIME/L_TurnOnCloudCandidate](./policy-csp-admx-eaime.md#admx-eaime-l-turnoncloudcandidate)
+- [ADMX_EAIME/L_TurnOnCloudCandidateCHS](./policy-csp-admx-eaime.md#admx-eaime-l-turnoncloudcandidatechs)
+- [ADMX_EAIME/L_TurnOnLexiconUpdate](./policy-csp-admx-eaime.md#admx-eaime-l-turnonlexiconupdate)
+- [ADMX_EAIME/L_TurnOnLiveStickers](./policy-csp-admx-eaime.md#admx-eaime-l-turnonlivestickers)
+- [ADMX_EAIME/L_TurnOnMisconversionLoggingForMisconversionReport](./policy-csp-admx-eaime.md#admx-eaime-l-turnonmisconversionloggingformisconversionreport)
- [ADMX_EncryptFilesonMove/NoEncryptOnMove](./policy-csp-admx-encryptfilesonmove.md#admx-encryptfilesonmove-noencryptonmove)
+- [ADMX_EnhancedStorage/ApprovedEnStorDevices](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-approvedenstordevices)
+- [ADMX_EnhancedStorage/ApprovedSilos](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-approvedsilos)
+- [ADMX_EnhancedStorage/DisablePasswordAuthentication](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-disablepasswordauthentication)
+- [ADMX_EnhancedStorage/DisallowLegacyDiskDevices](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-disallowlegacydiskdevices)
+- [ADMX_EnhancedStorage/LockDeviceOnMachineLock](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-lockdeviceonmachinelock)
+- [ADMX_EnhancedStorage/RootHubConnectedEnStorDevices](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-roothubconnectedenstordevices)
+- [ADMX_ErrorReporting/PCH_AllOrNoneDef](./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-allornonedef)
+- [ADMX_ErrorReporting/PCH_AllOrNoneEx](./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-allornoneex)
+- [ADMX_ErrorReporting/PCH_AllOrNoneInc](./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-allornoneinc)
+- [ADMX_ErrorReporting/PCH_ConfigureReport](./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-configurereport)
+- [ADMX_ErrorReporting/PCH_ReportOperatingSystemFaults](./policy-csp-admx-errorreporting.md#admx-errorreporting-pch-reportoperatingsystemfaults)
+- [ADMX_ErrorReporting/WerArchive_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werarchive-1)
+- [ADMX_ErrorReporting/WerArchive_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werarchive-2)
+- [ADMX_ErrorReporting/WerAutoApproveOSDumps_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werautoapproveosdumps-1)
+- [ADMX_ErrorReporting/WerAutoApproveOSDumps_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werautoapproveosdumps-2)
+- [ADMX_ErrorReporting/WerBypassDataThrottling_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypassdatathrottling-1)
+- [ADMX_ErrorReporting/WerBypassDataThrottling_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypassdatathrottling-2)
+- [ADMX_ErrorReporting/WerBypassNetworkCostThrottling_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypassnetworkcostthrottling-1)
+- [ADMX_ErrorReporting/WerBypassNetworkCostThrottling_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypassnetworkcostthrottling-2)
+- [ADMX_ErrorReporting/WerBypassPowerThrottling_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypasspowerthrottling-1)
+- [ADMX_ErrorReporting/WerBypassPowerThrottling_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werbypasspowerthrottling-2)
+- [ADMX_ErrorReporting/WerCER](./policy-csp-admx-errorreporting.md#admx-errorreporting-wercer)
+- [ADMX_ErrorReporting/WerConsentCustomize_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werconsentcustomize-1)
+- [ADMX_ErrorReporting/WerConsentOverride_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werconsentoverride-1)
+- [ADMX_ErrorReporting/WerConsentOverride_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werconsentoverride-2)
+- [ADMX_ErrorReporting/WerDefaultConsent_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werdefaultconsent-1)
+- [ADMX_ErrorReporting/WerDefaultConsent_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werdefaultconsent-2)
+- [ADMX_ErrorReporting/WerDisable_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werdisable-1)
+- [ADMX_ErrorReporting/WerExlusion_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werexlusion-1)
+- [ADMX_ErrorReporting/WerExlusion_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werexlusion-2)
+- [ADMX_ErrorReporting/WerNoLogging_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-wernologging-1)
+- [ADMX_ErrorReporting/WerNoLogging_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-wernologging-2)
+- [ADMX_ErrorReporting/WerNoSecondLevelData_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-wernosecondleveldata-1)
+- [ADMX_ErrorReporting/WerQueue_1](./policy-csp-admx-errorreporting.md#admx-errorreporting-werqueue-1)
+- [ADMX_ErrorReporting/WerQueue_2](./policy-csp-admx-errorreporting.md#admx-errorreporting-werqueue-2)
- [ADMX_EventForwarding/ForwarderResourceUsage](./policy-csp-admx-eventforwarding.md#admx_eventforwarding-forwarderresourceusage)
- [ADMX_EventForwarding/SubscriptionManager](./policy-csp-admx-eventforwarding.md#admx_eventforwarding-subscriptionmanager)
+- [ADMX_EventLog/Channel_LogEnabled](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logenabled)
+- [ADMX_EventLog/Channel_LogFilePath_1](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logfilepath-1)
+- [ADMX_EventLog/Channel_LogFilePath_2](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logfilepath-2)
+- [ADMX_EventLog/Channel_LogFilePath_3](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logfilepath-3)
+- [ADMX_EventLog/Channel_LogFilePath_4](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logfilepath-4)
+- [ADMX_EventLog/Channel_LogMaxSize_3](./policy-csp-admx-eventlog.md#admx-eventlog-channel-logmaxsize-3)
+- [ADMX_EventLog/Channel_Log_AutoBackup_1](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-autobackup-1)
+- [ADMX_EventLog/Channel_Log_AutoBackup_2](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-autobackup-2)
+- [ADMX_EventLog/Channel_Log_AutoBackup_3](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-autobackup-3)
+- [ADMX_EventLog/Channel_Log_AutoBackup_4](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-autobackup-4)
+- [ADMX_EventLog/Channel_Log_FileLogAccess_1](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-1)
+- [ADMX_EventLog/Channel_Log_FileLogAccess_2](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-2)
+- [ADMX_EventLog/Channel_Log_FileLogAccess_3](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-3)
+- [ADMX_EventLog/Channel_Log_FileLogAccess_4](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-4)
+- [ADMX_EventLog/Channel_Log_FileLogAccess_5](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-5)
+- [ADMX_EventLog/Channel_Log_FileLogAccess_6](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-6)
+- [ADMX_EventLog/Channel_Log_FileLogAccess_7](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-7)
+- [ADMX_EventLog/Channel_Log_FileLogAccess_8](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-filelogaccess-8)
+- [ADMX_EventLog/Channel_Log_Retention_2](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-retention-2)
+- [ADMX_EventLog/Channel_Log_Retention_3](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-retention-3)
+- [ADMX_EventLog/Channel_Log_Retention_4](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-retention-4)
+- [ADMX_Explorer/AdminInfoUrl](./policy-csp-admx-explorer.md#admx-explorer-admininfourl)
+- [ADMX_Explorer/AlwaysShowClassicMenu](./policy-csp-admx-explorer.md#admx-explorer-alwaysshowclassicmenu)
+- [ADMX_Explorer/DisableRoamedProfileInit](./policy-csp-admx-explorer.md#admx-explorer-disableroamedprofileinit)
+- [ADMX_Explorer/PreventItemCreationInUsersFilesFolder](./policy-csp-admx-explorer.md#admx-explorer-preventitemcreationinusersfilesfolder)
+- [ADMX_Explorer/TurnOffSPIAnimations](./policy-csp-admx-explorer.md#admx-explorer-turnoffspianimations)
+- [ADMX_FileRecovery/WdiScenarioExecutionPolicy](./policy-csp-admx-filerecovery.md#admx-filerecovery-wdiscenarioexecutionpolicy)
- [ADMX_FileServerVSSProvider/Pol_EncryptProtocol](./policy-csp-admx-fileservervssprovider.md#admx-fileservervssprovider-pol-encryptprotocol)
- [ADMX_FileSys/DisableCompression](./policy-csp-admx-filesys.md#admx-filesys-disablecompression)
- [ADMX_FileSys/DisableDeleteNotification](./policy-csp-admx-filesys.md#admx-filesys-disabledeletenotification)
@@ -96,6 +283,73 @@ ms.date: 10/08/2020
- [ADMX_FolderRedirection/LocalizeXPRelativePaths_2](./policy-csp-admx-folderredirection.md#admx-folderredirection-localizexprelativepaths-2)
- [ADMX_FolderRedirection/PrimaryComputer_FR_1](./policy-csp-admx-folderredirection.md#admx-folderredirection-primarycomputer-fr-1)
- [ADMX_FolderRedirection/PrimaryComputer_FR_2](./policy-csp-admx-folderredirection.md#admx-folderredirection-primarycomputer-fr-2)
+- [ADMX_Globalization/BlockUserInputMethodsForSignIn](./policy-csp-admx-globalization.md#admx-globalization-blockuserinputmethodsforsignin)
+- [ADMX_Globalization/CustomLocalesNoSelect_1](./policy-csp-admx-globalization.md#admx-globalization-customlocalesnoselect-1)
+- [ADMX_Globalization/CustomLocalesNoSelect_2](./policy-csp-admx-globalization.md#admx-globalization-customlocalesnoselect-2)
+- [ADMX_Globalization/HideAdminOptions](./policy-csp-admx-globalization.md#admx-globalization-hideadminoptions)
+- [ADMX_Globalization/HideCurrentLocation](./policy-csp-admx-globalization.md#admx-globalization-hidecurrentlocation)
+- [ADMX_Globalization/HideLanguageSelection](./policy-csp-admx-globalization.md#admx-globalization-hidelanguageselection)
+- [ADMX_Globalization/HideLocaleSelectAndCustomize](./policy-csp-admx-globalization.md#admx-globalization-hidelocaleselectandcustomize)
+- [ADMX_Globalization/ImplicitDataCollectionOff_1](./policy-csp-admx-globalization.md#admx-globalization-implicitdatacollectionoff-1)
+- [ADMX_Globalization/ImplicitDataCollectionOff_2](./policy-csp-admx-globalization.md#admx-globalization-implicitdatacollectionoff-2)
+- [ADMX_Globalization/LocaleSystemRestrict](./policy-csp-admx-globalization.md#admx-globalization-localesystemrestrict)
+- [ADMX_Globalization/LocaleUserRestrict_1](./policy-csp-admx-globalization.md#admx-globalization-localeuserrestrict-1)
+- [ADMX_Globalization/LocaleUserRestrict_2](./policy-csp-admx-globalization.md#admx-globalization-localeuserrestrict-2)
+- [ADMX_Globalization/LockMachineUILanguage](./policy-csp-admx-globalization.md#admx-globalization-lockmachineuilanguage)
+- [ADMX_Globalization/LockUserUILanguage](./policy-csp-admx-globalization.md#admx-globalization-lockuseruilanguage)
+- [ADMX_Globalization/PreventGeoIdChange_1](./policy-csp-admx-globalization.md#admx-globalization-preventgeoidchange-1)
+- [ADMX_Globalization/PreventGeoIdChange_2](./policy-csp-admx-globalization.md#admx-globalization-preventgeoidchange-2)
+- [ADMX_Globalization/PreventUserOverrides_1](./policy-csp-admx-globalization.md#admx-globalization-preventuseroverrides-1)
+- [ADMX_Globalization/PreventUserOverrides_2](./policy-csp-admx-globalization.md#admx-globalization-preventuseroverrides-2)
+- [ADMX_Globalization/RestrictUILangSelect](./policy-csp-admx-globalization.md#admx-globalization-restrictuilangselect)
+- [ADMX_Globalization/TurnOffAutocorrectMisspelledWords](./policy-csp-admx-globalization.md#admx-globalization-turnoffautocorrectmisspelledwords)
+- [ADMX_Globalization/TurnOffHighlightMisspelledWords](./policy-csp-admx-globalization.md#admx-globalization-turnoffhighlightmisspelledwords)
+- [ADMX_Globalization/TurnOffInsertSpace](./policy-csp-admx-globalization.md#admx-globalization-turnoffinsertspace)
+- [ADMX_Globalization/TurnOffOfferTextPredictions](./policy-csp-admx-globalization.md#admx-globalization-turnoffoffertextpredictions)
+- [ADMX_Globalization/Y2K](./policy-csp-admx-globalization.md#admx-globalization-y2k)
+- [ADMX_GroupPolicy/AllowX-ForestPolicy-and-RUP](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-allowx-forestpolicy-and-rup)
+- [ADMX_GroupPolicy/CSE_AppMgmt](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-appmgmt)
+- [ADMX_GroupPolicy/CSE_DiskQuota](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-diskquota)
+- [ADMX_GroupPolicy/CSE_EFSRecovery](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-efsrecovery)
+- [ADMX_GroupPolicy/CSE_FolderRedirection](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-folderredirection)
+- [ADMX_GroupPolicy/CSE_IEM](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-iem)
+- [ADMX_GroupPolicy/CSE_IPSecurity](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-ipsecurity)
+- [ADMX_GroupPolicy/CSE_Registry](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-registry)
+- [ADMX_GroupPolicy/CSE_Scripts](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-scripts)
+- [ADMX_GroupPolicy/CSE_Security](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-security)
+- [ADMX_GroupPolicy/CSE_Wired](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-wired)
+- [ADMX_GroupPolicy/CSE_Wireless](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-cse-wireless)
+- [ADMX_GroupPolicy/CorpConnSyncWaitTime](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-corpconnsyncwaittime)
+- [ADMX_GroupPolicy/DenyRsopToInteractiveUser_1](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-denyrsoptointeractiveuser-1)
+- [ADMX_GroupPolicy/DenyRsopToInteractiveUser_2](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-denyrsoptointeractiveuser-2)
+- [ADMX_GroupPolicy/DisableAOACProcessing](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-disableaoacprocessing)
+- [ADMX_GroupPolicy/DisableAutoADMUpdate](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-disableautoadmupdate)
+- [ADMX_GroupPolicy/DisableBackgroundPolicy](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-disablebackgroundpolicy)
+- [ADMX_GroupPolicy/DisableLGPOProcessing](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-disablelgpoprocessing)
+- [ADMX_GroupPolicy/DisableUsersFromMachGP](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-disableusersfrommachgp)
+- [ADMX_GroupPolicy/EnableCDP](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-enablecdp)
+- [ADMX_GroupPolicy/EnableLogonOptimization](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-enablelogonoptimization)
+- [ADMX_GroupPolicy/EnableLogonOptimizationOnServerSKU](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-enablelogonoptimizationonserversku)
+- [ADMX_GroupPolicy/EnableMMX](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-enablemmx)
+- [ADMX_GroupPolicy/EnforcePoliciesOnly](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-enforcepoliciesonly)
+- [ADMX_GroupPolicy/FontMitigation](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-fontmitigation)
+- [ADMX_GroupPolicy/GPDCOptions](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-gpdcoptions)
+- [ADMX_GroupPolicy/GPTransferRate_1](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-gptransferrate-1)
+- [ADMX_GroupPolicy/GPTransferRate_2](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-gptransferrate-2)
+- [ADMX_GroupPolicy/GroupPolicyRefreshRate](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-grouppolicyrefreshrate)
+- [ADMX_GroupPolicy/GroupPolicyRefreshRateDC](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-grouppolicyrefreshratedc)
+- [ADMX_GroupPolicy/GroupPolicyRefreshRateUser](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-grouppolicyrefreshrateuser)
+- [ADMX_GroupPolicy/LogonScriptDelay](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-logonscriptdelay)
+- [ADMX_GroupPolicy/NewGPODisplayName](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-newgpodisplayname)
+- [ADMX_GroupPolicy/NewGPOLinksDisabled](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-newgpolinksdisabled)
+- [ADMX_GroupPolicy/OnlyUseLocalAdminFiles](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-onlyuselocaladminfiles)
+- [ADMX_GroupPolicy/ProcessMitigationOptions](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-processmitigationoptions)
+- [ADMX_GroupPolicy/RSoPLogging](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-rsoplogging)
+- [ADMX_GroupPolicy/ResetDfsClientInfoDuringRefreshPolicy](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-resetdfsclientinfoduringrefreshpolicy)
+- [ADMX_GroupPolicy/SlowLinkDefaultForDirectAccess](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-slowlinkdefaultfordirectaccess)
+- [ADMX_GroupPolicy/SlowlinkDefaultToAsync](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-slowlinkdefaulttoasync)
+- [ADMX_GroupPolicy/SyncWaitTime](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-syncwaittime)
+- [ADMX_GroupPolicy/UserPolicyMode](./policy-csp-admx-grouppolicy.md#admx-grouppolicy-userpolicymode)
- [ADMX_Help/DisableHHDEP](./policy-csp-admx-help.md#admx-help-disablehhdep)
- [ADMX_Help/HelpQualifiedRootDir_Comp](./policy-csp-admx-help.md#admx-help-helpqualifiedrootdir-comp)
- [ADMX_Help/RestrictRunFromHelp](./policy-csp-admx-help.md#admx-help-restrictrunfromhelp)
@@ -104,24 +358,302 @@ ms.date: 10/08/2020
- [ADMX_HelpAndSupport/HPExplicitFeedback](./policy-csp-admx-helpandsupport.md#admx-helpandsupport-hpexplicitfeedback)
- [ADMX_HelpAndSupport/HPImplicitFeedback](./policy-csp-admx-helpandsupport.md#admx-helpandsupport-hpimplicitfeedback)
- [ADMX_HelpAndSupport/HPOnlineAssistance](./policy-csp-admx-helpandsupport.md#admx-helpandsupport-hponlineassistance)
+- [ADMX_ICM/CEIPEnable](./policy-csp-admx-icm.md#admx-icm-ceipenable)
+- [ADMX_ICM/CertMgr_DisableAutoRootUpdates](./policy-csp-admx-icm.md#admx-icm-certmgr-disableautorootupdates)
+- [ADMX_ICM/DisableHTTPPrinting_1](./policy-csp-admx-icm.md#admx-icm-disablehttpprinting-1)
+- [ADMX_ICM/DisableWebPnPDownload_1](./policy-csp-admx-icm.md#admx-icm-disablewebpnpdownload-1)
+- [ADMX_ICM/DriverSearchPlaces_DontSearchWindowsUpdate](./policy-csp-admx-icm.md#admx-icm-driversearchplaces-dontsearchwindowsupdate)
+- [ADMX_ICM/EventViewer_DisableLinks](./policy-csp-admx-icm.md#admx-icm-eventviewer-disablelinks)
+- [ADMX_ICM/HSS_HeadlinesPolicy](./policy-csp-admx-icm.md#admx-icm-hss-headlinespolicy)
+- [ADMX_ICM/HSS_KBSearchPolicy](./policy-csp-admx-icm.md#admx-icm-hss-kbsearchpolicy)
+- [ADMX_ICM/InternetManagement_RestrictCommunication_1](./policy-csp-admx-icm.md#admx-icm-internetmanagement-restrictcommunication-1)
+- [ADMX_ICM/InternetManagement_RestrictCommunication_2](./policy-csp-admx-icm.md#admx-icm-internetmanagement-restrictcommunication-2)
+- [ADMX_ICM/NC_ExitOnISP](./policy-csp-admx-icm.md#admx-icm-nc-exitonisp)
+- [ADMX_ICM/NC_NoRegistration](./policy-csp-admx-icm.md#admx-icm-nc-noregistration)
+- [ADMX_ICM/PCH_DoNotReport](./policy-csp-admx-icm.md#admx-icm-pch-donotreport)
+- [ADMX_ICM/RemoveWindowsUpdate_ICM](./policy-csp-admx-icm.md#admx-icm-removewindowsupdate-icm)
+- [ADMX_ICM/SearchCompanion_DisableFileUpdates](./policy-csp-admx-icm.md#admx-icm-searchcompanion-disablefileupdates)
+- [ADMX_ICM/ShellNoUseInternetOpenWith_1](./policy-csp-admx-icm.md#admx-icm-shellnouseinternetopenwith-1)
+- [ADMX_ICM/ShellNoUseInternetOpenWith_2](./policy-csp-admx-icm.md#admx-icm-shellnouseinternetopenwith-2)
+- [ADMX_ICM/ShellNoUseStoreOpenWith_1](./policy-csp-admx-icm.md#admx-icm-shellnousestoreopenwith-1)
+- [ADMX_ICM/ShellNoUseStoreOpenWith_2](./policy-csp-admx-icm.md#admx-icm-shellnousestoreopenwith-2)
+- [ADMX_ICM/ShellPreventWPWDownload_1](./policy-csp-admx-icm.md#admx-icm-shellpreventwpwdownload-1)
+- [ADMX_ICM/ShellRemoveOrderPrints_1](./policy-csp-admx-icm.md#admx-icm-shellremoveorderprints-1)
+- [ADMX_ICM/ShellRemoveOrderPrints_2](./policy-csp-admx-icm.md#admx-icm-shellremoveorderprints-2)
+- [ADMX_ICM/ShellRemovePublishToWeb_1](./policy-csp-admx-icm.md#admx-icm-shellremovepublishtoweb-1)
+- [ADMX_ICM/ShellRemovePublishToWeb_2](./policy-csp-admx-icm.md#admx-icm-shellremovepublishtoweb-2)
+- [ADMX_ICM/WinMSG_NoInstrumentation_1](./policy-csp-admx-icm.md#admx-icm-winmsg_noinstrumentation-1)
+- [ADMX_ICM/WinMSG_NoInstrumentation_2](./policy-csp-admx-icm.md#admx-icm-winmsg_noinstrumentation-2)
- [ADMX_kdc/CbacAndArmor](./policy-csp-admx-kdc.md#admx-kdc-cbacandarmor)
- [ADMX_kdc/ForestSearch](./policy-csp-admx-kdc.md#admx-kdc-forestsearch)
- [ADMX_kdc/PKINITFreshness](./policy-csp-admx-kdc.md#admx-kdc-pkinitfreshness)
- [ADMX_kdc/RequestCompoundId](./policy-csp-admx-kdc.md#admx-kdc-requestcompoundid)
- [ADMX_kdc/TicketSizeThreshold](./policy-csp-admx-kdc.md#admx-kdc-ticketsizethreshold)
- [ADMX_kdc/emitlili](./policy-csp-admx-kdc.md#admx-kdc-emitlili)
+- [ADMX_Kerberos/AlwaysSendCompoundId](./policy-csp-admx-kerberos.md#admx-kerberos-alwayssendcompoundid)
+- [ADMX_Kerberos/DevicePKInitEnabled](./policy-csp-admx-kerberos.md#admx-kerberos-devicepkinitenabled)
+- [ADMX_Kerberos/HostToRealm](./policy-csp-admx-kerberos.md#admx-kerberos-hosttorealm)
+- [ADMX_Kerberos/KdcProxyDisableServerRevocationCheck](./policy-csp-admx-kerberos.md#admx-kerberos-kdcproxydisableserverrevocationcheck)
+- [ADMX_Kerberos/KdcProxyServer](./policy-csp-admx-kerberos.md#admx-kerberos-kdcproxyserver)
+- [ADMX_Kerberos/MitRealms](./policy-csp-admx-kerberos.md#admx-kerberos-mitrealms)
+- [ADMX_Kerberos/ServerAcceptsCompound](./policy-csp-admx-kerberos.md#admx-kerberos-serveracceptscompound)
+- [ADMX_Kerberos/StrictTarget](./policy-csp-admx-kerberos.md#admx-kerberos-stricttarget)
- [ADMX_LanmanServer/Pol_CipherSuiteOrder](./policy-csp-admx-lanmanserver.md#admx-lanmanserver-pol-ciphersuiteorder)
- [ADMX_LanmanServer/Pol_HashPublication](./policy-csp-admx-lanmanserver.md#admx-lanmanserver-pol-hashpublication)
- [ADMX_LanmanServer/Pol_HashSupportVersion](./policy-csp-admx-lanmanserver.md#admx-lanmanserver-pol-hashsupportversion)
- [ADMX_LanmanServer/Pol_HonorCipherSuiteOrder](./policy-csp-admx-lanmanserver.md#admx-lanmanserver-pol-honorciphersuiteorder)
+- [ADMX_LanmanWorkstation/Pol_CipherSuiteOrder](./policy-csp-admx-lanmanworkstation.md#admx-lanmanworkstation-pol-ciphersuiteorder)
+- [ADMX_LanmanWorkstation/Pol_EnableHandleCachingForCAFiles](./policy-csp-admx-lanmanworkstation.md#admx-lanmanworkstation-pol-enablehandlecachingforcafiles)
+- [ADMX_LanmanWorkstation/Pol_EnableOfflineFilesforCAShares](./policy-csp-admx-lanmanworkstation.md#admx-lanmanworkstation-pol-enableofflinefilesforcashares)
- [ADMX_LinkLayerTopologyDiscovery/LLTD_EnableLLTDIO](./policy-csp-admx-linklayertopologydiscovery.md#admx-linklayertopologydiscovery-lltd-enablelltdio)
- [ADMX_LinkLayerTopologyDiscovery/LLTD_EnableRspndr](./policy-csp-admx-linklayertopologydiscovery.md#admx-linklayertopologydiscovery-lltd-enablerspndr)
+- [ADMX_Logon/BlockUserFromShowingAccountDetailsOnSignin](./policy-csp-admx-logon.md#admx-logon-blockuserfromshowingaccountdetailsonsignin)
+- [ADMX_Logon/DisableAcrylicBackgroundOnLogon](./policy-csp-admx-logon.md#admx-logon-disableacrylicbackgroundonlogon)
+- [ADMX_Logon/DisableExplorerRunLegacy_1](./policy-csp-admx-logon.md#admx-logon-disableexplorerrunlegacy-1)
+- [ADMX_Logon/DisableExplorerRunLegacy_2](./policy-csp-admx-logon.md#admx-logon-disableexplorerrunlegacy-2)
+- [ADMX_Logon/DisableExplorerRunOnceLegacy_1](./policy-csp-admx-logon.md#admx-logon-disableexplorerrunoncelegacy-1)
+- [ADMX_Logon/DisableExplorerRunOnceLegacy_2](./policy-csp-admx-logon.md#admx-logon-disableexplorerrunoncelegacy-2)
+- [ADMX_Logon/DisableStatusMessages](./policy-csp-admx-logon.md#admx-logon-disablestatusmessages)
+- [ADMX_Logon/DontEnumerateConnectedUsers](./policy-csp-admx-logon.md#admx-logon-dontenumerateconnectedusers)
+- [ADMX_Logon/NoWelcomeTips_1](./policy-csp-admx-logon.md#admx-logon-nowelcometips-1)
+- [ADMX_Logon/NoWelcomeTips_2](./policy-csp-admx-logon.md#admx-logon-nowelcometips-2)
+- [ADMX_Logon/Run_1](./policy-csp-admx-logon.md#admx-logon-run-1)
+- [ADMX_Logon/Run_2](./policy-csp-admx-logon.md#admx-logon-run-2)
+- [ADMX_Logon/SyncForegroundPolicy](./policy-csp-admx-logon.md#admx-logon-syncforegroundpolicy)
+- [ADMX_Logon/UseOEMBackground](./policy-csp-admx-logon.md#admx-logon-useoembackground)
+- [ADMX_Logon/VerboseStatus](./policy-csp-admx-logon.md#admx-logon-verbosestatus)
+- [ADMX_MicrosoftDefenderAntivirus/AllowFastServiceStartup](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-allowfastservicestartup)
+- [ADMX_MicrosoftDefenderAntivirus/DisableAntiSpywareDefender](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disableantispywaredefender)
+- [ADMX_MicrosoftDefenderAntivirus/DisableAutoExclusions](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disableautoexclusions)
+- [ADMX_MicrosoftDefenderAntivirus/DisableBlockAtFirstSeen](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disableblockatfirstseen)
+- [ADMX_MicrosoftDefenderAntivirus/DisableLocalAdminMerge](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disablelocaladminmerge)
+- [ADMX_MicrosoftDefenderAntivirus/DisableRealtimeMonitoring](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disablerealtimemonitoring)
+- [ADMX_MicrosoftDefenderAntivirus/DisableRoutinelyTakingAction](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-disableroutinelytakingaction)
+- [ADMX_MicrosoftDefenderAntivirus/Exclusions_Extensions](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exclusions-extensions)
+- [ADMX_MicrosoftDefenderAntivirus/Exclusions_Paths](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exclusions-paths)
+- [ADMX_MicrosoftDefenderAntivirus/Exclusions_Processes](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exclusions-processes)
+- [ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_ASROnlyExclusions](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exploitguard-asr-asronlyexclusions)
+- [ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_Rules](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exploitguard-asr-rules)
+- [ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_AllowedApplications](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exploitguard-controlledfolderaccess-allowedapplications)
+- [ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_ProtectedFolders](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-exploitguard-controlledfolderaccess-protectedfolders)
+- [ADMX_MicrosoftDefenderAntivirus/MpEngine_EnableFileHashComputation](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-mpengine-enablefilehashcomputation)
+- [ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_DisableSignatureRetirement](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-nis-consumers-ips-disablesignatureretirement)
+- [ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-nis-consumers-ips-sku-differentiation-signature-set-guid)
+- [ADMX_MicrosoftDefenderAntivirus/Nis_DisableProtocolRecognition](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-nis-disableprotocolrecognition)
+- [ADMX_MicrosoftDefenderAntivirus/ProxyBypass](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-proxybypass)
+- [ADMX_MicrosoftDefenderAntivirus/ProxyPacUrl](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-proxypacurl)
+- [ADMX_MicrosoftDefenderAntivirus/ProxyServer](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-proxyserver)
+- [ADMX_MicrosoftDefenderAntivirus/Quarantine_LocalSettingOverridePurgeItemsAfterDelay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-quarantine-localsettingoverridepurgeitemsafterdelay)
+- [ADMX_MicrosoftDefenderAntivirus/Quarantine_PurgeItemsAfterDelay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-quarantine-purgeitemsafterdelay)
+- [ADMX_MicrosoftDefenderAntivirus/RandomizeScheduleTaskTimes](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-randomizescheduletasktimes)
+- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableBehaviorMonitoring](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disablebehaviormonitoring)
+- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableIOAVProtection](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disableioavprotection)
+- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableOnAccessProtection](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disableonaccessprotection)
+- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableRawWriteNotification](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disablerawwritenotification)
+- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableScanOnRealtimeEnable](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-disablescanonrealtimeenable)
+- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_IOAVMaxSize](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-ioavmaxsize)
+- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisablebehaviormonitoring)
+- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableIOAVProtection](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisableioavprotection)
+- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisableonaccessprotection)
+- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverridedisablerealtimemonitoring)
+- [ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideRealtimeScanDirection](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-realtimeprotection-localsettingoverriderealtimescandirection)
+- [ADMX_MicrosoftDefenderAntivirus/Remediation_LocalSettingOverrideScan_ScheduleTime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-remediation-localsettingoverridescan-scheduletime)
+- [ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleDay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-remediation-scan-scheduleday)
+- [ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleTime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-remediation-scan-scheduletime)
+- [ADMX_MicrosoftDefenderAntivirus/Reporting_AdditionalActionTimeout](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-additionalactiontimeout)
+- [ADMX_MicrosoftDefenderAntivirus/Reporting_CriticalFailureTimeout](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-criticalfailuretimeout)
+- [ADMX_MicrosoftDefenderAntivirus/Reporting_DisableEnhancedNotifications](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-disableenhancednotifications)
+- [ADMX_MicrosoftDefenderAntivirus/Reporting_DisablegenericrePorts](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-disablegenericreports)
+- [ADMX_MicrosoftDefenderAntivirus/Reporting_NonCriticalTimeout](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-noncriticaltimeout)
+- [ADMX_MicrosoftDefenderAntivirus/Reporting_RecentlyCleanedTimeout](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-recentlycleanedtimeout)
+- [ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingComponents](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-wpptracingcomponents)
+- [ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingLevel](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-reporting-wpptracinglevel)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_AllowPause](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-allowpause)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxDepth](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-archivemaxdepth)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxSize](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-archivemaxsize)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableArchiveScanning](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablearchivescanning)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableEmailScanning](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disableemailscanning)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableHeuristics](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disableheuristics)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_DisablePackedExeScanning](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablepackedexescanning)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableRemovableDriveScanning](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disableremovabledrivescanning)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableReparsePointScanning](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablereparsepointscanning)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableRestorePoint](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablerestorepoint)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningMappedNetworkDrivesForFullScan](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablescanningmappednetworkdrivesforfullscan)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningNetworkFiles](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-disablescanningnetworkfiles)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideAvgCPULoadFactor](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverrideavgcpuloadfactor)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScanParameters](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverridescanparameters)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleDay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverridescheduleday)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleQuickScantime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverrideschedulequickscantime)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleTime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-localsettingoverridescheduletime)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_LowCpuPriority](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-lowcpupriority)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_MissedScheduledScanCountBeforeCatchup](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-missedscheduledscancountbeforecatchup)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_PurgeItemsAfterDelay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-purgeitemsafterdelay)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_QuickScanInterval](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-quickscaninterval)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_ScanOnlyIfIdle](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-scanonlyifidle)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleDay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-scheduleday)
+- [ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleTime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-scan-scheduletime)
+- [ADMX_MicrosoftDefenderAntivirus/ServiceKeepAlive](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-servicekeepalive)
+- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ASSignatureDue](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-assignaturedue)
+- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_AVSignatureDue](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-avsignaturedue)
+- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DefinitionUpdateFileSharesSources](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-definitionupdatefilesharessources)
+- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScanOnUpdate](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-disablescanonupdate)
+- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScheduledSignatureUpdateonBattery](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-disablescheduledsignatureupdateonbattery)
+- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableUpdateOnStartupWithoutEngine](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-disableupdateonstartupwithoutengine)
+- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_FallbackOrder](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-fallbackorder)
+- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ForceUpdateFromMU](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-forceupdatefrommu)
+- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_RealtimeSignatureDelivery](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-realtimesignaturedelivery)
+- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleDay](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-scheduleday)
+- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleTime](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-scheduletime)
+- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SharedSignaturesLocation](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-sharedsignatureslocation)
+- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureDisableNotification](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-signaturedisablenotification)
+- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureUpdateCatchupInterval](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-signatureupdatecatchupinterval)
+- [ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_UpdateOnStartup](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-signatureupdate-updateonstartup)
+- [ADMX_MicrosoftDefenderAntivirus/SpynetReporting](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-spynetreporting)
+- [ADMX_MicrosoftDefenderAntivirus/Spynet_LocalSettingOverrideSpynetReporting](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-spynet-localsettingoverridespynetreporting)
+- [ADMX_MicrosoftDefenderAntivirus/Threats_ThreatIdDefaultAction](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-threats-threatiddefaultaction)
+- [ADMX_MicrosoftDefenderAntivirus/UX_Configuration_CustomDefaultActionToastString](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-ux-configuration-customdefaultactiontoaststring)
+- [ADMX_MicrosoftDefenderAntivirus/UX_Configuration_Notification_Suppress](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-ux-configuration-notification-suppress)
+- [ADMX_MicrosoftDefenderAntivirus/UX_Configuration_SuppressRebootNotification](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-ux-configuration-suppressrebootnotification)
+- [ADMX_MicrosoftDefenderAntivirus/UX_Configuration_UILockdown](./policy-csp-admx-microsoftdefenderantivirus.md#admx-microsoftdefenderantivirus-ux-configuration-uilockdown)
- [ADMX_MMC/MMC_ActiveXControl](./policy-csp-admx-mmc.md#admx-mmc-mmc-activexcontrol)
- [ADMX_MMC/MMC_ExtendView](./policy-csp-admx-mmc.md#admx-mmc-mmc-extendview)
- [ADMX_MMC/MMC_LinkToWeb](./policy-csp-admx-mmc.md#admx-mmc-mmc-linktoweb)
- [ADMX_MMC/MMC_Restrict_Author](./policy-csp-admx-mmc.md#admx-mmc-mmc-restrict-author)
- [ADMX_MMC/MMC_Restrict_To_Permitted_Snapins](./policy-csp-admx-mmc.md#admx-mmc-mmc-restrict-to-permitted-snapins)
+- [ADMX_MMCSnapins/MMC_ADMComputers_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-admcomputers-1)
+- [ADMX_MMCSnapins/MMC_ADMComputers_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-admcomputers-2)
+- [ADMX_MMCSnapins/MMC_ADMUsers_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-admusers-1)
+- [ADMX_MMCSnapins/MMC_ADMUsers_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-admusers-2)
+- [ADMX_MMCSnapins/MMC_ADSI](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-adsi)
+- [ADMX_MMCSnapins/MMC_ActiveDirDomTrusts](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-activedirdomtrusts)
+- [ADMX_MMCSnapins/MMC_ActiveDirSitesServices](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-activedirsitesservices)
+- [ADMX_MMCSnapins/MMC_ActiveDirUsersComp](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-activediruserscomp)
+- [ADMX_MMCSnapins/MMC_AppleTalkRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-appletalkrouting)
+- [ADMX_MMCSnapins/MMC_AuthMan](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-authman)
+- [ADMX_MMCSnapins/MMC_CertAuth](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-certauth)
+- [ADMX_MMCSnapins/MMC_CertAuthPolSet](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-certauthpolset)
+- [ADMX_MMCSnapins/MMC_Certs](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-certs)
+- [ADMX_MMCSnapins/MMC_CertsTemplate](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-certstemplate)
+- [ADMX_MMCSnapins/MMC_ComponentServices](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-componentservices)
+- [ADMX_MMCSnapins/MMC_ComputerManagement](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-computermanagement)
+- [ADMX_MMCSnapins/MMC_ConnectionSharingNAT](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-connectionsharingnat)
+- [ADMX_MMCSnapins/MMC_DCOMCFG](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-dcomcfg)
+- [ADMX_MMCSnapins/MMC_DFS](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-dfs)
+- [ADMX_MMCSnapins/MMC_DHCPRelayMgmt](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-dhcprelaymgmt)
+- [ADMX_MMCSnapins/MMC_DeviceManager_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-devicemanager-1)
+- [ADMX_MMCSnapins/MMC_DeviceManager_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-devicemanager-2)
+- [ADMX_MMCSnapins/MMC_DiskDefrag](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-diskdefrag)
+- [ADMX_MMCSnapins/MMC_DiskMgmt](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-diskmgmt)
+- [ADMX_MMCSnapins/MMC_EnterprisePKI](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-enterprisepki)
+- [ADMX_MMCSnapins/MMC_EventViewer_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-eventviewer-1)
+- [ADMX_MMCSnapins/MMC_EventViewer_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-eventviewer-2)
+- [ADMX_MMCSnapins/MMC_EventViewer_3](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-eventviewer-3)
+- [ADMX_MMCSnapins/MMC_EventViewer_4](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-eventviewer-4)
+- [ADMX_MMCSnapins/MMC_FAXService](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-faxservice)
+- [ADMX_MMCSnapins/MMC_FailoverClusters](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-failoverclusters)
+- [ADMX_MMCSnapins/MMC_FolderRedirection_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-folderredirection-1)
+- [ADMX_MMCSnapins/MMC_FolderRedirection_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-folderredirection-2)
+- [ADMX_MMCSnapins/MMC_FrontPageExt](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-frontpageext)
+- [ADMX_MMCSnapins/MMC_GroupPolicyManagementSnapIn](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-grouppolicymanagementsnapin)
+- [ADMX_MMCSnapins/MMC_GroupPolicySnapIn](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-grouppolicysnapin)
+- [ADMX_MMCSnapins/MMC_GroupPolicyTab](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-grouppolicytab)
+- [ADMX_MMCSnapins/MMC_HRA](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-hra)
+- [ADMX_MMCSnapins/MMC_IAS](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ias)
+- [ADMX_MMCSnapins/MMC_IASLogging](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-iaslogging)
+- [ADMX_MMCSnapins/MMC_IEMaintenance_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-iemaintenance-1)
+- [ADMX_MMCSnapins/MMC_IEMaintenance_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-iemaintenance-2)
+- [ADMX_MMCSnapins/MMC_IGMPRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-igmprouting)
+- [ADMX_MMCSnapins/MMC_IIS](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-iis)
+- [ADMX_MMCSnapins/MMC_IPRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-iprouting)
+- [ADMX_MMCSnapins/MMC_IPSecManage_GP](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipsecmanage-gp)
+- [ADMX_MMCSnapins/MMC_IPXRIPRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipxriprouting)
+- [ADMX_MMCSnapins/MMC_IPXRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipxrouting)
+- [ADMX_MMCSnapins/MMC_IPXSAPRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipxsaprouting)
+- [ADMX_MMCSnapins/MMC_IndexingService](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-indexingservice)
+- [ADMX_MMCSnapins/MMC_IpSecManage](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipsecmanage)
+- [ADMX_MMCSnapins/MMC_IpSecMonitor](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ipsecmonitor)
+- [ADMX_MMCSnapins/MMC_LocalUsersGroups](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-localusersgroups)
+- [ADMX_MMCSnapins/MMC_LogicalMappedDrives](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-logicalmappeddrives)
+- [ADMX_MMCSnapins/MMC_NPSUI](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-npsui)
+- [ADMX_MMCSnapins/MMC_NapSnap](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-napsnap)
+- [ADMX_MMCSnapins/MMC_NapSnap_GP](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-napsnap-gp)
+- [ADMX_MMCSnapins/MMC_Net_Framework](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-net-framework)
+- [ADMX_MMCSnapins/MMC_OCSP](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ocsp)
+- [ADMX_MMCSnapins/MMC_OSPFRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ospfrouting)
+- [ADMX_MMCSnapins/MMC_PerfLogsAlerts](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-perflogsalerts)
+- [ADMX_MMCSnapins/MMC_PublicKey](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-publickey)
+- [ADMX_MMCSnapins/MMC_QoSAdmission](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-qosadmission)
+- [ADMX_MMCSnapins/MMC_RAS_DialinUser](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ras-dialinuser)
+- [ADMX_MMCSnapins/MMC_RIPRouting](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-riprouting)
+- [ADMX_MMCSnapins/MMC_RIS](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-ris)
+- [ADMX_MMCSnapins/MMC_RRA](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-rra)
+- [ADMX_MMCSnapins/MMC_RSM](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-rsm)
+- [ADMX_MMCSnapins/MMC_RemStore](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-remstore)
+- [ADMX_MMCSnapins/MMC_RemoteAccess](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-remoteaccess)
+- [ADMX_MMCSnapins/MMC_RemoteDesktop](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-remotedesktop)
+- [ADMX_MMCSnapins/MMC_ResultantSetOfPolicySnapIn](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-resultantsetofpolicysnapin)
+- [ADMX_MMCSnapins/MMC_Routing](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-routing)
+- [ADMX_MMCSnapins/MMC_SCA](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sca)
+- [ADMX_MMCSnapins/MMC_SMTPProtocol](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-smtpprotocol)
+- [ADMX_MMCSnapins/MMC_SNMP](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-snmp)
+- [ADMX_MMCSnapins/MMC_ScriptsMachine_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-scriptsmachine-1)
+- [ADMX_MMCSnapins/MMC_ScriptsMachine_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-scriptsmachine-2)
+- [ADMX_MMCSnapins/MMC_ScriptsUser_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-scriptsuser-1)
+- [ADMX_MMCSnapins/MMC_ScriptsUser_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-scriptsuser-2)
+- [ADMX_MMCSnapins/MMC_SecuritySettings_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-securitysettings-1)
+- [ADMX_MMCSnapins/MMC_SecuritySettings_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-securitysettings-2)
+- [ADMX_MMCSnapins/MMC_SecurityTemplates](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-securitytemplates)
+- [ADMX_MMCSnapins/MMC_SendConsoleMessage](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sendconsolemessage)
+- [ADMX_MMCSnapins/MMC_ServerManager](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-servermanager)
+- [ADMX_MMCSnapins/MMC_ServiceDependencies](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-servicedependencies)
+- [ADMX_MMCSnapins/MMC_Services](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-services)
+- [ADMX_MMCSnapins/MMC_SharedFolders](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sharedfolders)
+- [ADMX_MMCSnapins/MMC_SharedFolders_Ext](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sharedfolders-ext)
+- [ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-softwareinstalationcomputers-1)
+- [ADMX_MMCSnapins/MMC_SoftwareInstalationComputers_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-softwareinstalationcomputers-2)
+- [ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_1](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-softwareinstallationusers-1)
+- [ADMX_MMCSnapins/MMC_SoftwareInstallationUsers_2](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-softwareinstallationusers-2)
+- [ADMX_MMCSnapins/MMC_SysInfo](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sysinfo)
+- [ADMX_MMCSnapins/MMC_SysProp](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-sysprop)
+- [ADMX_MMCSnapins/MMC_TPMManagement](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-tpmmanagement)
+- [ADMX_MMCSnapins/MMC_Telephony](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-telephony)
+- [ADMX_MMCSnapins/MMC_TerminalServices](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-terminalservices)
+- [ADMX_MMCSnapins/MMC_WMI](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-wmi)
+- [ADMX_MMCSnapins/MMC_WindowsFirewall](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-windowsfirewall)
+- [ADMX_MMCSnapins/MMC_WindowsFirewall_GP](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-windowsfirewall-gp)
+- [ADMX_MMCSnapins/MMC_WiredNetworkPolicy](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-wirednetworkpolicy)
+- [ADMX_MMCSnapins/MMC_WirelessMon](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-wirelessmon)
+- [ADMX_MMCSnapins/MMC_WirelessNetworkPolicy](./policy-csp-admx-mmcsnapins.md#admx-mmcsnapins-mmc-wirelessnetworkpolicy)
- [ADMX_MSAPolicy/IncludeMicrosoftAccount_DisableUserAuthCmdLine](./policy-csp-admx-msapolicy.md#admx-msapolicy-microsoftaccount-disableuserauth)
+- [ADMX_msched/ActivationBoundaryPolicy](./policy-csp-admx-msched.md#admx-msched-activationboundarypolicy)
+- [ADMX_msched/RandomDelayPolicy](./policy-csp-admx-msched.md#admx-msched-randomdelaypolicy)
+- [ADMX_MSDT/MsdtSupportProvider](./policy-csp-admx-msdt.md#admx-msdt-msdtsupportprovider)
+- [ADMX_MSDT/MsdtToolDownloadPolicy](./policy-csp-admx-msdt.md#admx-msdt-msdttooldownloadpolicy)
+- [ADMX_MSDT/WdiScenarioExecutionPolicy](./policy-csp-admx-msdt.md#admx-msdt-wdiscenarioexecutionpolicy)
+- [ADMX_MSI/AllowLockdownBrowse](./policy-csp-admx-msi.md#admx-msi-allowlockdownbrowse)
+- [ADMX_MSI/AllowLockdownMedia](./policy-csp-admx-msi.md#admx-msi-allowlockdownmedia)
+- [ADMX_MSI/AllowLockdownPatch](./policy-csp-admx-msi.md#admx-msi-allowlockdownpatch)
+- [ADMX_MSI/DisableAutomaticApplicationShutdown](./policy-csp-admx-msi.md#admx-msi-disableautomaticapplicationshutdown)
+- [ADMX_MSI/DisableBrowse](./policy-csp-admx-msi.md#admx-msi-disablebrowse)
+- [ADMX_MSI/DisableFlyweightPatching](./policy-csp-admx-msi.md#admx-msi-disableflyweightpatching)
+- [ADMX_MSI/DisableLoggingFromPackage](./policy-csp-admx-msi.md#admx-msi-disableloggingfrompackage)
+- [ADMX_MSI/DisableMSI](./policy-csp-admx-msi.md#admx-msi-disablemsi)
+- [ADMX_MSI/DisableMedia](./policy-csp-admx-msi.md#admx-msi-disablemedia)
+- [ADMX_MSI/DisablePatch](./policy-csp-admx-msi.md#admx-msi-disablepatch)
+- [ADMX_MSI/DisableRollback_1](./policy-csp-admx-msi.md#admx-msi-disablerollback-1)
+- [ADMX_MSI/DisableRollback_2](./policy-csp-admx-msi.md#admx-msi-disablerollback-2)
+- [ADMX_MSI/DisableSharedComponent](./policy-csp-admx-msi.md#admx-msi-disablesharedcomponent)
+- [ADMX_MSI/MSILogging](./policy-csp-admx-msi.md#admx-msi-msilogging)
+- [ADMX_MSI/MSI_DisableLUAPatching](./policy-csp-admx-msi.md#admx-msi-msi-disableluapatching)
+- [ADMX_MSI/MSI_DisablePatchUninstall](./policy-csp-admx-msi.md#admx-msi-msi-disablepatchuninstall)
+- [ADMX_MSI/MSI_DisableSRCheckPoints](./policy-csp-admx-msi.md#admx-msi-msi-disablesrcheckpoints)
+- [ADMX_MSI/MSI_DisableUserInstalls](./policy-csp-admx-msi.md#admx-msi-msi-disableuserinstalls)
+- [ADMX_MSI/MSI_EnforceUpgradeComponentRules](./policy-csp-admx-msi.md#admx-msi-msi-enforceupgradecomponentrules)
+- [ADMX_MSI/MSI_MaxPatchCacheSize](./policy-csp-admx-msi.md#admx-msi-msi-maxpatchcachesize)
+- [ADMX_MSI/MsiDisableEmbeddedUI](./policy-csp-admx-msi.md#admx-msi-msidisableembeddedui)
+- [ADMX_MSI/SafeForScripting](./policy-csp-admx-msi.md#admx-msi-safeforscripting)
+- [ADMX_MSI/SearchOrder](./policy-csp-admx-msi.md#admx-msi-searchorder)
+- [ADMX_MSI/TransformsSecure](./policy-csp-admx-msi.md#admx-msi-transformssecure)
- [ADMX_nca/CorporateResources](./policy-csp-admx-nca.md#admx-nca-corporateresources)
- [ADMX_nca/CustomCommands](./policy-csp-admx-nca.md#admx-nca-customcommands)
- [ADMX_nca/DTEs](./policy-csp-admx-nca.md#admx-nca-dtes)
@@ -172,6 +704,33 @@ ms.date: 10/08/2020
- [ADMX_Netlogon/Netlogon_SysvolShareCompatibilityMode](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-sysvolsharecompatibilitymode)
- [ADMX_Netlogon/Netlogon_TryNextClosestSite](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-trynextclosestsite)
- [ADMX_Netlogon/Netlogon_UseDynamicDns](./policy-csp-admx-netlogon.md#admx-netlogon-netlogon-usedynamicdns)
+- [ADMX_NetworkConnections/NC_AddRemoveComponents](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-addremovecomponents)
+- [ADMX_NetworkConnections/NC_AdvancedSettings](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-advancedsettings)
+- [ADMX_NetworkConnections/NC_AllowAdvancedTCPIPConfig](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-allowadvancedtcpipconfig)
+- [ADMX_NetworkConnections/NC_ChangeBindState](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-changebindstate)
+- [ADMX_NetworkConnections/NC_DeleteAllUserConnection](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-deletealluserconnection)
+- [ADMX_NetworkConnections/NC_DeleteConnection](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-deleteconnection)
+- [ADMX_NetworkConnections/NC_DialupPrefs](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-dialupprefs)
+- [ADMX_NetworkConnections/NC_DoNotShowLocalOnlyIcon](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-donotshowlocalonlyicon)
+- [ADMX_NetworkConnections/NC_EnableAdminProhibits](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-enableadminprohibits)
+- [ADMX_NetworkConnections/NC_ForceTunneling](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-forcetunneling)
+- [ADMX_NetworkConnections/NC_IpStateChecking](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-ipstatechecking)
+- [ADMX_NetworkConnections/NC_LanChangeProperties](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-lanchangeproperties)
+- [ADMX_NetworkConnections/NC_LanConnect](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-lanconnect)
+- [ADMX_NetworkConnections/NC_LanProperties](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-lanproperties)
+- [ADMX_NetworkConnections/NC_NewConnectionWizard](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-newconnectionwizard)
+- [ADMX_NetworkConnections/NC_PersonalFirewallConfig](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-personalfirewallconfig)
+- [ADMX_NetworkConnections/NC_RasAllUserProperties](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-rasalluserproperties)
+- [ADMX_NetworkConnections/NC_RasChangeProperties](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-raschangeproperties)
+- [ADMX_NetworkConnections/NC_RasConnect](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-rasconnect)
+- [ADMX_NetworkConnections/NC_RasMyProperties](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-rasmyproperties)
+- [ADMX_NetworkConnections/NC_RenameAllUserRasConnection](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-renamealluserrasconnection)
+- [ADMX_NetworkConnections/NC_RenameConnection](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-renameconnection)
+- [ADMX_NetworkConnections/NC_RenameLanConnection](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-renamelanconnection)
+- [ADMX_NetworkConnections/NC_RenameMyRasConnection](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-renamemyrasconnection)
+- [ADMX_NetworkConnections/NC_ShowSharedAccessUI](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-showsharedaccessui)
+- [ADMX_NetworkConnections/NC_Statistics](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-statistics)
+- [ADMX_NetworkConnections/NC_StdDomainUserSetLocation](./policy-csp-admx-networkconnections.md#admx-networkconnections-nc-stddomainusersetlocation)
- [ADMX_OfflineFiles/Pol_AlwaysPinSubFolders](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-alwayspinsubfolders)
- [ADMX_OfflineFiles/Pol_AssignedOfflineFiles_1](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-assignedofflinefiles-1)
- [ADMX_OfflineFiles/Pol_AssignedOfflineFiles_2](./policy-csp-admx-offlinefiles.md#admx-offlinefiles-pol-assignedofflinefiles-2)
@@ -231,10 +790,120 @@ ms.date: 10/08/2020
- [ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_2](./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-2)
- [ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_3](./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-3)
- [ADMX_PerformanceDiagnostics/WdiScenarioExecutionPolicy_4](./policy-csp-admx-performancediagnostics.md#admx-performancediagnostics-wdiscenarioexecutionpolicy-4)
+- [ADMX_Power/ACConnectivityInStandby_2](./policy-csp-admx-power.md#admx-power-acconnectivityinstandby-2)
+- [ADMX_Power/ACCriticalSleepTransitionsDisable_2](./policy-csp-admx-power.md#admx-power-accriticalsleeptransitionsdisable-2)
+- [ADMX_Power/ACStartMenuButtonAction_2](./policy-csp-admx-power.md#admx-power-acstartmenubuttonaction-2)
+- [ADMX_Power/AllowSystemPowerRequestAC](./policy-csp-admx-power.md#admx-power-allowsystempowerrequestac)
+- [ADMX_Power/AllowSystemPowerRequestDC](./policy-csp-admx-power.md#admx-power-allowsystempowerrequestdc)
+- [ADMX_Power/AllowSystemSleepWithRemoteFilesOpenAC](./policy-csp-admx-power.md#admx-power-allowsystemsleepwithremotefilesopenac)
+- [ADMX_Power/AllowSystemSleepWithRemoteFilesOpenDC](./policy-csp-admx-power.md#admx-power-allowsystemsleepwithremotefilesopendc)
+- [ADMX_Power/CustomActiveSchemeOverride_2](./policy-csp-admx-power.md#admx-power-customactiveschemeoverride-2)
+- [ADMX_Power/DCBatteryDischargeAction0_2](./policy-csp-admx-power.md#admx-power-dcbatterydischargeaction0-2)
+- [ADMX_Power/DCBatteryDischargeAction1_2](./policy-csp-admx-power.md#admx-power-dcbatterydischargeaction1-2)
+- [ADMX_Power/DCBatteryDischargeLevel0_2](./policy-csp-admx-power.md#admx-power-dcbatterydischargelevel0-2)
+- [ADMX_Power/DCBatteryDischargeLevel1UINotification_2](./policy-csp-admx-power.md#admx-power-dcbatterydischargelevel1uinotification-2)
+- [ADMX_Power/DCBatteryDischargeLevel1_2](./policy-csp-admx-power.md#admx-power-dcbatterydischargelevel1-2)
+- [ADMX_Power/DCConnectivityInStandby_2](./policy-csp-admx-power.md#admx-power-dcconnectivityinstandby-2)
+- [ADMX_Power/DCCriticalSleepTransitionsDisable_2](./policy-csp-admx-power.md#admx-power-dccriticalsleeptransitionsdisable-2)
+- [ADMX_Power/DCStartMenuButtonAction_2](./policy-csp-admx-power.md#admx-power-dcstartmenubuttonaction-2)
+- [ADMX_Power/DiskACPowerDownTimeOut_2](./policy-csp-admx-power.md#admx-power-diskacpowerdowntimeout-2)
+- [ADMX_Power/DiskDCPowerDownTimeOut_2](./policy-csp-admx-power.md#admx-power-diskdcpowerdowntimeout-2)
+- [ADMX_Power/Dont_PowerOff_AfterShutdown](./policy-csp-admx-power.md#admx-power-dont-poweroff-aftershutdown)
+- [ADMX_Power/EnableDesktopSlideShowAC](./policy-csp-admx-power.md#admx-power-enabledesktopslideshowac)
+- [ADMX_Power/EnableDesktopSlideShowDC](./policy-csp-admx-power.md#admx-power-enabledesktopslideshowdc)
+- [ADMX_Power/InboxActiveSchemeOverride_2](./policy-csp-admx-power.md#admx-power-inboxactiveschemeoverride-2)
+- [ADMX_Power/PW_PromptPasswordOnResume](./policy-csp-admx-power.md#admx-power-pw-promptpasswordonresume)
+- [ADMX_Power/PowerThrottlingTurnOff](./policy-csp-admx-power.md#admx-power-powerthrottlingturnoff)
+- [ADMX_Power/ReserveBatteryNotificationLevel](./policy-csp-admx-power.md#admx-power-reservebatterynotificationlevel)
+- [ADMX_PowerShellExecutionPolicy/EnableModuleLogging](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enablemodulelogging)
+- [ADMX_PowerShellExecutionPolicy/EnableScripts](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enablescripts)
+- [ADMX_PowerShellExecutionPolicy/EnableTranscripting](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enabletranscripting)
+- [ADMX_PowerShellExecutionPolicy/EnableUpdateHelpDefaultSourcePath](./policy-csp-admx-powershellexecutionpolicy.md#admx-powershellexecutionpolicy-enableupdatehelpdefaultsourcepath)
+- [ADMX_Printing/AllowWebPrinting](./policy-csp-admx-printing.md#admx-printing-allowwebprinting)
+- [ADMX_Printing/ApplicationDriverIsolation](./policy-csp-admx-printing.md#admx-printing-applicationdriverisolation)
+- [ADMX_Printing/CustomizedSupportUrl](./policy-csp-admx-printing.md#admx-printing-customizedsupporturl)
+- [ADMX_Printing/DoNotInstallCompatibleDriverFromWindowsUpdate](./policy-csp-admx-printing.md#admx-printing-donotinstallcompatibledriverfromwindowsupdate)
+- [ADMX_Printing/DomainPrinters](./policy-csp-admx-printing.md#admx-printing-domainprinters)
+- [ADMX_Printing/DownlevelBrowse](./policy-csp-admx-printing.md#admx-printing-downlevelbrowse)
+- [ADMX_Printing/EMFDespooling](./policy-csp-admx-printing.md#admx-printing-emfdespooling)
+- [ADMX_Printing/ForceSoftwareRasterization](./policy-csp-admx-printing.md#admx-printing-forcesoftwarerasterization)
+- [ADMX_Printing/IntranetPrintersUrl](./policy-csp-admx-printing.md#admx-printing-intranetprintersurl)
+- [ADMX_Printing/KMPrintersAreBlocked](./policy-csp-admx-printing.md#admx-printing-kmprintersareblocked)
+- [ADMX_Printing/LegacyDefaultPrinterMode](./policy-csp-admx-printing.md#admx-printing-legacydefaultprintermode)
+- [ADMX_Printing/MXDWUseLegacyOutputFormatMSXPS](./policy-csp-admx-printing.md#admx-printing-mxdwuselegacyoutputformatmsxps)
+- [ADMX_Printing/NoDeletePrinter](./policy-csp-admx-printing.md#admx-printing-nodeleteprinter)
+- [ADMX_Printing/NonDomainPrinters](./policy-csp-admx-printing.md#admx-printing-nondomainprinters)
+- [ADMX_Printing/PackagePointAndPrintOnly](./policy-csp-admx-printing.md#admx-printing-packagepointandprintonly)
+- [ADMX_Printing/PackagePointAndPrintOnly_Win7](./policy-csp-admx-printing.md#admx-printing-packagepointandprintonly-win7)
+- [ADMX_Printing/PackagePointAndPrintServerList](./policy-csp-admx-printing.md#admx-printing-packagepointandprintserverlist)
+- [ADMX_Printing/PackagePointAndPrintServerList_Win7](./policy-csp-admx-printing.md#admx-printing-packagepointandprintserverlist-win7)
+- [ADMX_Printing/PhysicalLocation](./policy-csp-admx-printing.md#admx-printing-physicallocation)
+- [ADMX_Printing/PhysicalLocationSupport](./policy-csp-admx-printing.md#admx-printing-physicallocationsupport)
+- [ADMX_Printing/PrintDriverIsolationExecutionPolicy](./policy-csp-admx-printing.md#admx-printing-printdriverisolationexecutionpolicy
+)
+- [ADMX_Printing/PrintDriverIsolationOverrideCompat](./policy-csp-admx-printing.md#admx-printing-printdriverisolationoverridecompat)
+- [ADMX_Printing/PrinterDirectorySearchScope](./policy-csp-admx-printing.md#admx-printing-printerdirectorysearchscope)
+- [ADMX_Printing/PrinterServerThread](./policy-csp-admx-printing.md#admx-printing-printerserverthread)
+- [ADMX_Printing/ShowJobTitleInEventLogs](./policy-csp-admx-printing.md#admx-printing-showjobtitleineventlogs)
+- [ADMX_Printing/V4DriverDisallowPrinterExtension](./policy-csp-admx-printing.md#admx-printing-v4driverdisallowprinterextension)
+- [ADMX_Printing2/AutoPublishing](./policy-csp-admx-printing2.md#admx-printing2-autopublishing)
+- [ADMX_Printing2/ImmortalPrintQueue](./policy-csp-admx-printing2.md#admx-printing2-immortalprintqueue)
+- [ADMX_Printing2/PruneDownlevel](./policy-csp-admx-printing2.md#admx-printing2-prunedownlevel)
+- [ADMX_Printing2/PruningInterval](./policy-csp-admx-printing2.md#admx-printing2-pruninginterval)
+- [ADMX_Printing2/PruningPriority](./policy-csp-admx-printing2.md#admx-printing2-pruningpriority)
+- [ADMX_Printing2/PruningRetries](./policy-csp-admx-printing2.md#admx-printing2-pruningretries)
+- [ADMX_Printing2/PruningRetryLog](./policy-csp-admx-printing2.md#admx-printing2-pruningretrylog)
+- [ADMX_Printing2/RegisterSpoolerRemoteRpcEndPoint](./policy-csp-admx-printing2.md#admx-printing2-registerspoolerremoterpcendpoint)
+- [ADMX_Printing2/VerifyPublishedState](./policy-csp-admx-printing2.md#admx-printing2-verifypublishedstate)
+- [ADMX_Programs/NoDefaultPrograms](./policy-csp-admx-programs.md#admx-programs-nodefaultprograms)
+- [ADMX_Programs/NoGetPrograms](./policy-csp-admx-programs.md#admx-programs-nogetprograms)
+- [ADMX_Programs/NoInstalledUpdates](./policy-csp-admx-programs.md#admx-programs-noinstalledupdates)
+- [ADMX_Programs/NoProgramsAndFeatures](./policy-csp-admx-programs.md#admx-programs-noprogramsandfeatures)
+- [ADMX_Programs/NoProgramsCPL](./policy-csp-admx-programs.md#admx-programs-noprogramscpl)
+- [ADMX_Programs/NoWindowsFeatures](./policy-csp-admx-programs.md#admx-programs-nowindowsfeatures)
+- [ADMX_Programs/NoWindowsMarketplace](./policy-csp-admx-programs.md#admx-programs-nowindowsmarketplace)
- [ADMX_Reliability/EE_EnablePersistentTimeStamp](./policy-csp-admx-reliability.md#admx-reliability-ee-enablepersistenttimestamp)
- [ADMX_Reliability/PCH_ReportShutdownEvents](./policy-csp-admx-reliability.md#admx-reliability-pch-reportshutdownevents)
- [ADMX_Reliability/ShutdownEventTrackerStateFile](./policy-csp-admx-reliability.md#admx-reliability-shutdowneventtrackerstatefile)
- [ADMX_Reliability/ShutdownReason](./policy-csp-admx-reliability.md#admx-reliability-shutdownreason)
+- [ADMX_RemoteAssistance/RA_EncryptedTicketOnly](./policy-csp-admx-remoteassistance.md#admx-remoteassistance-ra-encryptedticketonly)
+- [ADMX_RemoteAssistance/RA_Optimize_Bandwidth](./policy-csp-admx-remoteassistance.md#admx-remoteassistance-ra-optimize-bandwidth)
+- [ADMX_RemovableStorage/AccessRights_RebootTime_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-accessrights-reboottime-1)
+- [ADMX_RemovableStorage/AccessRights_RebootTime_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-accessrights-reboottime-2)
+- [ADMX_RemovableStorage/CDandDVD_DenyExecute_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-cdanddvd-denyexecute-access-2)
+- [ADMX_RemovableStorage/CDandDVD_DenyRead_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-cdanddvd-denyread-access-1)
+- [ADMX_RemovableStorage/CDandDVD_DenyRead_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-cdanddvd-denyread-access-2)
+- [ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-cdanddvd-denywrite-access-1)
+- [ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-cdanddvd-denywrite-access-2)
+- [ADMX_RemovableStorage/CustomClasses_DenyRead_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-customclasses-denyread-access-1)
+- [ADMX_RemovableStorage/CustomClasses_DenyRead_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-customclasses-denyread-access-2)
+- [ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-customclasses-denywrite-access-1)
+- [ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-customclasses-denywrite-access-2)
+- [ADMX_RemovableStorage/FloppyDrives_DenyExecute_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-floppydrives-denyexecute-access-2)
+- [ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-floppydrives-denyread-access-1)
+- [ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-floppydrives-denyread-access-2)
+- [ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-floppydrives-denywrite-access-1)
+- [ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-floppydrives-denywrite-access-2)
+- [ADMX_RemovableStorage/RemovableDisks_DenyExecute_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-removabledisks-denyexecute-access-2)
+- [ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-removabledisks-denyread-access-1)
+- [ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-removabledisks-denyread-access-2)
+- [ADMX_RemovableStorage/RemovableDisks_DenyWrite_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-removabledisks-denywrite-access-1)
+- [ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-removablestorageclasses-denyall-access-1)
+- [ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-removablestorageclasses-denyall-access-2)
+- [ADMX_RemovableStorage/Removable_Remote_Allow_Access](./policy-csp-admx-removablestorage.md#admx-removablestorage-removable-remote-allow-access)
+- [ADMX_RemovableStorage/TapeDrives_DenyExecute_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-tapedrives-denyexecute-access-2)
+- [ADMX_RemovableStorage/TapeDrives_DenyRead_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-tapedrives-denyread-access-1)
+- [ADMX_RemovableStorage/TapeDrives_DenyRead_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-tapedrives-denyread-access-2)
+- [ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-tapedrives-denywrite-access-1)
+- [ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-tapedrives-denywrite-access-2)
+- [ADMX_RemovableStorage/WPDDevices_DenyRead_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-wpddevices-denyread-access-1)
+- [ADMX_RemovableStorage/WPDDevices_DenyRead_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-wpddevices-denyread-access-2)
+- [ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_1](./policy-csp-admx-removablestorage.md#admx-removablestorage-wpddevices-denywrite-access-1)
+- [ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_2](./policy-csp-admx-removablestorage.md#admx-removablestorage-wpddevices-denywrite-access-2)
+- [ADMX_RPC/RpcExtendedErrorInformation](./policy-csp-admx-rpc.md#admx-rpc-rpcextendederrorinformation)
+- [ADMX_RPC/RpcIgnoreDelegationFailure](./policy-csp-admx-rpc.md#admx-rpc-rpcignoredelegationfailure)
+- [ADMX_RPC/RpcMinimumHttpConnectionTimeout](./policy-csp-admx-rpc.md#admx-rpc-rpcminimumhttpconnectiontimeout)
+- [ADMX_RPC/RpcStateInformation](./policy-csp-admx-rpc.md#admx-rpc-rpcstateinformation)
- [ADMX_Scripts/Allow_Logon_Script_NetbiosDisabled](./policy-csp-admx-scripts.md#admx-scripts-allow-logon-script-netbiosdisabled)
- [ADMX_Scripts/MaxGPOScriptWaitPolicy](./policy-csp-admx-scripts.md#admx-scripts-maxgposcriptwaitpolicy)
- [ADMX_Scripts/Run_Computer_PS_Scripts_First](./policy-csp-admx-scripts.md#admx-scripts-run-computer-ps-scripts-first)
@@ -251,7 +920,21 @@ ms.date: 10/08/2020
- [ADMX_sdiageng/ScriptedDiagnosticsExecutionPolicy](./policy-csp-admx-sdiageng.md#admx-sdiageng-scripteddiagnosticsexecutionpolicy)
- [ADMX_sdiageng/ScriptedDiagnosticsSecurityPolicy](./policy-csp-admx-sdiageng.md#admx-sdiageng-scripteddiagnosticssecuritypolicy)
- [ADMX_Securitycenter/SecurityCenter_SecurityCenterInDomain](/policy-csp-admx-securitycenter.md#admx-securitycenter-securitycenter-securitycenterindomain)
+- [ADMX_Sensors/DisableLocationScripting_1](./policy-csp-admx-sensors.md#admx-sensors-disablelocationscripting-1)
+- [ADMX_Sensors/DisableLocationScripting_2](./policy-csp-admx-sensors.md#admx-sensors-disablelocationscripting-2)
+- [ADMX_Sensors/DisableLocation_1](./policy-csp-admx-sensors.md#admx-sensors-disablelocation-1)
+- [ADMX_Sensors/DisableSensors_1](./policy-csp-admx-sensors.md#admx-sensors-disablesensors-1)
+- [ADMX_Sensors/DisableSensors_2](./policy-csp-admx-sensors.md#admx-sensors-disablesensors-2)
- [ADMX_Servicing/Servicing](./policy-csp-admx-servicing.md#admx-servicing-servicing)
+- [ADMX_SettingSync/DisableAppSyncSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disableappsyncsettingsync)
+- [ADMX_SettingSync/DisableApplicationSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disableapplicationsettingsync)
+- [ADMX_SettingSync/DisableCredentialsSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disablecredentialssettingsync)
+- [ADMX_SettingSync/DisableDesktopThemeSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disabledesktopthemesettingsync)
+- [ADMX_SettingSync/DisablePersonalizationSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disablepersonalizationsettingsync)
+- [ADMX_SettingSync/DisableSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disablesettingsync)
+- [ADMX_SettingSync/DisableStartLayoutSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disablestartlayoutsettingsync)
+- [ADMX_SettingSync/DisableSyncOnPaidNetwork](./policy-csp-admx-settingsync.md#admx-settingsync-disablesynconpaidnetwork)
+- [ADMX_SettingSync/DisableWindowsSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disablewindowssettingsync)
- [ADMX_SharedFolders/PublishDfsRoots](./policy-csp-admx-sharedfolders.md#admx-sharedfolders-publishdfsroots)
- [ADMX_SharedFolders/PublishSharedFolders](./policy-csp-admx-sharedfolders.md#admx-sharedfolders-publishsharedfolders)
- [ADMX_Sharing/NoInplaceSharing](./policy-csp-admx-sharing.md#admx-sharing-noinplacesharing)
@@ -259,6 +942,7 @@ ms.date: 10/08/2020
- [ADMX_ShellCommandPromptRegEditTools/DisableRegedit](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disableregedit)
- [ADMX_ShellCommandPromptRegEditTools/DisallowApps](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disallowapps)
- [ADMX_ShellCommandPromptRegEditTools/RestrictApps](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disablecmd)
+- [ADMX_SkyDrive/PreventNetworkTrafficPreUserSignIn](./policy-csp-admx-skydrive.md#admx-skydrive-preventnetworktrafficpreusersignin)
- [ADMX_Smartcard/AllowCertificatesWithNoEKU](./policy-csp-admx-smartcard.md#admx-smartcard-allowcertificateswithnoeku)
- [ADMX_Smartcard/AllowIntegratedUnblock](./policy-csp-admx-smartcard.md#admx-smartcard-allowintegratedunblock)
- [ADMX_Smartcard/AllowSignatureOnlyKeys](./policy-csp-admx-smartcard.md#admx-smartcard-allowsignatureonlykeys)
@@ -278,6 +962,96 @@ ms.date: 10/08/2020
- [ADMX_Snmp/SNMP_Communities](./policy-csp-admx-snmp.md#admx-snmp-snmp-communities)
- [ADMX_Snmp/SNMP_PermittedManagers](./policy-csp-admx-snmp.md#admx-snmp-snmp-permittedmanagers)
- [ADMX_Snmp/SNMP_Traps_Public](./policy-csp-admx-snmp.md#admx-snmp-snmp-traps-public)
+- [ADMX_StartMenu/AddSearchInternetLinkInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-addsearchinternetlinkinstartmenu)
+- [ADMX_StartMenu/ClearRecentDocsOnExit](./policy-csp-admx-startmenu.md#admx-startmenu-clearrecentdocsonexit)
+- [ADMX_StartMenu/ClearRecentProgForNewUserInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-clearrecentprogfornewuserinstartmenu)
+- [ADMX_StartMenu/ClearTilesOnExit](./policy-csp-admx-startmenu.md#admx-startmenu-cleartilesonexit)
+- [ADMX_StartMenu/DesktopAppsFirstInAppsView](./policy-csp-admx-startmenu.md#admx-startmenu-desktopappsfirstinappsview)
+- [ADMX_StartMenu/DisableGlobalSearchOnAppsView](./policy-csp-admx-startmenu.md#admx-startmenu-disableglobalsearchonappsview)
+- [ADMX_StartMenu/ForceStartMenuLogOff](./policy-csp-admx-startmenu.md#admx-startmenu-forcestartmenulogoff)
+- [ADMX_StartMenu/GoToDesktopOnSignIn](./policy-csp-admx-startmenu.md#admx-startmenu-gotodesktoponsignin)
+- [ADMX_StartMenu/GreyMSIAds](./policy-csp-admx-startmenu.md#admx-startmenu-greymsiads)
+- [ADMX_StartMenu/HidePowerOptions](./policy-csp-admx-startmenu.md#admx-startmenu-hidepoweroptions)
+- [ADMX_StartMenu/Intellimenus](./policy-csp-admx-startmenu.md#admx-startmenu-intellimenus)
+- [ADMX_StartMenu/LockTaskbar](./policy-csp-admx-startmenu.md#admx-startmenu-locktaskbar)
+- [ADMX_StartMenu/MemCheckBoxInRunDlg](./policy-csp-admx-startmenu.md#admx-startmenu-memcheckboxinrundlg)
+- [ADMX_StartMenu/NoAutoTrayNotify](./policy-csp-admx-startmenu.md#admx-startmenu-noautotraynotify)
+- [ADMX_StartMenu/NoBalloonTip](./policy-csp-admx-startmenu.md#admx-startmenu-noballoontip)
+- [ADMX_StartMenu/NoChangeStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nochangestartmenu)
+- [ADMX_StartMenu/NoClose](./policy-csp-admx-startmenu.md#admx-startmenu-noclose)
+- [ADMX_StartMenu/NoCommonGroups](./policy-csp-admx-startmenu.md#admx-startmenu-nocommongroups)
+- [ADMX_StartMenu/NoFavoritesMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nofavoritesmenu)
+- [ADMX_StartMenu/NoFind](./policy-csp-admx-startmenu.md#admx-startmenu-nofind)
+- [ADMX_StartMenu/NoGamesFolderOnStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nogamesfolderonstartmenu)
+- [ADMX_StartMenu/NoHelp](./policy-csp-admx-startmenu.md#admx-startmenu-nohelp)
+- [ADMX_StartMenu/NoInstrumentation](./policy-csp-admx-startmenu.md#admx-startmenu-noinstrumentation)
+- [ADMX_StartMenu/NoMoreProgramsList](./policy-csp-admx-startmenu.md#admx-startmenu-nomoreprogramslist)
+- [ADMX_StartMenu/NoNetAndDialupConnect](./policy-csp-admx-startmenu.md#admx-startmenu-nonetanddialupconnect)
+- [ADMX_StartMenu/NoPinnedPrograms](./policy-csp-admx-startmenu.md#admx-startmenu-nopinnedprograms)
+- [ADMX_StartMenu/NoRecentDocsMenu](./policy-csp-admx-startmenu.md#admx-startmenu-norecentdocsmenu)
+- [ADMX_StartMenu/NoResolveSearch](./policy-csp-admx-startmenu.md#admx-startmenu-noresolvesearch)
+- [ADMX_StartMenu/NoResolveTrack](./policy-csp-admx-startmenu.md#admx-startmenu-noresolvetrack)
+- [ADMX_StartMenu/NoRun](./policy-csp-admx-startmenu.md#admx-startmenu-norun)
+- [ADMX_StartMenu/NoSMConfigurePrograms](./policy-csp-admx-startmenu.md#admx-startmenu-nosmconfigureprograms)
+- [ADMX_StartMenu/NoSMMyDocuments](./policy-csp-admx-startmenu.md#admx-startmenu-nosmmydocuments)
+- [ADMX_StartMenu/NoSMMyMusic](./policy-csp-admx-startmenu.md#admx-startmenu-nosmmymusic)
+- [ADMX_StartMenu/NoSMMyNetworkPlaces](./policy-csp-admx-startmenu.md#admx-startmenu-nosmmynetworkplaces)
+- [ADMX_StartMenu/NoSMMyPictures](./policy-csp-admx-startmenu.md#admx-startmenu-nosmmypictures)
+- [ADMX_StartMenu/NoSearchCommInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nosearchcomminstartmenu)
+- [ADMX_StartMenu/NoSearchComputerLinkInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nosearchcomputerlinkinstartmenu)
+- [ADMX_StartMenu/NoSearchEverywhereLinkInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nosearcheverywherelinkinstartmenu)
+- [ADMX_StartMenu/NoSearchFilesInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nosearchfilesinstartmenu)
+- [ADMX_StartMenu/NoSearchInternetInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nosearchinternetinstartmenu)
+- [ADMX_StartMenu/NoSearchProgramsInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nosearchprogramsinstartmenu)
+- [ADMX_StartMenu/NoSetFolders](./policy-csp-admx-startmenu.md#admx-startmenu-nosetfolders)
+- [ADMX_StartMenu/NoSetTaskbar](./policy-csp-admx-startmenu.md#admx-startmenu-nosettaskbar)
+- [ADMX_StartMenu/NoStartMenuDownload](./policy-csp-admx-startmenu.md#admx-startmenu-nostartmenudownload)
+- [ADMX_StartMenu/NoStartMenuHomegroup](./policy-csp-admx-startmenu.md#admx-startmenu-nostartmenuhomegroup)
+- [ADMX_StartMenu/NoStartMenuRecordedTV](./policy-csp-admx-startmenu.md#admx-startmenu-nostartmenurecordedtv)
+- [ADMX_StartMenu/NoStartMenuSubFolders](./policy-csp-admx-startmenu.md#admx-startmenu-nostartmenusubfolders)
+- [ADMX_StartMenu/NoStartMenuVideos](./policy-csp-admx-startmenu.md#admx-startmenu-nostartmenuvideos)
+- [ADMX_StartMenu/NoStartPage](./policy-csp-admx-startmenu.md#admx-startmenu-nostartpage)
+- [ADMX_StartMenu/NoTaskBarClock](./policy-csp-admx-startmenu.md#admx-startmenu-notaskbarclock)
+- [ADMX_StartMenu/NoTaskGrouping](./policy-csp-admx-startmenu.md#admx-startmenu-notaskgrouping)
+- [ADMX_StartMenu/NoToolbarsOnTaskbar](./policy-csp-admx-startmenu.md#admx-startmenu-notoolbarsontaskbar)
+- [ADMX_StartMenu/NoTrayContextMenu](./policy-csp-admx-startmenu.md#admx-startmenu-notraycontextmenu)
+- [ADMX_StartMenu/NoTrayItemsDisplay](./policy-csp-admx-startmenu.md#admx-startmenu-notrayitemsdisplay)
+- [ADMX_StartMenu/NoUninstallFromStart](./policy-csp-admx-startmenu.md#admx-startmenu-nouninstallfromstart)
+- [ADMX_StartMenu/NoUserFolderOnStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nouserfolderonstartmenu)
+- [ADMX_StartMenu/NoUserNameOnStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-nousernameonstartmenu)
+- [ADMX_StartMenu/NoWindowsUpdate](./policy-csp-admx-startmenu.md#admx-startmenu-nowindowsupdate)
+- [ADMX_StartMenu/PowerButtonAction](./policy-csp-admx-startmenu.md#admx-startmenu-powerbuttonaction)
+- [ADMX_StartMenu/QuickLaunchEnabled](./policy-csp-admx-startmenu.md#admx-startmenu-quicklaunchenabled)
+- [ADMX_StartMenu/RemoveUnDockPCButton](./policy-csp-admx-startmenu.md#admx-startmenu-removeundockpcbutton)
+- [ADMX_StartMenu/ShowAppsViewOnStart](./policy-csp-admx-startmenu.md#admx-startmenu-showappsviewonstart)
+- [ADMX_StartMenu/ShowRunAsDifferentUserInStart](./policy-csp-admx-startmenu.md#admx-startmenu-showrunasdifferentuserinstart)
+- [ADMX_StartMenu/ShowRunInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-showruninstartmenu)
+- [ADMX_StartMenu/ShowStartOnDisplayWithForegroundOnWinKey](./policy-csp-admx-startmenu.md#admx-startmenu-showstartondisplaywithforegroundonwinkey)
+- [ADMX_StartMenu/StartMenuLogOff](./policy-csp-admx-startmenu.md#admx-startmenu-startmenulogoff)
+- [ADMX_StartMenu/StartPinAppsWhenInstalled](./policy-csp-admx-startmenu.md#admx-startmenu-startpinappswheninstalled)
+- [ADMX_SystemRestore/SR_DisableConfig](./policy-csp-admx-systemrestore.md#admx-systemrestore-sr-disableconfig)
+- [ADMX_Taskbar/DisableNotificationCenter](./policy-csp-admx-taskbar.md#admx-taskbar-disablenotificationcenter)
+- [ADMX_Taskbar/EnableLegacyBalloonNotifications](./policy-csp-admx-taskbar.md#admx-taskbar-enablelegacyballoonnotifications)
+- [ADMX_Taskbar/HideSCAHealth](./policy-csp-admx-taskbar.md#admx-taskbar-hidescahealth)
+- [ADMX_Taskbar/HideSCANetwork](./policy-csp-admx-taskbar.md#admx-taskbar-hidescanetwork)
+- [ADMX_Taskbar/HideSCAPower](./policy-csp-admx-taskbar.md#admx-taskbar-hidescapower)
+- [ADMX_Taskbar/HideSCAVolume](./policy-csp-admx-taskbar.md#admx-taskbar-hidescavolume)
+- [ADMX_Taskbar/NoBalloonFeatureAdvertisements](./policy-csp-admx-taskbar.md#admx-taskbar-noballoonfeatureadvertisements)
+- [ADMX_Taskbar/NoPinningStoreToTaskbar](./policy-csp-admx-taskbar.md#admx-taskbar-nopinningstoretotaskbar)
+- [ADMX_Taskbar/NoPinningToDestinations](./policy-csp-admx-taskbar.md#admx-taskbar-nopinningtodestinations)
+- [ADMX_Taskbar/NoPinningToTaskbar](./policy-csp-admx-taskbar.md#admx-taskbar-nopinningtotaskbar)
+- [ADMX_Taskbar/NoRemoteDestinations](./policy-csp-admx-taskbar.md#admx-taskbar-noremotedestinations)
+- [ADMX_Taskbar/NoSystraySystemPromotion](./policy-csp-admx-taskbar.md#admx-taskbar-nosystraysystempromotion)
+- [ADMX_Taskbar/ShowWindowsStoreAppsOnTaskbar](./policy-csp-admx-taskbar.md#admx-taskbar-showwindowsstoreappsontaskbar)
+- [ADMX_Taskbar/TaskbarLockAll](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarlockall)
+- [ADMX_Taskbar/TaskbarNoAddRemoveToolbar](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnoaddremovetoolbar)
+- [ADMX_Taskbar/TaskbarNoDragToolbar](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnodragtoolbar)
+- [ADMX_Taskbar/TaskbarNoMultimon](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnomultimon)
+- [ADMX_Taskbar/TaskbarNoNotification](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnonotification)
+- [ADMX_Taskbar/TaskbarNoPinnedList](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnopinnedlist)
+- [ADMX_Taskbar/TaskbarNoRedock](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnoredock)
+- [ADMX_Taskbar/TaskbarNoResize](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnoresize)
+- [ADMX_Taskbar/TaskbarNoThumbnail](./policy-csp-admx-taskbar.md#admx-taskbar-taskbarnothumbnail)
- [ADMX_tcpip/6to4_Router_Name](./policy-csp-admx-tcpip.md#admx-tcpip-6to4-router-name)
- [ADMX_tcpip/6to4_Router_Name_Resolution_Interval](./policy-csp-admx-tcpip.md#admx-tcpip-6to4-router-name-resolution-interval)
- [ADMX_tcpip/6to4_State](./policy-csp-admx-tcpip.md#admx-tcpip-6to4-state)
@@ -430,16 +1204,102 @@ ms.date: 10/08/2020
- [ADMX_UserExperienceVirtualization/Video](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-video)
- [ADMX_UserExperienceVirtualization/Weather](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-weather)
- [ADMX_UserExperienceVirtualization/Wordpad](./policy-csp-admx-userexperiencevirtualization.md#admx-userexperiencevirtualization-wordpad)
+- [ADMX_UserProfiles/CleanupProfiles](./policy-csp-admx-userprofiles.md#admx-userprofiles-cleanupprofiles)
+- [ADMX_UserProfiles/DontForceUnloadHive](./policy-csp-admx-userprofiles.md#admx-userprofiles-dontforceunloadhive)
+- [ADMX_UserProfiles/LeaveAppMgmtData](./policy-csp-admx-userprofiles.md#admx-userprofiles-leaveappmgmtdata)
+- [ADMX_UserProfiles/LimitSize](./policy-csp-admx-userprofiles.md#admx-userprofiles-limitsize)
+- [ADMX_UserProfiles/ProfileErrorAction](./policy-csp-admx-userprofiles.md#admx-userprofiles-profileerroraction)
+- [ADMX_UserProfiles/SlowLinkTimeOut](./policy-csp-admx-userprofiles.md#admx-userprofiles-slowlinktimeout)
+- [ADMX_UserProfiles/USER_HOME](./policy-csp-admx-userprofiles.md#admx-userprofiles-user-home)
+- [ADMX_UserProfiles/UserInfoAccessAction](./policy-csp-admx-userprofiles.md#admx-userprofiles-userinfoaccessaction)
- [ADMX_W32Time/W32TIME_POLICY_CONFIG](./policy-csp-admx-w32time.md#admx-w32time-policy-config)
- [ADMX_W32Time/W32TIME_POLICY_CONFIGURE_NTPCLIENT](./policy-csp-admx-w32time.md#admx-w32time-policy-configure-ntpclient)
- [ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPCLIENT](./policy-csp-admx-w32time.md#admx-w32time-policy-enable-ntpclient)
- [ADMX_W32Time/W32TIME_POLICY_ENABLE_NTPSERVER](./policy-csp-admx-w32time.md#admx-w32time-policy-enable-ntpserver)
+- [ADMX_WCM/WCM_DisablePowerManagement](./policy-csp-admx-wcm.md#admx-wcm-wcm-disablepowermanagement)
+- [ADMX_WCM/WCM_EnableSoftDisconnect](./policy-csp-admx-wcm.md#admx-wcm-wcm-enablesoftdisconnect)
+- [ADMX_WCM/WCM_MinimizeConnections](./policy-csp-admx-wcm.md#admx-wcm-wcm-minimizeconnections)
- [ADMX_WinCal/TurnOffWinCal_1](./policy-csp-admx-wincal.md#admx-wincal-turnoffwincal-1)
- [ADMX_WinCal/TurnOffWinCal_2](./policy-csp-admx-wincal.md#admx-wincal-turnoffwincal-2)
- [ADMX_WindowsAnytimeUpgrade/Disabled](./policy-csp-admx-windowsanytimeupgrade.md#admx-windowsanytimeupgrade-disabled)
- [ADMX_WindowsConnectNow/WCN_DisableWcnUi_1](./policy-csp-admx-windowsconnectnow.md#admx-windowsconnectnow-wcn-disablewcnui-1)
- [ADMX_WindowsConnectNow/WCN_DisableWcnUi_2](./policy-csp-admx-windowsconnectnow.md#admx-windowsconnectnow-wcn-disablewcnui-2)
- [ADMX_WindowsConnectNow/WCN_EnableRegistrar](./policy-csp-admx-windowsconnectnow.md#admx-windowsconnectnow-wcn-enableregistrar)
+- [ADMX_WindowsExplorer/CheckSameSourceAndTargetForFRAndDFS](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-checksamesourceandtargetforfranddfs)
+- [ADMX_WindowsExplorer/ClassicShell](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-classicshell)
+- [ADMX_WindowsExplorer/ConfirmFileDelete](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-confirmfiledelete)
+- [ADMX_WindowsExplorer/DefaultLibrariesLocation](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-defaultlibrarieslocation)
+- [ADMX_WindowsExplorer/DisableBindDirectlyToPropertySetStorage](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-disablebinddirectlytopropertysetstorage)
+- [ADMX_WindowsExplorer/DisableIndexedLibraryExperience](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-disableindexedlibraryexperience)
+- [ADMX_WindowsExplorer/DisableKnownFolders](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-disableknownfolders)
+- [ADMX_WindowsExplorer/DisableSearchBoxSuggestions](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-disablesearchboxsuggestions)
+- [ADMX_WindowsExplorer/EnableShellShortcutIconRemotePath](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-enableshellshortcuticonremotepath)
+- [ADMX_WindowsExplorer/EnableSmartScreen](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-enablesmartscreen)
+- [ADMX_WindowsExplorer/EnforceShellExtensionSecurity](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-enforceshellextensionsecurity)
+- [ADMX_WindowsExplorer/ExplorerRibbonStartsMinimized](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-explorerribbonstartsminimized)
+- [ADMX_WindowsExplorer/HideContentViewModeSnippets](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-hidecontentviewmodesnippets)
+- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Internet](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-internet)
+- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_InternetLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-internetlockdown)
+- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Intranet](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-intranet)
+- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_IntranetLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-intranetlockdown)
+- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachine](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-localmachine)
+- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachineLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-localmachinelockdown)
+- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Restricted](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-restricted)
+- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_RestrictedLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-restrictedlockdown)
+- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Trusted](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-trusted)
+- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_TrustedLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchpreview-trustedlockdown)
+- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Internet](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-internet)
+- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_InternetLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-internetlockdown)
+- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Intranet](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-intranet)
+- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_IntranetLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-intranetlockdown)
+- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachine](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-localmachine)
+- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachineLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-localmachinelockdown)
+- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Restricted](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-restricted)
+- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_RestrictedLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-restrictedlockdown)
+- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Trusted](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-trusted)
+- [ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_TrustedLockdown](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-iz-policy-opensearchquery-trustedlockdown)
+- [ADMX_WindowsExplorer/LinkResolveIgnoreLinkInfo](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-linkresolveignorelinkinfo)
+- [ADMX_WindowsExplorer/MaxRecentDocs](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-maxrecentdocs)
+- [ADMX_WindowsExplorer/NoBackButton](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nobackbutton)
+- [ADMX_WindowsExplorer/NoCDBurning](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nocdburning)
+- [ADMX_WindowsExplorer/NoCacheThumbNailPictures](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nocachethumbnailpictures)
+- [ADMX_WindowsExplorer/NoChangeAnimation](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nochangeanimation)
+- [ADMX_WindowsExplorer/NoChangeKeyboardNavigationIndicators](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nochangekeyboardnavigationindicators)
+- [ADMX_WindowsExplorer/NoDFSTab](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nodfstab)
+- [ADMX_WindowsExplorer/NoDrives](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nodrives)
+- [ADMX_WindowsExplorer/NoEntireNetwork](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noentirenetwork)
+- [ADMX_WindowsExplorer/NoFileMRU](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nofilemru)
+- [ADMX_WindowsExplorer/NoFileMenu](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nofilemenu)
+- [ADMX_WindowsExplorer/NoFolderOptions](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nofolderoptions)
+- [ADMX_WindowsExplorer/NoHardwareTab](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nohardwaretab)
+- [ADMX_WindowsExplorer/NoManageMyComputerVerb](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nomanagemycomputerverb)
+- [ADMX_WindowsExplorer/NoMyComputerSharedDocuments](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nomycomputershareddocuments)
+- [ADMX_WindowsExplorer/NoNetConnectDisconnect](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nonetconnectdisconnect)
+- [ADMX_WindowsExplorer/NoNewAppAlert](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nonewappalert)
+- [ADMX_WindowsExplorer/NoPlacesBar](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noplacesbar)
+- [ADMX_WindowsExplorer/NoRecycleFiles](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-norecyclefiles)
+- [ADMX_WindowsExplorer/NoRunAsInstallPrompt](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-norunasinstallprompt)
+- [ADMX_WindowsExplorer/NoSearchInternetTryHarderButton](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nosearchinternettryharderbutton)
+- [ADMX_WindowsExplorer/NoSecurityTab](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nosecuritytab)
+- [ADMX_WindowsExplorer/NoShellSearchButton](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noshellsearchbutton)
+- [ADMX_WindowsExplorer/NoStrCmpLogical](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nostrcmplogical)
+- [ADMX_WindowsExplorer/NoViewContextMenu](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noviewcontextmenu)
+- [ADMX_WindowsExplorer/NoViewOnDrive](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noviewondrive)
+- [ADMX_WindowsExplorer/NoWindowsHotKeys](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-nowindowshotkeys)
+- [ADMX_WindowsExplorer/NoWorkgroupContents](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-noworkgroupcontents)
+- [ADMX_WindowsExplorer/PlacesBar](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-placesbar)
+- [ADMX_WindowsExplorer/PromptRunasInstallNetPath](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-promptrunasinstallnetpath)
+- [ADMX_WindowsExplorer/RecycleBinSize](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-recyclebinsize)
+- [ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_1](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-shellprotocolprotectedmodetitle-1)
+- [ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_2](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-shellprotocolprotectedmodetitle-2)
+- [ADMX_WindowsExplorer/ShowHibernateOption](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-showhibernateoption)
+- [ADMX_WindowsExplorer/ShowSleepOption](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-showsleepoption)
+- [ADMX_WindowsExplorer/TryHarderPinnedLibrary](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-tryharderpinnedlibrary)
+- [ADMX_WindowsExplorer/TryHarderPinnedOpenSearch](./policy-csp-admx-windowsexplorer.md#admx-windowsexplorer-tryharderpinnedopensearch)
+- [ADMX_WindowsFileProtection/WFPShowProgress](./policy-csp-admx-windowsfileprotection.md#admx-windowsfileprotection-wfpshowprogress)
+- [ADMX_WindowsFileProtection/WFPQuota](./policy-csp-admx-windowsfileprotection.md#admx-windowsfileprotection-wfpquota)
+- [ADMX_WindowsFileProtection/WFPScan](./policy-csp-admx-windowsfileprotection.md#admx-windowsfileprotection-wfpscan)
+- [ADMX_WindowsFileProtection/WFPDllCacheDir](./policy-csp-admx-windowsfileprotection.md#admx-windowsfileprotection-wfpdllcachedir)
- [ADMX_WindowsMediaDRM/DisableOnline](./policy-csp-admx-windowsmediadrm.md#admx-windowsmediadrm-disableonline)
- [ADMX_WindowsMediaPlayer/ConfigureHTTPProxySettings](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-configurehttpproxysettings)
- [ADMX_WindowsMediaPlayer/ConfigureMMSProxySettings](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-configuremmsproxysettings)
@@ -462,9 +1322,31 @@ ms.date: 10/08/2020
- [ADMX_WindowsMediaPlayer/PreventWMPDeskTopShortcut](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-preventwmpdesktopshortcut)
- [ADMX_WindowsMediaPlayer/SkinLockDown](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-skinlockdown)
- [ADMX_WindowsMediaPlayer/WindowsStreamingMediaProtocols](./policy-csp-admx-windowsmediaplayer.md#admx-windowsmediaplayer-windowsstreamingmediaprotocols)
+- [ADMX_WindowsRemoteManagement/DisallowKerberos_1](./policy-csp-admx-windowsremotemanagement.md#admx-windowsremotemanagement-disallowkerberos-1)
+- [ADMX_WindowsRemoteManagement/DisallowKerberos_2](./policy-csp-admx-windowsremotemanagement.md#admx-windowsremotemanagement-disallowkerberos-2)
+- [ADMX_WindowsStore/DisableAutoDownloadWin8](./policy-csp-admx-windowsstore.md#admx-windowsstore-disableautodownloadwin8)
+- [ADMX_WindowsStore/DisableOSUpgrade_1](./policy-csp-admx-windowsstore.md#admx-windowsstore-disableosupgrade-1)
+- [ADMX_WindowsStore/DisableOSUpgrade_2](./policy-csp-admx-windowsstore.md#admx-windowsstore-disableosupgrade-2)
+- [ADMX_WindowsStore/RemoveWindowsStore_1](./policy-csp-admx-windowsstore.md#admx-windowsstore-removewindowsstore-1)
+- [ADMX_WindowsStore/RemoveWindowsStore_2](./policy-csp-admx-windowsstore.md#admx-windowsstore-removewindowsstore-2)
- [ADMX_WinInit/DisableNamedPipeShutdownPolicyDescription](./policy-csp-admx-wininit.md#admx-wininit-disablenamedpipeshutdownpolicydescription)
- [ADMX_WinInit/Hiberboot](./policy-csp-admx-wininit.md#admx-wininit-hiberboot)
- [ADMX_WinInit/ShutdownTimeoutHungSessionsDescription](./policy-csp-admx-wininit.md#admx-wininit-shutdowntimeouthungsessionsdescription)
+- [ADMX_WinLogon/CustomShell](./policy-csp-admx-winlogon.md#admx-winlogon-customshell)
+- [ADMX_WinLogon/DisplayLastLogonInfoDescription](./policy-csp-admx-winlogon.md#admx-winlogon-displaylastlogoninfodescription)
+- [ADMX_WinLogon/LogonHoursNotificationPolicyDescription](./policy-csp-admx-winlogon.md#admx-winlogon-logonhoursnotificationpolicydescription)
+- [ADMX_WinLogon/LogonHoursPolicyDescription](./policy-csp-admx-winlogon.md#admx-winlogon-logonhourspolicydescription)
+- [ADMX_WinLogon/ReportCachedLogonPolicyDescription](./policy-csp-admx-winlogon.md#admx-winlogon-reportcachedlogonpolicydescription)
+- [ADMX_WinLogon/SoftwareSASGeneration](./policy-csp-admx-winlogon.md#admx-winlogon-softwaresasgeneration)
+- [ADMX_wlansvc/SetCost](./policy-csp-admx-wlansvc.md#admx-wlansvc-setcost)
+- [ADMX_wlansvc/SetPINEnforced](./policy-csp-admx-wlansvc.md#admx-wlansvc-setpinenforced)
+- [ADMX_wlansvc/SetPINPreferred](./policy-csp-admx-wlansvc.md#admx-wlansvc-setpinpreferred)
+- [ADMX_WPN/NoCallsDuringQuietHours](./policy-csp-admx-wpn.md#admx-wpn-nocallsduringquiethours)
+- [ADMX_WPN/NoLockScreenToastNotification](./policy-csp-admx-wpn.md#admx-wpn-nolockscreentoastnotification)
+- [ADMX_WPN/NoQuietHours](./policy-csp-admx-wpn.md#admx-wpn-noquiethours)
+- [ADMX_WPN/NoToastNotification](./policy-csp-admx-wpn.md#admx-wpn-notoastnotification)
+- [ADMX_WPN/QuietHoursDailyBeginMinute](./policy-csp-admx-wpn.md#admx-wpn-quiethoursdailybeginminute)
+- [ADMX_WPN/QuietHoursDailyEndMinute](./policy-csp-admx-wpn.md#admx-wpn-quiethoursdailyendminute)
- [AppRuntime/AllowMicrosoftAccountsToBeOptional](./policy-csp-appruntime.md#appruntime-allowmicrosoftaccountstobeoptional)
- [AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient)
- [AppVirtualization/AllowDynamicVirtualization](./policy-csp-appvirtualization.md#appvirtualization-allowdynamicvirtualization)
@@ -501,7 +1383,7 @@ ms.date: 10/08/2020
- [Autoplay/SetDefaultAutoRunBehavior](./policy-csp-autoplay.md#autoplay-setdefaultautorunbehavior)
- [Autoplay/TurnOffAutoPlay](./policy-csp-autoplay.md#autoplay-turnoffautoplay)
- [Cellular/ShowAppCellularAccessUI](./policy-csp-cellular.md#cellular-showappcellularaccessui)
-- [Connectivity/DiablePrintingOverHTTP](./policy-csp-connectivity.md#connectivity-diableprintingoverhttp)
+- [Connectivity/DiablePrintingOverHTTP](./policy-csp-connectivity.md#connectivity-disableprintingoverhttp)
- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](./policy-csp-connectivity.md#connectivity-disabledownloadingofprintdriversoverhttp)
- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](./policy-csp-connectivity.md#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards)
- [Connectivity/HardenedUNCPaths](./policy-csp-connectivity.md#connectivity-hardeneduncpaths)
@@ -515,12 +1397,12 @@ ms.date: 10/08/2020
- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
- [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
-- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdeviceids)
-- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdevicesetupclasses)
-- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallation-preventdevicemetadatafromnetwork)
-- [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings)
-- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdeviceids)
-- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdevicesetupclasses)
+- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdeviceids)
+- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdevicesetupclasses)
+- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallationpreventdevicemetadatafromnetwork)
+- [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofdevicesnotdescribedbyotherpolicysettings)
+- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdeviceids)
+- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdevicesetupclasses)
- [DeviceLock/PreventEnablingLockScreenCamera](./policy-csp-devicelock.md#devicelock-preventenablinglockscreencamera)
- [DeviceLock/PreventLockScreenSlideShow](./policy-csp-devicelock.md#devicelock-preventlockscreenslideshow)
- [ErrorReporting/CustomizeConsentSettings](./policy-csp-errorreporting.md#errorreporting-customizeconsentsettings)
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
index 09c680512c..14a994d0a3 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
@@ -137,7 +137,7 @@ ms.date: 07/18/2019
- [Cellular/ShowAppCellularAccessUI](./policy-csp-cellular.md#cellular-showappcellularaccessui)
- [Connectivity/AllowCellularDataRoaming](./policy-csp-connectivity.md#connectivity-allowcellulardataroaming)
- [Connectivity/AllowPhonePCLinking](./policy-csp-connectivity.md#connectivity-allowphonepclinking)
-- [Connectivity/DiablePrintingOverHTTP](./policy-csp-connectivity.md#connectivity-diableprintingoverhttp)
+- [Connectivity/DiablePrintingOverHTTP](./policy-csp-connectivity.md#connectivity-disableprintingoverhttp)
- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](./policy-csp-connectivity.md#connectivity-disabledownloadingofprintdriversoverhttp)
- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](./policy-csp-connectivity.md#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards)
- [Connectivity/DisallowNetworkConnectivityActiveTests](./policy-csp-connectivity.md#connectivity-disallownetworkconnectivityactivetests)
@@ -220,12 +220,12 @@ ms.date: 07/18/2019
- [DeviceGuard/EnableVirtualizationBasedSecurity](./policy-csp-deviceguard.md#deviceguard-enablevirtualizationbasedsecurity)
- [DeviceGuard/LsaCfgFlags](./policy-csp-deviceguard.md#deviceguard-lsacfgflags)
- [DeviceGuard/RequirePlatformSecurityFeatures](./policy-csp-deviceguard.md#deviceguard-requireplatformsecurityfeatures)
-- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdeviceids)
-- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdevicesetupclasses)
-- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallation-preventdevicemetadatafromnetwork)
-- [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings)
-- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdeviceids)
-- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdevicesetupclasses)
+- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdeviceids)
+- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdevicesetupclasses)
+- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallationpreventdevicemetadatafromnetwork)
+- [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofdevicesnotdescribedbyotherpolicysettings)
+- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdeviceids)
+- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdevicesetupclasses)
- [DeviceLock/MinimumPasswordAge](./policy-csp-devicelock.md#devicelock-minimumpasswordage)
- [DeviceLock/PreventEnablingLockScreenCamera](./policy-csp-devicelock.md#devicelock-preventenablinglockscreencamera)
- [DeviceLock/PreventLockScreenSlideShow](./policy-csp-devicelock.md#devicelock-preventlockscreenslideshow)
@@ -731,7 +731,6 @@ ms.date: 07/18/2019
- [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#remoteshell-specifymaxremoteshells)
- [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout)
- [Search/AllowCloudSearch](./policy-csp-search.md#search-allowcloudsearch)
-- [Search/AllowCortanaInAAD](./policy-csp-search.md#search-allowcortanainaad)
- [Search/AllowFindMyFiles](./policy-csp-search.md#search-allowfindmyfiles)
- [Search/AllowIndexingEncryptedStoresOrItems](./policy-csp-search.md#search-allowindexingencryptedstoresoritems)
- [Search/AllowSearchToUseLocation](./policy-csp-search.md#search-allowsearchtouselocation)
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
index 20d7139bc6..bd4bcafd21 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
@@ -50,17 +50,17 @@ ms.date: 10/08/2020
- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength)
- [Experience/AllowCortana](policy-csp-experience.md#experience-allowcortana)
- [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#experience-allowmanualmdmunenrollment)
-- [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)
-- [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled)
-- [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics)
-- [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#mixedreality-microphonedisabled)
-- [MixedReality/VolumeButtonDisabled](./policy-csp-mixedreality.md#mixedreality-volumebuttondisabled)
-- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery)
-- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin)
-- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#power-energysaverbatterythresholdonbattery)
-- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#power-energysaverbatterythresholdpluggedin)
-- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery)
-- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin)
+- [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) 9
+- [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled) 9
+- [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics) 9
+- [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#mixedreality-microphonedisabled) 9
+- [MixedReality/VolumeButtonDisabled](./policy-csp-mixedreality.md#mixedreality-volumebuttondisabled) 9
+- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) 9
+- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin) 9
+- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#power-energysaverbatterythresholdonbattery) 9
+- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#power-energysaverbatterythresholdpluggedin) 9
+- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery) 9
+- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin) 9
- [Privacy/AllowInputPersonalization](policy-csp-privacy.md#privacy-allowinputpersonalization)
- [Privacy/LetAppsAccessAccountInfo](policy-csp-privacy.md#privacy-letappsaccessaccountinfo)
- [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forceallowtheseapps)
@@ -83,21 +83,22 @@ ms.date: 10/08/2020
- [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-forceallowtheseapps) 8
- [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-forcedenytheseapps) 8
- [Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-userincontroloftheseapps) 8
+- [RemoteLock/Lock](https://docs.microsoft.com/windows/client-management/mdm/remotelock-csp) 9
- [Search/AllowSearchToUseLocation](policy-csp-search.md#search-allowsearchtouselocation)
-- [Security/AllowAddProvisioningPackage](policy-csp-security.md#security-allowaddprovisioningpackage)
-- [Security/AllowRemoveProvisioningPackage](policy-csp-security.md#security-allowremoveprovisioningpackage)
-- [Security/RequireDeviceEncryption](policy-csp-security.md#security-requiredeviceencryption)
+- [Security/AllowAddProvisioningPackage](policy-csp-security.md#security-allowaddprovisioningpackage) 9
+- [Security/AllowRemoveProvisioningPackage](policy-csp-security.md#security-allowremoveprovisioningpackage) 9
- [Settings/AllowDateTime](policy-csp-settings.md#settings-allowdatetime)
- [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn)
+- [Settings/PageVisibilityList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-settings#settings-pagevisibilitylist) 9
- [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate)
- [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline)
- [System/AllowLocation](policy-csp-system.md#system-allowlocation)
- [System/AllowStorageCard](policy-csp-system.md#system-allowstoragecard)
- [System/AllowTelemetry](policy-csp-system.md#system-allowtelemetry)
-- [TimeLanguageSettings/ConfigureTimeZone](./policy-csp-timelanguagesettings.md#timelanguagesettings-configuretimezone)
-- [Update/ActiveHoursEnd](./policy-csp-update.md#update-activehoursend)
-- [Update/ActiveHoursMaxRange](./policy-csp-update.md#update-activehoursmaxrange)
-- [Update/ActiveHoursStart](./policy-csp-update.md#update-activehoursstart)
+- [TimeLanguageSettings/ConfigureTimeZone](./policy-csp-timelanguagesettings.md#timelanguagesettings-configuretimezone) 9
+- [Update/ActiveHoursEnd](./policy-csp-update.md#update-activehoursend) 9
+- [Update/ActiveHoursMaxRange](./policy-csp-update.md#update-activehoursmaxrange) 9
+- [Update/ActiveHoursStart](./policy-csp-update.md#update-activehoursstart) 9
- [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate)
- [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice)
- [Update/BranchReadinessLevel](policy-csp-update.md#update-branchreadinesslevel)
@@ -123,6 +124,7 @@ Footnotes:
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
+- 9 - Available in [Windows Holographic, version 20H2](https://docs.microsoft.com/hololens/hololens-release-notes#windows-holographic-version-20h2)
## Related topics
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md
index f3143ed222..e19d3350a5 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md
@@ -16,7 +16,6 @@ ms.date: 09/16/2019
> [!div class="op_single_selector"]
>
-> - [IoT Enterprise](policy-csps-supported-by-iot-enterprise.md)
> - [IoT Core](policy-csps-supported-by-iot-core.md)
>
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-enterprise.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-enterprise.md
deleted file mode 100644
index afb79c5bfe..0000000000
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-enterprise.md
+++ /dev/null
@@ -1,73 +0,0 @@
----
-title: Policies in Policy CSP supported by Windows 10 IoT Enterprise
-description: Policies in Policy CSP supported by Windows 10 IoT Enterprise
-ms.reviewer:
-manager: dansimp
-ms.author: dansimp
-ms.topic: article
-ms.prod: w10
-ms.technology: windows
-author: manikadhiman
-ms.localizationpriority: medium
-ms.date: 07/18/2019
----
-
-# Policies in Policy CSP supported by Windows 10 IoT Enterprise
-
-> [!div class="op_single_selector"]
->
-> - [IoT Enterprise](policy-csps-supported-by-iot-enterprise.md)
-> - [IoT Core](policy-csps-supported-by-iot-core.md)
->
-
-- [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar)
-- [InternetExplorer/DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
-- [InternetExplorer/DisableCompatView](policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
-- [InternetExplorer/DisableFeedsBackgroundSync](policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync)
-- [InternetExplorer/DisableGeolocation](policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
-- [InternetExplorer/DisableWebAddressAutoComplete](policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete)
-- [InternetExplorer/NewTabDefaultPage](policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage)
-- [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize)
-- [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching)
-- [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost)
-- [DeliveryOptimization/DOCacheHostSource](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehostsource)
-- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp)
-- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelayforegrounddownloadfromhttp)
-- [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground)
-- [DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground)
-- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode)
-- [DeliveryOptimization/DOGroupId](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid)
-- [DeliveryOptimization/DOGroupIdSource](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupidsource)
-- [DeliveryOptimization/DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxbackgrounddownloadbandwidth)
-- [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage)
-- [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize)
-- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth) (deprecated)
-- [DeliveryOptimization/DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxforegrounddownloadbandwidth)
-- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth) (deprecated)
-- [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos)
-- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbatterypercentageallowedtoupload)
-- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer)
-- [DeliveryOptimization/DOMinFileSizeToCache](policy-csp-deliveryoptimization.md#deliveryoptimization-dominfilesizetocache)
-- [DeliveryOptimization/DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-dominramallowedtopeer)
-- [DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive)
-- [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap)
-- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxbackgroundbandwidth)
-- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth) (deprecated)
-- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxforegroundbandwidth)
-- [DeliveryOptimization/DORestrictPeerSelectionBy](policy-csp-deliveryoptimization.md#deliveryoptimization-dorestrictpeerselectionby)
-- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
-- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
-- [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-allowdevicehealthmonitoring)
-- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringscope)
-- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination)
-- [Privacy/LetAppsActivateWithVoice](policy-csp-privacy.md#privacy-letappsactivatewithvoice)
-- [Privacy/LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md#privacy-letappsactivatewithvoiceabovelock)
-- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates)
-- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates)
-- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod)
-- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot)
-- [Update/SetProxyBehaviorForUpdateDetection](policy-csp-update.md#update-setproxybehaviorforupdatedetection)
-
-## Related topics
-
-[Policy CSP](policy-configuration-service-provider.md)
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index ad1f407c70..071df833d0 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -168,6 +168,14 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_ActiveXInstallService policies
+
+
+
### ADMX_AddRemovePrograms policies
-
-
-
-New or updated topic
-Description
-
-
-Enable ADMX-backed policies in MDM
-
-
-Mobile device enrollment
-
-
-
-
-CM_CellularEntries CSP
-
-
-EnterpriseDataProtection CSP
-
-
-
-
-AppLocker CSP
-
-
-DeviceManageability CSP
-
-
-
-
-Office CSP
-
-
-
-
-BitLocker CSP
-Added information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.
-
-
-Firewall CSP
-Updated the CSP and DDF topics. Here are the changes:
-
-
-
-
-Policy DDF file
-Added another Policy DDF file download for the 8C release of Windows 10, version 1607, which added the following policies:
-
-
-
-
-
-Policy CSP
-
-
-
-
-
-
-
+### ADMX_AppxPackageManager policies
+
+
+
+### ADMX_AppXRuntime policies
+
+
+
+
+### ADMX_AttachmentManager policies
+
+
+
+
### ADMX_AuditSettings policies
@@ -245,6 +298,170 @@ The following diagram shows the Policy configuration service provider in tree fo
+
+### ADMX_Bits policies
+
+
+
+
+### ADMX_CipherSuiteOrder policies
+
+
+
+### ADMX_COM policies
+
+
+
+### ADMX_ControlPanel policies
+
+
+
+
+### ADMX_ControlPanelDisplay policies
+
+
+
+
### ADMX_Cpls policies
@@ -262,6 +479,66 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_CredentialProviders policies
+
+
+
+
+### ADMX_CredSsp policies
+
+
+
+### ADMX_DataCollection policies
+
+
+
+### ADMX_Desktop policies
+
+
@@ -270,6 +547,146 @@ The following diagram shows the Policy configuration service provider in tree fo
+
+
+### ADMX_DeviceInstallation policies
+
+
+
+
+### ADMX_DeviceSetup policies
+
+
+
+
### ADMX_DigitalLocker policies
+### ADMX_EAIME policies
+
+
+
+
### ADMX_EncryptFilesonMove policies
+### ADMX_EnhancedStorage policies
+
+
+
+
+### ADMX_ErrorReporting policies
+
+
+
+
### ADMX_EventForwarding policies
@@ -392,6 +965,101 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_EventLog policies
+
+
+
+
+### ADMX_Explorer policies
+
+
+
+
+### ADMX_FileRecovery policies
+
+
### ADMX_FileServerVSSProvider policies
+### ADMX_Globalization policies
+
+
+
+
+### ADMX_GroupPolicy policies
+
+
+
+
### ADMX_HelpAndSupport policies
+## ADMX_ICM policies
+
+
+
+
### ADMX_kdc policies
+### ADMX_Kerberos policies
+
+
+
+
### ADMX_LanmanServer policies
+### ADMX_LanmanWorkstation policies
+
+
+
+
### ADMX_LinkLayerTopologyDiscovery policies
+### ADMX_Logon policies
+
+
+
+
+### ADMX_MicrosoftDefenderAntivirus policies
+
+
+
+
### ADMX_MMC policies
+### ADMX_MMCSnapins policies
+
+
+
+
### ADMX_MSAPolicy policies
+### ADMX_Power policies
+
+
+
+
+### ADMX_MSI policies
+
+
+
+
### ADMX_nca policies
+### ADMX_NetworkConnections policies
+
+
+
+
### ADMX_OfflineFiles policies
+
+
+### ADMX_PowerShellExecutionPolicy policies
+
+
+
+
+### ADMX_Printing policies
+
+
+
+
+### ADMX_Printing2 policies
+
+
+
+
+### ADMX_Programs policies
+
+
+
+
### ADMX_Reliability policies
@@ -929,6 +3012,135 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_RemoteAssistance policies
+
+
+
+
+### ADMX_RemovableStorage policies
+
+
+
+
+### ADMX_RPC policies
+
+
+
+
### ADMX_Scripts policies
@@ -992,6 +3204,26 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_Sensors policies
+
+
+
+
### ADMX_Servicing policies
@@ -1000,6 +3232,38 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_SettingSync policies
+
+
+
+
### ADMX_SharedFolders policies
@@ -1019,7 +3283,7 @@ The following diagram shows the Policy configuration service provider in tree fo
-### ADMX_ShellCommandPromptRegEditTools policies
+## ADMX_ShellCommandPromptRegEditTools policies
+### ADMX_SkyDrive policies
+
+
+
### ADMX_Smartcard policies
@@ -1089,7 +3361,7 @@ The following diagram shows the Policy configuration service provider in tree fo
-## ADMX_Snmp policies
+### ADMX_Snmp policies
-## ADMX_tcpip policies
+### ADMX_StartMenu policies
+
+
+
+
+### ADMX_SystemRestore policies
+
+
+
+### ADMX_Taskbar policies
+
+
+
+
+### ADMX_tcpip policies
-## ADMX_Thumbnails policies
+### ADMX_Thumbnails policies
+### ADMX_UserProfiles policies
+
+
+
+
### ADMX_W32Time policies
@@ -1596,6 +4182,20 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_WCM policies
+
+
+
+
### ADMX_WinCal policies
@@ -1615,7 +4215,7 @@ The following diagram shows the Policy configuration service provider in tree fo
-## ADMX_WindowsConnectNow policies
+### ADMX_WindowsConnectNow policies
+
+### ADMX_WindowsExplorer policies
+
+
+
+
### ADMX_WindowsMediaDRM policies
@@ -1705,6 +4524,37 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_WindowsRemoteManagement policies
+
+
+
+
+### ADMX_WindowsStore policies
+
+
+
+
### ADMX_WinInit policies
@@ -1719,6 +4569,66 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_WinLogon policies
+
+
+
+
+### ADMX_wlansvc policies
+
+
+
+
+### ADMX_WPN policies
+
+
+
+
### ApplicationDefaults policies
@@ -2393,7 +5303,7 @@ The following diagram shows the Policy configuration service provider in tree fo
Connectivity/AllowVPNRoamingOverCellular
+### LocalUsersAndGroups policies
+
@@ -2983,6 +5893,9 @@ The following diagram shows the Policy configuration service provider in tree fo
+
### LockDown policies
@@ -4095,6 +7014,14 @@ The following diagram shows the Policy configuration service provider in tree fo
+### Multitasking policies
+
+
+
### NetworkIsolation policies
@@ -4651,9 +7578,6 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_WindowsFileProtection policies
+
+
+
+
### WindowsInkWorkspace policies
@@ -5575,6 +8519,29 @@ The following diagram shows the Policy configuration service provider in tree fo
+### WindowsSandbox policies
+
+
+
+
### WirelessDisplay policies
@@ -5617,7 +8584,6 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Policies in Policy CSP supported by HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md)
## Policies in Policy CSP supported by Windows 10 IoT
-- [Policies in Policy CSP supported by Windows 10 IoT Enterprise](policy-csps-supported-by-iot-enterprise.md)
- [Policies in Policy CSP supported by Windows 10 IoT Core](policy-csps-supported-by-iot-core.md)
## Policies in Policy CSP supported by Microsoft Surface Hub
diff --git a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md
new file mode 100644
index 0000000000..2b4c414ae7
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md
@@ -0,0 +1,120 @@
+---
+title: Policy CSP - ADMX_ActiveXInstallService
+description: Policy CSP - ADMX_ActiveXInstallService
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 11/09/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_ActiveXInstallService
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_ActiveXInstallService policies
+
+
+
+
+
+
+
+**ADMX_ActiveXInstallService/AxISURLZonePolicies**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+ 
+
+Pro
+
+
+Business
+
+
+Enterprise
+ 
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the installation of ActiveX controls for sites in Trusted zone.
+
+If you enable this policy setting, ActiveX controls are installed according to the settings defined by this policy setting.
+
+If you disable or do not configure this policy setting, ActiveX controls prompt the user before installation.
+
+If the trusted site uses the HTTPS protocol, this policy setting can also control how ActiveX Installer Service responds to certificate errors. By default all HTTPS connections must supply a server certificate that passes all validation criteria. If you are aware that a trusted site has a certificate error but you want to trust it anyway you can select the certificate errors that you want to ignore.
+
+> [!NOTE]
+> This policy setting applies to all sites in Trusted zones.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Establish ActiveX installation policy for sites in Trusted zones*
+- GP name: *AxISURLZonePolicies*
+- GP path: *Windows Components\ActiveX Installer Service*
+- GP ADMX file name: *ActiveXInstallService.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md
index 36128621e3..0c6e0067ac 100644
--- a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md
+++ b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md
@@ -106,7 +106,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. The policy setting specifies the category of programs that appears when users open the "Add New Programs" page. If you enable this setting, only the programs in the category you specify are displayed when the "Add New Programs" page opens. You can use the Category box on the "Add New Programs" page to display programs in other categories.
+Available in the latest Windows 10 Insider Preview Build. The policy setting specifies the category of programs that appears when users open the "Add New Programs" page. If you enable this setting, only the programs in the category you specify are displayed when the "Add New Programs" page opens. You can use the Category box on the "Add New Programs" page to display programs in other categories.
To use this setting, type the name of a category in the Category box for this setting. You must enter a category that is already defined in Add or Remove Programs. To define a category, use Software Installation.
@@ -189,7 +189,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This prevents users from using Add or Remove Programs to install programs from removable media.
+Available in the latest Windows 10 Insider Preview Build. This policy setting removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This prevents users from using Add or Remove Programs to install programs from removable media.
If you disable this setting or do not configure it, the "Add a program from CD-ROM or floppy disk" option is available to all users. This setting does not prevent users from using other tools and methods to add or remove program components.
@@ -270,7 +270,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting removes the "Add programs from Microsoft" section from the Add New Programs page. This setting prevents users from using Add or Remove Programs to connect to Windows Update.
+Available in the latest Windows 10 Insider Preview Build. This policy setting removes the "Add programs from Microsoft" section from the Add New Programs page. This setting prevents users from using Add or Remove Programs to connect to Windows Update.
If you disable this setting or do not configure it, "Add programs from Microsoft" is available to all users. This setting does not prevent users from using other tools and methods to connect to Windows Update.
@@ -351,7 +351,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from viewing or installing published programs. This setting removes the "Add programs from your network" section from the Add New Programs page. The "Add programs from your network" section lists published programs and provides an easy way to install them. Published programs are those programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators publish programs to notify users that the programs are available, to recommend their use, or to enable users to install them without having to search for installation files.
+Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from viewing or installing published programs. This setting removes the "Add programs from your network" section from the Add New Programs page. The "Add programs from your network" section lists published programs and provides an easy way to install them. Published programs are those programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators publish programs to notify users that the programs are available, to recommend their use, or to enable users to install them without having to search for installation files.
If you enable this setting, users cannot tell which programs have been published by the system administrator, and they cannot use Add or Remove Programs to install published programs. However, they can still install programs by using other methods, and they can view and install assigned (partially installed) programs that are offered on the desktop or on the Start menu.
@@ -433,7 +433,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting removes the Add New Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Add New Programs button lets users install programs published or assigned by a system administrator.
+Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Add New Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Add New Programs button lets users install programs published or assigned by a system administrator.
If you disable this setting or do not configure it, the Add New Programs button is available to all users. This setting does not prevent users from using other tools and methods to install programs.
@@ -511,7 +511,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from using Add or Remove Programs. This setting removes Add or Remove Programs from Control Panel and removes the Add or Remove Programs item from menus. Add or Remove Programs lets users install, uninstall, repair, add, and remove features and components of Windows 2000 Professional and a wide variety of Windows programs. Programs published or assigned to the user appear in Add or Remove Programs.
+Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from using Add or Remove Programs. This setting removes Add or Remove Programs from Control Panel and removes the Add or Remove Programs item from menus. Add or Remove Programs lets users install, uninstall, repair, add, and remove features and components of Windows 2000 Professional and a wide variety of Windows programs. Programs published or assigned to the user appear in Add or Remove Programs.
If you disable this setting or do not configure it, Add or Remove Programs is available to all users. When enabled, this setting takes precedence over the other settings in this folder. This setting does not prevent users from using other tools and methods to install or uninstall programs.
@@ -589,7 +589,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting removes the Set Program Access and Defaults button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Set Program Access and Defaults button lets administrators specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations.
+Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Set Program Access and Defaults button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Set Program Access and Defaults button lets administrators specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations.
If you disable this setting or do not configure it, the Set Program Access and Defaults button is available to all users. This setting does not prevent users from using other tools and methods to change program access or defaults. This setting does not prevent the Set Program Access and Defaults icon from appearing on the Start menu. See the "Remove Set Program Access and Defaults from Start menu" setting.
@@ -668,7 +668,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting removes the Change or Remove Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Change or Remove Programs button lets users uninstall, repair, add, or remove features of installed programs.
+Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Change or Remove Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Change or Remove Programs button lets users uninstall, repair, add, or remove features of installed programs.
If you disable this setting or do not configure it, the Change or Remove Programs page is available to all users. This setting does not prevent users from using other tools and methods to delete or uninstall programs.
@@ -746,7 +746,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from using Add or Remove Programs to configure installed services. This setting removes the "Set up services" section of the Add/Remove Windows Components page. The "Set up services" section lists system services that have not been configured and offers users easy access to the configuration tools.
+Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from using Add or Remove Programs to configure installed services. This setting removes the "Set up services" section of the Add/Remove Windows Components page. The "Set up services" section lists system services that have not been configured and offers users easy access to the configuration tools.
If you disable this setting or do not configure it, "Set up services" appears only when there are unconfigured system services. If you enable this setting, "Set up services" never appears. This setting does not prevent users from using other methods to configure services.
@@ -827,7 +827,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting removes links to the Support Info dialog box from programs on the Change or Remove Programs page. Programs listed on the Change or Remove Programs page can include a "Click here for support information" hyperlink. When clicked, the hyperlink opens a dialog box that displays troubleshooting information, including a link to the installation files and data that users need to obtain product support, such as the Product ID and version number of the program. The dialog box also includes a hyperlink to support information on the Internet, such as the Microsoft Product Support Services Web page.
+Available in the latest Windows 10 Insider Preview Build. This policy setting removes links to the Support Info dialog box from programs on the Change or Remove Programs page. Programs listed on the Change or Remove Programs page can include a "Click here for support information" hyperlink. When clicked, the hyperlink opens a dialog box that displays troubleshooting information, including a link to the installation files and data that users need to obtain product support, such as the Product ID and version number of the program. The dialog box also includes a hyperlink to support information on the Internet, such as the Microsoft Product Support Services Web page.
If you disable this setting or do not configure it, the Support Info hyperlink appears.
@@ -908,7 +908,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting removes the Add/Remove Windows Components button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Add/Remove Windows Components button lets users configure installed services and use the Windows Component Wizard to add, remove, and configure components of Windows from the installation files.
+Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Add/Remove Windows Components button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Add/Remove Windows Components button lets users configure installed services and use the Windows Component Wizard to add, remove, and configure components of Windows from the installation files.
If you disable this setting or do not configure it, the Add/Remove Windows Components button is available to all users. This setting does not prevent users from using other tools and methods to configure services or add or remove program components. However, this setting blocks user access to the Windows Component Wizard.
@@ -941,14 +941,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-appcompat.md b/windows/client-management/mdm/policy-csp-admx-appcompat.md
index ef0f985661..b626e67721 100644
--- a/windows/client-management/mdm/policy-csp-admx-appcompat.md
+++ b/windows/client-management/mdm/policy-csp-admx-appcompat.md
@@ -108,7 +108,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether to prevent the MS-DOS subsystem (**ntvdm.exe**) from running on this computer. This setting affects the launching of 16-bit applications in the operating system.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to prevent the MS-DOS subsystem (**ntvdm.exe**) from running on this computer. This setting affects the launching of 16-bit applications in the operating system.
You can use this setting to turn off the MS-DOS subsystem, which will reduce resource usage and prevent users from running 16-bit applications. To run any 16-bit application or any application with 16-bit components, **ntvdm.exe** must be allowed to run. The MS-DOS subsystem starts when the first 16-bit application is launched. While the MS-DOS subsystem is running, any subsequent 16-bit applications launch faster, but overall resource usage on the system is increased.
@@ -185,7 +185,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting controls the visibility of the Program Compatibility property page shell extension. This shell extension is visible on the property context-menu of any program shortcut or executable file.
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the visibility of the Program Compatibility property page shell extension. This shell extension is visible on the property context-menu of any program shortcut or executable file.
The compatibility property page displays a list of options that can be selected and applied to the application to resolve the most common issues affecting legacy applications.
@@ -256,7 +256,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. The policy setting controls the state of the Application Telemetry engine in the system.
+Available in the latest Windows 10 Insider Preview Build. The policy setting controls the state of the Application Telemetry engine in the system.
Application Telemetry is a mechanism that tracks anonymous usage of specific Windows system components by applications.
@@ -331,7 +331,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. The policy setting controls the state of the Switchback compatibility engine in the system.
+Available in the latest Windows 10 Insider Preview Build. The policy setting controls the state of the Switchback compatibility engine in the system.
Switchback is a mechanism that provides generic compatibility mitigations to older applications by providing older behavior to old applications and new behavior to new applications.
@@ -407,7 +407,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting controls the state of the application compatibility engine in the system.
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the state of the application compatibility engine in the system.
The engine is part of the loader and looks through a compatibility database every time an application is started on the system. If a match for the application is found it provides either run-time solutions or compatibility fixes, or displays an Application Help message if the application has a know problem.
@@ -485,7 +485,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility.
+Available in the latest Windows 10 Insider Preview Build. This policy setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility.
@@ -552,7 +552,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting controls the state of the Program Compatibility Assistant (PCA). The PCA monitors applications run by the user. When a potential compatibility issue with an application is detected, the PCA will prompt the user with recommended solutions. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics.
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the state of the Program Compatibility Assistant (PCA). The PCA monitors applications run by the user. When a potential compatibility issue with an application is detected, the PCA will prompt the user with recommended solutions. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics.
If you enable this policy setting, the PCA will be turned off. The user will not be presented with solutions to known compatibility issues when running applications. Turning off the PCA can be useful for system administrators who require better performance and are already aware of application compatibility issues.
@@ -626,7 +626,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting controls the state of Steps Recorder.
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the state of Steps Recorder.
Steps Recorder keeps a record of steps taken by the user. The data generated by Steps Recorder can be used in feedback systems such as Windows Error Reporting to help developers understand and fix problems. The data includes user actions such as keyboard input and mouse input, user interface data, and screenshots. Steps Recorder includes an option to turn on and off data collection.
@@ -699,7 +699,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting controls the state of the Inventory Collector.
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the state of the Inventory Collector.
The Inventory Collector inventories applications, files, devices, and drivers on the system and sends the information to Microsoft. This information is used to help diagnose compatibility problems.
@@ -731,14 +731,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md
new file mode 100644
index 0000000000..086c0dafc1
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md
@@ -0,0 +1,121 @@
+---
+title: Policy CSP - ADMX_AppxPackageManager
+description: Policy CSP - ADMX_AppxPackageManager
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 11/10/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_AppxPackageManager
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_AppxPackageManager policies
+
+
+
+
+
+
+
+**ADMX_AppxPackageManager/AllowDeploymentInSpecialProfiles**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the deployment of Windows Store apps when the user is signed in using a special profile.
+
+Special profiles are the following user profiles, where changes are discarded after the user signs off:
+
+- Roaming user profiles to which the "Delete cached copies of roaming profiles" Group Policy setting applies
+- Mandatory user profiles and super-mandatory profiles, which are created by an administrator
+- Temporary user profiles, which are created when an error prevents the correct profile from loading
+- User profiles for the Guest account and members of the Guests group
+
+If you enable this policy setting, Group Policy allows deployment operations (adding, registering, staging, updating, or removing an app package) of Windows Store apps when using a special profile.
+
+If you disable or do not configure this policy setting, Group Policy blocks deployment operations of Windows Store apps when using a special profile.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow deployment operations in special profiles*
+- GP name: *AllowDeploymentInSpecialProfiles*
+- GP path: *Windows Components\App Package Deployment*
+- GP ADMX file name: *AppxPackageManager.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-appxruntime.md b/windows/client-management/mdm/policy-csp-admx-appxruntime.md
new file mode 100644
index 0000000000..6d76bd5f74
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-appxruntime.md
@@ -0,0 +1,339 @@
+---
+title: Policy CSP - ADMX_AppXRuntime
+description: Policy CSP - ADMX_AppXRuntime
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 11/10/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_AppXRuntime
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_AppXRuntime policies
+
+
+
+
+
+
+
+
+**ADMX_AppXRuntime/AppxRuntimeApplicationContentUriRules**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all Windows Store apps that use the enterpriseAuthentication capability on a computer.
+
+If you enable this policy setting, you can define additional Content URI Rules that all Windows Store apps that use the enterpriseAuthentication capability on a computer can use.
+
+If you disable or don't set this policy setting, Windows Store apps will only use the static Content URI Rules.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn on dynamic Content URI Rules for Windows store apps*
+- GP name: *AppxRuntimeApplicationContentUriRules*
+- GP path: *Windows Components\App runtime*
+- GP ADMX file name: *AppXRuntime.admx*
+
+
+
+
+
+
+**ADMX_AppXRuntime/AppxRuntimeBlockFileElevation**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type.
+
+If you enable this policy setting, Windows Store apps cannot open files in the default desktop app for a file type; they can open files only in other Windows Store apps.
+
+If you disable or do not configure this policy setting, Windows Store apps can open files in the default desktop app for a file type.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Block launching desktop apps associated with a file.*
+- GP name: *AppxRuntimeBlockFileElevation*
+- GP path: *Windows Components\App runtime*
+- GP ADMX file name: *AppXRuntime.admx*
+
+
+
+
+
+
+**ADMX_AppXRuntime/AppxRuntimeBlockHostedAppAccessWinRT**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether Universal Windows apps with Windows Runtime API access directly from web content can be launched.
+
+If you enable this policy setting, Universal Windows apps which declare Windows Runtime API access in ApplicationContentUriRules section of the manifest cannot be launched; Universal Windows apps which have not declared Windows Runtime API access in the manifest are not affected.
+
+If you disable or do not configure this policy setting, all Universal Windows apps can be launched.
+
+> [!WARNING]
+> This policy should not be enabled unless recommended by Microsoft as a security response because it can cause severe app compatibility issues.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Block launching Universal Windows apps with Windows Runtime API access from hosted content.*
+- GP name: *AppxRuntimeBlockHostedAppAccessWinRT*
+- GP path: *Windows Components\App runtime*
+- GP ADMX file name: *AppXRuntime.admx*
+
+
+
+
+
+
+**ADMX_AppXRuntime/AppxRuntimeBlockProtocolElevation**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps, there is a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app.
+
+If you enable this policy setting, Windows Store apps cannot open URIs in the default desktop app for a URI scheme; they can open URIs only in other Windows Store apps.
+
+If you disable or do not configure this policy setting, Windows Store apps can open URIs in the default desktop app for a URI scheme.
+
+> [!NOTE]
+> Enabling this policy setting does not block Windows Store apps from opening the default desktop app for the http, https, and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilities from untrusted sources, reducing the associated risk.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Block launching desktop apps associated with a URI scheme*
+- GP name: *AppxRuntimeBlockProtocolElevation*
+- GP path: *Windows Components\App runtime*
+- GP ADMX file name: *AppXRuntime.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md
new file mode 100644
index 0000000000..895402efef
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md
@@ -0,0 +1,423 @@
+---
+title: Policy CSP - ADMX_AttachmentManager
+description: Policy CSP - ADMX_AttachmentManager
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 11/10/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_AttachmentManager
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_AttachmentManager policies
+
+
+
+
+
+
+
+
+**ADMX_AttachmentManager/AM_EstimateFileHandlerRisk**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the logic that Windows uses to determine the risk for file attachments.
+
+Preferring the file handler instructs Windows to use the file handler data over the file type data. For example, trust notepad.exe, but don't trust .txt files.
+
+Preferring the file type instructs Windows to use the file type data over the file handler data. For example, trust .txt files, regardless of the file handler. Using both the file handler and type data is the most restrictive option. Windows chooses the more restrictive recommendation which will cause users to see more trust prompts than choosing the other options.
+
+If you enable this policy setting, you can choose the order in which Windows processes risk assessment data.
+
+If you disable this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type.
+
+If you do not configure this policy setting, Windows uses its default trust logic, which prefers the file handler over the file type.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Trust logic for file attachments*
+- GP name: *AM_EstimateFileHandlerRisk*
+- GP path: *Windows Components\Attachment Manager*
+- GP ADMX file name: *AttachmentManager.admx*
+
+
+
+
+
+
+**ADMX_AttachmentManager/AM_SetFileRiskLevel**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the default risk level for file types. To fully customize the risk level for file attachments, you may also need to configure the trust logic for file attachments.
+
+High Risk: If the attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file.
+
+Moderate Risk: If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file.
+
+Low Risk: If the attachment is in the list of low-risk file types, Windows will not prompt the user before accessing the file, regardless of the file's zone information.
+
+If you enable this policy setting, you can specify the default risk level for file types.
+
+If you disable this policy setting, Windows sets the default risk level to moderate.
+
+If you do not configure this policy setting, Windows sets the default risk level to moderate.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Default risk level for file attachments*
+- GP name: *AM_SetFileRiskLevel*
+- GP path: *Windows Components\Attachment Manager*
+- GP ADMX file name: *AttachmentManager.admx*
+
+
+
+
+
+
+**ADMX_AttachmentManager/AM_SetHighRiskInclusion**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the list of high-risk file types. If the file attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone, Windows prompts the user before accessing the file. This inclusion list takes precedence over the medium-risk and low-risk inclusion lists (where an extension is listed in more than one inclusion list).
+
+If you enable this policy setting, you can create a custom list of high-risk file types.
+
+If you disable this policy setting, Windows uses its built-in list of file types that pose a high risk.
+
+If you do not configure this policy setting, Windows uses its built-in list of high-risk file types.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Inclusion list for high risk file types*
+- GP name: *AM_SetHighRiskInclusion*
+- GP path: *Windows Components\Attachment Manager*
+- GP ADMX file name: *AttachmentManager.admx*
+
+
+
+
+
+
+**ADMX_AttachmentManager/AM_SetLowRiskInclusion**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the list of low-risk file types. If the attachment is in the list of low-risk file types, Windows will not prompt the user before accessing the file, regardless of the file's zone information. This inclusion list overrides the list of high-risk file types built into Windows and has a lower precedence than the high-risk or medium-risk inclusion lists (where an extension is listed in more than one inclusion list).
+
+If you enable this policy setting, you can specify file types that pose a low risk.
+
+If you disable this policy setting, Windows uses its default trust logic.
+
+If you do not configure this policy setting, Windows uses its default trust logic.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Inclusion list for low file types*
+- GP name: *AM_SetLowRiskInclusion*
+- GP path: *Windows Components\Attachment Manager*
+- GP ADMX file name: *AttachmentManager.admx*
+
+
+
+
+
+
+**ADMX_AttachmentManager/AM_SetModRiskInclusion**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the list of moderate-risk file types. If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. This inclusion list overrides the list of potentially high-risk file types built into Windows and it takes precedence over the low-risk inclusion list but has a lower precedence than the high-risk inclusion list (where an extension is listed in more than one inclusion list).
+
+If you enable this policy setting, you can specify file types which pose a moderate risk.
+
+If you disable this policy setting, Windows uses its default trust logic.
+
+If you do not configure this policy setting, Windows uses its default trust logic.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Inclusion list for moderate risk file types*
+- GP name: *AM_SetModRiskInclusion*
+- GP path: *Windows Components\Attachment Manager*
+- GP ADMX file name: *AttachmentManager.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-auditsettings.md b/windows/client-management/mdm/policy-csp-admx-auditsettings.md
index 1aa77b30da..2564a91801 100644
--- a/windows/client-management/mdm/policy-csp-admx-auditsettings.md
+++ b/windows/client-management/mdm/policy-csp-admx-auditsettings.md
@@ -74,7 +74,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines what information is logged in security audit events when a new process has been created. This setting only applies when the Audit Process Creation policy is enabled.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines what information is logged in security audit events when a new process has been created. This setting only applies when the Audit Process Creation policy is enabled.
If you enable this policy setting, the command line information for every process will be logged in plain text in the security event log as part of the Audit Process Creation event 4688, "a new process has been created," on the workstations and servers on which this policy setting is applied.
@@ -106,14 +106,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-bits.md b/windows/client-management/mdm/policy-csp-admx-bits.md
new file mode 100644
index 0000000000..35597b677e
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-bits.md
@@ -0,0 +1,1102 @@
+---
+title: Policy CSP - ADMX_Bits
+description: Policy CSP - ADMX_Bits
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 10/20/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_Bits
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_Bits policies
+
+
+
+
+
+
+
+
+**ADMX_Bits/BITS_DisableBranchCache**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This setting affects whether the BITS client is allowed to use Windows Branch Cache. If the Windows Branch Cache component is installed and enabled on a computer, BITS jobs on that computer can use Windows Branch Cache by default.
+
+If you enable this policy setting, the BITS client does not use Windows Branch Cache.
+
+If you disable or do not configure this policy setting, the BITS client uses Windows Branch Cache.
+
+> [!NOTE]
+> This policy setting does not affect the use of Windows Branch Cache by applications other than BITS. This policy setting does not apply to BITS transfers over SMB. This setting has no effect if the computer's administrative settings for Windows Branch Cache disable its use entirely.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not allow the BITS client to use Windows Branch Cache*
+- GP name: *BITS_DisableBranchCache*
+- GP path: *Network\Background Intelligent Transfer Service (BITS)*
+- GP ADMX file name: *Bits.admx*
+
+
+
+
+
+
+**ADMX_Bits/BITS_DisablePeercachingClient**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the computer will act as a BITS peer caching client. By default, when BITS peer caching is enabled, the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (downloading files from its peers).
+
+If you enable this policy setting, the computer will no longer use the BITS peer caching feature to download files; files will be downloaded only from the origin server. However, the computer will still make files available to its peers.
+
+If you disable or do not configure this policy setting, the computer attempts to download peer-enabled BITS jobs from peer computers before reverting to the origin server.
+
+> [!NOTE]
+> This policy setting has no effect if the "Allow BITS peer caching" policy setting is disabled or not configured.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not allow the computer to act as a BITS Peercaching client*
+- GP name: *BITS_DisablePeercachingClient*
+- GP path: *Network\Background Intelligent Transfer Service (BITS)*
+- GP ADMX file name: *Bits.admx*
+
+
+
+
+
+
+**ADMX_Bits/BITS_DisablePeercachingServer**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the computer will act as a BITS peer caching server. By default, when BITS peer caching is enabled, the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (downloading files from its peers).
+
+If you enable this policy setting, the computer will no longer cache downloaded files and offer them to its peers. However, the computer will still download files from peers.
+
+If you disable or do not configure this policy setting, the computer will offer downloaded and cached files to its peers.
+
+> [!NOTE]
+> This setting has no effect if the "Allow BITS peer caching" setting is disabled or not configured.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not allow the computer to act as a BITS Peercaching server*
+- GP name: *BITS_DisablePeercachingServer*
+- GP path: *Network\Background Intelligent Transfer Service (BITS)*
+- GP ADMX file name: *Bits.admx*
+
+
+
+
+
+
+
+**ADMX_Bits/BITS_EnablePeercaching**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines if the Background Intelligent Transfer Service (BITS) peer caching feature is enabled on a specific computer. By default, the files in a BITS job are downloaded only from the origin server specified by the job's owner.
+
+If BITS peer caching is enabled, BITS caches downloaded files and makes them available to other BITS peers. When transferring a download job, BITS first requests the files for the job from its peers in the same IP subnet. If none of the peers in the subnet have the requested files, BITS downloads them from the origin server.
+
+If you enable this policy setting, BITS downloads files from peers, caches the files, and responds to content requests from peers. Using the "Do not allow the computer to act as a BITS peer caching server" and "Do not allow the computer to act as a BITS peer caching client" policy settings, it is possible to control BITS peer caching functionality at a more detailed level. However, it should be noted that the "Allow BITS peer caching" policy setting must be enabled for the other two policy settings to have any effect.
+
+If you disable or do not configure this policy setting, the BITS peer caching feature will be disabled, and BITS will download files directly from the origin server.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow BITS Peercaching*
+- GP name: *BITS_EnablePeercaching*
+- GP path: *Network\Background Intelligent Transfer Service (BITS)*
+- GP ADMX file name: *Bits.admx*
+
+
+
+
+
+
+
+**ADMX_Bits/BITS_MaxBandwidthServedForPeers**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting limits the network bandwidth that BITS uses for peer cache transfers (this setting does not affect transfers from the origin server).
+
+To prevent any negative impact to a computer caused by serving other peers, by default BITS will use up to 30 percent of the bandwidth of the slowest active network interface. For example, if a computer has both a 100 Mbps network card and a 56 Kbps modem, and both are active, BITS will use a maximum of 30 percent of 56 Kbps.
+
+You can change the default behavior of BITS, and specify a fixed maximum bandwidth that BITS will use for peer caching.
+
+If you enable this policy setting, you can enter a value in bits per second (bps) between 1048576 and 4294967200 to use as the maximum network bandwidth used for peer caching.
+
+If you disable this policy setting or do not configure it, the default value of 30 percent of the slowest active network interface will be used.
+
+> [!NOTE]
+> This setting has no effect if the "Allow BITS peer caching" policy setting is disabled or not configured.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Limit the maximum network bandwidth used for Peercaching*
+- GP name: *BITS_MaxBandwidthServedForPeers*
+- GP path: *Network\Background Intelligent Transfer Service (BITS)*
+- GP ADMX file name: *Bits.admx*
+
+
+
+
+
+
+**ADMX_Bits/BITS_MaxBandwidthV2_Maintenance**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the maintenance days and hours. Maintenance schedules further limit the network bandwidth that is used for background transfers.
+
+If you enable this policy setting, you can define a separate set of network bandwidth limits and set up a schedule for the maintenance period.
+
+You can specify a limit to use for background jobs during a maintenance schedule. For example, if normal priority jobs are currently limited to 256 Kbps on a work schedule, you can further limit the network bandwidth of normal priority jobs to 0 Kbps from 8:00 A.M. to 10:00 A.M. on a maintenance schedule.
+
+If you disable or do not configure this policy setting, the limits defined for work or non-work schedules will be used.
+
+> [!NOTE]
+> The bandwidth limits that are set for the maintenance period supersede any limits defined for work and other schedules.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Set up a maintenance schedule to limit the maximum network bandwidth used for BITS background transfers*
+- GP name: *BITS_MaxBandwidthV2_Maintenance*
+- GP path: *Network\Background Intelligent Transfer Service (BITS)*
+- GP ADMX file name: *Bits.admx*
+
+
+
+
+
+
+
+**ADMX_Bits/BITS_MaxBandwidthV2_Work**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the work and non-work days and hours. The work schedule is defined using a weekly calendar, which consists of days of the week and hours of the day. All hours and days that are not defined in a work schedule are considered non-work hours.
+
+If you enable this policy setting, you can set up a schedule for limiting network bandwidth during both work and non-work hours. After the work schedule is defined, you can set the bandwidth usage limits for each of the three BITS background priority levels: high, normal, and low.
+
+You can specify a limit to use for background jobs during a work schedule. For example, you can limit the network bandwidth of low priority jobs to 128 Kbps from 8:00 A.M. to 5:00 P.M. on Monday through Friday, and then set the limit to 512 Kbps for non-work hours.
+
+If you disable or do not configure this policy setting, BITS uses all available unused bandwidth for background job transfers.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Set up a work schedule to limit the maximum network bandwidth used for BITS background transfers*
+- GP name: *BITS_MaxBandwidthV2_Work*
+- GP path: *Network\Background Intelligent Transfer Service (BITS)*
+- GP ADMX file name: *Bits.admx*
+
+
+
+
+
+
+
+**ADMX_Bits/BITS_MaxCacheSize**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting limits the maximum amount of disk space that can be used for the BITS peer cache, as a percentage of the total system disk size. BITS will add files to the peer cache and make those files available to peers until the cache content reaches the specified cache size. By default, BITS will use 1 percent of the total system disk for the peercache.
+
+If you enable this policy setting, you can enter the percentage of disk space to be used for the BITS peer cache. You can enter a value between 1 percent and 80 percent.
+
+If you disable or do not configure this policy setting, the default size of the BITS peer cache is 1 percent of the total system disk size.
+
+> [!NOTE]
+> This policy setting has no effect if the "Allow BITS peer caching" setting is disabled or not configured.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Limit the BITS Peercache size*
+- GP name: *BITS_MaxCacheSize*
+- GP path: *Network\Background Intelligent Transfer Service (BITS)*
+- GP ADMX file name: *Bits.admx*
+
+
+
+
+
+
+**ADMX_Bits/BITS_MaxContentAge**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting limits the maximum age of files in the Background Intelligent Transfer Service (BITS) peer cache. In order to make the most efficient use of disk space, by default BITS removes any files in the peer cache that have not been accessed in the past 90 days.
+
+If you enable this policy setting, you can specify in days the maximum age of files in the cache. You can enter a value between 1 and 120 days.
+
+If you disable or do not configure this policy setting, files that have not been accessed for the past 90 days will be removed from the peer cache.
+
+> [!NOTE]
+> This policy setting has no effect if the "Allow BITS Peercaching" policy setting is disabled or not configured.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Limit the age of files in the BITS Peercache*
+- GP name: *BITS_MaxContentAge*
+- GP path: *Network\Background Intelligent Transfer Service (BITS)*
+- GP ADMX file name: *Bits.admx*
+
+
+
+
+
+
+**ADMX_Bits/BITS_MaxDownloadTime**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting limits the amount of time that Background Intelligent Transfer Service (BITS) will take to download the files in a BITS job.
+
+The time limit applies only to the time that BITS is actively downloading files. When the cumulative download time exceeds this limit, the job is placed in the error state.
+
+By default BITS uses a maximum download time of 90 days (7,776,000 seconds).
+
+If you enable this policy setting, you can set the maximum job download time to a specified number of seconds.
+
+If you disable or do not configure this policy setting, the default value of 90 days (7,776,000 seconds) will be used.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Limit the maximum BITS job download time*
+- GP name: *BITS_MaxDownloadTime*
+- GP path: *Network\Background Intelligent Transfer Service (BITS)*
+- GP ADMX file name: *Bits.admx*
+
+
+
+
+
+
+**ADMX_Bits/BITS_MaxFilesPerJob**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting limits the number of files that a BITS job can contain. By default, a BITS job is limited to 200 files. You can use this setting to raise or lower the maximum number of files a BITS jobs can contain.
+
+If you enable this policy setting, BITS will limit the maximum number of files a job can contain to the specified number.
+
+If you disable or do not configure this policy setting, BITS will use the default value of 200 for the maximum number of files a job can contain.
+
+> [!NOTE]
+> BITS Jobs created by services and the local administrator account do not count toward this limit.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Limit the maximum number of files allowed in a BITS job*
+- GP name: *BITS_MaxFilesPerJob*
+- GP path: *Network\Background Intelligent Transfer Service (BITS)*
+- GP ADMX file name: *Bits.admx*
+
+
+
+
+
+
+**ADMX_Bits/BITS_MaxJobsPerMachine**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting limits the number of BITS jobs that can be created for all users of the computer. By default, BITS limits the total number of jobs that can be created on the computer to 300 jobs. You can use this policy setting to raise or lower the maximum number of user BITS jobs.
+
+If you enable this policy setting, BITS will limit the maximum number of BITS jobs to the specified number.
+
+If you disable or do not configure this policy setting, BITS will use the default BITS job limit of 300 jobs.
+
+> [!NOTE]
+> BITS jobs created by services and the local administrator account do not count toward this limit.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Limit the maximum number of BITS jobs for this computer*
+- GP name: *BITS_MaxJobsPerMachine*
+- GP path: *Network\Background Intelligent Transfer Service (BITS)*
+- GP ADMX file name: *Bits.admx*
+
+
+
+
+
+
+**ADMX_Bits/BITS_MaxJobsPerUser**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting limits the number of BITS jobs that can be created by a user. By default, BITS limits the total number of jobs that can be created by a user to 60 jobs. You can use this setting to raise or lower the maximum number of BITS jobs a user can create.
+
+If you enable this policy setting, BITS will limit the maximum number of BITS jobs a user can create to the specified number.
+
+If you disable or do not configure this policy setting, BITS will use the default user BITS job limit of 300 jobs.
+
+> [!NOTE]
+> This limit must be lower than the setting specified in the "Maximum number of BITS jobs for this computer" policy setting, or 300 if the "Maximum number of BITS jobs for this computer" policy setting is not configured. BITS jobs created by services and the local administrator account do not count toward this limit.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Limit the maximum number of BITS jobs for each user*
+- GP name: *BITS_MaxJobsPerUser*
+- GP path: *Network\Background Intelligent Transfer Service (BITS)*
+- GP ADMX file name: *Bits.admx*
+
+
+
+
+
+
+**ADMX_Bits/BITS_MaxRangesPerFile**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting limits the number of ranges that can be added to a file in a BITS job. By default, files in a BITS job are limited to 500 ranges per file. You can use this setting to raise or lower the maximum number ranges per file.
+
+If you enable this policy setting, BITS will limit the maximum number of ranges that can be added to a file to the specified number.
+
+If you disable or do not configure this policy setting, BITS will limit ranges to 500 ranges per file.
+
+> [!NOTE]
+> BITS Jobs created by services and the local administrator account do not count toward this limit.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Limit the maximum number of ranges that can be added to the file in a BITS job*
+- GP name: *BITS_MaxRangesPerFile*
+- GP path: *Network\Background Intelligent Transfer Service (BITS)*
+- GP ADMX file name: *Bits.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md
index 649079a937..e8a57b01bf 100644
--- a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md
+++ b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md
@@ -78,7 +78,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines the cipher suites used by the Secure Socket Layer (SSL).
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines the cipher suites used by the Secure Socket Layer (SSL).
If you enable this policy setting, SSL cipher suites are prioritized in the order specified.
@@ -151,7 +151,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines the priority order of ECC curves used with ECDHE cipher suites.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines the priority order of ECC curves used with ECDHE cipher suites.
If you enable this policy setting, ECC curves are prioritized in the order specified. Enter one curve name per line.
@@ -190,14 +190,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-com.md b/windows/client-management/mdm/policy-csp-admx-com.md
index 1da39a32a3..aaaa28a510 100644
--- a/windows/client-management/mdm/policy-csp-admx-com.md
+++ b/windows/client-management/mdm/policy-csp-admx-com.md
@@ -78,7 +78,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires.
+Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires.
Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs cannot perform all their functions unless Windows has internally registered the required components.
@@ -153,7 +153,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires.
+Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires.
Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs cannot perform all their functions unless Windows has internally registered the required components.
@@ -184,14 +184,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-controlpanel.md b/windows/client-management/mdm/policy-csp-admx-controlpanel.md
new file mode 100644
index 0000000000..4a340834f9
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-controlpanel.md
@@ -0,0 +1,363 @@
+---
+title: Policy CSP - ADMX_ControlPanel
+description: Policy CSP - ADMX_ControlPanel
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 11/05/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_ControlPanel
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_ControlPanel policies
+
+
+
+
+
+
+
+
+**ADMX_ControlPanel/DisallowCpls**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This setting allows you to display or hide specified Control Panel items, such as Mouse, System, or Personalization, from the Control Panel window and the Start screen. The setting affects the Start screen and Control Panel window, as well as other ways to access Control Panel items, such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings.
+
+If you enable this setting, you can select specific items not to display on the Control Panel window and the Start screen.
+
+To hide a Control Panel item, enable this policy setting and click Show to access the list of disallowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft.Mouse, Microsoft.System, or Microsoft.Personalization.
+
+> [!NOTE]
+> For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name should be entered, for example timedate.cpl or inetcpl.cpl. If a Control Panel item does not have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered, for example @systemcpl.dll,-1 for System, or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names can be found in MSDN by searching "Control Panel items".
+
+If both the "Hide specified Control Panel items" setting and the "Show only specified Control Panel items" setting are enabled, the "Show only specified Control Panel items" setting is ignored.
+
+> [!NOTE]
+> The Display Control Panel item cannot be hidden in the Desktop context menu by using this setting. To hide the Display Control Panel item and prevent users from modifying the computer's display settings use the "Disable Display Control Panel" setting instead. Note: To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hide specified Control Panel items*
+- GP name: *DisallowCpls*
+- GP path: *Control Panel*
+- GP ADMX file name: *ControlPanel.admx*
+
+
+
+
+
+
+**ADMX_ControlPanel/ForceClassicControlPanel**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the default Control Panel view, whether by category or icons.
+
+If this policy setting is enabled, the Control Panel opens to the icon view.
+
+If this policy setting is disabled, the Control Panel opens to the category view.
+
+If this policy setting is not configured, the Control Panel opens to the view used in the last Control Panel session.
+
+> [!NOTE]
+> Icon size is dependent upon what the user has set it to in the previous session.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Always open All Control Panel Items when opening Control Panel*
+- GP name: *ForceClassicControlPanel*
+- GP path: *Control Panel*
+- GP ADMX file name: *ControlPanel.admx*
+
+
+
+
+
+
+**ADMX_ControlPanel/NoControlPanel**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Disables all Control Panel programs and the PC settings app.
+
+This setting prevents Control.exe and SystemSettings.exe, the program files for Control Panel and PC settings, from starting. As a result, users cannot start Control Panel or PC settings, or run any of their items.
+
+This setting removes Control Panel from:
+
+- The Start screen
+- File Explorer
+
+This setting removes PC settings from:
+
+- The Start screen
+- Settings charm
+- Account picture
+- Search results
+
+If users try to select a Control Panel item from the Properties item on a context menu, a message appears explaining that a setting prevents the action.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prohibit access to Control Panel and PC settings*
+- GP name: *NoControlPanel*
+- GP path: *Control Panel*
+- GP ADMX file name: *ControlPanel.admx*
+
+
+
+
+
+
+**ADMX_ControlPanel/RestrictCpls**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls which Control Panel items such as Mouse, System, or Personalization, are displayed on the Control Panel window and the Start screen. The only items displayed in Control Panel are those you specify in this setting. This setting affects the Start screen and Control Panel, as well as other ways to access Control Panel items such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings.
+
+To display a Control Panel item, enable this policy setting and click Show to access the list of allowed Control Panel items. In the Show Contents dialog box in the Value column, enter the Control Panel item's canonical name. For example, enter Microsoft.Mouse, Microsoft.System, or Microsoft.Personalization.
+
+> [!NOTE]
+> For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name, for example timedate.cpl or inetcpl.cpl, should be entered. If a Control Panel item does not have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered. For example, enter @systemcpl.dll,-1 for System or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names of Control Panel items can be found in MSDN by searching "Control Panel items".
+
+If both the "Hide specified Control Panel items" setting and the "Show only specified Control Panel items" setting are enabled, the "Show only specified Control Panel items" setting is ignored.
+
+> [!NOTE]
+> The Display Control Panel item cannot be hidden in the Desktop context menu by using this setting. To hide the Display Control Panel item and prevent users from modifying the computer's display settings use the "Disable Display Control Panel" setting instead.
+>
+> To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Show only specified Control Panel items*
+- GP name: *RestrictCpls*
+- GP path: *Control Panel*
+- GP ADMX file name: *ControlPanel.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md
new file mode 100644
index 0000000000..a03950bfdc
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md
@@ -0,0 +1,1826 @@
+---
+title: Policy CSP - ADMX_ControlPanelDisplay
+description: Policy CSP - ADMX_ControlPanelDisplay
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 11/05/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_ControlPanelDisplay
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_ControlPanelDisplay policies
+
+
+
+
+
+
+
+
+**ADMX_ControlPanelDisplay/CPL_Display_Disable**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Disables the Display Control Panel.
+
+If you enable this setting, the Display Control Panel does not run. When users try to start Display, a message appears explaining that a setting prevents the action.
+
+Also, see the "Prohibit access to the Control Panel" (User Configuration\Administrative Templates\Control Panel) and "Remove programs on Settings menu" (User Configuration\Administrative Templates\Start Menu & Taskbar) settings.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Disable the Display Control Panel*
+- GP name: *CPL_Display_Disable*
+- GP path: *Control Panel\Display*
+- GP ADMX file name: *ControlPanelDisplay.admx*
+
+
+
+
+
+
+**ADMX_ControlPanelDisplay/CPL_Display_HideSettings**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Removes the Settings tab from Display in Control Panel.
+
+This setting prevents users from using Control Panel to add, configure, or change the display settings on the computer.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hide Settings tab*
+- GP name: *CPL_Display_HideSettings*
+- GP path: *Control Panel\Display*
+- GP ADMX file name: *ControlPanelDisplay.admx*
+
+
+
+
+
+
+**ADMX_ControlPanelDisplay/CPL_Personalization_DisableColorSchemeChoice**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This setting forces the theme color scheme to be the default color scheme.
+
+If you enable this setting, a user cannot change the color scheme of the current desktop theme.
+
+If you disable or do not configure this setting, a user may change the color scheme of the current desktop theme.
+
+For Windows 7 and later, use the "Prevent changing color and appearance" setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prevent changing color scheme*
+- GP name: *CPL_Personalization_DisableColorSchemeChoice*
+- GP path: *Control Panel\Personalization*
+- GP ADMX file name: *ControlPanelDisplay.admx*
+
+
+
+
+
+
+**ADMX_ControlPanelDisplay/CPL_Personalization_DisableThemeChange**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This setting disables the theme gallery in the Personalization Control Panel.
+
+If you enable this setting, users cannot change or save a theme. Elements of a theme such as the desktop background, color, sounds, and screen saver can still be changed (unless policies are set to turn them off).
+
+If you disable or do not configure this setting, there is no effect.
+
+> [!NOTE]
+> If you enable this setting but do not specify a theme using the "load a specific theme" setting, the theme defaults to whatever the user previously set or the system default.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prevent changing theme*
+- GP name: *CPL_Personalization_DisableThemeChange*
+- GP path: *Control Panel\Personalization*
+- GP ADMX file name: *ControlPanelDisplay.admx*
+
+
+
+
+
+
+**ADMX_ControlPanelDisplay/CPL_Personalization_DisableVisualStyle**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Prevents users or applications from changing the visual style of the windows and buttons displayed on their screens.
+
+When enabled on Windows XP, this setting disables the "Windows and buttons" drop-down list on the Appearance tab in Display Properties.
+
+When enabled on Windows XP and later systems, this setting prevents users and applications from changing the visual style through the command line. Also, a user may not apply a different visual style when changing themes.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prevent changing visual style for windows and buttons*
+- GP name: *CPL_Personalization_DisableVisualStyle*
+- GP path: *Control Panel\Personalization*
+- GP ADMX file name: *ControlPanelDisplay.admx*
+
+
+
+
+
+
+**ADMX_ControlPanelDisplay/CPL_Personalization_EnableScreenSaver**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Enables desktop screen savers.
+
+If you disable this setting, screen savers do not run. Also, this setting disables the Screen Saver section of the Screen Saver dialog in the Personalization or Display Control Panel. As a result, users cannot change the screen saver options.
+
+If you do not configure it, this setting has no effect on the system.
+
+If you enable it, a screen saver runs, provided the following two conditions hold: First, a valid screen saver on the client is specified through the "Screen Saver executable name" setting or through Control Panel on the client computer. Second, the screen saver timeout is set to a nonzero value through the setting or Control Panel.
+
+Also, see the "Prevent changing Screen Saver" setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Enable screen saver*
+- GP name: *CPL_Personalization_EnableScreenSaver*
+- GP path: *Control Panel\Personalization*
+- GP ADMX file name: *ControlPanelDisplay.admx*
+
+
+
+
+
+
+**ADMX_ControlPanelDisplay/CPL_Personalization_ForceDefaultLockScreen**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This setting allows you to force a specific default lock screen and logon image by entering the path (location) of the image file. The same image will be used for both the lock and logon screens.
+
+This setting lets you specify the default lock screen and logon image shown when no user is signed in, and also sets the specified image as the default for all users (it replaces the inbox default image).
+
+To use this setting, type the fully qualified path and name of the file that stores the default lock screen and logon image. You can type a local path, such as C:\Windows\Web\Screen\img104.jpg or a UNC path, such as `\\Server\Share\Corp.jpg`.
+
+This can be used in conjunction with the "Prevent changing lock screen and logon image" setting to always force the specified lock screen and logon image to be shown.
+
+Note: This setting only applies to Enterprise, Education, and Server SKUs.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Force a specific default lock screen and logon image*
+- GP name: *CPL_Personalization_ForceDefaultLockScreen*
+- GP path: *Control Panel\Personalization*
+- GP ADMX file name: *ControlPanelDisplay.admx*
+
+
+
+
+
+
+**ADMX_ControlPanelDisplay/CPL_Personalization_LockFontSize**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the size of the font in the windows and buttons displayed on their screens.
+
+If this setting is enabled, the "Font size" drop-down list on the Appearance tab in Display Properties is disabled.
+
+If you disable or do not configure this setting, a user may change the font size using the "Font size" drop-down list on the Appearance tab.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prohibit selection of visual style font size*
+- GP name: *CPL_Personalization_LockFontSize*
+- GP path: *Control Panel\Personalization*
+- GP ADMX file name: *ControlPanelDisplay.admx*
+
+
+
+
+
+
+**ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingLockScreen**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the background image shown when the machine is locked or when on the logon screen.
+
+By default, users can change the background image shown when the machine is locked or displaying the logon screen.
+
+If you enable this setting, the user will not be able to change their lock screen and logon image, and they will instead see the default image.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prevent changing lock screen and logon image*
+- GP name: *CPL_Personalization_NoChangingLockScreen*
+- GP path: *Control Panel\Personalization*
+- GP ADMX file name: *ControlPanelDisplay.admx*
+
+
+
+
+
+
+**ADMX_ControlPanelDisplay/CPL_Personalization_NoChangingStartMenuBackground**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the look of their start menu background, such as its color or accent.
+
+By default, users can change the look of their start menu background, such as its color or accent.
+
+If you enable this setting, the user will be assigned the default start menu background and colors and will not be allowed to change them.
+
+If the "Force a specific background and accent color" policy is also set on a supported version of Windows, then those colors take precedence over this policy.
+
+If the "Force a specific Start background" policy is also set on a supported version of Windows, then that background takes precedence over this policy.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prevent changing start menu background*
+- GP name: *CPL_Personalization_NoChangingStartMenuBackground*
+- GP path: *Control Panel\Personalization*
+- GP ADMX file name: *ControlPanelDisplay.admx*
+
+
+
+
+
+
+**ADMX_ControlPanelDisplay/CPL_Personalization_NoColorAppearanceUI**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Disables the Color (or Window Color) page in the Personalization Control Panel, or the Color Scheme dialog in the Display Control Panel on systems where the Personalization feature is not available.
+
+This setting prevents users from using Control Panel to change the window border and taskbar color (on Windows 8), glass color (on Windows Vista and Windows 7), system colors, or color scheme of the desktop and windows.
+
+If this setting is disabled or not configured, the Color (or Window Color) page or Color Scheme dialog is available in the Personalization or Display Control Panel.
+
+For systems prior to Windows Vista, this setting hides the Appearance and Themes tabs in the in Display in Control Panel.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prevent changing color and appearance*
+- GP name: *CPL_Personalization_NoColorAppearanceUI*
+- GP path: *Control Panel\Personalization*
+- GP ADMX file name: *ControlPanelDisplay.admx*
+
+
+
+
+
+
+**ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopBackgroundUI**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Prevents users from adding or changing the background design of the desktop.
+
+By default, users can use the Desktop Background page in the Personalization or Display Control Panel to add a background design (wallpaper) to their desktop.
+
+If you enable this setting, none of the Desktop Background settings can be changed by the user.
+
+To specify wallpaper for a group, use the "Desktop Wallpaper" setting.
+
+Note: You must also enable the "Desktop Wallpaper" setting to prevent users from changing the desktop wallpaper. Refer to KB article: Q327998 for more information.
+
+Also, see the "Allow only bitmapped wallpaper" setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prevent changing desktop background*
+- GP name: *CPL_Personalization_NoDesktopBackgroundUI*
+- GP path: *Control Panel\Personalization*
+- GP ADMX file name: *ControlPanelDisplay.admx*
+
+
+
+
+
+
+**ADMX_ControlPanelDisplay/CPL_Personalization_NoDesktopIconsUI**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the desktop icons.
+
+By default, users can use the Desktop Icon Settings dialog in the Personalization or Display Control Panel to show, hide, or change the desktop icons.
+
+If you enable this setting, none of the desktop icons can be changed by the user.
+
+For systems prior to Windows Vista, this setting also hides the Desktop tab in the Display Control Panel.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prevent changing desktop icons*
+- GP name: *CPL_Personalization_NoDesktopIconsUI*
+- GP path: *Control Panel\Personalization*
+- GP ADMX file name: *ControlPanelDisplay.admx*
+
+
+
+
+
+
+**ADMX_ControlPanelDisplay/CPL_Personalization_NoLockScreen**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the lock screen appears for users.
+
+If you enable this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see their selected tile after locking their PC.
+
+If you disable or do not configure this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see a lock screen after locking their PC. They must dismiss the lock screen using touch, the keyboard, or by dragging it with the mouse.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not display the lock screen*
+- GP name: *CPL_Personalization_NoLockScreen*
+- GP path: *Control Panel\Personalization*
+- GP ADMX file name: *ControlPanelDisplay.admx*
+
+
+
+
+
+
+**ADMX_ControlPanelDisplay/CPL_Personalization_NoMousePointersUI**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the mouse pointers.
+
+By default, users can use the Pointers tab in the Mouse Control Panel to add, remove, or change the mouse pointers.
+
+If you enable this setting, none of the mouse pointer scheme settings can be changed by the user.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prevent changing mouse pointers*
+- GP name: *CPL_Personalization_NoMousePointersUI*
+- GP path: *Control Panel\Personalization*
+- GP ADMX file name: *ControlPanelDisplay.admx*
+
+
+
+
+
+
+**ADMX_ControlPanelDisplay/CPL_Personalization_NoScreenSaverUI**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Prevents the Screen Saver dialog from opening in the Personalization or Display Control Panel.
+
+This setting prevents users from using Control Panel to add, configure, or change the screen saver on the computer. It does not prevent a screen saver from running.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prevent changing screen saver*
+- GP name: *CPL_Personalization_NoScreenSaverUI*
+- GP path: *Control Panel\Personalization*
+- GP ADMX file name: *ControlPanelDisplay.admx*
+
+
+
+
+
+
+**ADMX_ControlPanelDisplay/CPL_Personalization_NoSoundSchemeUI**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the sound scheme.
+
+By default, users can use the Sounds tab in the Sound Control Panel to add, remove, or change the system Sound Scheme.
+
+If you enable this setting, none of the Sound Scheme settings can be changed by the user.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prevent changing sounds*
+- GP name: *CPL_Personalization_NoSoundSchemeUI*
+- GP path: *Control Panel\Personalization*
+- GP ADMX file name: *ControlPanelDisplay.admx*
+
+
+
+
+
+
+**ADMX_ControlPanelDisplay/CPL_Personalization_PersonalColors**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Forces Windows to use the specified colors for the background and accent. The color values are specified in hex as #RGB.
+
+By default, users can change the background and accent colors.
+
+If this setting is enabled, the background and accent colors of Windows will be set to the specified colors and users cannot change those colors. This setting will not be applied if the specified colors do not meet a contrast ratio of 2:1 with white text.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Force a specific background and accent color*
+- GP name: *CPL_Personalization_PersonalColors*
+- GP path: *Control Panel\Personalization*
+- GP ADMX file name: *ControlPanelDisplay.admx*
+
+
+
+
+
+
+**ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverIsSecure**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Determines whether screen savers used on the computer are password protected.
+
+If you enable this setting, all screen savers are password protected. If you disable this setting, password protection cannot be set on any screen saver.
+
+This setting also disables the "Password protected" checkbox on the Screen Saver dialog in the Personalization or Display Control Panel, preventing users from changing the password protection setting.
+
+If you do not configure this setting, users can choose whether or not to set password protection on each screen saver.
+
+To ensure that a computer will be password protected, enable the "Enable Screen Saver" setting and specify a timeout via the "Screen Saver timeout" setting.
+
+> [!NOTE]
+> To remove the Screen Saver dialog, use the "Prevent changing Screen Saver" setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Password protect the screen saver*
+- GP name: *CPL_Personalization_ScreenSaverIsSecure*
+- GP path: *Control Panel\Personalization*
+- GP ADMX file name: *ControlPanelDisplay.admx*
+
+
+
+
+
+
+**ADMX_ControlPanelDisplay/CPL_Personalization_ScreenSaverTimeOut**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Specifies how much user idle time must elapse before the screen saver is launched.
+
+When configured, this idle time can be set from a minimum of 1 second to a maximum of 86,400 seconds, or 24 hours. If set to zero, the screen saver will not be started.
+
+This setting has no effect under any of the following circumstances:
+
+- The setting is disabled or not configured.
+
+- The wait time is set to zero.
+
+- The "Enable Screen Saver" setting is disabled.
+
+- Neither the "Screen saver executable name" setting nor the Screen Saver dialog of the client computer's Personalization or Display Control Panel specifies a valid existing screen saver program on the client.
+
+When not configured, whatever wait time is set on the client through the Screen Saver dialog in the Personalization or Display Control Panel is used. The default is 15 minutes.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Screen saver timeout*
+- GP name: *CPL_Personalization_ScreenSaverTimeOut*
+- GP path: *Control Panel\Personalization*
+- GP ADMX file name: *ControlPanelDisplay.admx*
+
+
+
+
+
+
+**ADMX_ControlPanelDisplay/CPL_Personalization_SetScreenSaver**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Specifies the screen saver for the user's desktop.
+
+If you enable this setting, the system displays the specified screen saver on the user's desktop. Also, this setting disables the drop-down list of screen savers in the Screen Saver dialog in the Personalization or Display Control Panel, which prevents users from changing the screen saver.
+
+If you disable this setting or do not configure it, users can select any screen saver.
+
+If you enable this setting, type the name of the file that contains the screen saver, including the .scr file name extension. If the screen saver file is not in the %Systemroot%\System32 directory, type the fully qualified path to the file.
+
+If the specified screen saver is not installed on a computer to which this setting applies, the setting is ignored.
+
+> [!NOTE]
+> This setting can be superseded by the "Enable Screen Saver" setting. If the "Enable Screen Saver" setting is disabled, this setting is ignored, and screen savers do not run.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Force specific screen saver*
+- GP name: *CPL_Personalization_SetScreenSaver*
+- GP path: *Control Panel\Personalization*
+- GP ADMX file name: *ControlPanelDisplay.admx*
+
+
+
+
+
+
+**ADMX_ControlPanelDisplay/CPL_Personalization_SetTheme**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Specifies which theme file is applied to the computer the first time a user logs on.
+
+If you enable this setting, the theme that you specify will be applied when a new user logs on for the first time. This policy does not prevent the user from changing the theme or any of the theme elements such as the desktop background, color, sounds, or screen saver after the first logon.
+
+If you disable or do not configure this setting, the default theme will be applied at the first logon.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Load a specific theme*
+- GP name: *CPL_Personalization_SetTheme*
+- GP path: *Control Panel\Personalization*
+- GP ADMX file name: *ControlPanelDisplay.admx*
+
+
+
+
+
+
+**ADMX_ControlPanelDisplay/CPL_Personalization_SetVisualStyle**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This setting allows you to force a specific visual style file by entering the path (location) of the visual style file.
+
+This can be a local computer visual style (aero.msstyles), or a file located on a remote server using a UNC path (\\Server\Share\aero.msstyles).
+
+If you enable this setting, the visual style file that you specify will be used. Also, a user may not apply a different visual style when changing themes.
+
+If you disable or do not configure this setting, the users can select the visual style that they want to use by changing themes (if the Personalization Control Panel is available).
+
+> [!NOTE]
+> If this setting is enabled and the file is not available at user logon, the default visual style is loaded.
+>
+> When running Windows XP, you can select the Luna visual style by typing %windir%\resources\Themes\Luna\Luna.msstyles.
+>
+> To select the Windows Classic visual style, leave the box blank beside "Path to Visual Style:" and enable this setting. When running Windows 8 or Windows RT, you cannot apply the Windows Classic visual style.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Force a specific visual style file or force Windows Classic*
+- GP name: *CPL_Personalization_SetVisualStyle*
+- GP path: *Control Panel\Personalization*
+- GP ADMX file name: *ControlPanelDisplay.admx*
+
+
+
+
+
+
+**ADMX_ControlPanelDisplay/CPL_Personalization_StartBackground**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Forces the Start screen to use one of the available backgrounds, 1 through 20, and prevents the user from changing it.
+
+If this setting is set to zero or not configured, then Start uses the default background, and users can change it.
+
+If this setting is set to a nonzero value, then Start uses the specified background, and users cannot change it. If the specified background is not supported, the default background is used.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Force a specific Start background*
+- GP name: *CPL_Personalization_StartBackground*
+- GP path: *Control Panel\Personalization*
+- GP ADMX file name: *ControlPanelDisplay.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-cpls.md b/windows/client-management/mdm/policy-csp-admx-cpls.md
index 21bf8792f1..d198e617ff 100644
--- a/windows/client-management/mdm/policy-csp-admx-cpls.md
+++ b/windows/client-management/mdm/policy-csp-admx-cpls.md
@@ -74,7 +74,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows an administrator to standardize the account pictures for all users on a system to the default account picture. One application for this policy setting is to standardize the account pictures to a company logo.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows an administrator to standardize the account pictures for all users on a system to the default account picture. One application for this policy setting is to standardize the account pictures to a company logo.
> [!NOTE]
> The default account picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures\user.jpg. The default guest picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures\guest.jpg. If the default pictures do not exist, an empty frame is displayed.
@@ -104,14 +104,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md
new file mode 100644
index 0000000000..dcaa5fa29f
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md
@@ -0,0 +1,270 @@
+---
+title: Policy CSP - ADMX_CredentialProviders
+description: Policy CSP - ADMX_CredentialProviders
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 11/11/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_CredentialProviders
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_CredentialProviders policies
+
+
+
+
+
+
+
+
+**ADMX_CredentialProviders/AllowDomainDelayLock**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether a user can change the time before a password is required when a Connected Standby device screen turns off.
+
+If you enable this policy setting, a user on a Connected Standby device can change the amount of time after the device's screen turns off before a password is required when waking the device. The time is limited by any EAS settings or Group Policies that affect the maximum idle time before a device locks. Additionally, if a password is required when a screensaver turns on, the screensaver timeout will limit the options the user may choose.
+
+If you disable this policy setting, a user cannot change the amount of time after the device's screen turns off before a password is required when waking the device. Instead, a password is required immediately after the screen turns off.
+
+If you don't configure this policy setting on a domain-joined device, a user cannot change the amount of time after the device's screen turns off before a password is required when waking the device. Instead, a password is required immediately after the screen turns off.
+
+If you don't configure this policy setting on a workgroup device, a user on a Connected Standby device can change the amount of time after the device's screen turns off before a password is required when waking the device. The time is limited by any EAS settings or Group Policies that affect the maximum idle time before a device locks. Additionally, if a password is required when a screensaver turns on, the screensaver timeout will limit the options the user may choose.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow users to select when a password is required when resuming from connected standby*
+- GP name: *AllowDomainDelayLock*
+- GP path: *System\Logon*
+- GP ADMX file name: *CredentialProviders.admx*
+
+
+
+
+
+
+**ADMX_CredentialProviders/DefaultCredentialProvider**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows the administrator to assign a specified credential provider as the default credential provider.
+
+If you enable this policy setting, the specified credential provider is selected on other user tile.
+
+If you disable or do not configure this policy setting, the system picks the default credential provider on other user tile.
+
+> [!NOTE]
+> A list of registered credential providers and their GUIDs can be found in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Assign a default credential provider*
+- GP name: *DefaultCredentialProvider*
+- GP path: *System\Logon*
+- GP ADMX file name: *CredentialProviders.admx*
+
+
+
+
+
+
+
+**ADMX_CredentialProviders/ExcludedCredentialProviders**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows the administrator to exclude the specified credential providers from use during authentication.
+
+> [!NOTE]
+> Credential providers are used to process and validate user credentials during logon or when authentication is required. Windows Vista provides two default credential providers: Password and Smart Card. An administrator can install additional credential providers for different sets of credentials (for example, to support biometric authentication).
+
+If you enable this policy, an administrator can specify the CLSIDs of the credential providers to exclude from the set of installed credential providers available for authentication purposes.
+
+If you disable or do not configure this policy, all installed and otherwise enabled credential providers are available for authentication purposes.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Exclude credential providers*
+- GP name: *ExcludedCredentialProviders*
+- GP path: *System\Logon*
+- GP ADMX file name: *CredentialProviders.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-credssp.md b/windows/client-management/mdm/policy-csp-admx-credssp.md
new file mode 100644
index 0000000000..7cf1e14d14
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-credssp.md
@@ -0,0 +1,970 @@
+---
+title: Policy CSP - ADMX_CredSsp
+description: Policy CSP - ADMX_CredSsp
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 11/12/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_CredSsp
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_CredSsp policies
+
+
+
+
+
+
+
+
+**ADMX_CredSsp/AllowDefCredentialsWhenNTLMOnly**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection).
+
+This policy setting applies when server authentication was achieved via NTLM.
+
+If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those that you use when first logging on to Windows).
+
+If you disable or do not configure (by default) this policy setting, delegation of default credentials is not permitted to any machine.
+
+> [!NOTE]
+> The "Allow delegating default credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN.
+>
+> For Example:
+>
+> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine
+> - TERMSRV/* Remote Desktop Session Host running on all machines.
+> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow delegating default credentials with NTLM-only server authentication*
+- GP name: *AllowDefCredentialsWhenNTLMOnly*
+- GP path: *System\Credentials Delegation*
+- GP ADMX file name: *CredSsp.admx*
+
+
+
+
+
+
+**ADMX_CredSsp/AllowDefaultCredentials**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection).
+
+This policy setting applies when server authentication was achieved by using a trusted X509 certificate or Kerberos.
+
+If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those that you use when first logging on to Windows).
+
+The policy becomes effective the next time the user signs on to a computer running Windows.
+
+If you disable or do not configure (by default) this policy setting, delegation of default credentials is not permitted to any computer. Applications depending upon this delegation behavior might fail authentication. For more information, see KB.
+
+FWlink for KB:
+https://go.microsoft.com/fwlink/?LinkId=301508
+
+> [!NOTE]
+> The "Allow delegating default credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN.
+>
+> For Example:
+>
+> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine
+> - TERMSRV/* Remote Desktop Session Host running on all machines.
+> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow delegating default credentials*
+- GP name: *AllowDefaultCredentials*
+- GP path: *System\Credentials Delegation*
+- GP ADMX file name: *CredSsp.admx*
+
+
+
+
+
+
+**ADMX_CredSsp/AllowEncryptionOracle**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection).
+
+Some versions of the CredSSP protocol are vulnerable to an encryption oracle attack against the client. This policy controls compatibility with vulnerable clients and servers. This policy allows you to set the level of protection desired for the encryption oracle vulnerability.
+
+If you enable this policy setting, CredSSP version support will be selected based on the following options:
+
+- Force Updated Clients: Client applications which use CredSSP will not be able to fall back to the insecure versions and services using CredSSP will not accept unpatched clients.
+
+ > [!NOTE]
+ > This setting should not be deployed until all remote hosts support the newest version.
+
+- Mitigated: Client applications which use CredSSP will not be able to fall back to the insecure version but services using CredSSP will accept unpatched clients. See the link below for important information about the risk posed by remaining unpatched clients.
+
+- Vulnerable: Client applications which use CredSSP will expose the remote servers to attacks by supporting fall back to the insecure versions and services using CredSSP will accept unpatched clients.
+
+For more information about the vulnerability and servicing requirements for protection, see https://go.microsoft.com/fwlink/?linkid=866660
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Encryption Oracle Remediation*
+- GP name: *AllowEncryptionOracle*
+- GP path: *System\Credentials Delegation*
+- GP ADMX file name: *CredSsp.admx*
+
+
+
+
+
+
+**ADMX_CredSsp/AllowFreshCredentials**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection).
+
+This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos.
+
+If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those that you are prompted for when executing the application).
+
+If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*).
+
+If you disable this policy setting, delegation of fresh credentials is not permitted to any machine.
+
+> [!NOTE]
+> The "Allow delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard is permitted when specifying the SPN.
+>
+> For Example:
+>
+> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine
+> - TERMSRV/* Remote Desktop Session Host running on all machines.
+> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow delegating fresh credentials*
+- GP name: *AllowFreshCredentials*
+- GP path: *System\Credentials Delegation*
+- GP ADMX file name: *CredSsp.admx*
+
+
+
+
+
+
+**ADMX_CredSsp/AllowFreshCredentialsWhenNTLMOnly**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection).
+
+This policy setting applies when server authentication was achieved via NTLM.
+
+If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those that you are prompted for when executing the application).
+
+If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*).
+
+If you disable this policy setting, delegation of fresh credentials is not permitted to any machine.
+
+> [!NOTE]
+> The "Allow delegating fresh credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN.
+>
+> For Example:
+>
+> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine
+> - TERMSRV/* Remote Desktop Session Host running on all machines.
+> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow delegating fresh credentials with NTLM-only server authentication*
+- GP name: *AllowFreshCredentialsWhenNTLMOnly*
+- GP path: *System\Credentials Delegation*
+- GP ADMX file name: *CredSsp.admx*
+
+
+
+
+
+
+**ADMX_CredSsp/AllowSavedCredentials**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection).
+
+This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos.
+
+If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager).
+
+If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*).
+
+If you disable this policy setting, delegation of saved credentials is not permitted to any machine.
+
+> [!NOTE]
+> The "Allow delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN.
+>
+> For Example:
+>
+> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine
+> - TERMSRV/* Remote Desktop Session Host running on all machines.
+> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow delegating saved credentials*
+- GP name: *AllowSavedCredentials*
+- GP path: *System\Credentials Delegation*
+- GP ADMX file name: *CredSsp.admx*
+
+
+
+
+
+
+**ADMX_CredSsp/AllowSavedCredentialsWhenNTLMOnly**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection).
+
+This policy setting applies when server authentication was achieved via NTLM.
+
+If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager).
+
+If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*) if the client machine is not a member of any domain. If the client is domain-joined, by default the delegation of saved credentials is not permitted to any machine.
+
+If you disable this policy setting, delegation of saved credentials is not permitted to any machine.
+
+> [!NOTE]
+> The "Allow delegating saved credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN.
+>
+> For Example:
+>
+> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine
+> - TERMSRV/* Remote Desktop Session Host running on all machines.
+> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.com
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow delegating saved credentials with NTLM-only server authentication*
+- GP name: *AllowSavedCredentialsWhenNTLMOnly*
+- GP path: *System\Credentials Delegation*
+- GP ADMX file name: *CredSsp.admx*
+
+
+
+
+
+
+**ADMX_CredSsp/DenyDefaultCredentials**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection).
+
+If you enable this policy setting, you can specify the servers to which the user's default credentials cannot be delegated (default credentials are those that you use when first logging on to Windows).
+
+If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server.
+
+> [!NOTE]
+> The "Deny delegating default credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN.
+>
+> For Example:
+>
+> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine
+> - TERMSRV/* Remote Desktop Session Host running on all machines.
+> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com
+
+This policy setting can be used in combination with the "Allow delegating default credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating default credentials" server list.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Deny delegating default credentials*
+- GP name: *DenyDefaultCredentials*
+- GP path: *System\Credentials Delegation*
+- GP ADMX file name: *CredSsp.admx*
+
+
+
+
+
+
+**ADMX_CredSsp/DenyFreshCredentials**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection).
+
+If you enable this policy setting, you can specify the servers to which the user's fresh credentials cannot be delegated (fresh credentials are those that you are prompted for when executing the application).
+
+If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server.
+
+> [!NOTE]
+> The "Deny delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN.
+>
+> For Example:
+>
+> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine
+> - TERMSRV/* Remote Desktop Session Host running on all machines.
+> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com
+
+This policy setting can be used in combination with the "Allow delegating fresh credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating fresh credentials" server list.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Deny delegating fresh credentials*
+- GP name: *DenyFreshCredentials*
+- GP path: *System\Credentials Delegation*
+- GP ADMX file name: *CredSsp.admx*
+
+
+
+
+
+
+**ADMX_CredSsp/DenySavedCredentials**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection).
+
+If you enable this policy setting, you can specify the servers to which the user's saved credentials cannot be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager).
+
+If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server.
+
+> [!NOTE]
+> The "Deny delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN.
+>
+> For Example:
+>
+> - TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machine
+> - TERMSRV/* Remote Desktop Session Host running on all machines.
+> - TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com
+
+This policy setting can be used in combination with the "Allow delegating saved credentials" policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating saved credentials" server list.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Deny delegating saved credentials*
+- GP name: *DenySavedCredentials*
+- GP path: *System\Credentials Delegation*
+- GP ADMX file name: *CredSsp.admx*
+
+
+
+
+
+
+**ADMX_CredSsp/RestrictedRemoteAdministration**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. When running in Restricted Admin or Remote Credential Guard mode, participating apps do not expose signed in or supplied credentials to a remote host. Restricted Admin limits access to resources located on other servers or networks from the remote host because credentials are not delegated. Remote Credential Guard does not limit access to resources because it redirects all requests back to the client device.
+
+Participating apps:
+Remote Desktop Client
+
+If you enable this policy setting, the following options are supported:
+
+- Restrict credential delegation: Participating applications must use Restricted Admin or Remote Credential Guard to connect to remote hosts.
+- Require Remote Credential Guard: Participating applications must use Remote Credential Guard to connect to remote hosts.
+- Require Restricted Admin: Participating applications must use Restricted Admin to connect to remote hosts.
+
+If you disable or do not configure this policy setting, Restricted Admin and Remote Credential Guard mode are not enforced and participating apps can delegate credentials to remote devices.
+
+> [!NOTE]
+> To disable most credential delegation, it may be sufficient to deny delegation in Credential Security Support Provider (CredSSP) by modifying Administrative template settings (located at Computer Configuration\Administrative Templates\System\Credentials Delegation).
+>
+> On Windows 8.1 and Windows Server 2012 R2, enabling this policy will enforce Restricted Administration mode, regardless of the mode chosen. These versions do not support Remote Credential Guard.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Restrict delegation of credentials to remote servers*
+- GP name: *RestrictedRemoteAdministration*
+- GP path: *System\Credentials Delegation*
+- GP ADMX file name: *CredSsp.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-credui.md b/windows/client-management/mdm/policy-csp-admx-credui.md
new file mode 100644
index 0000000000..cf430cc22f
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-credui.md
@@ -0,0 +1,186 @@
+---
+title: Policy CSP - ADMX_CredUI
+description: Policy CSP - ADMX_CredUI
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 11/09/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_CredUI
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_CredUI policies
+
+
+
+
+
+
+
+**ADMX_CredUI/EnableSecureCredentialPrompting**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting requires the user to enter Microsoft Windows credentials using a trusted path, to prevent a Trojan horse or other types of malicious code from stealing the user’s Windows credentials.
+
+> [!NOTE]
+> This policy affects nonlogon authentication tasks only. As a security best practice, this policy should be enabled.
+
+If you enable this policy setting, users will be required to enter Windows credentials on the Secure Desktop by means of the trusted path mechanism.
+
+If you disable or do not configure this policy setting, users will enter Windows credentials within the user’s desktop session, potentially allowing malicious code access to the user’s Windows credentials.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Require trusted path for credential entry*
+- GP name: *EnableSecureCredentialPrompting*
+- GP path: *Windows Components\Credential User Interface*
+- GP ADMX file name: *CredUI.admx*
+
+
+
+
+
+
+**ADMX_CredUI/NoLocalPasswordResetQuestions**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. If you turn this policy setting on, local users won’t be able to set up and use security questions to reset their passwords.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prevent the use of security questions for local accounts*
+- GP name: *NoLocalPasswordResetQuestions*
+- GP path: *Windows Components\Credential User Interface*
+- GP ADMX file name: *CredUI.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md
index 9ecc74d2e9..7ec6bdd7bc 100644
--- a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md
+++ b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md
@@ -83,7 +83,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from changing their Windows password on demand.
+Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from changing their Windows password on demand.
If you enable this policy setting, the 'Change Password' button on the Windows Security dialog box will not appear when you press Ctrl+Alt+Del.
@@ -153,7 +153,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from locking the system.
+Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from locking the system.
While locked, the desktop is hidden and the system cannot be used. Only the user who locked the system or the system administrator can unlock it.
@@ -226,7 +226,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from starting Task Manager.
+Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from starting Task Manager.
Task Manager (**taskmgr.exe**) lets users start and stop programs, monitor the performance of their computers, view and monitor all programs running on their computers, including system services, find the executable names of programs, and change the priority of the process in which programs run.
@@ -297,7 +297,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting disables or removes all menu items and buttons that log the user off the system.
+Available in the latest Windows 10 Insider Preview Build. This policy setting disables or removes all menu items and buttons that log the user off the system.
If you enable this policy setting, users will not see the Log off menu item when they press Ctrl+Alt+Del. This will prevent them from logging off unless they restart or shutdown the computer, or clicking Log off from the Start menu.
@@ -326,14 +326,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-datacollection.md b/windows/client-management/mdm/policy-csp-admx-datacollection.md
new file mode 100644
index 0000000000..b550db06f6
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-datacollection.md
@@ -0,0 +1,115 @@
+---
+title: Policy CSP - ADMX_DataCollection
+description: Policy CSP - ADMX_DataCollection
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 12/01/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_DataCollection
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_DataCollection policies
+
+
+
+
+
+
+
+**ADMX_DataCollection/CommercialIdPolicy**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting defines the identifier used to uniquely associate this device’s telemetry data as belonging to a given organization.
+
+If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program.
+
+If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its telemetry data with your organization.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure the Commercial ID*
+- GP name: *CommercialIdPolicy*
+- GP path: *Windows Components\Data Collection and Preview Builds*
+- GP ADMX file name: *DataCollection.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-desktop.md b/windows/client-management/mdm/policy-csp-admx-desktop.md
new file mode 100644
index 0000000000..8c3fd1a932
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-desktop.md
@@ -0,0 +1,2183 @@
+---
+title: Policy CSP - ADMX_Desktop
+description: Policy CSP - ADMX_Desktop
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 12/02/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_Desktop
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_Desktop policies
+
+
+
+
+
+
+
+
+**ADMX_Desktop/AD_EnableFilter**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Displays the filter bar above the results of an Active Directory search. The filter bar consists of buttons for applying additional filters to search results.
+
+If you enable this setting, the filter bar appears when the Active Directory Find dialog box opens, but users can hide it.
+
+If you disable this setting or do not configure it, the filter bar does not appear, but users can display it by selecting "Filter" on the "View" menu.
+
+To see the filter bar, open Network Locations, click Entire Network, and then click Directory. Right-click the name of a Windows domain, and click Find. Type the name of an object in the directory, such as "Administrator." If the filter bar does not appear above the resulting display, on the View menu, click Filter.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Enable filter in Find dialog box*
+- GP name: *AD_EnableFilter*
+- GP path: *Desktop\Active Directory*
+- GP ADMX file name: *Desktop.admx*
+
+
+
+
+
+
+**ADMX_Desktop/AD_HideDirectoryFolder**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Hides the Active Directory folder in Network Locations.
+
+The Active Directory folder displays Active Directory objects in a browse window.
+
+If you enable this setting, the Active Directory folder does not appear in the Network Locations folder.
+
+If you disable this setting or do not configure it, the Active Directory folder appears in the Network Locations folder.
+
+This setting is designed to let users search Active Directory but not tempt them to casually browse Active Directory.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hide Active Directory folder*
+- GP name: *AD_HideDirectoryFolder*
+- GP path: *Desktop\Active Directory*
+- GP ADMX file name: *Desktop.admx*
+
+
+
+
+
+
+**ADMX_Desktop/AD_QueryLimit**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Specifies the maximum number of objects the system displays in response to a command to browse or search Active Directory. This setting affects all browse displays associated with Active Directory, such as those in Local Users and Groups, Active Directory Users and Computers, and dialog boxes used to set permissions for user or group objects in Active Directory.
+
+If you enable this setting, you can use the "Number of objects returned" box to limit returns from an Active Directory search.
+
+If you disable this setting or do not configure it, the system displays up to 10,000 objects. This consumes approximately 2 MB of memory or disk space.
+
+This setting is designed to protect the network and the domain controller from the effect of expansive searches.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Maximum size of Active Directory searches*
+- GP name: *AD_QueryLimit*
+- GP path: *Desktop\Active Directory*
+- GP ADMX file name: *Desktop.admx*
+
+
+
+
+
+
+**ADMX_Desktop/ForceActiveDesktopOn**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Enables Active Desktop and prevents users from disabling it.
+
+This setting prevents users from trying to enable or disable Active Desktop while a policy controls it.
+
+If you disable this setting or do not configure it, Active Desktop is disabled by default, but users can enable it.
+
+> [!NOTE]
+> If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both of these policies are ignored.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Enable Active Desktop*
+- GP name: *ForceActiveDesktopOn*
+- GP path: *Desktop\Desktop*
+- GP ADMX file name: *Desktop.admx*
+
+
+
+
+
+
+**ADMX_Desktop/NoActiveDesktop**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Disables Active Desktop and prevents users from enabling it.
+
+This setting prevents users from trying to enable or disable Active Desktop while a policy controls it.
+
+If you disable this setting or do not configure it, Active Desktop is disabled by default, but users can enable it.
+
+> [!NOTE]
+> If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both these policies are ignored.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Disable Active Desktop*
+- GP name: *NoActiveDesktop*
+- GP path: *Desktop\Desktop*
+- GP ADMX file name: *Desktop.admx*
+
+
+
+
+
+
+**ADMX_Desktop/NoActiveDesktopChanges**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Prevents the user from enabling or disabling Active Desktop or changing the Active Desktop configuration.
+
+This is a comprehensive setting that locks down the configuration you establish by using other policies in this folder. This setting removes the Web tab from Display in Control Panel. As a result, users cannot enable or disable Active Desktop. If Active Desktop is already enabled, users cannot add, remove, or edit Web content or disable, lock, or synchronize Active Desktop components.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prohibit changes*
+- GP name: *NoActiveDesktopChanges*
+- GP path: *Desktop\Desktop*
+- GP ADMX file name: *Desktop.admx*
+
+
+
+
+
+
+**ADMX_Desktop/NoDesktop**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Removes icons, shortcuts, and other default and user-defined items from the desktop, including Briefcase, Recycle Bin, Computer, and Network Locations.
+
+Removing icons and shortcuts does not prevent the user from using another method to start the programs or opening the items they represent.
+
+Also, see "Items displayed in Places Bar" in User Configuration\Administrative Templates\Windows Components\Common Open File Dialog to remove the Desktop icon from the Places Bar. This will help prevent users from saving data to the Desktop.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hide and disable all items on the desktop*
+- GP name: *NoDesktop*
+- GP path: *Desktop*
+- GP ADMX file name: *Desktop.admx*
+
+
+
+
+
+
+**ADMX_Desktop/NoDesktopCleanupWizard**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Prevents users from using the Desktop Cleanup Wizard.
+
+If you enable this setting, the Desktop Cleanup wizard does not automatically run on a users workstation every 60 days. The user will also not be able to access the Desktop Cleanup Wizard.
+
+If you disable this setting or do not configure it, the default behavior of the Desktop Clean Wizard running every 60 days occurs.
+
+> [!NOTE]
+> When this setting is not enabled, users can run the Desktop Cleanup Wizard, or have it run automatically every 60 days from Display, by clicking the Desktop tab and then clicking the Customize Desktop button.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove the Desktop Cleanup Wizard*
+- GP name: *NoDesktopCleanupWizard*
+- GP path: *Desktop*
+- GP ADMX file name: *Desktop.admx*
+
+
+
+
+
+
+**ADMX_Desktop/NoInternetIcon**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Removes the Internet Explorer icon from the desktop and from the Quick Launch bar on the taskbar.
+
+This setting does not prevent the user from starting Internet Explorer by using other methods.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hide Internet Explorer icon on desktop*
+- GP name: *NoInternetIcon*
+- GP path: *Desktop*
+- GP ADMX file name: *Desktop.admx*
+
+
+
+
+
+
+**ADMX_Desktop/NoMyComputerIcon**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This setting hides Computer from the desktop and from the new Start menu. It also hides links to Computer in the Web view of all Explorer windows, and it hides Computer in the Explorer folder tree pane. If the user navigates into Computer via the "Up" button while this setting is enabled, they view an empty Computer folder. This setting allows administrators to restrict their users from seeing Computer in the shell namespace, allowing them to present their users with a simpler desktop environment.
+
+If you enable this setting, Computer is hidden on the desktop, the new Start menu, the Explorer folder tree pane, and the Explorer Web views. If the user manages to navigate to Computer, the folder will be empty.
+
+If you disable this setting, Computer is displayed as usual, appearing as normal on the desktop, Start menu, folder tree pane, and Web views, unless restricted by another setting.
+
+If you do not configure this setting, the default is to display Computer as usual.
+
+> [!NOTE]
+> In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Computer icon. Hiding Computer and its contents does not hide the contents of the child folders of Computer. For example, if the users navigate into one of their hard drives, they see all of their folders and files there, even if this setting is enabled.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Computer icon on the desktop*
+- GP name: *NoMyComputerIcon*
+- GP path: *Desktop*
+- GP ADMX file name: *Desktop.admx*
+
+
+
+
+
+
+**ADMX_Desktop/NoMyDocumentsIcon**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Removes most occurrences of the My Documents icon.
+
+This setting removes the My Documents icon from the desktop, from File Explorer, from programs that use the File Explorer windows, and from the standard Open dialog box.
+
+This setting does not prevent the user from using other methods to gain access to the contents of the My Documents folder.
+
+This setting does not remove the My Documents icon from the Start menu. To do so, use the "Remove My Documents icon from Start Menu" setting.
+
+> [!NOTE]
+> To make changes to this setting effective, you must log off from and log back on to Windows 2000 Professional.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove My Documents icon on the desktop*
+- GP name: *NoMyDocumentsIcon*
+- GP path: *Desktop*
+- GP ADMX file name: *Desktop.admx*
+
+
+
+
+
+
+**ADMX_Desktop/NoNetHood**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Removes the Network Locations icon from the desktop.
+
+This setting only affects the desktop icon. It does not prevent users from connecting to the network or browsing for shared computers on the network.
+
+> [!NOTE]
+> In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Network Places icon.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hide Network Locations icon on desktop*
+- GP name: *NoNetHood*
+- GP path: *Desktop*
+- GP ADMX file name: *Desktop.admx*
+
+
+
+
+
+
+**ADMX_Desktop/NoPropertiesMyComputer**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This setting hides Properties on the context menu for Computer.
+
+If you enable this setting, the Properties option will not be present when the user right-clicks My Computer or clicks Computer and then goes to the File menu. Likewise, Alt-Enter does nothing when Computer is selected.
+
+If you disable or do not configure this setting, the Properties option is displayed as usual.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Properties from the Computer icon context menu*
+- GP name: *NoPropertiesMyComputer*
+- GP path: *Desktop*
+- GP ADMX file name: *Desktop.admx*
+
+
+
+
+
+
+**ADMX_Desktop/NoPropertiesMyDocuments**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting hides the Properties menu command on the shortcut menu for the My Documents icon.
+
+If you enable this policy setting, the Properties menu command will not be displayed when the user does any of the following:
+
+- Right-clicks the My Documents icon.
+- Clicks the My Documents icon, and then opens the File menu.
+- Clicks the My Documents icon, and then presses ALT+ENTER.
+
+If you disable or do not configure this policy setting, the Properties menu command is displayed.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Properties from the Documents icon context menu*
+- GP name: *NoPropertiesMyDocuments*
+- GP path: *Desktop*
+- GP ADMX file name: *Desktop.admx*
+
+
+
+
+
+
+**ADMX_Desktop/NoRecentDocsNetHood**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Remote shared folders are not added to Network Locations whenever you open a document in the shared folder.
+
+If you disable this setting or do not configure it, when you open a document in a remote shared folder, the system adds a connection to the shared folder to Network Locations.
+
+If you enable this setting, shared folders are not added to Network Locations automatically when you open a document in the shared folder.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not add shares of recently opened documents to Network Locations*
+- GP name: *NoRecentDocsNetHood*
+- GP path: *Desktop*
+- GP ADMX file name: *Desktop.admx*
+
+
+
+
+
+
+**ADMX_Desktop/NoRecycleBinIcon**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Removes most occurrences of the Recycle Bin icon.
+
+This setting removes the Recycle Bin icon from the desktop, from File Explorer, from programs that use the File Explorer windows, and from the standard Open dialog box.
+
+This setting does not prevent the user from using other methods to gain access to the contents of the Recycle Bin folder.
+
+> [!NOTE]
+> To make changes to this setting effective, you must log off and then log back on.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Recycle Bin icon from desktop*
+- GP name: *NoRecycleBinIcon*
+- GP path: *Desktop*
+- GP ADMX file name: *Desktop.admx*
+
+
+
+
+
+
+**ADMX_Desktop/NoRecycleBinProperties**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Removes the Properties option from the Recycle Bin context menu.
+
+If you enable this setting, the Properties option will not be present when the user right-clicks on Recycle Bin or opens Recycle Bin and then clicks File. Likewise, Alt-Enter does nothing when Recycle Bin is selected.
+
+If you disable or do not configure this setting, the Properties option is displayed as usual.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Properties from the Recycle Bin context menu*
+- GP name: *NoRecycleBinProperties*
+- GP path: *Desktop*
+- GP ADMX file name: *Desktop.admx*
+
+
+
+
+
+
+**ADMX_Desktop/NoSaveSettings**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Prevents users from saving certain changes to the desktop.
+
+If you enable this setting, users can change the desktop, but some changes, such as the position of open windows or the size and position of the taskbar, are not saved when users log off. However, shortcuts placed on the desktop are always saved.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Don't save settings at exit*
+- GP name: *NoSaveSettings*
+- GP path: *Desktop*
+- GP ADMX file name: *Desktop.admx*
+
+
+
+
+
+
+**ADMX_Desktop/NoWindowMinimizingShortcuts**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Prevents windows from being minimized or restored when the active window is shaken back and forth with the mouse.
+
+If you enable this policy, application windows will not be minimized or restored when the active window is shaken back and forth with the mouse.
+
+If you disable or do not configure this policy, this window minimizing and restoring gesture will apply.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Aero Shake window minimizing mouse gesture*
+- GP name: *NoWindowMinimizingShortcuts*
+- GP path: *Desktop*
+- GP ADMX file name: *Desktop.admx*
+
+
+
+
+
+
+**ADMX_Desktop/Wallpaper**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Specifies the desktop background ("wallpaper") displayed on all users' desktops.
+
+This setting lets you specify the wallpaper on users' desktops and prevents users from changing the image or its presentation. The wallpaper you specify can be stored in a bitmap (*.bmp) or JPEG (*.jpg) file.
+
+To use this setting, type the fully qualified path and name of the file that stores the wallpaper image. You can type a local path, such as C:\Windows\web\wallpaper\home.jpg or a UNC path, such as \\\Server\Share\Corp.jpg. If the specified file is not available when the user logs on, no wallpaper is displayed. Users cannot specify alternative wallpaper. You can also use this setting to specify that the wallpaper image be centered, tiled, or stretched. Users cannot change this specification.
+
+If you disable this setting or do not configure it, no wallpaper is displayed. However, users can select the wallpaper of their choice.
+
+Also, see the "Allow only bitmapped wallpaper" in the same location, and the "Prevent changing wallpaper" setting in User Configuration\Administrative Templates\Control Panel.
+
+> [!NOTE]
+> This setting does not apply to remote desktop server sessions.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Desktop Wallpaper*
+- GP name: *Wallpaper*
+- GP path: *Desktop\Desktop*
+- GP ADMX file name: *Desktop.admx*
+
+
+
+
+
+
+**ADMX_Desktop/sz_ATC_DisableAdd**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Prevents users from adding Web content to their Active Desktop.
+
+This setting removes the "New" button from Web tab in Display in Control Panel. As a result, users cannot add Web pages or pictures from the Internet or an intranet to the desktop. This setting does not remove existing Web content from their Active Desktop, or prevent users from removing existing Web content.
+
+Also, see the "Disable all items" setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prohibit adding items*
+- GP name: *sz_ATC_DisableAdd*
+- GP path: *Desktop\Desktop*
+- GP ADMX file name: *Desktop.admx*
+
+
+
+
+
+
+**ADMX_Desktop/sz_ATC_DisableClose**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Prevents users from removing Web content from their Active Desktop.
+
+In Active Desktop, you can add items to the desktop but close them so they are not displayed.
+
+If you enable this setting, items added to the desktop cannot be closed; they always appear on the desktop. This setting removes the check boxes from items on the Web tab in Display in Control Panel.
+
+> [!NOTE]
+> This setting does not prevent users from deleting items from their Active Desktop.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prohibit closing items*
+- GP name: *sz_ATC_DisableClose*
+- GP path: *Desktop\Desktop*
+- GP ADMX file name: *Desktop.admx*
+
+
+
+
+
+
+**ADMX_Desktop/sz_ATC_DisableDel**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Prevents users from deleting Web content from their Active Desktop.
+
+This setting removes the Delete button from the Web tab in Display in Control Panel. As a result, users can temporarily remove, but not delete, Web content from their Active Desktop.
+
+This setting does not prevent users from adding Web content to their Active Desktop.
+
+Also, see the "Prohibit closing items" and "Disable all items" settings.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prohibit deleting items*
+- GP name: *sz_ATC_DisableDel*
+- GP path: *Desktop\Desktop*
+- GP ADMX file name: *Desktop.admx*
+
+
+
+
+
+
+**ADMX_Desktop/sz_ATC_DisableEdit**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Prevents users from changing the properties of Web content items on their Active Desktop.
+
+This setting disables the Properties button on the Web tab in Display in Control Panel. Also, it removes the Properties item from the menu for each item on the Active Desktop. As a result, users cannot change the properties of an item, such as its synchronization schedule, password, or display characteristics.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prohibit editing items*
+- GP name: *sz_ATC_DisableEdit*
+- GP path: *Desktop\Desktop*
+- GP ADMX file name: *Desktop.admx*
+
+
+
+
+
+
+**ADMX_Desktop/sz_ATC_NoComponents**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Removes Active Desktop content and prevents users from adding Active Desktop content.
+
+This setting removes all Active Desktop items from the desktop. It also removes the Web tab from Display in Control Panel. As a result, users cannot add Web pages or pictures from the Internet or an intranet to the desktop.
+
+> [!NOTE]
+> This setting does not disable Active Desktop. Users can still use image formats, such as JPEG and GIF, for their desktop wallpaper.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Disable all items*
+- GP name: *sz_ATC_NoComponents*
+- GP path: *Desktop\Desktop*
+- GP ADMX file name: *Desktop.admx*
+
+
+
+
+
+
+**ADMX_Desktop/sz_AdminComponents_Title**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Adds and deletes specified Web content items.
+
+You can use the "Add" box in this setting to add particular Web-based items or shortcuts to users' desktops. Users can close or delete the items (if settings allow), but the items are added again each time the setting is refreshed.
+
+You can also use this setting to delete particular Web-based items from users' desktops. Users can add the item again (if settings allow), but the item is deleted each time the setting is refreshed.
+
+> [!NOTE]
+> Removing an item from the "Add" list for this setting is not the same as deleting it. Items that are removed from the "Add" list are not removed from the desktop. They are simply not added again.
+
+> [!NOTE]
+> For this setting to take affect, you must log off and log on to the system.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Add/Delete items*
+- GP name: *sz_AdminComponents_Title*
+- GP path: *Desktop\Desktop*
+- GP ADMX file name: *Desktop.admx*
+
+
+
+
+
+
+**ADMX_Desktop/sz_DB_DragDropClose**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Prevents users from manipulating desktop toolbars.
+
+If you enable this setting, users cannot add or remove toolbars from the desktop. Also, users cannot drag toolbars on to or off of docked toolbars.
+
+> [!NOTE]
+> If users have added or removed toolbars, this setting prevents them from restoring the default configuration.
+
+> [!TIP]
+> To view the toolbars that can be added to the desktop, right-click a docked toolbar (such as the taskbar beside the Start button), and point to "Toolbars."
+
+Also, see the "Prohibit adjusting desktop toolbars" setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prevent adding, dragging, dropping and closing the Taskbar's toolbars*
+- GP name: *sz_DB_DragDropClose*
+- GP path: *Desktop*
+- GP ADMX file name: *Desktop.admx*
+
+
+
+
+
+
+**ADMX_Desktop/sz_DB_Moving**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Prevents users from adjusting the length of desktop toolbars. Also, users cannot reposition items or toolbars on docked toolbars.
+
+This setting does not prevent users from adding or removing toolbars on the desktop.
+
+> [!NOTE]
+> If users have adjusted their toolbars, this setting prevents them from restoring the default configuration.
+
+Also, see the "Prevent adding, dragging, dropping and closing the Taskbar's toolbars" setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prohibit adjusting desktop toolbars*
+- GP name: *sz_DB_Moving*
+- GP path: *Desktop*
+- GP ADMX file name: *Desktop.admx*
+
+
+
+
+
+
+**ADMX_Desktop/sz_DWP_NoHTMLPaper**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Permits only bitmap images for wallpaper. This setting limits the desktop background ("wallpaper") to bitmap (.bmp) files. If users select files with other image formats, such as JPEG, GIF, PNG, or HTML, through the Browse button on the Desktop tab, the wallpaper does not load. Files that are autoconverted to a .bmp format, such as JPEG, GIF, and PNG, can be set as Wallpaper by right-clicking the image and selecting "Set as Wallpaper".
+
+Also, see the "Desktop Wallpaper" and the "Prevent changing wallpaper" (in User Configuration\Administrative Templates\Control Panel\Display) settings.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow only bitmapped wallpaper*
+- GP name: *sz_DWP_NoHTMLPaper*
+- GP path: *Desktop\Desktop*
+- GP ADMX file name: *Desktop.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md
new file mode 100644
index 0000000000..69e459d10c
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md
@@ -0,0 +1,619 @@
+---
+title: Policy CSP - ADMX_DeviceInstallation
+description: Policy CSP - ADMX_DeviceInstallation
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 11/19/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_DeviceInstallation
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_DeviceInstallation policies
+
+
+
+
+
+
+
+
+**ADMX_DeviceInstallation/DeviceInstall_AllowAdminInstall**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to determine whether members of the Administrators group can install and update the drivers for any device, regardless of other policy settings.
+
+If you enable this policy setting, members of the Administrators group can use the Add Hardware wizard or the Update Driver wizard to install and update the drivers for any device. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
+
+If you disable or do not configure this policy setting, members of the Administrators group are subject to all policy settings that restrict device installation.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow administrators to override Device Installation Restriction policies*
+- GP name: *DeviceInstall_AllowAdminInstall*
+- GP path: *System\Device Installation\Device Installation Restrictions*
+- GP ADMX file name: *DeviceInstallation.admx*
+
+
+
+
+
+
+**ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_DetailText**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to display a custom message to users in a notification when a device installation is attempted and a policy setting prevents the installation.
+
+If you enable this policy setting, Windows displays the text you type in the Detail Text box when a policy setting prevents device installation.
+
+If you disable or do not configure this policy setting, Windows displays a default message when a policy setting prevents device installation.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Display a custom message when installation is prevented by a policy setting*
+- GP name: *DeviceInstall_DeniedPolicy_DetailText*
+- GP path: *System\Device Installation\Device Installation Restrictions*
+- GP ADMX file name: *DeviceInstallation.admx*
+
+
+
+
+
+
+**ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_SimpleText**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to display a custom message title in a notification when a device installation is attempted and a policy setting prevents the installation.
+
+If you enable this policy setting, Windows displays the text you type in the Main Text box as the title text of a notification when a policy setting prevents device installation.
+
+If you disable or do not configure this policy setting, Windows displays a default title in a notification when a policy setting prevents device installation.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Display a custom message title when device installation is prevented by a policy setting*
+- GP name: *DeviceInstall_DeniedPolicy_SimpleText*
+- GP path: *System\Device Installation\Device Installation Restrictions*
+- GP ADMX file name: *DeviceInstallation.admx*
+
+
+
+
+
+
+**ADMX_DeviceInstallation/DeviceInstall_InstallTimeout**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the number of seconds Windows waits for a device installation task to complete.
+
+If you enable this policy setting, Windows waits for the number of seconds you specify before terminating the installation.
+
+If you disable or do not configure this policy setting, Windows waits 240 seconds for a device installation task to complete before terminating the installation.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure device installation time-out*
+- GP name: *DeviceInstall_InstallTimeout*
+- GP path: *System\Device Installation*
+- GP ADMX file name: *DeviceInstallation.admx*
+
+
+
+
+
+
+**ADMX_DeviceInstallation/DeviceInstall_Policy_RebootTime**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting establishes the amount of time (in seconds) that the system will wait to reboot in order to enforce a change in device installation restriction policies.
+
+If you enable this policy setting, set the amount of seconds you want the system to wait until a reboot.
+
+If you disable or do not configure this policy setting, the system does not force a reboot.
+
+Note: If no reboot is forced, the device installation restriction right will not take effect until the system is restarted.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Time (in seconds) to force reboot when required for policy changes to take effect*
+- GP name: *DeviceInstall_Policy_RebootTime*
+- GP path: *System\Device Installation\Device Installation Restrictions*
+- GP ADMX file name: *DeviceInstallation.admx*
+
+
+
+
+
+
+**ADMX_DeviceInstallation/DeviceInstall_Removable_Deny**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it is connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
+
+If you enable this policy setting, Windows is prevented from installing removable devices and existing removable devices cannot have their drivers updated. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of removable devices from a remote desktop client to the remote desktop server.
+
+If you disable or do not configure this policy setting, Windows can install and update device drivers for removable devices as allowed or prevented by other policy settings.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prevent installation of removable devices*
+- GP name: *DeviceInstall_Removable_Deny*
+- GP path: *System\Device Installation\Device Installation Restrictions*
+- GP ADMX file name: *DeviceInstallation.admx*
+
+
+
+
+
+
+**ADMX_DeviceInstallation/DeviceInstall_SystemRestore**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent Windows from creating a system restore point during device activity that would normally prompt Windows to create a system restore point. Windows normally creates restore points for certain driver activity, such as the installation of an unsigned driver. A system restore point enables you to more easily restore your system to its state before the activity.
+
+If you enable this policy setting, Windows does not create a system restore point when one would normally be created.
+
+If you disable or do not configure this policy setting, Windows creates a system restore point as it normally would.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prevent creation of a system restore point during device activity that would normally prompt creation of a restore point*
+- GP name: *DeviceInstall_SystemRestore*
+- GP path: *System\Device Installation*
+- GP ADMX file name: *DeviceInstallation.admx*
+
+
+
+
+
+
+**ADMX_DeviceInstallation/DriverInstall_Classes_AllowUser**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a list of device setup class GUIDs describing device drivers that non-administrator members of the built-in Users group may install on the system.
+
+If you enable this policy setting, members of the Users group may install new drivers for the specified device setup classes. The drivers must be signed according to Windows Driver Signing Policy, or be signed by publishers already in the TrustedPublisher store.
+
+If you disable or do not configure this policy setting, only members of the Administrators group are allowed to install new device drivers on the system.
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow non-administrators to install drivers for these device setup classes*
+- GP name: *DriverInstall_Classes_AllowUser*
+- GP path: *System\Device Installation*
+- GP ADMX file name: *DeviceInstallation.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-devicesetup.md b/windows/client-management/mdm/policy-csp-admx-devicesetup.md
new file mode 100644
index 0000000000..5da6627e8f
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-devicesetup.md
@@ -0,0 +1,188 @@
+---
+title: Policy CSP - ADMX_DeviceSetup
+description: Policy CSP - ADMX_DeviceSetup
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 11/19/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_DeviceSetup
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_DeviceSetup policies
+
+
+
+
+
+
+
+
+**ADMX_DeviceSetup/DeviceInstall_BalloonTips**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off "Found New Hardware" balloons during device installation.
+
+If you enable this policy setting, "Found New Hardware" balloons do not appear while a device is being installed.
+
+If you disable or do not configure this policy setting, "Found New Hardware" balloons appear while a device is being installed, unless the driver for the device suppresses the balloons.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off "Found New Hardware" balloons during device installation*
+- GP name: *DeviceInstall_BalloonTips*
+- GP path: *System\Device Installation*
+- GP ADMX file name: *DeviceSetup.admx*
+
+
+
+
+
+
+**ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the order in which Windows searches source locations for device drivers.
+
+If you enable this policy setting, you can select whether Windows searches for drivers on Windows Update unconditionally, only if necessary, or not at all.
+
+Note that searching always implies that Windows will attempt to search Windows Update exactly one time. With this setting, Windows will not continually search for updates. This setting is used to ensure that the best software will be found for the device, even if the network is temporarily available. If the setting for searching only if needed is specified, then Windows will search for a driver only if a driver is not locally available on the system.
+
+If you disable or do not configure this policy setting, members of the Administrators group can determine the priority order in which Windows searches source locations for device drivers.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Specify search order for device driver source locations*
+- GP name: *DriverSearchPlaces_SearchOrderConfiguration*
+- GP path: *System\Device Installation*
+- GP ADMX file name: *DeviceSetup.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-digitallocker.md b/windows/client-management/mdm/policy-csp-admx-digitallocker.md
index 43d6152747..08a7dab278 100644
--- a/windows/client-management/mdm/policy-csp-admx-digitallocker.md
+++ b/windows/client-management/mdm/policy-csp-admx-digitallocker.md
@@ -77,7 +77,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether Digital Locker can run.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Digital Locker can run.
Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker.
@@ -148,7 +148,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether Digital Locker can run.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Digital Locker can run.
Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker.
@@ -177,14 +177,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-dnsclient.md b/windows/client-management/mdm/policy-csp-admx-dnsclient.md
index 79b48babf1..9aba6d0482 100644
--- a/windows/client-management/mdm/policy-csp-admx-dnsclient.md
+++ b/windows/client-management/mdm/policy-csp-admx-dnsclient.md
@@ -137,7 +137,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualified domain names.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualified domain names.
If you enable this policy setting, NetBT queries will be issued for multi-label and fully qualified domain names, such as "www.example.com" in addition to single-label names.
@@ -205,7 +205,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails.
A name containing dots, but not dot-terminated, is called an unqualified multi-label name, for example "server.corp" is an unqualified multi-label name. The name "server.corp.contoso.com." is an example of a fully qualified name because it contains a terminating dot.
@@ -282,7 +282,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DNS suffixes, and those configured using DHCP. To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DNS suffixes, and those configured using DHCP. To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix.
If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by computers that receive this policy setting.
@@ -351,7 +351,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if the devolution level that DNS clients will use if they perform primary DNS suffix devolution during the name resolution process.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if the devolution level that DNS clients will use if they perform primary DNS suffix devolution during the name resolution process.
With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name.
@@ -438,7 +438,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured.
If this policy setting is enabled, IDNs are not converted to Punycode.
@@ -507,7 +507,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form, a canonical Unicode representation of the string.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form, a canonical Unicode representation of the string.
If this policy setting is enabled, IDNs are converted to the Nameprep form.
@@ -576,7 +576,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP.
+Available in the latest Windows 10 Insider Preview Build. This policy setting defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP.
To use this policy setting, click Enabled, and then enter a space-delimited list of IP addresses in the available field. To use this policy setting, you must enter at least one IP address.
@@ -647,7 +647,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that responses from link local name resolution protocols received over a network interface that is higher in the binding order are preferred over DNS responses from network interfaces lower in the binding order. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT).
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that responses from link local name resolution protocols received over a network interface that is higher in the binding order are preferred over DNS responses from network interfaces lower in the binding order. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT).
If you enable this policy setting, responses from link local protocols will be preferred over DNS responses if the local responses are from a network with a higher binding order.
@@ -720,7 +720,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolution.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolution.
To use this policy setting, click Enabled and enter the entire primary DNS suffix you want to assign. For example: microsoft.com.
@@ -795,7 +795,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if a computer performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if a computer performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix.
By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com.
@@ -869,7 +869,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if DNS client computers will register PTR resource records.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if DNS client computers will register PTR resource records.
By default, DNS clients configured to perform dynamic DNS registration will attempt to register PTR resource record only if they successfully registered the corresponding A resource record.
@@ -945,7 +945,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server.
If you enable this policy setting, or you do not configure this policy setting, computers will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting must not be disabled.
@@ -1014,7 +1014,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses.
This policy setting is designed for computers that register address (A) resource records in DNS zones that do not use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and does not allow a DNS client to overwrite records that are registered by other computers.
@@ -1087,7 +1087,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers performing dynamic DNS updates.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers performing dynamic DNS updates.
Computers configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record has not changed. This reregistration is required to indicate to DNS servers that records are current and should not be automatically removed (scavenged) when a DNS server is configured to delete stale records.
@@ -1163,7 +1163,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this policy setting is applied.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this policy setting is applied.
To specify the TTL, click Enabled and then enter a value in seconds (for example, 900 is 15 minutes).
@@ -1234,7 +1234,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name.
An unqualified single-label name contains no dots. The name "example" is a single-label name. This is different from a fully qualified domain name such as "example.microsoft.com."
@@ -1310,7 +1310,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received, the network binding order is used to determine which response to accept.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received, the network binding order is used to determine which response to accept.
If you enable this policy setting, the DNS client will not perform any optimizations. DNS queries will be issued across all networks first. LLMNR queries will be issued if the DNS queries fail, followed by NetBT queries if LLMNR queries fail.
@@ -1379,7 +1379,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT).
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT).
If you enable this policy setting, the DNS client will prefer DNS responses, followed by LLMNR, followed by NetBT for all networks.
@@ -1451,7 +1451,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the security level for dynamic DNS updates.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security level for dynamic DNS updates.
To use this policy setting, click Enabled and then select one of the following values:
@@ -1526,7 +1526,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com."
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com."
By default, a DNS client that is configured to perform dynamic DNS update will update the DNS zone that is authoritative for its DNS resource records unless the authoritative zone is a top-level domain or root zone.
@@ -1597,7 +1597,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if the DNS client performs primary DNS suffix devolution during the name resolution process.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies if the DNS client performs primary DNS suffix devolution during the name resolution process.
With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name.
@@ -1684,7 +1684,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that link local multicast name resolution (LLMNR) is disabled on client computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that link local multicast name resolution (LLMNR) is disabled on client computers.
LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible.
@@ -1712,14 +1712,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-dwm.md b/windows/client-management/mdm/policy-csp-admx-dwm.md
index ff5b9de5cc..71f9b3638f 100644
--- a/windows/client-management/mdm/policy-csp-admx-dwm.md
+++ b/windows/client-management/mdm/policy-csp-admx-dwm.md
@@ -89,7 +89,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting controls the default color for window frames when the user does not specify a color.
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the default color for window frames when the user does not specify a color.
If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not specify a color.
@@ -162,7 +162,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting controls the default color for window frames when the user does not specify a color.
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the default color for window frames when the user does not specify a color.
If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not specify a color.
@@ -234,7 +234,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows.
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows.
If you enable this policy setting, window animations are turned off.
@@ -305,7 +305,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows.
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows.
If you enable this policy setting, window animations are turned off.
@@ -376,7 +376,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting controls the ability to change the color of window frames.
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability to change the color of window frames.
If you enable this policy setting, you prevent users from changing the default window frame color.
@@ -448,7 +448,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting controls the ability to change the color of window frames.
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability to change the color of window frames.
If you enable this policy setting, you prevent users from changing the default window frame color.
@@ -478,14 +478,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-eaime.md b/windows/client-management/mdm/policy-csp-admx-eaime.md
new file mode 100644
index 0000000000..b56ce8c52a
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-eaime.md
@@ -0,0 +1,972 @@
+---
+title: Policy CSP - ADMX_EAIME
+description: Policy CSP - ADMX_EAIME
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 11/19/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_EAIME
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_EAIME policies
+
+
+
+
+
+
+
+
+**ADMX_EAIME/L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to include the Non-Publishing Standard Glyph in the candidate list when Publishing Standard Glyph for the word exists.
+
+If you enable this policy setting, Non-Publishing Standard Glyph is not included in the candidate list when Publishing Standard Glyph for the word exists.
+
+If you disable or do not configure this policy setting, both Publishing Standard Glyph and Non-Publishing Standard Glyph are included in the candidate list.
+
+This policy setting applies to Japanese Microsoft IME only.
+
+> [!NOTE]
+> Changes to this setting will not take effect until the user logs off.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not include Non-Publishing Standard Glyph in the candidate list*
+- GP name: *L_DoNotIncludeNonPublishingStandardGlyphInTheCandidateList*
+- GP path: *Windows Components\IME*
+- GP ADMX file name: *EAIME.admx*
+
+
+
+
+
+
+**ADMX_EAIME/L_RestrictCharacterCodeRangeOfConversion**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to restrict character code range of conversion by setting character filter.
+
+If you enable this policy setting, then only the character code ranges specified by this policy setting are used for conversion of IME. You can specify multiple ranges by setting a value combined with a bitwise OR of following values:
+
+- 0x0001 // JIS208 area
+- 0x0002 // NEC special char code
+- 0x0004 // NEC selected IBM extended code
+- 0x0008 // IBM extended code
+- 0x0010 // Half width katakana code
+- 0x0100 // EUDC(GAIJI)
+- 0x0200 // S-JIS unmapped area
+- 0x0400 // Unicode char
+- 0x0800 // surrogate char
+- 0x1000 // IVS char
+- 0xFFFF // no definition.
+
+If you disable or do not configure this policy setting, no range of characters are filtered by default.
+
+This policy setting applies to Japanese Microsoft IME only.
+
+> [!NOTE]
+> Changes to this setting will not take effect until the user logs off.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Restrict character code range of conversion*
+- GP name: *L_RestrictCharacterCodeRangeOfConversion*
+- GP path: *Windows Components\IME*
+- GP ADMX file name: *EAIME.admx*
+
+
+
+
+
+
+**ADMX_EAIME/L_TurnOffCustomDictionary**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off the ability to use a custom dictionary.
+
+If you enable this policy setting, you cannot add, edit, and delete words in the custom dictionary either with GUI tools or APIs. A word registered in the custom dictionary before enabling this policy setting can continue to be used for conversion.
+
+If you disable or do not configure this policy setting, the custom dictionary can be used by default.
+
+For Japanese Microsoft IME, [Clear auto-tuning information] works, even if this policy setting is enabled, and it clears self-tuned words from the custom dictionary.
+
+This policy setting is applied to Japanese Microsoft IME.
+
+> [!NOTE]
+> Changes to this setting will not take effect until the user logs off.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off custom dictionary*
+- GP name: *L_TurnOffCustomDictionary*
+- GP path: *Windows Components\IME*
+- GP ADMX file name: *EAIME.admx*
+
+
+
+
+
+
+**ADMX_EAIME/L_TurnOffHistorybasedPredictiveInput**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off history-based predictive input.
+
+If you enable this policy setting, history-based predictive input is turned off.
+
+If you disable or do not configure this policy setting, history-based predictive input is on by default.
+
+This policy setting applies to Japanese Microsoft IME only.
+
+> [!NOTE]
+> Changes to this setting will not take effect until the user logs off.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off history-based predictive input*
+- GP name: *L_TurnOffHistorybasedPredictiveInput*
+- GP path: *Windows Components\IME*
+- GP ADMX file name: *EAIME.admx*
+
+
+
+
+
+
+**ADMX_EAIME/L_TurnOffInternetSearchIntegration**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off Internet search integration.
+
+Search integration includes both using Search Provider (Japanese Microsoft IME) and performing Bing search from predictive input for Japanese Microsoft IME.
+
+If you enable this policy setting, you cannot use search integration.
+
+If you disable or do not configure this policy setting, the search integration function can be used by default.
+
+This policy setting applies to Japanese Microsoft IME.
+
+> [!NOTE]
+> Changes to this setting will not take effect until the user logs off.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Internet search integration*
+- GP name: *L_TurnOffInternetSearchIntegration*
+- GP path: *Windows Components\IME*
+- GP ADMX file name: *EAIME.admx*
+
+
+
+
+
+
+**ADMX_EAIME/L_TurnOffOpenExtendedDictionary**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off Open Extended Dictionary.
+
+If you enable this policy setting, Open Extended Dictionary is turned off. You cannot add a new Open Extended Dictionary.
+
+For Japanese Microsoft IME, an Open Extended Dictionary that is added before enabling this policy setting is not used for conversion.
+
+If you disable or do not configure this policy setting, Open Extended Dictionary can be added and used by default.
+
+This policy setting is applied to Japanese Microsoft IME.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Open Extended Dictionary*
+- GP name: *L_TurnOffOpenExtendedDictionary*
+- GP path: *Windows Components\IME*
+- GP ADMX file name: *EAIME.admx*
+
+
+
+
+
+
+**ADMX_EAIME/L_TurnOffSavingAutoTuningDataToFile**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off saving the auto-tuning result to file.
+
+If you enable this policy setting, the auto-tuning data is not saved to file.
+
+If you disable or do not configure this policy setting, auto-tuning data is saved to file by default.
+
+This policy setting applies to Japanese Microsoft IME only.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off saving auto-tuning data to file*
+- GP name: *L_TurnOffSavingAutoTuningDataToFile*
+- GP path: *Windows Components\IME*
+- GP ADMX file name: *EAIME.admx*
+
+
+
+
+
+
+**ADMX_EAIME/L_TurnOnCloudCandidate**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary.
+
+If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the suggestions, and the user won't be able to turn it off.
+
+If you disable this policy setting, the functionality associated with this feature is turned off, and the user won't be able to turn it on.
+
+If you don't configure this policy setting, it will be turned off by default, and the user can turn on and turn off the cloud candidates feature.
+
+This Policy setting applies to Microsoft CHS Pinyin IME and JPN IME.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn on cloud candidate*
+- GP name: *L_TurnOnCloudCandidate*
+- GP path: *Windows Components\IME*
+- GP ADMX file name: *EAIME.admx*
+
+
+
+
+
+
+**ADMX_EAIME/L_TurnOnCloudCandidateCHS**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the cloud candidates feature, which uses an online service to provide input suggestions that don't exist in a PC's local dictionary.
+
+If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the suggestions, and the user won't be able to turn it off.
+
+If you disable this policy setting, the functionality associated with this feature is turned off, and the user won't be able to turn it on.
+
+If you don't configure this policy setting, it will be turned off by default, and the user can turn on and turn off the cloud candidates feature.
+
+This Policy setting applies only to Microsoft CHS Pinyin IME.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn on cloud candidate for CHS*
+- GP name: *L_TurnOnCloudCandidateCHS*
+- GP path: *Windows Components\IME*
+- GP ADMX file name: *EAIME.admx*
+
+
+
+
+
+
+**ADMX_EAIME/L_TurnOnLexiconUpdate**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the lexicon update feature, which downloads hot and popular words lexicon to local PC.
+
+If you enable this policy setting, the functionality associated with this feature is turned on, hot and popular words lexicon can be downloaded to local PC, the user is able to turn it on or off in settings.
+
+If you disable this policy setting, the functionality associated with this feature is turned off, and the user won't be able to turn it on.
+
+If you don't configure this policy setting, it will be turned on by default, and the user can turn on and turn off the lexicon update feature.
+
+This Policy setting applies only to Microsoft CHS Pinyin IME.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn on lexicon update*
+- GP name: *L_TurnOnLexiconUpdate*
+- GP path: *Windows Components\IME*
+- GP ADMX file name: *EAIME.admx*
+
+
+
+
+
+
+**ADMX_EAIME/L_TurnOnLiveStickers**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the live sticker feature, which uses an online service to provide stickers online.
+
+If you enable this policy setting, the functionality associated with this feature is turned on, the user's keyboard input is sent to Microsoft to generate the live stickers, and the user won't be able to turn it off.
+
+If you disable this policy setting, the functionality associated with this feature is turned off, and the user won't be able to turn it on.
+
+If you don't configure this policy setting, it will be turned off by default, and the user can turn on and turn off the live sticker feature.
+
+This Policy setting applies only to Microsoft CHS Pinyin IME.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn on Live Sticker*
+- GP name: *L_TurnOnLiveStickers*
+- GP path: *Windows Components\IME*
+- GP ADMX file name: *EAIME.admx*
+
+
+
+
+
+
+**ADMX_EAIME/L_TurnOnMisconversionLoggingForMisconversionReport**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on logging of misconversion for the misconversion report.
+
+If you enable this policy setting, misconversion logging is turned on.
+
+If you disable or do not configure this policy setting, misconversion logging is turned off.
+
+This policy setting applies to Japanese Microsoft IME and Traditional Chinese IME.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn on misconversion logging for misconversion report*
+- GP name: *L_TurnOnMisconversionLoggingForMisconversionReport*
+- GP path: *Windows Components\IME*
+- GP ADMX file name: *EAIME.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md
index ec7948b584..1dd5a4e6cb 100644
--- a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md
+++ b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md
@@ -74,7 +74,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting prevents File Explorer from encrypting files that are moved to an encrypted folder.
+Available in the latest Windows 10 Insider Preview Build. This policy setting prevents File Explorer from encrypting files that are moved to an encrypted folder.
If you enable this policy setting, File Explorer will not automatically encrypt files that are moved to an encrypted folder.
@@ -103,14 +103,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md
new file mode 100644
index 0000000000..7e217f1364
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md
@@ -0,0 +1,477 @@
+---
+title: Policy CSP - ADMX_EnhancedStorage
+description: Policy CSP - ADMX_EnhancedStorage
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 11/23/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_EnhancedStorage
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_EnhancedStorage policies
+
+
+
+
+
+
+
+
+**ADMX_EnhancedStorage/ApprovedEnStorDevices**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure a list of Enhanced Storage devices by manufacturer and product ID that are usable on your computer.
+
+If you enable this policy setting, only Enhanced Storage devices that contain a manufacturer and product ID specified in this policy are usable on your computer.
+
+If you disable or do not configure this policy setting, all Enhanced Storage devices are usable on your computer.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure list of Enhanced Storage devices usable on your computer*
+- GP name: *ApprovedEnStorDevices*
+- GP path: *System\Enhanced Storage Access*
+- GP ADMX file name: *EnhancedStorage.admx*
+
+
+
+
+
+
+**ADMX_EnhancedStorage/ApprovedSilos**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to create a list of IEEE 1667 silos, compliant with the Institute of Electrical and Electronics Engineers, Inc. (IEEE) 1667 specification, that are usable on your computer.
+
+If you enable this policy setting, only IEEE 1667 silos that match a silo type identifier specified in this policy are usable on your computer.
+
+If you disable or do not configure this policy setting, all IEEE 1667 silos on Enhanced Storage devices are usable on your computer.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure list of IEEE 1667 silos usable on your computer*
+- GP name: *ApprovedSilos*
+- GP path: *System\Enhanced Storage Access*
+- GP ADMX file name: *EnhancedStorage.admx*
+
+
+
+
+
+
+**ADMX_EnhancedStorage/DisablePasswordAuthentication**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether or not a password can be used to unlock an Enhanced Storage device.
+
+If you enable this policy setting, a password cannot be used to unlock an Enhanced Storage device.
+
+If you disable or do not configure this policy setting, a password can be used to unlock an Enhanced Storage device.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not allow password authentication of Enhanced Storage devices*
+- GP name: *DisablePasswordAuthentication*
+- GP path: *System\Enhanced Storage Access*
+- GP ADMX file name: *EnhancedStorage.admx*
+
+
+
+
+
+
+**ADMX_EnhancedStorage/DisallowLegacyDiskDevices**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether or not non-Enhanced Storage removable devices are allowed on your computer.
+
+If you enable this policy setting, non-Enhanced Storage removable devices are not allowed on your computer.
+
+If you disable or do not configure this policy setting, non-Enhanced Storage removable devices are allowed on your computer.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not allow non-Enhanced Storage removable devices*
+- GP name: *DisallowLegacyDiskDevices*
+- GP path: *System\Enhanced Storage Access*
+- GP ADMX file name: *EnhancedStorage.admx*
+
+
+
+
+
+
+**ADMX_EnhancedStorage/LockDeviceOnMachineLock**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting locks Enhanced Storage devices when the computer is locked.
+
+This policy setting is supported in Windows Server SKUs only.
+
+If you enable this policy setting, the Enhanced Storage device remains locked when the computer is locked.
+
+If you disable or do not configure this policy setting, the Enhanced Storage device state is not changed when the computer is locked.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Lock Enhanced Storage when the computer is locked*
+- GP name: *LockDeviceOnMachineLock*
+- GP path: *System\Enhanced Storage Access*
+- GP ADMX file name: *EnhancedStorage.admx*
+
+
+
+
+
+
+**ADMX_EnhancedStorage/RootHubConnectedEnStorDevices**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether or not only USB root hub connected Enhanced Storage devices are allowed. Allowing only root hub connected Enhanced Storage devices minimizes the risk of an unauthorized USB device reading data on an Enhanced Storage device.
+
+If you enable this policy setting, only USB root hub connected Enhanced Storage devices are allowed.
+
+If you disable or do not configure this policy setting, USB Enhanced Storage devices connected to both USB root hubs and non-root hubs will be allowed.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow only USB root hub connected Enhanced Storage devices*
+- GP name: *RootHubConnectedEnStorDevices*
+- GP path: *System\Enhanced Storage Access*
+- GP ADMX file name: *EnhancedStorage.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-errorreporting.md b/windows/client-management/mdm/policy-csp-admx-errorreporting.md
new file mode 100644
index 0000000000..5f3fc5e33b
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-errorreporting.md
@@ -0,0 +1,2202 @@
+---
+title: Policy CSP - ADMX_ErrorReporting
+description: Policy CSP - ADMX_ErrorReporting
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 11/23/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_ErrorReporting
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_ErrorReporting policies
+
+
+
+
+
+
+
+
+**ADMX_ErrorReporting/PCH_AllOrNoneDef**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether errors in general applications are included in reports when Windows Error Reporting is enabled.
+
+If you enable this policy setting, you can instruct Windows Error Reporting in the Default pull-down menu to report either all application errors (the default setting), or no application errors.
+
+If the Report all errors in Microsoft applications check box is filled, all errors in Microsoft applications are reported, regardless of the setting in the Default pull-down menu. When the Report all errors in Windows check box is filled, all errors in Windows applications are reported, regardless of the setting in the Default dropdown list. The Windows applications category is a subset of Microsoft applications.
+
+If you disable or do not configure this policy setting, users can enable or disable Windows Error Reporting in Control Panel. The default setting in Control Panel is Upload all applications.
+
+This policy setting is ignored if the Configure Error Reporting policy setting is disabled or not configured.
+
+For related information, see the Configure Error Reporting and Report Operating System Errors policy settings.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Default application reporting settings*
+- GP name: *PCH_AllOrNoneDef*
+- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings*
+- GP ADMX file name: *ErrorReporting.admx*
+
+
+
+
+
+
+**ADMX_ErrorReporting/PCH_AllOrNoneEx**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on.
+
+If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show under the Exclude errors for applications on this list setting, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. Errors that are generated by applications in this list are not reported, even if the Default Application Reporting Settings policy setting is configured to report all application errors.
+
+If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence. If an application is listed both in the List of applications to always report errors for policy setting, and in the exclusion list in this policy setting, the application is excluded from error reporting. You can also use the exclusion list in this policy setting to exclude specific Microsoft applications or parts of Windows if the check boxes for these categories are filled in the Default application reporting settings policy setting.
+
+If you disable or do not configure this policy setting, the Default application reporting settings policy setting takes precedence.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *List of applications to never report errors for*
+- GP name: *PCH_AllOrNoneEx*
+- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings*
+- GP ADMX file name: *ErrorReporting.admx*
+
+
+
+
+
+
+**ADMX_ErrorReporting/PCH_AllOrNoneInc**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies applications for which Windows Error Reporting should always report errors.
+
+To create a list of applications for which Windows Error Reporting never reports errors, click Show under the Exclude errors for applications on this list setting, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). Errors that are generated by applications in this list are not reported, even if the Default Application Reporting Settings policy setting is configured to report all application errors.
+
+If you enable this policy setting, you can create a list of applications that are always included in error reporting. To add applications to the list, click Show under the Report errors for applications on this list setting, and edit the list of application file names in the Show Contents dialog box. The file names must include the .exe file name extension (for example, notepad.exe). Errors that are generated by applications on this list are always reported, even if the Default dropdown in the Default application reporting policy setting is set to report no application errors.
+
+If the Report all errors in Microsoft applications or Report all errors in Windows components check boxes in the Default Application Reporting policy setting are filled, Windows Error Reporting reports errors as if all applications in these categories were added to the list in this policy setting. (Note: The Microsoft applications category includes the Windows components category.)
+
+If you disable this policy setting or do not configure it, the Default application reporting settings policy setting takes precedence.
+
+Also see the "Default Application Reporting" and "Application Exclusion List" policies.
+
+This setting will be ignored if the 'Configure Error Reporting' setting is disabled or not configured.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *List of applications to always report errors for*
+- GP name: *PCH_AllOrNoneInc*
+- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings*
+- GP ADMX file name: *ErrorReporting.admx*
+
+
+
+
+
+
+**ADMX_ErrorReporting/PCH_ConfigureReport**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures how errors are reported to Microsoft, and what information is sent when Windows Error Reporting is enabled.
+
+This policy setting does not enable or disable Windows Error Reporting. To turn Windows Error Reporting on or off, see the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings.
+
+> [!IMPORTANT]
+> If the Turn off Windows Error Reporting policy setting is not configured, then Control Panel settings for Windows Error Reporting override this policy setting.
+
+If you enable this policy setting, the setting overrides any user changes made to Windows Error Reporting settings in Control Panel, and default values are applied for any Windows Error Reporting policy settings that are not configured (even if users have changed settings by using Control Panel). If you enable this policy setting, you can configure the following settings in the policy setting:
+
+- "Do not display links to any Microsoft ‘More information’ websites": Select this option if you do not want error dialog boxes to display links to Microsoft websites.
+
+- "Do not collect additional files": Select this option if you do not want additional files to be collected and included in error reports.
+
+- "Do not collect additional computer data": Select this if you do not want additional information about the computer to be collected and included in error reports.
+
+- "Force queue mode for application errors": Select this option if you do not want users to report errors. When this option is selected, errors are stored in a queue directory, and the next administrator to log on to the computer can send the error reports to Microsoft.
+
+- "Corporate file path": Type a UNC path to enable Corporate Error Reporting. All errors are stored at the specified location instead of being sent directly to Microsoft, and the next administrator to log onto the computer can send the error reports to Microsoft.
+
+- "Replace instances of the word ‘Microsoft’ with": You can specify text with which to customize your error report dialog boxes. The word ""Microsoft"" is replaced with the specified text.
+
+If you do not configure this policy setting, users can change Windows Error Reporting settings in Control Panel. By default, these settings are Enable Reporting on computers that are running Windows XP, and Report to Queue on computers that are running Windows Server 2003.
+
+If you disable this policy setting, configuration settings in the policy setting are left blank.
+
+See related policy settings Display Error Notification (same folder as this policy setting), and Turn off Windows Error Reporting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure Error Reporting*
+- GP name: *PCH_ConfigureReport*
+- GP path: *Windows Components\Windows Error Reporting*
+- GP ADMX file name: *ErrorReporting.admx*
+
+
+
+
+
+
+**ADMX_ErrorReporting/PCH_ReportOperatingSystemFaults**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether errors in the operating system are included Windows Error Reporting is enabled.
+
+If you enable this policy setting, Windows Error Reporting includes operating system errors.
+
+If you disable this policy setting, operating system errors are not included in error reports.
+
+If you do not configure this policy setting, users can change this setting in Control Panel. By default, Windows Error Reporting settings in Control Panel are set to upload operating system errors.
+
+See also the Configure Error Reporting policy setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Report operating system errors*
+- GP name: *PCH_ReportOperatingSystemFaults*
+- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings*
+- GP ADMX file name: *ErrorReporting.admx*
+
+
+
+
+
+
+**ADMX_ErrorReporting/WerArchive_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the behavior of the Windows Error Reporting archive.
+
+If you enable this policy setting, you can configure Windows Error Reporting archiving behavior. If Archive behavior is set to Store all, all data collected for each error report is stored in the appropriate location. If Archive behavior is set to Store parameters only, only the minimum information required to check for an existing solution is stored. The Maximum number of reports to store setting determines how many reports are stored before older reports are automatically deleted.
+
+If you disable or do not configure this policy setting, no Windows Error Reporting information is stored.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure Report Archive*
+- GP name: *WerArchive_1*
+- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings*
+- GP ADMX file name: *ErrorReporting.admx*
+
+
+
+
+
+
+**ADMX_ErrorReporting/WerArchive_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the behavior of the Windows Error Reporting archive.
+
+If you enable this policy setting, you can configure Windows Error Reporting archiving behavior. If Archive behavior is set to Store all, all data collected for each error report is stored in the appropriate location. If Archive behavior is set to Store parameters only, only the minimum information required to check for an existing solution is stored. The Maximum number of reports to store setting determines how many reports are stored before older reports are automatically deleted.
+
+If you disable or do not configure this policy setting, no Windows Error Reporting information is stored.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure Report Archive*
+- GP name: *WerArchive_2*
+- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings*
+- GP ADMX file name: *ErrorReporting.admx*
+
+
+
+
+
+
+**ADMX_ErrorReporting/WerAutoApproveOSDumps_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps.
+
+If you enable or do not configure this policy setting, any memory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user.
+
+If you disable this policy setting, then all memory dumps are uploaded according to the default consent and notification settings.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Automatically send memory dumps for OS-generated error reports*
+- GP name: *WerAutoApproveOSDumps_1*
+- GP path: *Windows Components\Windows Error Reporting*
+- GP ADMX file name: *ErrorReporting.admx*
+
+
+
+
+
+
+**ADMX_ErrorReporting/WerAutoApproveOSDumps_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps.
+
+If you enable or do not configure this policy setting, any memory dumps generated for error reports by Microsoft Windows are automatically uploaded, without notification to the user.
+
+If you disable this policy setting, then all memory dumps are uploaded according to the default consent and notification settings.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Automatically send memory dumps for OS-generated error reports*
+- GP name: *WerAutoApproveOSDumps_2*
+- GP path: *Windows Components\Windows Error Reporting*
+- GP ADMX file name: *ErrorReporting.admx*
+
+
+
+
+
+
+**ADMX_ErrorReporting/WerBypassDataThrottling_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CAB file containing data about the same event types has already been uploaded to the server.
+
+If you enable this policy setting, WER does not throttle data; that is, WER uploads additional CAB files that can contain data about the same event types as an earlier uploaded report.
+
+If you disable or do not configure this policy setting, WER throttles data by default; that is, WER does not upload more than one CAB file for a report that contains data about the same event types.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not throttle additional data*
+- GP name: *WerBypassDataThrottling_1*
+- GP path: *Windows Components\Windows Error Reporting*
+- GP ADMX file name: *ErrorReporting.admx*
+
+
+
+
+
+
+**ADMX_ErrorReporting/WerBypassDataThrottling_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CAB file containing data about the same event types has already been uploaded to the server.
+
+If you enable this policy setting, WER does not throttle data; that is, WER uploads additional CAB files that can contain data about the same event types as an earlier uploaded report.
+
+If you disable or do not configure this policy setting, WER throttles data by default; that is, WER does not upload more than one CAB file for a report that contains data about the same event types.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not throttle additional data*
+- GP name: *WerBypassDataThrottling_2*
+- GP path: *Windows Components\Windows Error Reporting*
+- GP ADMX file name: *ErrorReporting.admx*
+
+
+
+
+
+
+**ADMX_ErrorReporting/WerBypassNetworkCostThrottling_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network.
+
+If you enable this policy setting, WER does not check for network cost policy restrictions, and transmits data even if network cost is restricted.
+
+If you disable or do not configure this policy setting, WER does not send data, but will check the network cost policy again if the network profile is changed.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Send data when on connected to a restricted/costed network*
+- GP name: *WerBypassNetworkCostThrottling_1*
+- GP path: *Windows Components\Windows Error Reporting*
+- GP ADMX file name: *ErrorReporting.admx*
+
+
+
+
+
+
+**ADMX_ErrorReporting/WerBypassNetworkCostThrottling_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network.
+
+If you enable this policy setting, WER does not check for network cost policy restrictions, and transmits data even if network cost is restricted.
+
+If you disable or do not configure this policy setting, WER does not send data, but will check the network cost policy again if the network profile is changed.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Send data when on connected to a restricted/costed network*
+- GP name: *WerBypassNetworkCostThrottling_2*
+- GP path: *Windows Components\Windows Error Reporting*
+- GP ADMX file name: *ErrorReporting.admx*
+
+
+
+
+
+
+**ADMX_ErrorReporting/WerBypassPowerThrottling_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload additional report data until the computer is connected to a more permanent power source.
+
+If you enable this policy setting, WER does not determine whether the computer is running on battery power, but checks for solutions and uploads report data normally.
+
+If you disable or do not configure this policy setting, WER checks for solutions while a computer is running on battery power, but does not upload report data until the computer is connected to a more permanent power source.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Send additional data when on battery power*
+- GP name: *WerBypassPowerThrottling_1*
+- GP path: *Windows Components\Windows Error Reporting*
+- GP ADMX file name: *ErrorReporting.admx*
+
+
+
+
+
+
+**ADMX_ErrorReporting/WerBypassPowerThrottling_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload additional report data until the computer is connected to a more permanent power source.
+
+If you enable this policy setting, WER does not determine whether the computer is running on battery power, but checks for solutions and uploads report data normally.
+
+If you disable or do not configure this policy setting, WER checks for solutions while a computer is running on battery power, but does not upload report data until the computer is connected to a more permanent power source.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Send additional data when on battery power*
+- GP name: *WerBypassPowerThrottling_2*
+- GP path: *Windows Components\Windows Error Reporting*
+- GP ADMX file name: *ErrorReporting.admx*
+
+
+
+
+
+
+**ADMX_ErrorReporting/WerCER**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a corporate server to which Windows Error Reporting sends reports (if you do not want to send error reports to Microsoft).
+
+If you enable this policy setting, you can specify the name or IP address of an error report destination server on your organization’s network. You can also select Connect using SSL to transmit error reports over a Secure Sockets Layer (SSL) connection, and specify a port number on the destination server for transmission.
+
+If you disable or do not configure this policy setting, Windows Error Reporting sends error reports to Microsoft.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure Corporate Windows Error Reporting*
+- GP name: *WerCER*
+- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings*
+- GP ADMX file name: *ErrorReporting.admx*
+
+
+
+
+
+
+**ADMX_ErrorReporting/WerConsentCustomize_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines the consent behavior of Windows Error Reporting for specific event types.
+
+If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4.
+
+- 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type.
+
+- 1 (Always ask before sending data): Windows prompts the user for consent to send reports.
+
+- 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send any additional data requested by Microsoft.
+
+- 3 (Send parameters and safe additional data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, as well as data which Windows has determined (within a high probability) does not contain personally identifiable data, and prompts the user for consent to send any additional data requested by Microsoft.
+
+- 4 (Send all data): Any data requested by Microsoft is sent automatically.
+
+If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Customize consent settings*
+- GP name: *WerConsentCustomize_1*
+- GP path: *Windows Components\Windows Error Reporting\Consent*
+- GP ADMX file name: *ErrorReporting.admx*
+
+
+
+
+
+
+**ADMX_ErrorReporting/WerConsentOverride_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings.
+
+If you enable this policy setting, the default consent levels of Windows Error Reporting always override any other consent policy setting.
+
+If you disable or do not configure this policy setting, custom consent policy settings for error reporting determine the consent level for specified event types, and the default consent setting determines only the consent level of any other error reports.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Ignore custom consent settings*
+- GP name: *WerConsentOverride_1*
+- GP path: *Windows Components\Windows Error Reporting\Consent*
+- GP ADMX file name: *ErrorReporting.admx*
+
+
+
+
+
+
+**ADMX_ErrorReporting/WerConsentOverride_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings.
+
+If you enable this policy setting, the default consent levels of Windows Error Reporting always override any other consent policy setting.
+
+If you disable or do not configure this policy setting, custom consent policy settings for error reporting determine the consent level for specified event types, and the default consent setting determines only the consent level of any other error reports.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Ignore custom consent settings*
+- GP name: *WerConsentOverride_2*
+- GP path: *Windows Components\Windows Error Reporting\Consent*
+- GP ADMX file name: *ErrorReporting.admx*
+
+
+
+
+
+
+**ADMX_ErrorReporting/WerDefaultConsent_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines the default consent behavior of Windows Error Reporting.
+
+If you enable this policy setting, you can set the default consent handling for error reports. The following list describes the Consent level settings that are available in the pull-down menu in this policy setting:
+
+- Always ask before sending data: Windows prompts users for consent to send reports.
+
+- Send parameters: Only the minimum data that is required to check for an existing solution is sent automatically, and Windows prompts users for consent to send any additional data that is requested by Microsoft.
+
+- Send parameters and safe additional data: the minimum data that is required to check for an existing solution, along with data which Windows has determined (within a high probability) does not contain personally-identifiable information is sent automatically, and Windows prompts the user for consent to send any additional data that is requested by Microsoft.
+
+- Send all data: any error reporting data requested by Microsoft is sent automatically.
+
+If this policy setting is disabled or not configured, then the consent level defaults to the highest-privacy setting: Always ask before sending data.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure Default consent*
+- GP name: *WerDefaultConsent_1*
+- GP path: *Windows Components\Windows Error Reporting\Consent*
+- GP ADMX file name: *ErrorReporting.admx*
+
+
+
+
+
+
+**ADMX_ErrorReporting/WerDefaultConsent_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines the default consent behavior of Windows Error Reporting.
+
+If you enable this policy setting, you can set the default consent handling for error reports. The following list describes the Consent level settings that are available in the pull-down menu in this policy setting:
+
+- Always ask before sending data: Windows prompts users for consent to send reports.
+
+- Send parameters: Only the minimum data that is required to check for an existing solution is sent automatically, and Windows prompts users for consent to send any additional data that is requested by Microsoft.
+
+- Send parameters and safe additional data: the minimum data that is required to check for an existing solution, along with data which Windows has determined (within a high probability) does not contain personally-identifiable information is sent automatically, and Windows prompts the user for consent to send any additional data that is requested by Microsoft.
+
+- Send all data: any error reporting data requested by Microsoft is sent automatically.
+
+If this policy setting is disabled or not configured, then the consent level defaults to the highest-privacy setting: Always ask before sending data.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure Default consent*
+- GP name: *WerDefaultConsent_2*
+- GP path: *Windows Components\Windows Error Reporting\Consent*
+- GP ADMX file name: *ErrorReporting.admx*
+
+
+
+
+
+
+**ADMX_ErrorReporting/WerDisable_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails.
+
+If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel.
+
+If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Disable Windows Error Reporting*
+- GP name: *WerDisable_1*
+- GP path: *Windows Components\Windows Error Reporting*
+- GP ADMX file name: *ErrorReporting.admx*
+
+
+
+
+
+
+**ADMX_ErrorReporting/WerExlusion_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on.
+
+If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an application from the list, click the name, and then press DELETE. If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence.
+
+If you disable or do not configure this policy setting, errors are reported on all Microsoft and Windows applications by default.
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *List of applications to be excluded*
+- GP name: *WerExlusion_1*
+- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings*
+- GP ADMX file name: *ErrorReporting.admx*
+
+
+
+
+
+
+**ADMX_ErrorReporting/WerExlusion_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on.
+
+If you enable this policy setting, you can create a list of applications that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors, click Show, and then add or remove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an application from the list, click the name, and then press DELETE. If this policy setting is enabled, the Exclude errors for applications on this list setting takes precedence.
+
+If you disable or do not configure this policy setting, errors are reported on all Microsoft and Windows applications by default.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *List of applications to be excluded*
+- GP name: *WerExlusion_2*
+- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings*
+- GP ADMX file name: *ErrorReporting.admx*
+
+
+
+
+
+
+**ADMX_ErrorReporting/WerNoLogging_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event log.
+
+If you enable this policy setting, Windows Error Reporting events are not recorded in the system event log.
+
+If you disable or do not configure this policy setting, Windows Error Reporting events and errors are logged to the system event log, as with other Windows-based programs.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Disable logging*
+- GP name: *WerNoLogging_1*
+- GP path: *Windows Components\Windows Error Reporting*
+- GP ADMX file name: *ErrorReporting.admx*
+
+
+
+
+
+
+**ADMX_ErrorReporting/WerNoLogging_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event log.
+
+If you enable this policy setting, Windows Error Reporting events are not recorded in the system event log.
+
+If you disable or do not configure this policy setting, Windows Error Reporting events and errors are logged to the system event log, as with other Windows-based programs.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Disable logging*
+- GP name: *WerNoLogging_2*
+- GP path: *Windows Components\Windows Error Reporting*
+- GP ADMX file name: *ErrorReporting.admx*
+
+
+
+
+
+
+**ADMX_ErrorReporting/WerNoSecondLevelData_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically.
+
+If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user.
+
+If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not send additional data*
+- GP name: *WerNoSecondLevelData_1*
+- GP path: *Windows Components\Windows Error Reporting*
+- GP ADMX file name: *ErrorReporting.admx*
+
+
+
+
+
+
+**ADMX_ErrorReporting/WerQueue_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of the Windows Error Reporting report queue.
+
+If you enable this policy setting, you can configure report queue behavior by using the controls in the policy setting. When the Queuing behavior pull-down list is set to Default, Windows determines, when a problem occurs, whether the report should be placed in the reporting queue, or the user should be prompted to send it immediately. When Queuing behavior is set to Always queue, all reports are added to the queue until the user is prompted to send the reports, or until the user sends problem reports by using the Solutions to Problems page in Control Panel.
+
+The Maximum number of reports to queue setting determines how many reports can be queued before older reports are automatically deleted. The setting for Number of days between solution check reminders determines the interval time between the display of system notifications that remind the user to check for solutions to problems. A value of 0 disables the reminder.
+
+If you disable or do not configure this policy setting, Windows Error Reporting reports are not queued, and users can only send reports at the time that a problem occurs.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure Report Queue*
+- GP name: *WerQueue_1*
+- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings*
+- GP ADMX file name: *ErrorReporting.admx*
+
+
+
+
+
+
+**ADMX_ErrorReporting/WerQueue_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of the Windows Error Reporting report queue.
+
+If you enable this policy setting, you can configure report queue behavior by using the controls in the policy setting. When the Queuing behavior pull-down list is set to Default, Windows determines, when a problem occurs, whether the report should be placed in the reporting queue, or the user should be prompted to send it immediately. When Queuing behavior is set to Always queue, all reports are added to the queue until the user is prompted to send the reports, or until the user sends problem reports by using the Solutions to Problems page in Control Panel. If Queuing behavior is set to Always queue for administrator, reports are queued until an administrator is prompted to send them, or until the administrator sends them by using the Solutions to Problems page in Control Panel.
+
+The Maximum number of reports to queue setting determines how many reports can be queued before older reports are automatically deleted. The setting for Number of days between solution check reminders determines the interval time between the display of system notifications that remind the user to check for solutions to problems. A value of 0 disables the reminder.
+
+If you disable or do not configure this policy setting, Windows Error Reporting reports are not queued, and users can only send reports at the time that a problem occurs.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure Report Queue*
+- GP name: *WerQueue_2*
+- GP path: *Windows Components\Windows Error Reporting\Advanced Error Reporting Settings*
+- GP ADMX file name: *ErrorReporting.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md
index e47d548237..449bed0b21 100644
--- a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md
+++ b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md
@@ -78,7 +78,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting controls resource usage for the forwarder (source computer) by controlling the events/per second sent to the Event Collector.
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls resource usage for the forwarder (source computer) by controlling the events/per second sent to the Event Collector.
If you enable this policy setting, you can control the volume of events sent to the Event Collector by the source computer. This may be required in high volume environments.
@@ -151,7 +151,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure the server address, refresh interval, and issuer certificate authority (CA) of a target Subscription Manager.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the server address, refresh interval, and issuer certificate authority (CA) of a target Subscription Manager.
If you enable this policy setting, you can configure the Source Computer to contact a specific FQDN (Fully Qualified Domain Name) or IP Address and request subscription specifics.
@@ -187,14 +187,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-eventlog.md b/windows/client-management/mdm/policy-csp-admx-eventlog.md
new file mode 100644
index 0000000000..ea4b084c38
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-eventlog.md
@@ -0,0 +1,1589 @@
+---
+title: Policy CSP - ADMX_EventLog
+description: Policy CSP - ADMX_EventLog
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 12/01/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_EventLog
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_EventLog policies
+
+
+
+
+
+
+
+
+**ADMX_EventLog/Channel_LogEnabled**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting turns on logging.
+
+If you enable or do not configure this policy setting, then events can be written to this log.
+
+If the policy setting is disabled, then no new events can be logged. Events can always be read from the log, regardless of this policy setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn on logging*
+- GP name: *Channel_LogEnabled*
+- GP path: *Windows Components\Event Log Service\Setup*
+- GP ADMX file name: *EventLog.admx*
+
+
+
+
+
+
+**ADMX_EventLog/Channel_LogFilePath_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators.
+
+If you enable this policy setting, the Event Log uses the path specified in this policy setting.
+
+If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Control the location of the log file*
+- GP name: *Channel_LogFilePath_1*
+- GP path: *Windows Components\Event Log Service\Application*
+- GP ADMX file name: *EventLog.admx*
+
+
+
+
+
+
+**ADMX_EventLog/Channel_LogFilePath_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators.
+
+If you enable this policy setting, the Event Log uses the path specified in this policy setting.
+
+If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Control the location of the log file*
+- GP name: *Channel_LogFilePath_2*
+- GP path: *Windows Components\Event Log Service\Security*
+- GP ADMX file name: *EventLog.admx*
+
+
+
+
+
+
+**ADMX_EventLog/Channel_LogFilePath_3**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators.
+
+If you enable this policy setting, the Event Log uses the path specified in this policy setting.
+
+If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Control the location of the log file*
+- GP name: *Channel_LogFilePath_3*
+- GP path: *Windows Components\Event Log Service\Setup*
+- GP ADMX file name: *EventLog.admx*
+
+
+
+
+
+
+**ADMX_EventLog/Channel_LogFilePath_4**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators.
+
+If you enable this policy setting, the Event Log uses the path specified in this policy setting.
+
+If you disable or do not configure this policy setting, the Event Log uses the folder %SYSTEMROOT%\System32\winevt\Logs.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn on logging*
+- GP name: *Channel_LogFilePath_4*
+- GP path: *Windows Components\Event Log Service\System*
+- GP ADMX file name: *EventLog.admx*
+
+
+
+
+
+
+**ADMX_EventLog/Channel_LogMaxSize_3**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the maximum size of the log file in kilobytes.
+
+If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes), in kilobyte increments.
+
+If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 1 megabyte.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Specify the maximum log file size (KB)*
+- GP name: *Channel_LogMaxSize_3*
+- GP path: *Windows Components\Event Log Service\Setup*
+- GP ADMX file name: *EventLog.admx*
+
+
+
+
+
+
+**ADMX_EventLog/Channel_Log_AutoBackup_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled.
+
+If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started.
+
+If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained.
+
+If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Back up log automatically when full*
+- GP name: *Channel_Log_AutoBackup_1*
+- GP path: *Windows Components\Event Log Service\Application*
+- GP ADMX file name: *EventLog.admx*
+
+
+
+
+
+
+**ADMX_EventLog/Channel_Log_AutoBackup_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled.
+
+If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started.
+
+If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained.
+
+If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Back up log automatically when full*
+- GP name: *Channel_Log_AutoBackup_2*
+- GP path: *Windows Components\Event Log Service\Security*
+- GP ADMX file name: *EventLog.admx*
+
+
+
+
+
+
+**ADMX_EventLog/Channel_Log_AutoBackup_3**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled.
+
+If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started.
+
+If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained.
+
+If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Back up log automatically when full*
+- GP name: *Channel_Log_AutoBackup_3*
+- GP path: *Windows Components\Event Log Service\Setup*
+- GP ADMX file name: *EventLog.admx*
+
+
+
+
+
+
+**ADMX_EventLog/Channel_Log_AutoBackup_4**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events" policy setting is enabled.
+
+If you enable this policy setting and the "Retain old events" policy setting is enabled, the Event Log file is automatically closed and renamed when it is full. A new file is then started.
+
+If you disable this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and old events are retained.
+
+If you do not configure this policy setting and the "Retain old events" policy setting is enabled, new events are discarded and the old events are retained.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Back up log automatically when full*
+- GP name: *Channel_Log_AutoBackup_4*
+- GP path: *Windows Components\Event Log Service\System*
+- GP ADMX file name: *EventLog.admx*
+
+
+
+
+
+
+**ADMX_EventLog/Channel_Log_FileLogAccess_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string.
+
+If you enable this policy setting, only those users matching the security descriptor can access the log.
+
+If you disable or do not configure this policy setting, all authenticated users and system services can write, read, or clear this log.
+
+> [!NOTE]
+> If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure log access*
+- GP name: *Channel_Log_FileLogAccess_1*
+- GP path: *Windows Components\Event Log Service\Application*
+- GP ADMX file name: *EventLog.admx*
+
+
+
+
+
+
+**ADMX_EventLog/Channel_Log_FileLogAccess_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You cannot configure write permissions for this log. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools.
+
+If you enable this policy setting, only those users whose security descriptor matches the configured specified value can access the log.
+
+If you disable or do not configure this policy setting, only system software and administrators can read or clear this log.
+
+> [!NOTE]
+> If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure log access*
+- GP name: *Channel_Log_FileLogAccess_2*
+- GP path: *Windows Components\Event Log Service\Security*
+- GP ADMX file name: *EventLog.admx*
+
+
+
+
+
+
+**ADMX_EventLog/Channel_Log_FileLogAccess_3**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string.
+
+If you enable this policy setting, only those users matching the security descriptor can access the log.
+
+If you disable or do not configure this policy setting, all authenticated users and system services can write, read, or clear this log.
+
+> [!NOTE]
+> If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure log access*
+- GP name: *Channel_Log_FileLogAccess_3*
+- GP path: *Windows Components\Event Log Service\Setup*
+- GP ADMX file name: *EventLog.admx*
+
+
+
+
+
+
+**ADMX_EventLog/Channel_Log_FileLogAccess_4**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools.
+
+If you enable this policy setting, only users whose security descriptor matches the configured value can access the log.
+
+If you disable or do not configure this policy setting, only system software and administrators can write or clear this log, and any authenticated user can read events from it.
+
+> [!NOTE]
+> If you enable this policy setting, some tools and APIs may ignore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure log access*
+- GP name: *Channel_Log_FileLogAccess_4*
+- GP path: *Windows Components\Event Log Service\System*
+- GP ADMX file name: *EventLog.admx*
+
+
+
+
+
+
+**ADMX_EventLog/Channel_Log_FileLogAccess_5**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools.
+
+If you enable this policy setting, only those users matching the security descriptor can access the log.
+
+If you disable this policy setting, all authenticated users and system services can write, read, or clear this log.
+
+If you do not configure this policy setting, the previous policy setting configuration remains in effect.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure log access (legacy)*
+- GP name: *Channel_Log_FileLogAccess_5*
+- GP path: *Windows Components\Event Log Service\Application*
+- GP ADMX file name: *EventLog.admx*
+
+
+
+
+
+
+**ADMX_EventLog/Channel_Log_FileLogAccess_6**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You cannot configure write permissions for this log.
+
+If you enable this policy setting, only those users whose security descriptor matches the configured specified value can access the log.
+
+If you disable this policy setting, only system software and administrators can read or clear this log.
+
+If you do not configure this policy setting, the previous policy setting configuration remains in effect.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure log access (legacy)*
+- GP name: *Channel_Log_FileLogAccess_6*
+- GP path: *Windows Components\Event Log Service\Security*
+- GP ADMX file name: *EventLog.admx*
+
+
+
+
+
+
+**ADMX_EventLog/Channel_Log_FileLogAccess_7**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy tools.
+
+If you enable this policy setting, only those users matching the security descriptor can access the log.
+
+If you disable this policy setting, all authenticated users and system services can write, read, or clear this log.
+
+If you do not configure this policy setting, the previous policy setting configuration remains in effect.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure log access (legacy)*
+- GP name: *Channel_Log_FileLogAccess_7*
+- GP path: *Windows Components\Event Log Service\Setup*
+- GP ADMX file name: *EventLog.admx*
+
+
+
+
+
+
+**ADMX_EventLog/Channel_Log_FileLogAccess_8**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string.
+
+If you enable this policy setting, only users whose security descriptor matches the configured value can access the log.
+
+If you disable this policy setting, only system software and administrators can write or clear this log, and any authenticated user can read events from it.
+
+If you do not configure this policy setting, the previous policy setting configuration remains in effect.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure log access (legacy)*
+- GP name: *Channel_Log_FileLogAccess_8*
+- GP path: *Windows Components\Event Log Service\System*
+- GP ADMX file name: *EventLog.admx*
+
+
+
+
+
+
+**ADMX_EventLog/Channel_Log_Retention_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size.
+
+If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost.
+
+If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events.
+
+Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Control Event Log behavior when the log file reaches its maximum size*
+- GP name: *Channel_Log_Retention_2*
+- GP path: *Windows Components\Event Log Service\Security*
+- GP ADMX file name: *EventLog.admx*
+
+
+
+
+
+
+**ADMX_EventLog/Channel_Log_Retention_3**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size.
+
+If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost.
+
+If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events.
+
+Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Control Event Log behavior when the log file reaches its maximum size*
+- GP name: *Channel_Log_Retention_3*
+- GP path: *Windows Components\Event Log Service\Setup*
+- GP ADMX file name: *EventLog.admx*
+
+
+
+
+
+
+**ADMX_EventLog/Channel_Log_Retention_4**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls Event Log behavior when the log file reaches its maximum size.
+
+If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost.
+
+If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events.
+
+Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Control Event Log behavior when the log file reaches its maximum size*
+- GP name: *Channel_Log_Retention_4*
+- GP path: *Windows Components\Event Log Service\System*
+- GP ADMX file name: *EventLog.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-explorer.md b/windows/client-management/mdm/policy-csp-admx-explorer.md
new file mode 100644
index 0000000000..da74235b97
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-explorer.md
@@ -0,0 +1,400 @@
+---
+title: Policy CSP - ADMX_Explorer
+description: Policy CSP - ADMX_Explorer
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 12/08/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_Explorer
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_Explorer policies
+
+
+
+
+
+
+
+
+**ADMX_Explorer/AdminInfoUrl**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Sets the target of the More Information link that will be displayed when the user attempts to run a program that is blocked by policy.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Set a support web page link*
+- GP name: *AdminInfoUrl*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *Explorer.admx*
+
+
+
+
+
+
+**ADMX_Explorer/AlwaysShowClassicMenu**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures File Explorer to always display the menu bar.
+
+> [!NOTE]
+> By default, the menu bar is not displayed in File Explorer.
+
+If you enable this policy setting, the menu bar will be displayed in File Explorer.
+
+If you disable or do not configure this policy setting, the menu bar will not be displayed in File Explorer.
+
+> [!NOTE]
+> When the menu bar is not displayed, users can access the menu bar by pressing the 'ALT' key.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Display the menu bar in File Explorer*
+- GP name: *AlwaysShowClassicMenu*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *Explorer.admx*
+
+
+
+
+
+
+**ADMX_Explorer/DisableRoamedProfileInit**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows administrators who have configured roaming profile in conjunction with Delete Cached Roaming Profile Group Policy setting to ensure that Explorer will not reinitialize default program associations and other settings to default values.
+
+If you enable this policy setting on a machine that does not contain all programs installed in the same manner as it was on the machine on which the user had last logged on, unexpected behavior could occur.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not reinitialize a pre-existing roamed user profile when it is loaded on a machine for the first time*
+- GP name: *DisableRoamedProfileInit*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *Explorer.admx*
+
+
+
+
+
+
+**ADMX_Explorer/PreventItemCreationInUsersFilesFolder**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows administrators to prevent users from adding new items such as files or folders to the root of their Users Files folder in File Explorer.
+
+If you enable this policy setting, users will no longer be able to add new items such as files or folders to the root of their Users Files folder in File Explorer.
+
+If you disable or do not configure this policy setting, users will be able to add new items such as files or folders to the root of their Users Files folder in File Explorer.
+
+> [!NOTE]
+> Enabling this policy setting does not prevent the user from being able to add new items such as files and folders to their actual file system profile folder at %userprofile%.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prevent users from adding files to the root of their Users Files folder.*
+- GP name: *PreventItemCreationInUsersFilesFolder*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *Explorer.admx*
+
+
+
+
+
+
+**ADMX_Explorer/TurnOffSPIAnimations**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy is similar to settings directly available to computer users. Disabling animations can improve usability for users with some visual disabilities as well as improving performance and battery life in some scenarios.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off common control and window animations*
+- GP name: *TurnOffSPIAnimations*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *Explorer.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-filerecovery.md b/windows/client-management/mdm/policy-csp-admx-filerecovery.md
new file mode 100644
index 0000000000..8a327a33a4
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-filerecovery.md
@@ -0,0 +1,125 @@
+---
+title: Policy CSP - ADMX_FileRecovery
+description: Policy CSP - ADMX_FileRecovery
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 03/02/2021
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_FileRecovery
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_FileRecovery policies
+
+
+
+
+
+
+
+**ADMX_FileRecovery/WdiScenarioExecutionPolicy**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Machine
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S.M.A.R.T. fault.
+
+If you enable this policy setting, Windows displays custom alert text in the disk diagnostic message. The custom text may not exceed 512 characters.
+
+If you disable or do not configure this policy setting, Windows displays the default alert text in the disk diagnostic message.
+
+No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately.
+
+This policy setting only takes effect if the Disk Diagnostic scenario policy setting is enabled or not configured and the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
+
+> [!NOTE]
+> For Windows Server systems, this policy setting applies only if the Desktop Experience optional component is installed and the Remote Desktop Services role is not installed.
+
+> [!NOTE]
+> This policy setting applies to all sites in Trusted zones.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Disk Diagnostic: Configure execution level*
+- GP name: *WdiScenarioExecutionPolicy*
+- GP path: *System\Troubleshooting and Diagnostics\Disk Diagnostic*
+- GP ADMX file name: *FileRecovery.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md
index 37b6b9a826..a1b52fa8fd 100644
--- a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md
+++ b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md
@@ -74,7 +74,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether the RPC protocol messages used by VSS for SMB2 File Shares feature is enabled.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the RPC protocol messages used by VSS for SMB2 File Shares feature is enabled.
VSS for SMB2 File Shares feature enables VSS aware backup applications to perform application consistent backup and restore of VSS aware applications storing data on SMB2 File Shares.
@@ -104,14 +104,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-filesys.md b/windows/client-management/mdm/policy-csp-admx-filesys.md
index fbdc148b37..768b9ea68d 100644
--- a/windows/client-management/mdm/policy-csp-admx-filesys.md
+++ b/windows/client-management/mdm/policy-csp-admx-filesys.md
@@ -93,7 +93,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. Compression can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of compressed files.
+Available in the latest Windows 10 Insider Preview Build. Compression can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of compressed files.
> [!TIP]
@@ -157,7 +157,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. Delete notification is a feature that notifies the underlying storage device of clusters that are freed due to a file delete operation.
+Available in the latest Windows 10 Insider Preview Build. Delete notification is a feature that notifies the underlying storage device of clusters that are freed due to a file delete operation.
A value of 0, the default, will enable delete notifications for all volumes.
@@ -224,7 +224,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. Encryption can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of encrypted files.
+Available in the latest Windows 10 Insider Preview Build. Encryption can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of encrypted files.
> [!TIP]
@@ -287,7 +287,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. Encrypting the page file prevents malicious users from reading data that has been paged to disk, but also adds processing overhead for filesystem operations. Enabling this setting will cause the page files to be encrypted.
+Available in the latest Windows 10 Insider Preview Build. Encrypting the page file prevents malicious users from reading data that has been paged to disk, but also adds processing overhead for filesystem operations. Enabling this setting will cause the page files to be encrypted.
> [!TIP]
@@ -350,7 +350,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. Enabling Win32 long paths will allow manifested win32 applications and Windows Store applications to access paths beyond the normal 260 character limit per node on file systems that support it. Enabling this setting will cause the long paths to be accessible within the process.
+Available in the latest Windows 10 Insider Preview Build. Enabling Win32 long paths will allow manifested win32 applications and Windows Store applications to access paths beyond the normal 260 character limit per node on file systems that support it. Enabling this setting will cause the long paths to be accessible within the process.
> [!TIP]
@@ -413,7 +413,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting provides control over whether or not short names are generated during file creation. Some applications require short names for compatibility, but short names have a negative performance impact on the system.
+Available in the latest Windows 10 Insider Preview Build. This policy setting provides control over whether or not short names are generated during file creation. Some applications require short names for compatibility, but short names have a negative performance impact on the system.
If you enable short names on all volumes then short names will always be generated. If you disable them on all volumes then they will never be generated. If you set short name creation to be configurable on a per volume basis then an on-disk flag will determine whether or not short names are created on a given volume. If you disable short name creation on all data volumes then short names will only be generated for files created on the system volume.
@@ -479,7 +479,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. Symbolic links can introduce vulnerabilities in certain applications. To mitigate this issue, you can selectively enable or disable the evaluation of these types of symbolic links:
+Available in the latest Windows 10 Insider Preview Build. Symbolic links can introduce vulnerabilities in certain applications. To mitigate this issue, you can selectively enable or disable the evaluation of these types of symbolic links:
- Local Link to a Local Target
- Local Link to a Remote Target
@@ -552,7 +552,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. TXF deprecated features included savepoints, secondary RM, miniversion and roll forward. Enable it if you want to use the APIs.
+Available in the latest Windows 10 Insider Preview Build. TXF deprecated features included savepoints, secondary RM, miniversion and roll forward. Enable it if you want to use the APIs.
> [!TIP]
@@ -575,14 +575,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-folderredirection.md b/windows/client-management/mdm/policy-csp-admx-folderredirection.md
index 845c514983..c1b7ee3ab0 100644
--- a/windows/client-management/mdm/policy-csp-admx-folderredirection.md
+++ b/windows/client-management/mdm/policy-csp-admx-folderredirection.md
@@ -91,7 +91,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to control whether all redirected shell folders, such as Contacts, Documents, Desktop, Favorites, Music, Pictures, Videos, Start Menu, and AppData\Roaming, are available offline by default.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether all redirected shell folders, such as Contacts, Documents, Desktop, Favorites, Music, Pictures, Videos, Start Menu, and AppData\Roaming, are available offline by default.
If you enable this policy setting, users must manually select the files they wish to make available offline.
@@ -166,7 +166,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to control whether individual redirected shell folders are available offline by default.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether individual redirected shell folders are available offline by default.
For the folders affected by this setting, users must manually select the files they wish to make available offline.
@@ -240,7 +240,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting controls whether the contents of redirected folders is copied from the old location to the new location or simply renamed in the Offline Files cache when a folder is redirected to a new location.
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the contents of redirected folders is copied from the old location to the new location or simply renamed in the Offline Files cache when a folder is redirected to a new location.
If you enable this policy setting, when the path to a redirected folder is changed from one network location to another and Folder Redirection is configured to move the content to the new location, instead of copying the content to the new location, the cached content is renamed in the local cache and not copied to the new location. To use this policy setting, you must move or restore the server content to the new network location using a method that preserves the state of the files, including their timestamps, before updating the Folder Redirection location.
@@ -309,7 +309,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively.
If you enable this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use localized folder names for these subfolders when redirecting the Start Menu or legacy My Documents folder.
@@ -381,7 +381,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively.
If you enable this policy setting, Windows Vista, Windows 7, Windows 8, and Windows Server 2012 will use localized folder names for these subfolders when redirecting the Start Menu or legacy My Documents folder.
@@ -452,7 +452,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office.
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office.
To designate a user's primary computers, an administrator must use management software or a script to add primary computer attributes to the user's account in Active Directory Domain Services (AD DS). This policy setting also requires the Windows Server 2012 version of the Active Directory schema to function.
@@ -525,7 +525,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office.
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office.
To designate a user's primary computers, an administrator must use management software or a script to add primary computer attributes to the user's account in Active Directory Domain Services (AD DS). This policy setting also requires the Windows Server 2012 version of the Active Directory schema to function.
@@ -557,14 +557,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-globalization.md b/windows/client-management/mdm/policy-csp-admx-globalization.md
new file mode 100644
index 0000000000..4a4c00cd36
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-globalization.md
@@ -0,0 +1,1897 @@
+---
+title: Policy CSP - ADMX_Globalization
+description: Policy CSP - ADMX_Globalization
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 12/14/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_Globalization
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_Globalization policies
+
+
+
+
+
+
+
+
+**ADMX_Globalization/BlockUserInputMethodsForSignIn**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account.
+
+Note this does not affect the availability of user input methods on the lock screen or with the UAC prompt.
+
+If the policy is Enabled, then the user will get input methods enabled for the system account on the sign-in page.
+
+If the policy is Disabled or Not Configured, then the user will be able to use input methods enabled for their user account on the sign-in page.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Disallow copying of user input methods to the system account for sign-in*
+- GP name: *BlockUserInputMethodsForSignIn*
+- GP path: *System\Locale Services*
+- GP ADMX file name: *Globalization.admx*
+
+
+
+
+
+
+**ADMX_Globalization/CustomLocalesNoSelect_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to the set of locales that are installed with the operating system.
+
+This does not affect the selection of replacement locales. To prevent the selection of replacement locales, adjust the permissions of the %windir%\Globalization directory to prevent the installation of locales by unauthorized users.
+
+The policy setting "Restrict user locales" can also be enabled to disallow selection of a custom locale, even if this policy setting is not configured.
+
+If you enable this policy setting, the user cannot select a custom locale as their user locale, but they can still select a replacement locale if one is installed.
+
+If you disable or do not configure this policy setting, the user can select a custom locale as their user locale.
+
+If this policy setting is enabled at the machine level, it cannot be disabled by a per-user policy setting. If this policy setting is disabled at the machine level, the per-user policy setting will be ignored. If this policy setting is not configured at the machine level, restrictions will be based on per-user policy settings.
+
+To set this policy setting on a per-user basis, make sure that you do not configure the per-machine policy setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Disallow selection of Custom Locales*
+- GP name: *CustomLocalesNoSelect_1*
+- GP path: *System\Locale Services*
+- GP ADMX file name: *Globalization.admx*
+
+
+
+
+
+
+**ADMX_Globalization/CustomLocalesNoSelect_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to the set of locales that are installed with the operating system.
+
+This does not affect the selection of replacement locales. To prevent the selection of replacement locales, adjust the permissions of the %windir%\Globalization directory to prevent the installation of locales by unauthorized users.
+
+The policy setting "Restrict user locales" can also be enabled to disallow selection of a custom locale, even if this policy setting is not configured.
+
+If you enable this policy setting, the user cannot select a custom locale as their user locale, but they can still select a replacement locale if one is installed.
+
+If you disable or do not configure this policy setting, the user can select a custom locale as their user locale.
+
+If this policy setting is enabled at the machine level, it cannot be disabled by a per-user policy setting. If this policy setting is disabled at the machine level, the per-user policy setting will be ignored. If this policy setting is not configured at the machine level, restrictions will be based on per-user policy settings.
+
+To set this policy setting on a per-user basis, make sure that you do not configure the per-machine policy setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Disallow selection of Custom Locales*
+- GP name: *CustomLocalesNoSelect_2*
+- GP path: *System\Locale Services*
+- GP ADMX file name: *Globalization.admx*
+
+
+
+
+
+
+**ADMX_Globalization/HideAdminOptions**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Administrative options from the Region settings control panel.
+
+Administrative options include interfaces for setting system locale and copying settings to the default user. This policy setting does not, however, prevent an administrator or another application from changing these values programmatically.
+
+This policy setting is used only to simplify the Regional Options control panel.
+
+If you enable this policy setting, the user cannot see the Administrative options.
+
+If you disable or do not configure this policy setting, the user can see the Administrative options.
+
+> [!NOTE]
+> Even if a user can see the Administrative options, other policies may prevent them from modifying the values.
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hide Regional and Language Options administrative options*
+- GP name: *HideAdminOptions*
+- GP path: *Control Panel\Regional and Language Options*
+- GP ADMX file name: *Globalization.admx*
+
+
+
+
+
+
+**ADMX_Globalization/HideCurrentLocation**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting removes the option to change the user's geographical location (GeoID) from the Region settings control panel.
+
+This policy setting is used only to simplify the Regional Options control panel.
+
+If you enable this policy setting, the user does not see the option to change the GeoID. This does not prevent the user or an application from changing the GeoID programmatically.
+
+If you disable or do not configure this policy setting, the user sees the option for changing the user location (GeoID).
+
+> [!NOTE]
+> Even if a user can see the GeoID option, the "Disallow changing of geographical location" option can prevent them from actually changing their current geographical location.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hide the geographic location option*
+- GP name: *HideCurrentLocation*
+- GP path: *Control Panel\Regional and Language Options*
+- GP ADMX file name: *Globalization.admx*
+
+
+
+
+
+
+**ADMX_Globalization/HideLanguageSelection**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting removes the option to change the user's menus and dialogs (UI) language from the Language and Regional Options control panel.
+
+This policy setting is used only to simplify the Regional Options control panel.
+
+If you enable this policy setting, the user does not see the option for changing the UI language. This does not prevent the user or an application from changing the UI language programmatically. If you disable or do not configure this policy setting, the user sees the option for changing the UI language.
+
+> [!NOTE]
+> Even if a user can see the option to change the UI language, other policy settings can prevent them from changing their UI language.
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hide the select language group options*
+- GP name: *HideLanguageSelection*
+- GP path: *Control Panel\Regional and Language Options*
+- GP ADMX file name: *Globalization.admx*
+
+
+
+
+
+
+**ADMX_Globalization/HideLocaleSelectAndCustomize**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting removes the regional formats interface from the Region settings control panel.
+
+This policy setting is used only to simplify the Regional and Language Options control panel.
+
+If you enable this policy setting, the user does not see the regional formats options. This does not prevent the user or an application from changing their user locale or user overrides programmatically.
+
+If you disable or do not configure this policy setting, the user sees the regional formats options for changing and customizing the user locale.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hide user locale selection and customization options*
+- GP name: *HideLocaleSelectAndCustomize*
+- GP path: *Control Panel\Regional and Language Options*
+- GP ADMX file name: *Globalization.admx*
+
+
+
+
+
+
+**ADMX_Globalization/ImplicitDataCollectionOff_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the automatic learning component of handwriting recognition personalization.
+
+Automatic learning enables the collection and storage of text and ink written by the user in order to help adapt handwriting recognition to the vocabulary and handwriting style of the user. Text that is collected includes all outgoing messages in Windows Mail, and MAPI enabled email clients, as well as URLs from the Internet Explorer browser history. The information that is stored includes word frequency and new words not already known to the handwriting recognition engines (for example, proper names and acronyms). Deleting email content or the browser history does not delete the stored personalization data. Ink entered through Input Panel is collected and stored.
+
+> [!NOTE]
+> Automatic learning of both text and ink might not be available for all languages, even when handwriting personalization is available. See Tablet PC Help for more information.
+
+If you enable this policy setting, automatic learning stops and any stored data is deleted. Users cannot configure this setting in Control Panel.
+
+If you disable this policy setting, automatic learning is turned on. Users cannot configure this policy setting in Control Panel. Collected data is only used for handwriting recognition, if handwriting personalization is turned on.
+
+If you do not configure this policy, users can choose to enable or disable automatic learning either from the Handwriting tab in the Tablet Settings in Control Panel or from the opt-in dialog.
+
+This policy setting is related to the "Turn off handwriting personalization" policy setting.
+
+> [!NOTE]
+> The amount of stored ink is limited to 50 MB and the amount of text information to approximately 5 MB. When these limits are reached and new data is collected, old data is deleted to make room for more recent data.
+>
+> Handwriting personalization works only for Microsoft handwriting recognizers, and not with third-party recognizers.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off automatic learning*
+- GP name: *ImplicitDataCollectionOff_1*
+- GP path: *Control Panel\Regional and Language Options\Handwriting personalization*
+- GP ADMX file name: *Globalization.admx*
+
+
+
+
+
+
+**ADMX_Globalization/ImplicitDataCollectionOff_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the automatic learning component of handwriting recognition personalization.
+
+Automatic learning enables the collection and storage of text and ink written by the user in order to help adapt handwriting recognition to the vocabulary and handwriting style of the user. Text that is collected includes all outgoing messages in Windows Mail, and MAPI enabled email clients, as well as URLs from the Internet Explorer browser history. The information that is stored includes word frequency and new words not already known to the handwriting recognition engines (for example, proper names and acronyms). Deleting email content or the browser history does not delete the stored personalization data. Ink entered through Input Panel is collected and stored.
+
+> [!NOTE]
+> Automatic learning of both text and ink might not be available for all languages, even when handwriting personalization is available. See Tablet PC Help for more information.
+
+If you enable this policy setting, automatic learning stops and any stored data is deleted. Users cannot configure this setting in Control Panel.
+
+If you disable this policy setting, automatic learning is turned on. Users cannot configure this policy setting in Control Panel. Collected data is only used for handwriting recognition, if handwriting personalization is turned on.
+
+If you do not configure this policy, users can choose to enable or disable automatic learning either from the Handwriting tab in the Tablet Settings in Control Panel or from the opt-in dialog.
+
+This policy setting is related to the "Turn off handwriting personalization" policy setting.
+
+> [!NOTE]
+> The amount of stored ink is limited to 50 MB and the amount of text information to approximately 5 MB. When these limits are reached and new data is collected, old data is deleted to make room for more recent data.
+>
+> Handwriting personalization works only for Microsoft handwriting recognizers, and not with third-party recognizers.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off automatic learning*
+- GP name: *ImplicitDataCollectionOff_2*
+- GP path: *Control Panel\Regional and Language Options\Handwriting personalization*
+- GP ADMX file name: *Globalization.admx*
+
+
+
+
+
+
+**ADMX_Globalization/LocaleSystemRestrict**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting restricts the permitted system locales to the specified list. If the list is empty, it locks the system locale to its current value. This policy setting does not change the existing system locale; however, the next time that an administrator attempts to change the computer's system locale, they will be restricted to the specified list.
+
+The locale list is specified using language names, separated by a semicolon (;). For example, en-US is English (United States). Specifying "en-US;en-CA" would restrict the system locale to English (United States) and English (Canada).
+
+If you enable this policy setting, administrators can select a system locale only from the specified system locale list.
+
+If you disable or do not configure this policy setting, administrators can select any system locale shipped with the operating system.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Restrict system locales*
+- GP name: *LocaleSystemRestrict*
+- GP path: *System\Locale Services*
+- GP ADMX file name: *Globalization.admx*
+
+
+
+
+
+
+**ADMX_Globalization/LocaleUserRestrict_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting restricts users on a computer to the specified list of user locales. If the list is empty, it locks all user locales to their current values. This policy setting does not change existing user locale settings; however, the next time a user attempts to change their user locale, their choices will be restricted to locales in this list.
+
+To set this policy setting on a per-user basis, make sure that you do not configure the per-computer policy setting.
+
+The locale list is specified using language tags, separated by a semicolon (;). For example, en-US is English (United States). Specifying "en-CA;fr-CA" would restrict the user locale to English (Canada) and French (Canada).
+
+If you enable this policy setting, only locales in the specified locale list can be selected by users.
+
+If you disable or do not configure this policy setting, users can select any locale installed on the computer, unless restricted by the "Disallow selection of Custom Locales" policy setting. If this policy setting is enabled at the computer level, it cannot be disabled by a per-user policy. If this policy setting is disabled at the computer level, the per-user policy is ignored. If this policy setting is not configured at the computer level, restrictions are based on per-user policies.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Restrict user locales*
+- GP name: *LocaleUserRestrict_1*
+- GP path: *System\Locale Services*
+- GP ADMX file name: *Globalization.admx*
+
+
+
+
+
+
+**ADMX_Globalization/LocaleUserRestrict_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting restricts users on a computer to the specified list of user locales. If the list is empty, it locks all user locales to their current values. This policy setting does not change existing user locale settings; however, the next time a user attempts to change their user locale, their choices will be restricted to locales in this list.
+
+To set this policy setting on a per-user basis, make sure that you do not configure the per-computer policy setting.
+
+The locale list is specified using language tags, separated by a semicolon (;). For example, en-US is English (United States). Specifying "en-CA;fr-CA" would restrict the user locale to English (Canada) and French (Canada).
+
+If you enable this policy setting, only locales in the specified locale list can be selected by users.
+
+If you disable or do not configure this policy setting, users can select any locale installed on the computer, unless restricted by the "Disallow selection of Custom Locales" policy setting.
+
+If this policy setting is enabled at the computer level, it cannot be disabled by a per-user policy. If this policy setting is disabled at the computer level, the per-user policy is ignored. If this policy setting is not configured at the computer level, restrictions are based on per-user policies.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Restrict user locales*
+- GP name: *LocaleUserRestrict_2*
+- GP path: *System\Locale Services*
+- GP ADMX file name: *Globalization.admx*
+
+
+
+
+
+
+**ADMX_Globalization/LockMachineUILanguage**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting restricts the Windows UI language for all users.
+
+This is a policy setting for computers with more than one UI language installed.
+
+If you enable this policy setting, the UI language of Windows menus and dialogs for systems with more than one language will follow the language specified by the administrator as the system UI languages. The UI language selected by the user will be ignored if it is different than any of the system UI languages.
+
+If you disable or do not configure this policy setting, the user can specify which UI language is used.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Restricts the UI language Windows uses for all logged users*
+- GP name: *LockMachineUILanguage*
+- GP path: *Control Panel\Regional and Language Options*
+- GP ADMX file name: *Globalization.admx*
+
+
+
+
+
+
+**ADMX_Globalization/LockUserUILanguage**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting restricts the Windows UI language for specific users.
+
+This policy setting applies to computers with more than one UI language installed.
+
+If you enable this policy setting, the UI language of Windows menus and dialogs for systems with more than one language is restricted to a specified language for the selected user. If the specified language is not installed on the target computer or you disable this policy setting, the language selection defaults to the language selected by the user.
+
+If you disable or do not configure this policy setting, there is no restriction on which language users should use.
+
+To enable this policy setting in Windows Server 2003, Windows XP, or Windows 2000, to use the "Restrict selection of Windows menus and dialogs language" policy setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Restricts the UI languages Windows should use for the selected user*
+- GP name: *LockUserUILanguage*
+- GP path: *Control Panel\Regional and Language Options*
+- GP ADMX file name: *Globalization.admx*
+
+
+
+
+
+
+**ADMX_Globalization/PreventGeoIdChange_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from changing their user geographical location (GeoID).
+
+If you enable this policy setting, users cannot change their GeoID.
+
+If you disable or do not configure this policy setting, users may select any GeoID.
+
+If you enable this policy setting at the computer level, it cannot be disabled by a per-user policy setting. If you disable this policy setting at the computer level, the per-user policy is ignored. If you do not configure this policy setting at the computer level, restrictions are based on per-user policy settings.
+
+To set this policy setting on a per-user basis, make sure that the per-computer policy setting is not configured.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Disallow changing of geographic location*
+- GP name: *PreventGeoIdChange_1*
+- GP path: *System\Locale Services*
+- GP ADMX file name: *Globalization.admx*
+
+
+
+
+
+
+**ADMX_Globalization/PreventGeoIdChange_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from changing their user geographical location (GeoID).
+
+If you enable this policy setting, users cannot change their GeoID.
+
+If you disable or do not configure this policy setting, users may select any GeoID.
+
+If you enable this policy setting at the computer level, it cannot be disabled by a per-user policy setting. If you disable this policy setting at the computer level, the per-user policy is ignored. If you do not configure this policy setting at the computer level, restrictions are based on per-user policy settings.
+
+To set this policy setting on a per-user basis, make sure that the per-computer policy setting is not configured.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Disallow changing of geographic location*
+- GP name: *PreventGeoIdChange_2*
+- GP path: *System\Locale Services*
+- GP ADMX file name: *Globalization.admx*
+
+
+
+
+
+
+**ADMX_Globalization/PreventUserOverrides_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the user from customizing their locale by changing their user overrides.
+
+Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy.
+
+When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they will be unable to customize those choices.
+
+The user cannot customize their user locale with user overrides.
+
+If this policy setting is disabled or not configured, then the user can customize their user locale overrides.
+
+If this policy is set to Enabled at the computer level, then it cannot be disabled by a per-User policy. If this policy is set to Disabled at the computer level, then the per-User policy will be ignored. If this policy is set to Not Configured at the computer level, then restrictions will be based on per-User policies.
+
+To set this policy on a per-user basis, make sure that the per-computer policy is set to Not Configured.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Disallow user override of locale settings*
+- GP name: *PreventUserOverrides_1*
+- GP path: *System\Locale Services*
+- GP ADMX file name: *Globalization.admx*
+
+
+
+
+
+
+**ADMX_Globalization/PreventUserOverrides_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the user from customizing their locale by changing their user overrides.
+
+Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy.
+
+When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they will be unable to customize those choices.
+
+The user cannot customize their user locale with user overrides.
+
+If this policy setting is disabled or not configured, then the user can customize their user locale overrides.
+
+If this policy is set to Enabled at the computer level, then it cannot be disabled by a per-User policy. If this policy is set to Disabled at the computer level, then the per-User policy will be ignored. If this policy is set to Not Configured at the computer level, then restrictions will be based on per-User policies.
+
+To set this policy on a per-user basis, make sure that the per-computer policy is set to Not Configured.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Disallow user override of locale settings*
+- GP name: *PreventUserOverrides_2*
+- GP path: *System\Locale Services*
+- GP ADMX file name: *Globalization.admx*
+
+
+
+
+
+
+**ADMX_Globalization/RestrictUILangSelect**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting restricts users to the specified language by disabling the menus and dialog box controls in the Region settings control panel. If the specified language is not installed on the target computer, the language selection defaults to English.
+
+If you enable this policy setting, the dialog box controls in the Regional and Language Options control panel are not accessible to the logged on user. This prevents users from specifying a language different than the one used.
+
+To enable this policy setting in Windows Vista, use the "Restricts the UI languages Windows should use for the selected user" policy setting.
+
+If you disable or do not configure this policy setting, the logged-on user can access the dialog box controls in the Regional and Language Options control panel to select any available UI language.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Restrict selection of Windows menus and dialogs language*
+- GP name: *RestrictUILangSelect*
+- GP path: *Control Panel\Regional and Language Options*
+- GP ADMX file name: *Globalization.admx*
+
+
+
+
+
+
+**ADMX_Globalization/TurnOffAutocorrectMisspelledWords**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy turns off the autocorrect misspelled words option. This does not, however, prevent the user or an application from changing the setting programmatically.
+
+The autocorrect misspelled words option controls whether or not errors in typed text will be automatically corrected.
+
+If the policy is Enabled, then the option will be locked to not autocorrect misspelled words.
+
+If the policy is Disabled or Not Configured, then the user will be free to change the setting according to their preference.
+
+Note that the availability and function of this setting is dependent on supported languages being enabled.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off autocorrect misspelled words*
+- GP name: *TurnOffAutocorrectMisspelledWords*
+- GP path: *Control Panel\Regional and Language Options*
+- GP ADMX file name: *Globalization.admx*
+
+
+
+
+
+
+**ADMX_Globalization/TurnOffHighlightMisspelledWords**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy turns off the highlight misspelled words option. This does not, however, prevent the user or an application from changing the setting programmatically.
+
+The highlight misspelled words option controls whether or next spelling errors in typed text will be highlighted.
+
+If the policy is Enabled, then the option will be locked to not highlight misspelled words.
+
+If the policy is Disabled or Not Configured, then the user will be free to change the setting according to their preference.
+
+Note that the availability and function of this setting is dependent on supported languages being enabled.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off highlight misspelled words*
+- GP name: *TurnOffHighlightMisspelledWords*
+- GP path: *Control Panel\Regional and Language Options*
+- GP ADMX file name: *Globalization.admx*
+
+
+
+
+
+
+**ADMX_Globalization/TurnOffInsertSpace**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy turns off the insert a space after selecting a text prediction option. This does not, however, prevent the user or an application from changing the setting programmatically.
+
+The insert a space after selecting a text prediction option controls whether or not a space will be inserted after the user selects a text prediction candidate when using the on-screen keyboard.
+
+If the policy is Enabled, then the option will be locked to not insert a space after selecting a text prediction.
+
+If the policy is Disabled or Not Configured, then the user will be free to change the setting according to their preference.
+
+Note that the availability and function of this setting is dependent on supported languages being enabled.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off insert a space after selecting a text prediction*
+- GP name: *TurnOffInsertSpace*
+- GP path: *Control Panel\Regional and Language Options*
+- GP ADMX file name: *Globalization.admx*
+
+
+
+
+
+
+**ADMX_Globalization/TurnOffOfferTextPredictions**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy turns off the offer text predictions as I type option. This does not, however, prevent the user or an application from changing the setting programmatically.
+
+The offer text predictions as I type option controls whether or not text prediction suggestions will be presented to the user on the on-screen keyboard.
+
+If the policy is Enabled, then the option will be locked to not offer text predictions.
+
+If the policy is Disabled or Not Configured, then the user will be free to change the setting according to their preference.
+
+Note that the availability and function of this setting is dependent on supported languages being enabled.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off offer text predictions as I type*
+- GP name: *TurnOffOfferTextPredictions*
+- GP path: *Control Panel\Regional and Language Options*
+- GP ADMX file name: *Globalization.admx*
+
+
+
+
+
+
+**ADMX_Globalization/Y2K**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines how programs interpret two-digit years.
+
+This policy setting affects only the programs that use this Windows feature to interpret two-digit years. If a program does not interpret two-digit years correctly, consult the documentation or manufacturer of the program.
+
+If you enable this policy setting, the system specifies the largest two-digit year interpreted as being preceded by 20. All numbers less than or equal to the specified value are interpreted as being preceded by 20. All numbers greater than the specified value are interpreted as being preceded by 19.
+
+For example, the default value, 2029, specifies that all two-digit years less than or equal to 29 (00 to 29) are interpreted as being preceded by 20, that is 2000 to 2029. Conversely, all two-digit years greater than 29 (30 to 99) are interpreted as being preceded by 19, that is, 1930 to 1999.
+
+If you disable or do not configure this policy setting, Windows does not interpret two-digit year formats using this scheme for the program.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Century interpretation for Year 2000*
+- GP name: *Y2K*
+- GP path: *System*
+- GP ADMX file name: *Globalization.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-grouppolicy.md b/windows/client-management/mdm/policy-csp-admx-grouppolicy.md
new file mode 100644
index 0000000000..1b089bd628
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-grouppolicy.md
@@ -0,0 +1,3411 @@
+---
+title: Policy CSP - ADMX_GroupPolicy
+description: Policy CSP - ADMX_GroupPolicy
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 12/21/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_GroupPolicy
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_GroupPolicy policies
+
+
+
+
+
+
+
+
+**ADMX_GroupPolicy/AllowX-ForestPolicy-and-RUP**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows user-based policy processing, roaming user profiles, and user object logon scripts for interactive logons across forests.
+
+This policy setting affects all user accounts that interactively log on to a computer in a different forest when a trust across forests or a two-way forest trust exists.
+
+If you do not configure this policy setting:
+
+- No user-based policy settings are applied from the user's forest.
+- Users do not receive their roaming profiles; they receive a local profile on the computer from the local forest. A warning message appears to the user, and an event log message (1529) is posted.
+- Loopback Group Policy processing is applied, using the Group Policy Objects (GPOs) that are scoped to the computer.
+- An event log message (1109) is posted, stating that loopback was invoked in Replace mode.
+
+If you enable this policy setting, the behavior is exactly the same as in Windows 2000: user policy is applied, and a roaming user profile is allowed from the trusted forest.
+
+If you disable this policy setting, the behavior is the same as if it is not configured.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow cross-forest user policy and roaming user profiles*
+- GP name: *AllowX-ForestPolicy-and-RUP*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/CSE_AppMgmt**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines when software installation policies are updated.
+
+This policy setting affects all policy settings that use the software installation component of Group Policy, such as policy settings in Software Settings\Software Installation. You can set software installation policy only for Group Policy Objects stored in Active Directory, not for Group Policy Objects on the local computer.
+
+This policy setting overrides customized settings that the program implementing the software installation policy set when it was installed.
+
+If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system.
+
+The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays.
+
+The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy setting implementations specify that they are updated only when changed. However, you might want to update unchanged policy settings, such as reapplying a desired policies in case a user has changed it.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure software Installation policy processing*
+- GP name: *CSE_AppMgmt*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/CSE_DiskQuota**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines when disk quota policies are updated.
+
+This policy setting affects all policies that use the disk quota component of Group Policy, such as those in Computer Configuration\Administrative Templates\System\Disk Quotas.
+
+This policy setting overrides customized settings that the program implementing the disk quota policy set when it was installed.
+
+If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system.
+
+The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays.
+
+The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart.
+
+The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure disk quota policy processing*
+- GP name: *CSE_DiskQuota*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/CSE_EFSRecovery**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines when encryption policies are updated.
+
+This policy setting affects all policies that use the encryption component of Group Policy, such as policies related to encryption in Windows Settings\Security Settings.
+
+It overrides customized settings that the program implementing the encryption policy set when it was installed.
+
+If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system.
+
+The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays.
+
+The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart.
+
+The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure EFS recovery policy processing*
+- GP name: *CSE_EFSRecovery*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/CSE_FolderRedirection**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines when folder redirection policies are updated.
+
+This policy setting affects all policies that use the folder redirection component of Group Policy, such as those in WindowsSettings\Folder Redirection. You can only set folder redirection policy for Group Policy objects, stored in Active Directory, not for Group Policy objects on the local computer.
+
+This policy setting overrides customized settings that the program implementing the folder redirection policy setting set when it was installed.
+
+If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system.
+
+The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays.
+
+The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure folder redirection policy processing*
+- GP name: *CSE_FolderRedirection*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/CSE_IEM**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines when Internet Explorer Maintenance policies are updated.
+
+This policy setting affects all policies that use the Internet Explorer Maintenance component of Group Policy, such as those in Windows Settings\Internet Explorer Maintenance.
+
+This policy setting overrides customized settings that the program implementing the Internet Explorer Maintenance policy set when it was installed.
+
+If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system.
+
+The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays.
+
+The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart.
+
+The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure Internet Explorer Maintenance policy processing*
+- GP name: *CSE_IEM*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/CSE_IPSecurity**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines when IP security policies are updated.
+
+This policy setting affects all policies that use the IP security component of Group Policy, such as policies in Computer Configuration\Windows Settings\Security Settings\IP Security Policies on Local Machine.
+
+This policy setting overrides customized settings that the program implementing the IP security policy set when it was installed.
+
+If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system.
+
+The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays.
+
+The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart.
+
+The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure IP security policy processing*
+- GP name: *CSE_IPSecurity*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/CSE_Registry**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines when registry policies are updated.
+
+This policy setting affects all policies in the Administrative Templates folder and any other policies that store values in the registry. It overrides customized settings that the program implementing a registry policy set when it was installed.
+
+If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system.
+
+The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart.
+
+The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure registry policy processing*
+- GP name: *CSE_Registry*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/CSE_Scripts**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines when policies that assign shared scripts are updated.
+
+This policy setting affects all policies that use the scripts component of Group Policy, such as those in WindowsSettings\Scripts. It overrides customized settings that the program implementing the scripts policy set when it was installed.
+
+If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this setting, it has no effect on the system.
+
+The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays.
+
+The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart.
+
+The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure scripts policy processing*
+- GP name: *CSE_Scripts*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/CSE_Security**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines when security policies are updated.
+
+This policy setting affects all policies that use the security component of Group Policy, such as those in Windows Settings\Security Settings.
+
+This policy setting overrides customized settings that the program implementing the security policy set when it was installed.
+
+If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system.
+
+The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart.
+
+The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they be updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure security policy processing*
+- GP name: *CSE_Security*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/CSE_Wired**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines when policies that assign wired network settings are updated.
+
+This policy setting affects all policies that use the wired network component of Group Policy, such as those in Windows Settings\Wired Network Policies.
+
+It overrides customized settings that the program implementing the wired network set when it was installed.
+
+If you enable this policy, you can use the check boxes provided to change the options.
+
+If you disable this setting or do not configure it, it has no effect on the system.
+
+The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays.
+
+The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart.
+
+The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure wired policy processing*
+- GP name: *CSE_Wired*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/CSE_Wireless**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines when policies that assign wireless network settings are updated.
+
+This policy setting affects all policies that use the wireless network component of Group Policy, such as those in WindowsSettings\Wireless Network Policies.
+
+It overrides customized settings that the program implementing the wireless network set when it was installed.
+
+If you enable this policy, you can use the check boxes provided to change the options.
+
+If you disable this setting or do not configure it, it has no effect on the system.
+
+The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays.
+
+The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart.
+
+The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure wireless policy processing*
+- GP name: *CSE_Wireless*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/CorpConnSyncWaitTime**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies how long Group Policy should wait for workplace connectivity notifications during startup policy processing. If the startup policy processing is synchronous, the computer is blocked until workplace connectivity is available or the wait time is reached. If the startup policy processing is asynchronous, the computer is not blocked and policy processing will occur in the background. In either case, configuring this policy setting overrides any system-computed wait times.
+
+If you enable this policy setting, Group Policy uses this administratively configured maximum wait time for workplace connectivity, and overrides any default or system-computed wait time.
+
+If you disable or do not configure this policy setting, Group Policy will use the default wait time of 60 seconds on computers running Windows operating systems greater than Windows 7 configured for workplace connectivity.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Specify workplace connectivity wait time for policy processing*
+- GP name: *CorpConnSyncWaitTime*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/DenyRsopToInteractiveUser_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability of users to view their Resultant Set of Policy (RSoP) data.
+
+By default, interactively logged on users can view their own Resultant Set of Policy (RSoP) data.
+
+If you enable this policy setting, interactive users cannot generate RSoP data.
+
+If you disable or do not configure this policy setting, interactive users can generate RSoP.
+
+> [!NOTE]
+> This policy setting does not affect administrators. If you enable or disable this policy setting, by default administrators can view RSoP data.
+>
+> To view RSoP data on a client computer, use the RSoP snap-in for the Microsoft Management Console. You can launch the RSoP snap-in from the command line by typing RSOP.msc.
+>
+> This policy setting exists as both a User Configuration and Computer Configuration setting. Also, see the "Turn off Resultant set of Policy logging" policy setting in Computer Configuration\Administrative Templates\System\GroupPolicy.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Determine if interactive users can generate Resultant Set of Policy data*
+- GP name: *DenyRsopToInteractiveUser_1*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/DenyRsopToInteractiveUser_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability of users to view their Resultant Set of Policy (RSoP) data.
+
+By default, interactively logged on users can view their own Resultant Set of Policy (RSoP) data.
+
+If you enable this policy setting, interactive users cannot generate RSoP data.
+
+If you disable or do not configure this policy setting, interactive users can generate RSoP
+
+> [!NOTE]
+> This policy setting does not affect administrators. If you enable or disable this policy setting, by default administrators can view RSoP data.
+>
+> To view RSoP data on a client computer, use the RSoP snap-in for the Microsoft Management Console. You can launch the RSoP snap-in from the command line by typing RSOP.msc.
+>
+> This policy setting exists as both a User Configuration and Computer Configuration setting. Also, see the "Turn off Resultant set of Policy logging" policy setting in Computer Configuration\Administrative Templates\System\GroupPolicy.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Determine if interactive users can generate Resultant Set of Policy data*
+- GP name: *DenyRsopToInteractiveUser_2*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/DisableAOACProcessing**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the Group Policy Client Service from stopping when idle.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Group Policy Client Service AOAC optimization*
+- GP name: *DisableAOACProcessing*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/DisableAutoADMUpdate**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Prevents the system from updating the Administrative Templates source files automatically when you open the Group Policy Object Editor.
+
+Administrators might want to use this if they are concerned about the amount of space used on the system volume of a DC.
+
+By default, when you start the Group Policy Object Editor, a timestamp comparison is performed on the source files in the local %SYSTEMROOT%\inf directory and the source files stored in the GPO.
+
+If the local files are newer, they are copied into the GPO.
+
+Changing the status of this setting to Enabled will keep any source files from copying to the GPO.
+
+Changing the status of this setting to Disabled will enforce the default behavior.
+
+Files will always be copied to the GPO if they have a later timestamp.
+
+> [!NOTE]
+> If the Computer Configuration policy setting, "Always use local ADM files for the Group Policy Object Editor" is enabled, the state of this setting is ignored and always treated as Enabled.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off automatic update of ADM files*
+- GP name: *DisableAutoADMUpdate*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/DisableBackgroundPolicy**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users, and domain controllers.
+
+If you enable this policy setting, the system waits until the current user logs off the system before updating the computer and user settings.
+
+If you disable or do not configure this policy setting, updates can be applied while users are working. The frequency of updates is determined by the "Set Group Policy refresh interval for computers" and "Set Group Policy refresh interval for users" policy settings.
+
+> [!NOTE]
+> If you make changes to this policy setting, you must restart your computer for it to take effect.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off background refresh of Group Policy*
+- GP name: *DisableBackgroundPolicy*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/DisableLGPOProcessing**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting prevents Local Group Policy Objects (Local GPOs) from being applied.
+
+By default, the policy settings in Local GPOs are applied before any domain-based GPO policy settings. These policy settings can apply to both users and the local computer. You can disable the processing and application of all Local GPOs to ensure that only domain-based GPOs are applied.
+
+If you enable this policy setting, the system does not process and apply any Local GPOs.
+
+If you disable or do not configure this policy setting, Local GPOs continue to be applied.
+
+> [!NOTE]
+> For computers joined to a domain, it is strongly recommended that you only configure this policy setting in domain-based GPOs. This policy setting will be ignored on computers that are joined to a workgroup.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Local Group Policy Objects processing*
+- GP name: *DisableLGPOProcessing*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/DisableUsersFromMachGP**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control a user's ability to invoke a computer policy refresh.
+
+If you enable this policy setting, users are not able to invoke a refresh of computer policy. Computer policy will still be applied at startup or when an official policy refresh occurs.
+
+If you disable or do not configure this policy setting, the default behavior applies. By default, computer policy is applied when the computer starts up. It also applies at a specified refresh interval or when manually invoked by the user.
+
+Note: This policy setting applies only to non-administrators. Administrators can still invoke a refresh of computer policy at any time, no matter how this policy setting is configured.
+
+Also, see the "Set Group Policy refresh interval for computers" policy setting to change the policy refresh interval.
+
+> [!NOTE]
+> If you make changes to this policy setting, you must restart your computer for it to take effect.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove users' ability to invoke machine policy refresh*
+- GP name: *DisableUsersFromMachGP*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/EnableCDP**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the Windows device is allowed to participate in cross-device experiences (continue experiences).
+
+If you enable this policy setting, the Windows device is discoverable by other Windows devices that belong to the same user, and can participate in cross-device experiences.
+
+If you disable this policy setting, the Windows device is not discoverable by other devices, and cannot participate in cross-device experiences.
+
+If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Continue experiences on this device*
+- GP name: *EnableCDP*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/EnableLogonOptimization**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure Group Policy caching behavior.
+
+If you enable or do not configure this policy setting, Group Policy caches policy information after every background processing session. This cache saves applicable GPOs and the settings contained within them. When Group Policy runs in synchronous foreground mode, it refers to this cache, which enables it to run faster. When the cache is read, Group Policy attempts to contact a logon domain controller to determine the link speed. When Group Policy runs in background mode or asynchronous foreground mode, it continues to download the latest version of the policy information, and it uses a bandwidth estimate to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.)
+
+The slow link value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before reporting the link speed as slow. The default is 500 milliseconds.
+
+The timeout value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before determining that there is no network connectivity. This stops the current Group Policy processing. Group Policy will run in the background the next time a connection to a domain controller is established. Setting this value too high might result in longer waits for the user at boot or logon. The default is 5000 milliseconds.
+
+If you disable this policy setting, the Group Policy client will not cache applicable GPOs or settings that are contained within the GPOs. When Group Policy runs synchronously, it downloads the latest version of the policy from the network and uses bandwidth estimates to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.)
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure Group Policy Caching*
+- GP name: *EnableLogonOptimization*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/EnableLogonOptimizationOnServerSKU**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure Group Policy caching behavior on Windows Server machines.
+
+If you enable this policy setting, Group Policy caches policy information after every background processing session. This cache saves applicable GPOs and the settings contained within them. When Group Policy runs in synchronous foreground mode, it refers to this cache, which enables it to run faster. When the cache is read, Group Policy attempts to contact a logon domain controller to determine the link speed. When Group Policy runs in background mode or asynchronous foreground mode, it continues to download the latest version of the policy information, and it uses a bandwidth estimate to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.)
+
+The slow link value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before reporting the link speed as slow. The default is 500 milliseconds.
+
+The timeout value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before determining that there is no network connectivity. This stops the current Group Policy processing. Group Policy will run in the background the next time a connection to a domain controller is established. Setting this value too high might result in longer waits for the user at boot or logon. The default is 5000 milliseconds.
+
+If you disable or do not configure this policy setting, the Group Policy client will not cache applicable GPOs or settings that are contained within the GPOs. When Group Policy runs synchronously, it downloads the latest version of the policy from the network and uses bandwidth estimates to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.)
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Enable Group Policy Caching for Servers*
+- GP name: *EnableLogonOptimizationOnServerSKU*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/EnableMMX**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy allows IT admins to turn off the ability to Link a Phone with a PC to continue reading, emailing and other tasks that requires linking between Phone and PC.
+
+If you enable this policy setting, the Windows device will be able to enroll in Phone-PC linking functionality and participate in Continue on PC experiences.
+
+If you disable this policy setting, the Windows device is not allowed to be linked to Phones, will remove itself from the device list of any linked Phones, and cannot participate in Continue on PC experiences.
+
+If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Phone-PC linking on this device*
+- GP name: *EnableMMX*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/EnforcePoliciesOnly**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting prevents administrators from viewing or using Group Policy preferences.
+
+A Group Policy administration (.adm) file can contain both true settings and preferences. True settings, which are fully supported by Group Policy, must use registry entries in the Software\Policies or Software\Microsoft\Windows\CurrentVersion\Policies registry subkeys. Preferences, which are not fully supported, use registry entries in other subkeys.
+
+If you enable this policy setting, the "Show Policies Only" command is turned on, and administrators cannot turn it off. As a result, Group Policy Object Editor displays only true settings; preferences do not appear.
+
+If you disable or do not configure this policy setting, the "Show Policies Only" command is turned on by default, but administrators can view preferences by turning off the "Show Policies Only" command.
+
+> [!NOTE]
+> To find the "Show Policies Only" command, in Group Policy Object Editor, click the Administrative Templates folder (either one), right-click the same folder, and then point to "View."
+
+In Group Policy Object Editor, preferences have a red icon to distinguish them from true settings, which have a blue icon.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Enforce Show Policies Only*
+- GP name: *EnforcePoliciesOnly*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/FontMitigation**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This security feature provides a global setting to prevent programs from loading untrusted fonts. Untrusted fonts are any font installed outside of the %windir%\Fonts directory.
+
+This feature can be configured to be in 3 modes: On, Off, and Audit. By default, it is Off and no fonts are blocked. If you aren't quite ready to deploy this feature into your organization, you can run it in Audit mode to see if blocking untrusted fonts causes any usability or compatibility issues.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Untrusted Font Blocking*
+- GP name: *DisableUsersFromMachGP*
+- GP path: *System\Mitigation Options*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/GPDCOptions**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines which domain controller the Group Policy Object Editor snap-in uses.
+
+If you enable this setting, you can which domain controller is used according to these options:
+
+"Use the Primary Domain Controller" indicates that the Group Policy Object Editor snap-in reads and writes changes to the domain controller designated as the PDC Operations Master for the domain.
+
+"Inherit from Active Directory Snap-ins" indicates that the Group Policy Object Editor snap-in reads and writes changes to the domain controller that Active Directory Users and Computers or Active Directory Sites and Services snap-ins use.
+
+"Use any available domain controller" indicates that the Group Policy Object Editor snap-in can read and write changes to any available domain controller.
+
+If you disable this setting or do not configure it, the Group Policy Object Editor snap-in uses the domain controller designated as the PDC Operations Master for the domain.
+
+> [!NOTE]
+> To change the PDC Operations Master for a domain, in Active Directory Users and Computers, right-click a domain, and then click "Operations Masters."
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure Group Policy domain controller selection*
+- GP name: *GPDCOptions*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/GPTransferRate_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting defines a slow connection for purposes of applying and updating Group Policy.
+
+If the rate at which data is transferred from the domain controller providing a policy update to the computers in this group is slower than the rate specified by this setting, the system considers the connection to be slow.
+
+The system's response to a slow policy connection varies among policies. The program implementing the policy can specify the response to a slow link. Also, the policy processing settings in this folder lets you override the programs' specified responses to slow links.
+
+If you enable this setting, you can, in the "Connection speed" box, type a decimal number between 0 and 4,294,967,200, indicating a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. If you type 0, all connections are considered to be fast.
+
+If you disable this setting or do not configure it, the system uses the default value of 500 kilobits per second.
+
+This setting appears in the Computer Configuration and User Configuration folders. The setting in Computer Configuration defines a slow link for policies in the Computer Configuration folder. The setting in User Configuration defines a slow link for settings in the User Configuration folder.
+
+Also, see the "Do not detect slow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile. Note: If the profile server has IP connectivity, the connection speed setting is used. If the profile server does not have IP connectivity, the SMB timing is used.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure Group Policy slow link detection*
+- GP name: *GPTransferRate_1*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/GPTransferRate_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting defines a slow connection for purposes of applying and updating Group Policy.
+
+If the rate at which data is transferred from the domain controller providing a policy update to the computers in this group is slower than the rate specified by this setting, the system considers the connection to be slow.
+
+The system's response to a slow policy connection varies among policies. The program implementing the policy can specify the response to a slow link. Also, the policy processing settings in this folder lets you override the programs' specified responses to slow links.
+
+If you enable this setting, you can, in the "Connection speed" box, type a decimal number between 0 and 4,294,967,200, indicating a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. If you type 0, all connections are considered to be fast.
+
+If you disable this setting or do not configure it, the system uses the default value of 500 kilobits per second.
+
+This setting appears in the Computer Configuration and User Configuration folders. The setting in Computer Configuration defines a slow link for policies in the Computer Configuration folder. The setting in User Configuration defines a slow link for settings in the User Configuration folder.
+
+Also, see the "Do not detect slow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile. Note: If the profile server has IP connectivity, the connection speed setting is used. If the profile server does not have IP connectivity, the SMB timing is used.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure Group Policy slow link detection*
+- GP name: *GPTransferRate_2*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/GroupPolicyRefreshRate**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies how often Group Policy for computers is updated while the computer is in use (in the background). This setting specifies a background update rate only for Group Policies in the Computer Configuration folder.
+
+In addition to background updates, Group Policy for the computer is always updated when the system starts.
+
+By default, computer Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes.
+
+If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations.
+
+If you disable this setting, Group Policy is updated every 90 minutes (the default). To specify that Group Policy should never be updated while the computer is in use, select the "Turn off background refresh of Group Policy" policy.
+
+The Set Group Policy refresh interval for computers policy also lets you specify how much the actual update interval varies. To prevent clients with the same update interval from requesting updates simultaneously, the system varies the update interval for each client by a random number of minutes. The number you type in the random time box sets the upper limit for the range of variance. For example, if you type 30 minutes, the system selects a variance of 0 to 30 minutes. Typing a large number establishes a broad range and makes it less likely that client requests overlap. However, updates might be delayed significantly.
+
+This setting establishes the update rate for computer Group Policy. To set an update rate for user policies, use the "Set Group Policy refresh interval for users" setting (located in User Configuration\Administrative Templates\System\Group Policy).
+
+This setting is only used when the "Turn off background refresh of Group Policy" setting is not enabled.
+
+> [!NOTE]
+> Consider notifying users that their policy is updated periodically so that they recognize the signs of a policy update. When Group Policy is updated, the Windows desktop is refreshed; it flickers briefly and closes open menus. Also, restrictions imposed by Group Policies, such as those that limit the programs users can run, might interfere with tasks in progress.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Set Group Policy refresh interval for computers*
+- GP name: *GroupPolicyRefreshRate*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/GroupPolicyRefreshRateDC**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies how often Group Policy is updated on domain controllers while they are running (in the background). The updates specified by this setting occur in addition to updates performed when the system starts.
+
+By default, Group Policy on the domain controllers is updated every five minutes.
+
+If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the domain controller tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations.
+
+If you disable or do not configure this setting, the domain controller updates Group Policy every 5 minutes (the default). To specify that Group Policies for users should never be updated while the computer is in use, select the "Turn off background refresh of Group Policy" setting.
+
+This setting also lets you specify how much the actual update interval varies. To prevent domain controllers with the same update interval from requesting updates simultaneously, the system varies the update interval for each controller by a random number of minutes. The number you type in the random time box sets the upper limit for the range of variance. For example, if you type 30 minutes, the system selects a variance of 0 to 30 minutes. Typing a large number establishes a broad range and makes it less likely that update requests overlap. However, updates might be delayed significantly.
+
+> [!NOTE]
+> This setting is used only when you are establishing policy for a domain, site, organizational unit (OU), or customized group. If you are establishing policy for a local computer only, the system ignores this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Set Group Policy refresh interval for domain controllers*
+- GP name: *GroupPolicyRefreshRateDC*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/GroupPolicyRefreshRateUser**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies how often Group Policy for users is updated while the computer is in use (in the background). This setting specifies a background update rate only for the Group Policies in the User Configuration folder.
+
+In addition to background updates, Group Policy for users is always updated when users log on.
+
+By default, user Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes.
+
+If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update user Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations.
+
+If you disable this setting, user Group Policy is updated every 90 minutes (the default). To specify that Group Policy for users should never be updated while the computer is in use, select the "Turn off background refresh of Group Policy" setting.
+
+This setting also lets you specify how much the actual update interval varies. To prevent clients with the same update interval from requesting updates simultaneously, the system varies the update interval for each client by a random number of minutes. The number you type in the random time box sets the upper limit for the range of variance. For example, if you type 30 minutes, the system selects a variance of 0 to 30 minutes. Typing a large number establishes a broad range and makes it less likely that client requests overlap. However, updates might be delayed significantly.
+
+> [!IMPORTANT]
+> If the "Turn off background refresh of Group Policy" setting is enabled, this setting is ignored.
+
+> [!NOTE]
+> This setting establishes the update rate for user Group Policies. To set an update rate for computer Group Policies, use the "Group Policy refresh interval for computers" setting (located in Computer Configuration\Administrative Templates\System\Group Policy).
+
+> [!TIP]
+> Consider notifying users that their policy is updated periodically so that they recognize the signs of a policy update. When Group Policy is updated, the Windows desktop is refreshed; it flickers briefly and closes open menus. Also, restrictions imposed by Group Policies, such as those that limit the programs a user can run, might interfere with tasks in progress.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Set Group Policy refresh interval for users*
+- GP name: *GroupPolicyRefreshRateUser*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/LogonScriptDelay**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Enter “0” to disable Logon Script Delay.
+
+This policy setting allows you to configure how long the Group Policy client waits after logon before running scripts.
+
+By default, the Group Policy client waits five minutes before running logon scripts. This helps create a responsive desktop environment by preventing disk contention.
+
+If you enable this policy setting, Group Policy will wait for the specified amount of time before running logon scripts.
+
+If you disable this policy setting, Group Policy will run scripts immediately after logon.
+
+If you do not configure this policy setting, Group Policy will wait five minutes before running logon scripts.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure Logon Script Delay*
+- GP name: *LogonScriptDelay*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/NewGPODisplayName**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to set the default display name for new Group Policy objects.
+
+This setting allows you to specify the default name for new Group Policy objects created from policy compliant Group Policy Management tools including the Group Policy tab in Active Directory tools and the GPO browser.
+
+The display name can contain environment variables and can be a maximum of 255 characters long.
+
+If this setting is Disabled or Not Configured, the default display name of New Group Policy object is used.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Set default name for new Group Policy objects*
+- GP name: *NewGPODisplayName*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/NewGPOLinksDisabled**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to create new Group Policy object links in the disabled state.
+
+If you enable this setting, you can create all new Group Policy object links in the disabled state by default. After you configure and test the new object links by using a policy compliant Group Policy management tool such as Active Directory Users and Computers or Active Directory Sites and Services, you can enable the object links for use on the system.
+
+If you disable this setting or do not configure it, new Group Policy object links are created in the enabled state. If you do not want them to be effective until they are configured and tested, you must disable the object link.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Create new Group Policy Object links disabled by default*
+- GP name: *NewGPOLinksDisabled*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/OnlyUseLocalAdminFiles**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting lets you always use local ADM files for the Group Policy snap-in.
+
+By default, when you edit a Group Policy Object (GPO) using the Group Policy Object Editor snap-in, the ADM files are loaded from that GPO into the Group Policy Object Editor snap-in. This allows you to use the same version of the ADM files that were used to create the GPO while editing this GPO.
+
+This leads to the following behavior:
+
+- If you originally created the GPO with, for example, an English system, the GPO contains English ADM files.
+
+- If you later edit the GPO from a different-language system, you get the English ADM files as they were in the GPO.
+
+You can change this behavior by using this setting.
+
+If you enable this setting, the Group Policy Object Editor snap-in always uses local ADM files in your %windir%\inf directory when editing GPOs.
+
+This leads to the following behavior:
+
+- If you had originally created the GPO with an English system, and then you edit the GPO with a Japanese system, the Group Policy Object Editor snap-in uses the local Japanese ADM files, and you see the text in Japanese under Administrative Templates.
+
+If you disable or do not configure this setting, the Group Policy Object Editor snap-in always loads all ADM files from the actual GPO.
+
+> [!NOTE]
+> If the ADMs that you require are not all available locally in your %windir%\inf directory, you might not be able to see all the settings that have been configured in the GPO that you are editing.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Always use local ADM files for Group Policy Object Editor*
+- GP name: *OnlyUseLocalAdminFiles*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/ProcessMitigationOptions**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This security feature provides a means to override individual process MitigationOptions settings. This can be used to enforce a number of security policies specific to applications. The application name is specified as the Value name, including extension. The Value is specified as a bit field with a series of flags in particular positions. Bits can be set to either 0 (setting is forced off), 1 (setting is forced on), or ? (setting retains its existing value prior to GPO evaluation). The recognized bit locations are:
+
+PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE (0x00000001)
+Enables data execution prevention (DEP) for the child process
+
+PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE (0x00000002)
+Enables DEP-ATL thunk emulation for the child process. DEP-ATL thunk emulation causes the system to intercept NX faults that originate from the Active Template Library (ATL) thunk layer.
+
+PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE (0x00000004)
+Enables structured exception handler overwrite protection (SEHOP) for the child process. SEHOP blocks exploits that use the structured exception handler (SEH) overwrite technique.
+
+PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON (0x00000100)
+The force Address Space Layout Randomization (ASLR) policy forcibly rebases images that are not dynamic base compatible by acting as though an image base collision happened at load time. If relocations are required, images that do not have a base relocation section will not be loaded.
+
+PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON (0x00010000)
+PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF (0x00020000)
+The bottom-up randomization policy, which includes stack randomization options, causes a random location to be used as the lowest user address.
+
+For instance, to enable PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE and PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON, disable PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF, and to leave all other options at their default values, specify a value of:
+???????????????0???????1???????1
+
+Setting flags not specified here to any value other than ? results in undefined behavior.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Process Mitigation Options*
+- GP name: *ProcessMitigationOptions*
+- GP path: *System\Mitigation Options*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/RSoPLogging**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This setting allows you to enable or disable Resultant Set of Policy (RSoP) logging on a client computer.
+
+RSoP logs information on Group Policy settings that have been applied to the client. This information includes details such as which Group Policy Objects (GPO) were applied, where they came from, and the client-side extension settings that were included.
+
+If you enable this setting, RSoP logging is turned off.
+
+If you disable or do not configure this setting, RSoP logging is turned on. By default, RSoP logging is always on.
+
+> [!NOTE]
+> To view the RSoP information logged on a client computer, you can use the RSoP snap-in in the Microsoft Management Console (MMC).
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Resultant Set of Policy logging*
+- GP name: *RSoPLogging*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/ResetDfsClientInfoDuringRefreshPolicy**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Enabling this setting will cause the Group Policy Client to connect to the same domain controller for DFS shares as is being used for Active Directory.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Enable AD/DFS domain controller synchronization during policy refresh*
+- GP name: *ResetDfsClientInfoDuringRefreshPolicy*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/SlowLinkDefaultForDirectAccess**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows an administrator to define the Direct Access connection to be considered a fast network connection for the purposes of applying and updating Group Policy.
+
+When Group Policy detects the bandwidth speed of a Direct Access connection, the detection can sometimes fail to provide any bandwidth speed information. If Group Policy detects a bandwidth speed, Group Policy will follow the normal rules for evaluating if the Direct Access connection is a fast or slow network connection. If no bandwidth speed is detected, Group Policy will default to a slow network connection. This policy setting allows the administrator the option to override the default to slow network connection and instead default to using a fast network connection in the case that no network bandwidth speed is determined.
+
+> [!NOTE]
+> When Group Policy detects a slow network connection, Group Policy will only process those client side extensions configured for processing across a slow link (slow network connection).
+
+If you enable this policy, when Group Policy cannot determine the bandwidth speed across Direct Access, Group Policy will evaluate the network connection as a fast link and process all client side extensions.
+
+If you disable this setting or do not configure it, Group Policy will evaluate the network connection as a slow link and process only those client side extensions configured to process over a slow link.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure Direct Access connections as a fast network connection*
+- GP name: *SlowLinkDefaultForDirectAccess*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/SlowlinkDefaultToAsync**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy directs Group Policy processing to skip processing any client side extension that requires synchronous processing (that is, whether computers wait for the network to be fully initialized during computer startup and user logon) when a slow network connection is detected.
+
+If you enable this policy setting, when a slow network connection is detected, Group Policy processing will always run in an asynchronous manner.
+Client computers will not wait for the network to be fully initialized at startup and logon. Existing users will be logged on using cached credentials,
+which will result in shorter logon times. Group Policy will be applied in the background after the network becomes available.
+Note that because this is a background refresh, extensions requiring synchronous processing such as Software Installation, Folder Redirection
+and Drive Maps preference extension will not be applied.
+
+> [!NOTE]
+> There are two conditions that will cause Group Policy to be processed synchronously even if this policy setting is enabled:
+>
+> - 1 - At the first computer startup after the client computer has joined the domain.
+> - 2 - If the policy setting "Always wait for the network at computer startup and logon" is enabled.
+
+If you disable or do not configure this policy setting, detecting a slow network connection will not affect whether Group Policy processing will be synchronous or asynchronous.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Change Group Policy processing to run asynchronously when a slow network connection is detected.*
+- GP name: *SlowlinkDefaultToAsync*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/SyncWaitTime**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies how long Group Policy should wait for network availability notifications during startup policy processing. If the startup policy processing is synchronous, the computer is blocked until the network is available or the default wait time is reached. If the startup policy processing is asynchronous, the computer is not blocked and policy processing will occur in the background. In either case, configuring this policy setting overrides any system-computed wait times.
+
+If you enable this policy setting, Group Policy will use this administratively configured maximum wait time and override any default or system-computed wait time.
+
+If you disable or do not configure this policy setting, Group Policy will use the default wait time of 30 seconds on computers running Windows Vista operating system.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Specify startup policy processing wait time*
+- GP name: *SyncWaitTime*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+
+**ADMX_GroupPolicy/UserPolicyMode**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this setting. It is intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used.
+
+By default, the user's Group Policy Objects determine which user settings apply. If this setting is enabled, then, when a user logs on to this computer, the computer's Group Policy Objects determine which set of Group Policy Objects applies.
+
+If you enable this setting, you can select one of the following modes from the Mode box:
+
+"Replace" indicates that the user settings defined in the computer's Group Policy Objects replace the user settings normally applied to the user.
+
+"Merge" indicates that the user settings defined in the computer's Group Policy Objects and the user settings normally applied to the user are combined. If the settings conflict, the user settings in the computer's Group Policy Objects take precedence over the user's normal settings.
+
+If you disable this setting or do not configure it, the user's Group Policy Objects determines which user settings apply.
+
+> [!NOTE]
+> This setting is effective only when both the computer account and the user account are in at least Windows 2000 domains.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure user Group Policy loopback processing mode*
+- GP name: *UserPolicyMode*
+- GP path: *System\Group Policy*
+- GP ADMX file name: *GroupPolicy.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-help.md b/windows/client-management/mdm/policy-csp-admx-help.md
index d705d091a0..3b42429ea9 100644
--- a/windows/client-management/mdm/policy-csp-admx-help.md
+++ b/windows/client-management/mdm/policy-csp-admx-help.md
@@ -18,7 +18,7 @@ manager: dansimp
-
+
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to exclude HTML Help Executable from being monitored by software-enforced Data Execution Prevention.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to exclude HTML Help Executable from being monitored by software-enforced Data Execution Prevention.
Data Execution Prevention (DEP) is designed to block malicious code that takes advantage of exception-handling mechanisms in Windows by monitoring your programs to make sure that they use system memory safely.
@@ -154,7 +154,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to restrict certain HTML Help commands to function only in HTML Help (.chm) files within specified folders and their subfolders. Alternatively, you can disable these commands on the entire system. It is strongly recommended that only folders requiring administrative privileges be added to this policy setting.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to restrict certain HTML Help commands to function only in HTML Help (.chm) files within specified folders and their subfolders. Alternatively, you can disable these commands on the entire system. It is strongly recommended that only folders requiring administrative privileges be added to this policy setting.
If you enable this policy setting, the commands function only for .chm files in the specified folders and their subfolders.
@@ -237,7 +237,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to restrict programs from being run from online Help.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to restrict programs from being run from online Help.
If you enable this policy setting, you can prevent specified programs from being run from Help. When you enable this policy setting, enter the file names names of the programs you want to restrict, separated by commas.
@@ -311,7 +311,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to restrict programs from being run from online Help.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to restrict programs from being run from online Help.
If you enable this policy setting, you can prevent specified programs from being run from Help. When you enable this policy setting, enter the file names names of the programs you want to restrict, separated by commas.
@@ -342,14 +342,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-helpandsupport.md b/windows/client-management/mdm/policy-csp-admx-helpandsupport.md
index 10d08651fc..ca46354852 100644
--- a/windows/client-management/mdm/policy-csp-admx-helpandsupport.md
+++ b/windows/client-management/mdm/policy-csp-admx-helpandsupport.md
@@ -83,7 +83,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether active content links in trusted assistance content are rendered. By default, the Help viewer renders trusted assistance content with active elements such as ShellExecute links and Guided Help links.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether active content links in trusted assistance content are rendered. By default, the Help viewer renders trusted assistance content with active elements such as ShellExecute links and Guided Help links.
If you enable this policy setting, active content links are not rendered. The text is displayed, but there are no clickable links for these elements.
@@ -152,7 +152,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether users can provide ratings for Help content.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether users can provide ratings for Help content.
If you enable this policy setting, ratings controls are not added to Help content.
@@ -222,7 +222,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether users can participate in the Help Experience Improvement program. The Help Experience Improvement program collects information about how customers use Windows Help so that Microsoft can improve it.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether users can participate in the Help Experience Improvement program. The Help Experience Improvement program collects information about how customers use Windows Help so that Microsoft can improve it.
If you enable this policy setting, users cannot participate in the Help Experience Improvement program.
@@ -291,7 +291,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether users can search and view content from Windows Online in Help and Support. Windows Online provides the most up-to-date Help content for Windows.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether users can search and view content from Windows Online in Help and Support. Windows Online provides the most up-to-date Help content for Windows.
If you enable this policy setting, users are prevented from accessing online assistance content from Windows Online.
@@ -318,14 +318,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-icm.md b/windows/client-management/mdm/policy-csp-admx-icm.md
new file mode 100644
index 0000000000..63e72f5539
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-icm.md
@@ -0,0 +1,1991 @@
+---
+title: Policy CSP - ADMX_ICM
+description: Policy CSP - ADMX_ICM
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 12/17/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_ICM
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_ICM policies
+
+
+
+
+
+
+
+
+**ADMX_ICM/CEIPEnable**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the Windows Customer Experience Improvement Program. The Windows Customer Experience Improvement Program collects information about your hardware configuration and how you use our software and services to identify trends and usage patterns. Microsoft will not collect your name, address, or any other personally identifiable information. There are no surveys to complete, no salesperson will call, and you can continue working without interruption. It is simple and user-friendly.
+
+If you enable this policy setting, all users are opted out of the Windows Customer Experience Improvement Program.
+
+If you disable this policy setting, all users are opted into the Windows Customer Experience Improvement Program.
+
+If you do not configure this policy setting, the administrator can use the Problem Reports and Solutions component in Control Panel to enable Windows Customer Experience Improvement Program for all users.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Windows Customer Experience Improvement Program*
+- GP name: *CEIPEnable*
+- GP path: *System\Internet Communication Management\Internet Communication settings*
+- GP ADMX file name: *ICM.admx*
+
+
+
+
+
+
+**ADMX_ICM/CertMgr_DisableAutoRootUpdates**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to automatically update root certificates using the Windows Update website.
+
+Typically, a certificate is used when you use a secure website or when you send and receive secure email. Anyone can issue certificates, but to have transactions that are as secure as possible, certificates must be issued by a trusted certificate authority (CA). Microsoft has included a list in Windows XP and other products of companies and organizations that it considers trusted authorities.
+
+If you enable this policy setting, when you are presented with a certificate issued by an untrusted root authority, your computer will not contact the Windows Update website to see if Microsoft has added the CA to its list of trusted authorities.
+
+If you disable or do not configure this policy setting, your computer will contact the Windows Update website.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Automatic Root Certificates Update*
+- GP name: *CertMgr_DisableAutoRootUpdates*
+- GP path: *System\Internet Communication Management\Internet Communication settings*
+- GP ADMX file name: *ICM.admx*
+
+
+
+
+
+
+**ADMX_ICM/DisableHTTPPrinting_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to allow printing over HTTP from this client.
+
+Printing over HTTP allows a client to print to printers on the intranet as well as the Internet.
+
+> [!NOTE]
+> This policy setting affects the client side of Internet printing only. It does not prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP.
+
+If you enable this policy setting, it prevents this client from printing to Internet printers over HTTP.
+
+If you disable or do not configure this policy setting, users can choose to print to Internet printers over HTTP. Also, see the "Web-based printing" policy setting in Computer Configuration/Administrative Templates/Printers.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off printing over HTTP*
+- GP name: *DisableHTTPPrinting_1*
+- GP path: *System\Internet Communication Management\Internet Communication settings*
+- GP ADMX file name: *ICM.admx*
+
+
+
+
+
+
+**ADMX_ICM/DisableWebPnPDownload_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to allow this client to download print driver packages over HTTP.
+
+To set up HTTP printing, non-inbox drivers need to be downloaded over HTTP.
+
+> [!NOTE]
+> This policy setting does not prevent the client from printing to printers on the Intranet or the Internet over HTTP.
+
+It only prohibits downloading drivers that are not already installed locally.
+
+If you enable this policy setting, print drivers cannot be downloaded over HTTP.
+
+If you disable or do not configure this policy setting, users can download print drivers over HTTP.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off downloading of print drivers over HTTP*
+- GP name: *DisableWebPnPDownload_1*
+- GP path: *System\Internet Communication Management\Internet Communication settings*
+- GP ADMX file name: *ICM.admx*
+
+
+
+
+
+
+**ADMX_ICM/DriverSearchPlaces_DontSearchWindowsUpdate**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Windows searches Windows Update for device drivers when no local drivers for a device are present.
+
+If you enable this policy setting, Windows Update is not searched when a new device is installed.
+
+If you disable this policy setting, Windows Update is always searched for drivers when no local drivers are present.
+
+If you do not configure this policy setting, searching Windows Update is optional when installing a device.
+
+Also see "Turn off Windows Update device driver search prompt" in "Administrative Templates/System," which governs whether an administrator is prompted before searching Windows Update for device drivers if a driver is not found locally.
+
+> [!NOTE]
+> This policy setting is replaced by "Specify Driver Source Search Order" in "Administrative Templates/System/Device Installation" on newer versions of Windows.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Windows Update device driver searching*
+- GP name: *DriverSearchPlaces_DontSearchWindowsUpdate*
+- GP path: *System\Internet Communication Management\Internet Communication settings*
+- GP ADMX file name: *ICM.admx*
+
+
+
+
+
+
+**ADMX_ICM/EventViewer_DisableLinks**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether "Events.asp" hyperlinks are available for events within the Event Viewer application.
+
+The Event Viewer normally makes all HTTP(S) URLs into hyperlinks that activate the Internet browser when clicked. In addition, "More Information" is placed at the end of the description text if the event is created by a Microsoft component. This text contains a link (URL) that, if clicked, sends information about the event to Microsoft, and allows users to learn more about why that event occurred.
+
+If you enable this policy setting, event description hyperlinks are not activated and the text "More Information" is not displayed at the end of the description.
+
+If you disable or do not configure this policy setting, the user can click the hyperlink, which prompts the user and then sends information about the event over the Internet to Microsoft.
+
+Also, see "Events.asp URL", "Events.asp program", and "Events.asp Program Command Line Parameters" settings in "Administrative Templates/Windows Components/Event Viewer".
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Event Viewer "Events.asp" links*
+- GP name: *EventViewer_DisableLinks*
+- GP path: *System\Internet Communication Management\Internet Communication settings*
+- GP ADMX file name: *ICM.admx*
+
+
+
+
+
+
+**ADMX_ICM/HSS_HeadlinesPolicy**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to show the "Did you know?" section of Help and Support Center.
+
+This content is dynamically updated when users who are connected to the Internet open Help and Support Center, and provides up-to-date information about Windows and the computer.
+
+If you enable this policy setting, the Help and Support Center no longer retrieves nor displays "Did you know?" content.
+
+If you disable or do not configure this policy setting, the Help and Support Center retrieves and displays "Did you know?" content.
+
+You might want to enable this policy setting for users who do not have Internet access, because the content in the "Did you know?" section will remain static indefinitely without an Internet connection.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Help and Support Center "Did you know?" content*
+- GP name: *HSS_HeadlinesPolicy*
+- GP path: *System\Internet Communication Management\Internet Communication settings*
+- GP ADMX file name: *ICM.admx*
+
+
+
+
+
+
+**ADMX_ICM/HSS_KBSearchPolicy**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether users can perform a Microsoft Knowledge Base search from the Help and Support Center.
+
+The Knowledge Base is an online source of technical support information and self-help tools for Microsoft products, and is searched as part of all Help and Support Center searches with the default search options.
+
+If you enable this policy setting, it removes the Knowledge Base section from the Help and Support Center "Set search options" page, and only Help content on the local computer is searched.
+
+If you disable or do not configure this policy setting, the Knowledge Base is searched if the user has a connection to the Internet and has not disabled the Knowledge Base search from the Search Options page.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Help and Support Center Microsoft Knowledge Base search*
+- GP name: *HSS_KBSearchPolicy*
+- GP path: *System\Internet Communication Management\Internet Communication settings*
+- GP ADMX file name: *ICM.admx*
+
+
+
+
+
+
+**ADMX_ICM/InternetManagement_RestrictCommunication_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Windows can access the Internet to accomplish tasks that require Internet resources.
+
+If you enable this setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features cannot access the Internet.
+
+If you disable this policy setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features can access the Internet.
+
+If you do not configure this policy setting, all of the the policy settings in the "Internet Communication settings" section are set to not configured.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Restrict Internet communication*
+- GP name: *InternetManagement_RestrictCommunication_1*
+- GP path: *System\Internet Communication Management*
+- GP ADMX file name: *ICM.admx*
+
+
+
+
+
+
+**ADMX_ICM/InternetManagement_RestrictCommunication_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Windows can access the Internet to accomplish tasks that require Internet resources.
+
+If you enable this setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features cannot access the Internet.
+
+If you disable this policy setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features can access the Internet.
+
+If you do not configure this policy setting, all of the the policy settings in the "Internet Communication settings" section are set to not configured.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Restrict Internet communication*
+- GP name: *InternetManagement_RestrictCommunication_2*
+- GP path: *System\Internet Communication Management*
+- GP ADMX file name: *ICM.admx*
+
+
+
+
+
+
+**ADMX_ICM/NC_ExitOnISP**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs).
+
+If you enable this policy setting, the "Choose a list of Internet Service Providers" path in the Internet Connection Wizard causes the wizard to exit. This prevents users from retrieving the list of ISPs, which resides on Microsoft servers.
+
+If you disable or do not configure this policy setting, users can connect to Microsoft to download a list of ISPs for their area.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com*
+- GP name: *NC_ExitOnISP*
+- GP path: *System\Internet Communication Management\Internet Communication settings*
+- GP ADMX file name: *ICM.admx*
+
+
+
+
+
+
+**ADMX_ICM/NC_NoRegistration**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration.
+
+If you enable this policy setting, it blocks users from connecting to Microsoft.com for online registration and users cannot register their copy of Windows online.
+
+If you disable or do not configure this policy setting, users can connect to Microsoft.com to complete the online Windows Registration.
+
+Note that registration is optional and involves submitting some personal information to Microsoft. However, Windows Product Activation is required but does not involve submitting any personal information (except the country/region you live in).
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Registration if URL connection is referring to Microsoft.com*
+- GP name: *NC_NoRegistration*
+- GP path: *System\Internet Communication Management\Internet Communication settings*
+- GP ADMX file name: *ICM.admx*
+
+
+
+
+
+
+**ADMX_ICM/PCH_DoNotReport**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not errors are reported to Microsoft.
+
+Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product.
+
+If you enable this policy setting, users are not given the option to report errors.
+
+If you disable or do not configure this policy setting, the errors may be reported to Microsoft via the Internet or to a corporate file share.
+
+This policy setting overrides any user setting made from the Control Panel for error reporting.
+
+Also see the "Configure Error Reporting", "Display Error Notification" and "Disable Windows Error Reporting" policy settings under Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Windows Error Reporting*
+- GP name: *PCH_DoNotReport*
+- GP path: *System\Internet Communication Management\Internet Communication settings*
+- GP ADMX file name: *ICM.admx*
+
+
+
+
+
+
+**ADMX_ICM/RemoveWindowsUpdate_ICM**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove access to Windows Update.
+
+If you enable this policy setting, all Windows Update features are removed. This includes blocking access to the Windows Update website at https://windowsupdate.microsoft.com, from the Windows Update hyperlink on the Start menu, and also on the Tools menu in Internet Explorer. Windows automatic updating is also disabled; you will neither be notified about nor will you receive critical updates from Windows Update. This policy setting also prevents Device Manager from automatically installing driver updates from the Windows Update website.
+
+If you disable or do not configure this policy setting, users can access the Windows Update website and enable automatic updating to receive notifications and critical updates from Windows Update.
+
+> [!NOTE]
+> This policy applies only when this PC is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off access to all Windows Update features*
+- GP name: *RemoveWindowsUpdate_ICM*
+- GP path: *System\Internet Communication Management\Internet Communication settings*
+- GP ADMX file name: *ICM.admx*
+
+
+
+
+
+
+**ADMX_ICM/SearchCompanion_DisableFileUpdates**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches.
+
+When users search the local computer or the Internet, Search Companion occasionally connects to Microsoft to download an updated privacy policy and additional content files used to format and display results.
+
+If you enable this policy setting, Search Companion does not download content updates during searches.
+
+If you disable or do not configure this policy setting, Search Companion downloads content updates unless the user is using Classic Search.
+
+> [!NOTE]
+> Internet searches still send the search text and information about the search to Microsoft and the chosen search provider. Choosing Classic Search turns off the Search Companion feature completely.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Search Companion content file updates*
+- GP name: *SearchCompanion_DisableFileUpdates*
+- GP path: *System\Internet Communication Management\Internet Communication settings*
+- GP ADMX file name: *ICM.admx*
+
+
+
+
+
+
+**ADMX_ICM/ShellNoUseInternetOpenWith_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to use the Microsoft Web service for finding an application to open a file with an unhandled file association.
+
+When a user opens a file that has an extension that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Web service to find an application.
+
+If you enable this policy setting, the link and the dialog for using the Web service to open an unhandled file association are removed.
+
+If you disable or do not configure this policy setting, the user is allowed to use the Web service.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Internet File Association service*
+- GP name: *ShellNoUseInternetOpenWith_1*
+- GP path: *System\Internet Communication Management\Internet Communication settings*
+- GP ADMX file name: *ICM.admx*
+
+
+
+
+
+
+**ADMX_ICM/ShellNoUseInternetOpenWith_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to use the Microsoft Web service for finding an application to open a file with an unhandled file association.
+
+When a user opens a file that has an extension that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Web service to find an application.
+
+If you enable this policy setting, the link and the dialog for using the Web service to open an unhandled file association are removed.
+
+If you disable or do not configure this policy setting, the user is allowed to use the Web service.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Internet File Association service*
+- GP name: *ShellNoUseInternetOpenWith_2*
+- GP path: *System\Internet Communication Management\Internet Communication settings*
+- GP ADMX file name: *ICM.admx*
+
+
+
+
+
+
+**ADMX_ICM/ShellNoUseStoreOpenWith_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association.
+
+When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application.
+
+If you enable this policy setting, the "Look for an app in the Store" item in the Open With dialog is removed.
+
+If you disable or do not configure this policy setting, the user is allowed to use the Store service and the Store item is available in the Open With dialog.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off access to the Store*
+- GP name: *ShellNoUseStoreOpenWith_1*
+- GP path: *System\Internet Communication Management\Internet Communication settings*
+- GP ADMX file name: *ICM.admx*
+
+
+
+
+
+
+**ADMX_ICM/ShellNoUseStoreOpenWith_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association.
+
+When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application.
+
+If you enable this policy setting, the "Look for an app in the Store" item in the Open With dialog is removed.
+
+If you disable or do not configure this policy setting, the user is allowed to use the Store service and the Store item is available in the Open With dialog.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off access to the Store*
+- GP name: *ShellNoUseStoreOpenWith_2*
+- GP path: *System\Internet Communication Management\Internet Communication settings*
+- GP ADMX file name: *ICM.admx*
+
+
+
+
+
+
+**ADMX_ICM/ShellPreventWPWDownload_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Windows should download a list of providers for the web publishing and online ordering wizards. These wizards allow users to select from a list of companies that provide services such as online storage and photographic printing. By default, Windows displays providers downloaded from a Windows website in addition to providers specified in the registry.
+
+If you enable this policy setting, Windows does not download providers, and only the service providers that are cached in the local registry are displayed.
+
+If you disable or do not configure this policy setting, a list of providers are downloaded when the user uses the web publishing or online ordering wizards.
+
+See the documentation for the web publishing and online ordering wizards for more information, including details on specifying service providers in the registry.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Internet download for Web publishing and online ordering wizards*
+- GP name: *ShellPreventWPWDownload_1*
+- GP path: *System\Internet Communication Management\Internet Communication settings*
+- GP ADMX file name: *ICM.admx*
+
+
+
+
+
+
+**ADMX_ICM/ShellRemoveOrderPrints_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders.
+
+The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. If you enable this policy setting, the task "Order Prints Online" is removed from Picture Tasks in File Explorer folders.
+
+If you disable or do not configure this policy setting, the task is displayed.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off the "Order Prints" picture task*
+- GP name: *ShellRemoveOrderPrints_1*
+- GP path: *System\Internet Communication Management\Internet Communication settings*
+- GP ADMX file name: *ICM.admx*
+
+
+
+
+
+
+**ADMX_ICM/ShellRemoveOrderPrints_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders.
+
+The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online.
+
+If you enable this policy setting, the task "Order Prints Online" is removed from Picture Tasks in File Explorer folders.
+
+If you disable or do not configure this policy setting, the task is displayed.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off the "Order Prints" picture task*
+- GP name: *ShellRemoveOrderPrints_2*
+- GP path: *System\Internet Communication Management\Internet Communication settings*
+- GP ADMX file name: *ICM.admx*
+
+
+
+
+
+
+**ADMX_ICM/ShellRemovePublishToWeb_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the tasks "Publish this file to the Web," "Publish this folder to the Web," and "Publish the selected items to the Web" are available from File and Folder Tasks in Windows folders.
+
+The Web Publishing Wizard is used to download a list of providers and allow users to publish content to the web.
+
+If you enable this policy setting, these tasks are removed from the File and Folder tasks in Windows folders. If you disable or do not configure this policy setting, the tasks are shown.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off the "Publish to Web" task for files and folders*
+- GP name: *ShellRemovePublishToWeb_1*
+- GP path: *System\Internet Communication Management\Internet Communication settings*
+- GP ADMX file name: *ICM.admx*
+
+
+
+
+
+
+**ADMX_ICM/ShellRemovePublishToWeb_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the tasks "Publish this file to the Web," "Publish this folder to the Web," and "Publish the selected items to the Web" are available from File and Folder Tasks in Windows folders.
+
+The Web Publishing Wizard is used to download a list of providers and allow users to publish content to the web.
+
+If you enable this policy setting, these tasks are removed from the File and Folder tasks in Windows folders.
+
+If you disable or do not configure this policy setting, the tasks are shown.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off the "Publish to Web" task for files and folders*
+- GP name: *ShellRemovePublishToWeb_2*
+- GP path: *System\Internet Communication Management\Internet Communication settings*
+- GP ADMX file name: *ICM.admx*
+
+
+
+
+
+
+**ADMX_ICM/WinMSG_NoInstrumentation_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and service is used.
+
+With the Customer Experience Improvement program, users can allow Microsoft to collect anonymous information about how the product is used.
+
+This information is used to improve the product in future releases.
+
+If you enable this policy setting, Windows Messenger does not collect usage information, and the user settings to enable the collection of usage information are not shown.
+
+If you disable this policy setting, Windows Messenger collects anonymous usage information, and the setting is not shown. If you do not configure this policy setting, users have the choice to opt in and allow information to be collected.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off the Windows Messenger Customer Experience Improvement Program*
+- GP name: *WinMSG_NoInstrumentation_1*
+- GP path: *System\Internet Communication Management\Internet Communication settings*
+- GP ADMX file name: *ICM.admx*
+
+
+
+
+
+
+**ADMX_ICM/WinMSG_NoInstrumentation_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and service is used.
+
+With the Customer Experience Improvement program, users can allow Microsoft to collect anonymous information about how the product is used.
+
+This information is used to improve the product in future releases.
+
+If you enable this policy setting, Windows Messenger does not collect usage information, and the user settings to enable the collection of usage information are not shown.
+
+If you disable this policy setting, Windows Messenger collects anonymous usage information, and the setting is not shown.
+
+If you do not configure this policy setting, users have the choice to opt in and allow information to be collected.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off the Windows Messenger Customer Experience Improvement Program*
+- GP name: *WinMSG_NoInstrumentation_2*
+- GP path: *System\Internet Communication Management\Internet Communication settings*
+- GP ADMX file name: *ICM.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-kdc.md b/windows/client-management/mdm/policy-csp-admx-kdc.md
index 4a63715208..ec9b9e660a 100644
--- a/windows/client-management/mdm/policy-csp-admx-kdc.md
+++ b/windows/client-management/mdm/policy-csp-admx-kdc.md
@@ -89,7 +89,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure a domain controller to support claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure a domain controller to support claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication.
If you enable this policy setting, client computers that support claims and compound authentication for Dynamic Access Control and are Kerberos armor-aware will use this feature for Kerberos authentication messages. This policy should be applied to all domain controllers to ensure consistent application of this policy in the domain.
@@ -185,7 +185,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting defines the list of trusting forests that the Key Distribution Center (KDC) searches when attempting to resolve two-part service principal names (SPNs).
+Available in the latest Windows 10 Insider Preview Build. This policy setting defines the list of trusting forests that the Key Distribution Center (KDC) searches when attempting to resolve two-part service principal names (SPNs).
If you enable this policy setting, the KDC will search the forests in this list if it is unable to resolve a two-part SPN in the local forest. The forest search is performed by using a global catalog or name suffix hints. If a match is found, the KDC will return a referral ticket to the client for the appropriate domain.
@@ -256,7 +256,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. Support for PKInit Freshness Extension requires Windows Server 2016 domain functional level (DFL). If the domain controller’s domain is not at Windows Server 2016 DFL or higher this policy will not be applied.
+Available in the latest Windows 10 Insider Preview Build. Support for PKInit Freshness Extension requires Windows Server 2016 domain functional level (DFL). If the domain controller’s domain is not at Windows Server 2016 DFL or higher this policy will not be applied.
This policy setting allows you to configure a domain controller (DC) to support the PKInit Freshness Extension.
@@ -331,7 +331,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure a domain controller to request compound authentication.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure a domain controller to request compound authentication.
> [!NOTE]
> For a domain controller to request compound authentication, the policy "KDC support for claims, compound authentication, and Kerberos armoring" must be configured and enabled.
@@ -403,7 +403,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure at what size Kerberos tickets will trigger the warning event issued during Kerberos authentication. The ticket size warnings are logged in the System log.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure at what size Kerberos tickets will trigger the warning event issued during Kerberos authentication. The ticket size warnings are logged in the System log.
If you enable this policy setting, you can set the threshold limit for Kerberos ticket which trigger the warning events. If set too high, then authentication failures might be occurring even though warning events are not being logged. If set too low, then there will be too many ticket warnings in the log to be useful for analysis. This value should be set to the same value as the Kerberos policy "Set maximum Kerberos SSPI context token buffer size" or the smallest MaxTokenSize used in your environment if you are not configuring using Group Policy.
@@ -472,7 +472,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting controls whether the domain controller provides information about previous logons to client computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the domain controller provides information about previous logons to client computers.
If you enable this policy setting, the domain controller provides the information message about previous logons.
@@ -504,14 +504,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-kerberos.md b/windows/client-management/mdm/policy-csp-admx-kerberos.md
new file mode 100644
index 0000000000..7f36359852
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-kerberos.md
@@ -0,0 +1,641 @@
+---
+title: Policy CSP - ADMX_Kerberos
+description: Policy CSP - ADMX_Kerberos
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 11/12/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_Kerberos
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_Kerberos policies
+
+
+
+
+
+
+
+
+**ADMX_Kerberos/AlwaysSendCompoundId**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether a device always sends a compound authentication request when the resource domain requests compound identity.
+
+> [!NOTE]
+> For a domain controller to request compound authentication, the policies "KDC support for claims, compound authentication, and Kerberos armoring" and "Request compound authentication" must be configured and enabled in the resource account domain.
+
+If you enable this policy setting and the resource domain requests compound authentication, devices that support compound authentication always send a compound authentication request.
+
+If you disable or do not configure this policy setting and the resource domain requests compound authentication, devices will send a non-compounded authentication request first then a compound authentication request when the service requests compound authentication.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Always send compound authentication first*
+- GP name: *AlwaysSendCompoundId*
+- GP path: *System\Kerberos*
+- GP ADMX file name: *Kerberos.admx*
+
+
+
+
+
+
+**ADMX_Kerberos/DevicePKInitEnabled**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts.
+
+This policy setting allows you to set support for Kerberos to attempt authentication using the certificate for the device to the domain.
+
+If you enable this policy setting, the device's credentials will be selected based on the following options:
+
+- Automatic: Device will attempt to authenticate using its certificate. If the DC does not support computer account authentication using certificates then authentication with password will be attempted.
+- Force: Device will always authenticate using its certificate. If a DC cannot be found which support computer account authentication using certificates then authentication will fail.
+
+If you disable this policy setting, certificates will never be used.
+
+If you do not configure this policy setting, Automatic will be used.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Support device authentication using certificate*
+- GP name: *DevicePKInitEnabled*
+- GP path: *System\Kerberos*
+- GP ADMX file name: *Kerberos.admx*
+
+
+
+
+
+
+**ADMX_Kerberos/HostToRealm**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify which DNS host names and which DNS suffixes are mapped to a Kerberos realm.
+
+If you enable this policy setting, you can view and change the list of DNS host names and DNS suffixes mapped to a Kerberos realm as defined by Group Policy. To view the list of mappings, enable the policy setting and then click the Show button. To add a mapping, enable the policy setting, note the syntax, and then click Show. In the Show Contents dialog box in the Value Name column, type a realm name. In the Value column, type the list of DNS host names and DNS suffixes using the appropriate syntax format. To remove a mapping from the list, click the mapping entry to be removed, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters.
+
+If you disable this policy setting, the host name-to-Kerberos realm mappings list defined by Group Policy is deleted.
+
+If you do not configure this policy setting, the system uses the host name-to-Kerberos realm mappings that are defined in the local registry, if they exist.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Define host name-to-Kerberos realm mappings*
+- GP name: *HostToRealm*
+- GP path: *System\Kerberos*
+- GP ADMX file name: *Kerberos.admx*
+
+
+
+
+
+
+**ADMX_Kerberos/KdcProxyDisableServerRevocationCheck**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to disable revocation check for the SSL certificate of the targeted KDC proxy server.
+
+If you enable this policy setting, revocation check for the SSL certificate of the KDC proxy server is ignored by the Kerberos client. This policy setting should only be used in troubleshooting KDC proxy connections.
+Warning: When revocation check is ignored, the server represented by the certificate is not guaranteed valid.
+
+If you disable or do not configure this policy setting, the Kerberos client enforces the revocation check for the SSL certificate. The connection to the KDC proxy server is not established if the revocation check fails.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Disable revocation checking for the SSL certificate of KDC proxy servers*
+- GP name: *KdcProxyDisableServerRevocationCheck*
+- GP path: *System\Kerberos*
+- GP ADMX file name: *Kerberos.admx*
+
+
+
+
+
+
+**ADMX_Kerberos/KdcProxyServer**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the Kerberos client's mapping to KDC proxy servers for domains based on their DNS suffix names.
+
+If you enable this policy setting, the Kerberos client will use the KDC proxy server for a domain when a domain controller cannot be located based on the configured mappings. To map a KDC proxy server to a domain, enable the policy setting, click Show, and then map the KDC proxy server name(s) to the DNS name for the domain using the syntax described in the options pane. In the Show Contents dialog box in the Value Name column, type a DNS suffix name. In the Value column, type the list of proxy servers using the appropriate syntax format. To view the list of mappings, enable the policy setting and then click the Show button. To remove a mapping from the list, click the mapping entry to be removed, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters.
+
+If you disable or do not configure this policy setting, the Kerberos client does not have KDC proxy servers settings defined by Group Policy.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Specify KDC proxy servers for Kerberos clients*
+- GP name: *KdcProxyServer*
+- GP path: *System\Kerberos*
+- GP ADMX file name: *Kerberos.admx*
+
+
+
+
+
+
+**ADMX_Kerberos/MitRealms**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the Kerberos client so that it can authenticate with interoperable Kerberos V5 realms, as defined by this policy setting.
+
+If you enable this policy setting, you can view and change the list of interoperable Kerberos V5 realms and their settings. To view the list of interoperable Kerberos V5 realms, enable the policy setting and then click the Show button. To add an interoperable Kerberos V5 realm, enable the policy setting, note the syntax, and then click Show. In the Show Contents dialog box in the Value Name column, type the interoperable Kerberos V5 realm name. In the Value column, type the realm flags and host names of the host KDCs using the appropriate syntax format. To remove an interoperable Kerberos V5 realm Value Name or Value entry from the list, click the entry, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters.
+
+If you disable this policy setting, the interoperable Kerberos V5 realm settings defined by Group Policy are deleted.
+
+If you do not configure this policy setting, the system uses the interoperable Kerberos V5 realm settings that are defined in the local registry, if they exist.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Define interoperable Kerberos V5 realm settings*
+- GP name: *MitRealms*
+- GP path: *System\Kerberos*
+- GP ADMX file name: *Kerberos.admx*
+
+
+
+
+
+
+**ADMX_Kerberos/ServerAcceptsCompound**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls configuring the device's Active Directory account for compound authentication.
+
+Support for providing compound authentication which is used for access control will require enough domain controllers in the resource account domains to support the requests. The Domain Administrator must configure the policy "Support Dynamic Access Control and Kerberos armoring" on all the domain controllers to support this policy.
+
+If you enable this policy setting, the device's Active Directory account will be configured for compound authentication by the following options:
+
+- Never: Compound authentication is never provided for this computer account.
+- Automatic: Compound authentication is provided for this computer account when one or more applications are configured for Dynamic Access Control.
+- Always: Compound authentication is always provided for this computer account.
+
+If you disable this policy setting, Never will be used.
+
+If you do not configure this policy setting, Automatic will be used.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Support compound authentication*
+- GP name: *ServerAcceptsCompound*
+- GP path: *System\Kerberos*
+- GP ADMX file name: *Kerberos.admx*
+
+
+
+
+
+
+**ADMX_Kerberos/StrictTarget**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure this server so that Kerberos can decrypt a ticket that contains this system-generated SPN. When an application attempts to make a remote procedure call (RPC) to this server with a NULL value for the service principal name (SPN), computers running Windows 7 or later attempt to use Kerberos by generating an SPN.
+
+If you enable this policy setting, only services running as LocalSystem or NetworkService are allowed to accept these connections. Services running as identities different from LocalSystem or NetworkService might fail to authenticate.
+
+If you disable or do not configure this policy setting, any service is allowed to accept incoming connections by using this system-generated SPN.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Require strict target SPN match on remote procedure calls*
+- GP name: *StrictTarget*
+- GP path: *System\Kerberos*
+- GP ADMX file name: *Kerberos.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md
index ddaddd01f1..74d7cb2b32 100644
--- a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md
+++ b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md
@@ -83,7 +83,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines the cipher suites used by the SMB server.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines the cipher suites used by the SMB server.
If you enable this policy setting, cipher suites are prioritized in the order specified.
@@ -172,7 +172,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether a hash generation service generates hashes, also called content information, for data that is stored in shared folders. This policy setting must be applied to server computers that have the File Services role and both the File Server and the BranchCache for Network Files role services installed.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether a hash generation service generates hashes, also called content information, for data that is stored in shared folders. This policy setting must be applied to server computers that have the File Services role and both the File Server and the BranchCache for Network Files role services installed.
Policy configuration
@@ -255,7 +255,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether the BranchCache hash generation service supports version 1 (V1) hashes, version 2 (V2) hashes, or both V1 and V2 hashes. Hashes, also called content information, are created based on the data in shared folders where BranchCache is enabled.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the BranchCache hash generation service supports version 1 (V1) hashes, version 2 (V2) hashes, or both V1 and V2 hashes. Hashes, also called content information, are created based on the data in shared folders where BranchCache is enabled.
If you specify only one version that is supported, content information for that version is the only type that is generated by BranchCache, and it is the only type of content information that can be retrieved by client computers. For example, if you enable support for V1 hashes, BranchCache generates only V1 hashes and client computers can retrieve only V1 hashes.
@@ -338,7 +338,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines how the SMB server selects a cipher suite when negotiating a new connection with an SMB client.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines how the SMB server selects a cipher suite when negotiating a new connection with an SMB client.
If you enable this policy setting, the SMB server will select the cipher suite it most prefers from the list of client-supported cipher suites, ignoring the client's preferences.
@@ -367,15 +367,15 @@ ADMX Info:
Footnotes:
-
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md
new file mode 100644
index 0000000000..96da8caef4
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md
@@ -0,0 +1,285 @@
+---
+title: Policy CSP - ADMX_LanmanWorkstation
+description: Policy CSP - ADMX_LanmanWorkstation
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 12/08/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_LanmanWorkstation
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_LanmanWorkstation policies
+
+
+
+
+
+
+
+
+**ADMX_LanmanWorkstation/Pol_CipherSuiteOrder**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines the cipher suites used by the SMB client.
+
+If you enable this policy setting, cipher suites are prioritized in the order specified.
+
+If you enable this policy setting and do not specify at least one supported cipher suite, or if you disable or do not configure this policy setting, the default cipher suite order is used.
+
+SMB 3.11 cipher suites:
+
+- AES_128_GCM
+- AES_128_CCM
+- AES_256_GCM
+- AES_256_CCM
+
+> [!NOTE]
+> AES_256 is not supported on Windows 10 version 20H2 and lower. If you enter only AES_256 crypto lines, the older clients will not be able to connect anymore.
+
+SMB 3.0 and 3.02 cipher suites:
+
+- AES_128_CCM
+
+How to modify this setting:
+
+Arrange the desired cipher suites in the edit box, one cipher suite per line, in order from most to least preferred, with the most preferred cipher suite at the top. Remove any cipher suites you don't want to use.
+
+> [!NOTE]
+> When configuring this security setting, changes will not take effect until you restart Windows.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Cipher suite order*
+- GP name: *Pol_CipherSuiteOrder*
+- GP path: *Network\Lanman Workstation*
+- GP ADMX file name: *LanmanWorkstation.admx*
+
+
+
+
+
+
+**ADMX_LanmanWorkstation/Pol_EnableHandleCachingForCAFiles**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of SMB handle caching for clients connecting to an SMB share where the Continuous Availability (CA) flag is enabled.
+
+If you enable this policy setting, the SMB client will allow cached handles to files on CA shares. This may lead to better performance when repeatedly accessing a large number of unstructured data files on CA shares running in Microsoft Azure Files.
+
+If you disable or do not configure this policy setting, Windows will prevent use of cached handles to files opened through CA shares.
+
+> [!NOTE]
+> This policy has no effect when connecting Scale-out File Server shares provided by a Windows Server. Microsoft does not recommend enabling this policy for clients that routinely connect to files hosted on a Windows Failover Cluster with the File Server for General Use role, as it can lead to adverse failover times and increased memory and CPU usage.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Handle Caching on Continuous Availability Shares*
+- GP name: *Pol_EnableHandleCachingForCAFiles*
+- GP path: *Network\Lanman Workstation*
+- GP ADMX file name: *LanmanWorkstation.admx*
+
+
+
+
+
+
+**ADMX_LanmanWorkstation/Pol_EnableOfflineFilesforCAShares**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines the behavior of Offline Files on clients connecting to an SMB share where the Continuous Availability (CA) flag is enabled.
+
+If you enable this policy setting, the "Always Available offline" option will appear in the File Explorer menu on a Windows computer when connecting to a CA-enabled share. Pinning of files on CA-enabled shares using client-side caching will also be possible.
+
+If you disable or do not configure this policy setting, Windows will prevent use of Offline Files with CA-enabled shares.
+
+> [!NOTE]
+> Microsoft does not recommend enabling this group policy. Use of CA with Offline Files will lead to very long transition times between the online and offline states.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Offline Files Availability on Continuous Availability Shares*
+- GP name: *Pol_EnableOfflineFilesforCAShares*
+- GP path: *Network\Lanman Workstation*
+- GP ADMX file name: *LanmanWorkstation.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md b/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md
index d4f25831ab..d8eee0b351 100644
--- a/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md
+++ b/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md
@@ -77,7 +77,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting changes the operational behavior of the Mapper I/O network protocol driver.
+Available in the latest Windows 10 Insider Preview Build. This policy setting changes the operational behavior of the Mapper I/O network protocol driver.
LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysis.
@@ -148,7 +148,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting changes the operational behavior of the Responder network protocol driver.
+Available in the latest Windows 10 Insider Preview Build. This policy setting changes the operational behavior of the Responder network protocol driver.
The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and network health analysis.
@@ -177,14 +177,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-logon.md b/windows/client-management/mdm/policy-csp-admx-logon.md
new file mode 100644
index 0000000000..b463924f33
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-logon.md
@@ -0,0 +1,1208 @@
+---
+title: Policy CSP - ADMX_Logon
+description: Policy CSP - ADMX_Logon
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 12/21/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_Logon
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_Logon policies
+
+
+
+
+
+
+
+
+**ADMX_Logon/BlockUserFromShowingAccountDetailsOnSignin**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy prevents the user from showing account details (email address or user name) on the sign-in screen.
+
+If you enable this policy setting, the user cannot choose to show account details on the sign-in screen.
+
+If you disable or do not configure this policy setting, the user may choose to show account details on the sign-in screen.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Block user from showing account details on sign-in*
+- GP name: *BlockUserFromShowingAccountDetailsOnSignin*
+- GP path: *System\Logon*
+- GP ADMX file name: *Logon.admx*
+
+
+
+
+
+
+**ADMX_Logon/DisableAcrylicBackgroundOnLogon**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting disables the acrylic blur effect on logon background image.
+
+If you enable this policy, the logon background image shows without blur.
+
+If you disable or do not configure this policy, the logon background image adopts the acrylic blur effect.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Show clear logon background*
+- GP name: *DisableAcrylicBackgroundOnLogon*
+- GP path: *System\Logon*
+- GP ADMX file name: *Logon.admx*
+
+
+
+
+
+
+**ADMX_Logon/DisableExplorerRunLegacy_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting ignores the customized run list.
+
+You can create a customized list of additional programs and documents that the system starts automatically when it runs on Windows Vista, Windows XP Professional, and Windows 2000 Professional. These programs are added to the standard run list of programs and services that the system starts.
+
+If you enable this policy setting, the system ignores the run list for Windows Vista, Windows XP Professional, and Windows 2000 Professional.
+
+If you disable or do not configure this policy setting, Windows Vista adds any customized run list configured to its run list.
+
+This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration.
+
+> [!NOTE]
+> To create a customized run list by using a policy setting, use the "Run these applications at startup" policy setting. Also, see the "Do not process the run once list" policy setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not process the legacy run list*
+- GP name: *DisableExplorerRunLegacy_1*
+- GP path: *System\Logon*
+- GP ADMX file name: *Logon.admx*
+
+
+
+
+
+
+**ADMX_Logon/DisableExplorerRunLegacy_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting ignores the customized run list.
+
+You can create a customized list of additional programs and documents that the system starts automatically when it runs on Windows Vista, Windows XP Professional, and Windows 2000 Professional. These programs are added to the standard run list of programs and services that the system starts.
+
+If you enable this policy setting, the system ignores the run list for Windows Vista, Windows XP Professional, and Windows 2000 Professional.
+
+If you disable or do not configure this policy setting, Windows Vista adds any customized run list configured to its run list.
+
+This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration.
+
+> [!NOTE]
+> To create a customized run list by using a policy setting, use the "Run these applications at startup" policy setting. Also, see the "Do not process the run once list" policy setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not process the legacy run list*
+- GP name: *DisableExplorerRunLegacy_2*
+- GP path: *System\Logon*
+- GP ADMX file name: *Logon.admx*
+
+
+
+
+
+
+**ADMX_Logon/DisableExplorerRunOnceLegacy_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting ignores customized run-once lists.
+
+You can create a customized list of additional programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of programs and services that the system starts.
+
+If you enable this policy setting, the system ignores the run-once list.
+
+If you disable or do not configure this policy setting, the system runs the programs in the run-once list.
+
+This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration.
+
+> [!NOTE]
+> Customized run-once lists are stored in the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce. Also, see the "Do not process the legacy run list" policy setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not process the run once list*
+- GP name: *DisableExplorerRunOnceLegacy_1*
+- GP path: *System\Logon*
+- GP ADMX file name: *Logon.admx*
+
+
+
+
+
+
+**ADMX_Logon/DisableExplorerRunOnceLegacy_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting ignores customized run-once lists.
+
+You can create a customized list of additional programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of programs and services that the system starts.
+
+If you enable this policy setting, the system ignores the run-once list.
+
+If you disable or do not configure this policy setting, the system runs the programs in the run-once list.
+
+This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration.
+
+> [!NOTE]
+> Customized run-once lists are stored in the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce. Also, see the "Do not process the legacy run list" policy setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not process the run once list*
+- GP name: *DisableExplorerRunOnceLegacy_2*
+- GP path: *System\Logon*
+- GP ADMX file name: *Logon.admx*
+
+
+
+
+
+
+**ADMX_Logon/DisableStatusMessages**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting suppresses system status messages.
+
+If you enable this setting, the system does not display a message reminding users to wait while their system starts or shuts down, or while users log on or off.
+
+If you disable or do not configure this policy setting, the system displays the message reminding users to wait while their system starts or shuts down, or while users log on or off.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Boot / Shutdown / Logon / Logoff status messages*
+- GP name: *DisableStatusMessages*
+- GP path: *System*
+- GP ADMX file name: *Logon.admx*
+
+
+
+
+
+
+**ADMX_Logon/DontEnumerateConnectedUsers**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting prevents connected users from being enumerated on domain-joined computers.
+
+If you enable this policy setting, the Logon UI will not enumerate any connected users on domain-joined computers.
+
+If you disable or do not configure this policy setting, connected users will be enumerated on domain-joined computers.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not enumerate connected users on domain-joined computers*
+- GP name: *DontEnumerateConnectedUsers*
+- GP path: *System\Logon*
+- GP ADMX file name: *Logon.admx*
+
+
+
+
+
+
+**ADMX_Logon/NoWelcomeTips_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting hides the welcome screen that is displayed on Windows 2000 Professional each time the user logs on.
+
+If you enable this policy setting, the welcome screen is hidden from the user logging on to a computer where this policy is applied.
+
+Users can still display the welcome screen by selecting it on the Start menu or by typing "Welcome" in the Run dialog box.
+
+If you disable or do not configure this policy, the welcome screen is displayed each time a user logs on to the computer.
+
+This setting applies only to Windows 2000 Professional. It does not affect the "Configure Your Server on a Windows 2000 Server" screen on Windows 2000 Server.
+
+> [!NOTE]
+> This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.
+
+> [!TIP]
+> To display the welcome screen, click Start, point to Programs, point to Accessories, point to System Tools, and then click "Getting Started." To suppress the welcome screen without specifying a setting, clear the "Show this screen at startup" check box on the welcome screen.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not display the Getting Started welcome screen at logon*
+- GP name: *NoWelcomeTips_1*
+- GP path: *System*
+- GP ADMX file name: *Logon.admx*
+
+
+
+
+
+
+
+**ADMX_Logon/NoWelcomeTips_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting hides the welcome screen that is displayed on Windows 2000 Professional each time the user logs on.
+
+If you enable this policy setting, the welcome screen is hidden from the user logging on to a computer where this policy is applied.
+
+Users can still display the welcome screen by selecting it on the Start menu or by typing "Welcome" in the Run dialog box.
+
+If you disable or do not configure this policy, the welcome screen is displayed each time a user logs on to the computer. This setting applies only to Windows 2000 Professional. It does not affect the "Configure Your Server on a Windows 2000 Server" screen on Windows 2000 Server.
+
+> [!NOTE]
+> This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.
+
+> [!TIP]
+> To display the welcome screen, click Start, point to Programs, point to Accessories, point to System Tools, and then click "Getting Started." To suppress the welcome screen without specifying a setting, clear the "Show this screen at startup" check box on the welcome screen.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not display the Getting Started welcome screen at logon*
+- GP name: *NoWelcomeTips_2*
+- GP path: *System\Logon*
+- GP ADMX file name: *Logon.admx*
+
+
+
+
+
+
+**ADMX_Logon/Run_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies additional programs or documents that Windows starts automatically when a user logs on to the system.
+
+If you enable this policy setting, you can specify which programs can run at the time the user logs on to this computer that has this policy applied.
+
+To specify values for this policy setting, click Show. In the Show Contents dialog box in the Value column, type the name of the executable program (.exe) file or document file. To specify another name, press ENTER, and type the name. Unless the file is located in the %Systemroot% directory, you must specify the fully qualified path to the file.
+
+If you disable or do not configure this policy setting, the user will have to start the appropriate programs after logon.
+
+> [!NOTE]
+> This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the system starts the programs specified in the Computer Configuration setting just before it starts the programs specified in the User Configuration setting.
+
+Also, see the "Do not process the legacy run list" and the "Do not process the run once list" settings.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Run these programs at user logon*
+- GP name: *Run_1*
+- GP path: *System\Logon*
+- GP ADMX file name: *Logon.admx*
+
+
+
+
+
+
+**ADMX_Logon/Run_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies additional programs or documents that Windows starts automatically when a user logs on to the system.
+
+If you enable this policy setting, you can specify which programs can run at the time the user logs on to this computer that has this policy applied.
+
+To specify values for this policy setting, click Show. In the Show Contents dialog box in the Value column, type the name of the executable program (.exe) file or document file. To specify another name, press ENTER, and type the name. Unless the file is located in the %Systemroot% directory, you must specify the fully qualified path to the file.
+
+If you disable or do not configure this policy setting, the user will have to start the appropriate programs after logon.
+
+> [!NOTE]
+> This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the system starts the programs specified in the Computer Configuration setting just before it starts the programs specified in the User Configuration setting.
+
+Also, see the "Do not process the legacy run list" and the "Do not process the run once list" settings.
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Run these programs at user logon*
+- GP name: *Run_2*
+- GP path: *System\Logon*
+- GP ADMX file name: *Logon.admx*
+
+
+
+
+
+
+**ADMX_Logon/SyncForegroundPolicy**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Group Policy processing is synchronous (that is, whether computers wait for the network to be fully initialized during computer startup and user logon). By default, on client computers, Group Policy processing is not synchronous; client computers typically do not wait for the network to be fully initialized at startup and logon. Existing users are logged on using cached credentials, which results in shorter logon times. Group Policy is applied in the background after the network becomes available.
+
+Note that because this is a background refresh, extensions such as Software Installation and Folder Redirection take two logons to apply changes. To be able to operate safely, these extensions require that no users be logged on. Therefore, they must be processed in the foreground before users are actively using the computer. In addition, changes that are made to the user object, such as adding a roaming profile path, home directory, or user object logon script, may take up to two logons to be detected.
+
+If a user with a roaming profile, home directory, or user object logon script logs on to a computer, computers always wait for the network to be initialized before logging the user on. If a user has never logged on to this computer before, computers always wait for the network to be initialized.
+
+If you enable this policy setting, computers wait for the network to be fully initialized before users are logged on. Group Policy is applied in the foreground, synchronously.
+
+On servers running Windows Server 2008 or later, this policy setting is ignored during Group Policy processing at computer startup and Group Policy processing will be synchronous (these servers wait for the network to be initialized during computer startup).
+
+If the server is configured as follows, this policy setting takes effect during Group Policy processing at user logon:
+
+- The server is configured as a terminal server (that is, the Terminal Server role service is installed and configured on the server); and
+- The “Allow asynchronous user Group Policy processing when logging on through Terminal Services” policy setting is enabled. This policy setting is located under Computer Configuration\Policies\Administrative templates\System\Group Policy\\.
+
+If this configuration is not implemented on the server, this policy setting is ignored. In this case, Group Policy processing at user logon is synchronous (these servers wait for the network to be initialized during user logon).
+
+If you disable or do not configure this policy setting and users log on to a client computer or a server running Windows Server 2008 or later and that is configured as described earlier, the computer typically does not wait for the network to be fully initialized. In this case, users are logged on with cached credentials. Group Policy is applied asynchronously in the background.
+
+> [!NOTE]
+>
+> - If you want to guarantee the application of Folder Redirection, Software Installation, or roaming user profile settings in just one logon, enable this policy setting to ensure that Windows waits for the network to be available before applying policy.
+> - If Folder Redirection policy will apply during the next logon, security policies will be applied asynchronously during the next update cycle, if network connectivity is available.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Always wait for the network at computer startup and logon*
+- GP name: *SyncForegroundPolicy*
+- GP path: *System\Logon*
+- GP ADMX file name: *Logon.admx*
+
+
+
+
+
+
+**ADMX_Logon/UseOEMBackground**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting ignores Windows Logon Background.
+
+This policy setting may be used to make Windows give preference to a custom logon background. If you enable this policy setting, the logon screen always attempts to load a custom background instead of the Windows-branded logon background.
+
+If you disable or do not configure this policy setting, Windows uses the default Windows logon background or custom background.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Always use custom logon background*
+- GP name: *UseOEMBackground*
+- GP path: *System\Logon*
+- GP ADMX file name: *Logon.admx*
+
+
+
+
+
+
+**ADMX_Logon/VerboseStatus**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to display highly detailed status messages.
+
+This policy setting is designed for advanced users who require this information.
+
+If you enable this policy setting, the system displays status messages that reflect each step in the process of starting, shutting down, logging on, or logging off the system.
+
+If you disable or do not configure this policy setting, only the default status messages are displayed to the user during these processes.
+
+> [!NOTE]
+> This policy setting is ignored if the "Remove Boot/Shutdown/Logon/Logoff status messages" policy setting is enabled.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Display highly detailed status messages*
+- GP name: *VerboseStatus*
+- GP path: *System*
+- GP ADMX file name: *Logon.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
new file mode 100644
index 0000000000..619444116c
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
@@ -0,0 +1,6862 @@
+---
+title: Policy CSP - ADMX_MicrosoftDefenderAntivirus
+description: Policy CSP - ADMX_MicrosoftDefenderAntivirus
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 12/02/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_MicrosoftDefenderAntivirus
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_MicrosoftDefenderAntivirus policies
+
+
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/AllowFastServiceStartup**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the load priority for the antimalware service. Increasing the load priority will allow for faster service startup, but may impact performance.
+
+If you enable or do not configure this setting, the antimalware service will load as a normal priority task.
+
+If you disable this setting, the antimalware service will load as a low priority task.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow antimalware service to startup with normal priority*
+- GP name: *AllowFastServiceStartup*
+- GP path: *Windows Components\Microsoft Defender Antivirus*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/DisableAntiSpywareDefender**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting turns off Microsoft Defender Antivirus.
+
+If you enable this policy setting, Microsoft Defender Antivirus does not run, and will not scan computers for malware or other potentially unwanted software.
+
+If you disable this policy setting, Microsoft Defender Antivirus will run regardless of any other installed antivirus product.
+
+If you do not configure this policy setting, Windows will internally manage Microsoft Defender Antivirus. If you install another antivirus program, Windows automatically disables Microsoft Defender Antivirus. Otherwise, Microsoft Defender Antivirus will scan your computers for malware and other potentially unwanted software.
+
+Enabling or disabling this policy may lead to unexpected or unsupported behavior. It is recommended that you leave this policy setting unconfigured.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Microsoft Defender Antivirus*
+- GP name: *DisableAntiSpywareDefender*
+- GP path: *Windows Components\Microsoft Defender Antivirus*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/DisableAutoExclusions**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Allows an administrator to specify if Automatic Exclusions feature for Server SKUs should be turned off.
+
+Disabled (Default):
+Microsoft Defender will exclude pre-defined list of paths from the scan to improve performance.
+
+Enabled:
+Microsoft Defender will not exclude pre-defined list of paths from scans. This can impact machine performance in some scenarios.
+
+Not configured:
+Same as Disabled.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Auto Exclusions*
+- GP name: *DisableAutoExclusions*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/DisableBlockAtFirstSeen**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This feature ensures the device checks in real time with the Microsoft Active Protection Service (MAPS) before allowing certain content to be run or accessed. If this feature is disabled, the check will not occur, which will lower the protection state of the device.
+
+Enabled – The Block at First Sight setting is turned on.
+Disabled – The Block at First Sight setting is turned off.
+
+This feature requires these Group Policy settings to be set as follows:
+
+- MAPS -> The “Join Microsoft MAPS” must be enabled or the “Block at First Sight” feature will not function.
+- MAPS -> The “Send file samples when further analysis is required” should be set to 1 (Send safe samples) or 3 (Send all samples). Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the “Block at First Sight” feature will not function.
+- Real-time Protection -> The “Scan all downloaded files and attachments” policy must be enabled or the “Block at First Sight” feature will not function.
+- Real-time Protection -> Do not enable the “Turn off real-time protection” policy or the “Block at First Sight” feature will not function.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure the 'Block at First Sight' feature*
+- GP name: *DisableBlockAtFirstSeen*
+- GP path: *Windows Components\Microsoft Defender Antivirus\MAPS*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/DisableLocalAdminMerge**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not complex list settings configured by a local administrator are merged with Group Policy settings. This setting applies to lists such as threats and Exclusions.
+
+If you enable or do not configure this setting, unique items defined in Group Policy and in preference settings configured by the local administrator will be merged into the resulting effective policy. In the case of conflicts, Group policy Settings will override preference settings.
+
+If you disable this setting, only items defined by Group Policy will be used in the resulting effective policy. Group Policy settings will override preference settings configured by the local administrator.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure local administrator merge behavior for lists*
+- GP name: *DisableLocalAdminMerge*
+- GP path: *Windows Components\Microsoft Defender Antivirus*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/DisableRealtimeMonitoring**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting turns off real-time protection prompts for known malware detection.
+
+Microsoft Defender Antivirus alerts you when malware or potentially unwanted software attempts to install itself or to run on your computer.
+
+If you enable this policy setting, Microsoft Defender Antivirus will not prompt users to take actions on malware detections.
+
+If you disable or do not configure this policy setting, Microsoft Defender Antivirus will prompt users to take actions on malware detections.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off real-time protection*
+- GP name: *DisableRealtimeMonitoring*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/DisableRoutinelyTakingAction**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure whether Microsoft Defender Antivirus automatically takes action on all detected threats. The action to be taken on a particular threat is determined by the combination of the policy-defined action, user-defined action, and the signature-defined action.
+
+If you enable this policy setting, Microsoft Defender Antivirus does not automatically take action on the detected threats, but prompts users to choose from the actions available for each threat.
+
+If you disable or do not configure this policy setting, Microsoft Defender Antivirus automatically takes action on all detected threats after a nonconfigurable delay of approximately five seconds.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off routine remediation*
+- GP name: *DisableRoutinelyTakingAction*
+- GP path: *Windows Components\Microsoft Defender Antivirus*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Exclusions_Extensions**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you specify a list of file types that should be excluded from scheduled, custom, and real-time scanning. File types should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the file type extension (such as "obj" or "lib"). The value is not used and it is recommended that this be set to 0.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Extension Exclusions*
+- GP name: *Exclusions_Extensions*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Exclusions_Paths**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to disable scheduled and real-time scanning for files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name.
+
+As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe". The value is not used and it is recommended that this be set to 0.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Path Exclusions*
+- GP name: *Exclusions_Paths*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Exclusions_Processes**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to disable scheduled and real-time scanning for any file opened by any of the specified processes. The process itself will not be excluded. To exclude the process, use the Path exclusion. Processes should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the path to the process image. Note that only executables can be excluded. For example, a process might be defined as: "c:\windows\app.exe". The value is not used and it is recommended that this be set to 0.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Process Exclusions*
+- GP name: *Exclusions_Processes*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Exclusions*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_ASROnlyExclusions**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Exclude files and paths from Attack Surface Reduction (ASR) rules.
+
+Enabled:
+Specify the folders or files and resources that should be excluded from ASR rules in the Options section.
+Enter each rule on a new line as a name-value pair:
+
+- Name column: Enter a folder path or a fully qualified resource name. For example, "C:\Windows" will exclude all files in that directory. "C:\Windows\App.exe" will exclude only that specific file in that specific folder
+- Value column: Enter "0" for each item
+
+Disabled:
+No exclusions will be applied to the ASR rules.
+
+Not configured:
+Same as Disabled.
+
+You can configure ASR rules in the Configure Attack Surface Reduction rules GP setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Exclude files and paths from Attack Surface Reduction Rules*
+- GP name: *ExploitGuard_ASR_ASROnlyExclusions*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ASR_Rules**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Set the state for each Attack Surface Reduction (ASR) rule.
+
+After enabling this setting, you can set each rule to the following in the Options section:
+
+- Block: the rule will be applied
+- Audit Mode: if the rule would normally cause an event, then it will be recorded (although the rule will not actually be applied)
+- Off: the rule will not be applied
+
+Enabled:
+Specify the state for each ASR rule under the Options section for this setting.
+Enter each rule on a new line as a name-value pair:
+
+- Name column: Enter a valid ASR rule ID
+- Value column: Enter the status ID that relates to state you want to specify for the associated rule
+
+The following status IDs are permitted under the value column:
+- 1 (Block)
+- 0 (Off)
+- 2 (Audit)
+
+Example:
+xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 0
+xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 1
+xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 2
+
+Disabled:
+No ASR rules will be configured.
+
+Not configured:
+Same as Disabled.
+
+You can exclude folders or files in the "Exclude files and paths from Attack Surface Reduction Rules" GP setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure Attack Surface Reduction rules*
+- GP name: *ExploitGuard_ASR_Rules*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_AllowedApplications**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Add additional applications that should be considered "trusted" by controlled folder access.
+
+These applications are allowed to modify or delete files in controlled folder access folders.
+
+Microsoft Defender Antivirus automatically determines which applications should be trusted. You can configure this setting to add additional applications.
+
+Enabled:
+Specify additional allowed applications in the Options section..
+
+Disabled:
+No additional applications will be added to the trusted list.
+
+Not configured:
+Same as Disabled.
+
+You can enable controlled folder access in the Configure controlled folder access GP setting.
+
+Default system folders are automatically guarded, but you can add folders in the configure protected folders GP setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure allowed applications*
+- GP name: *ExploitGuard_ControlledFolderAccess_AllowedApplications*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Controlled Folder Access*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/ExploitGuard_ControlledFolderAccess_ProtectedFolders**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Specify additional folders that should be guarded by the Controlled folder access feature.
+
+Files in these folders cannot be modified or deleted by untrusted applications.
+
+Default system folders are automatically protected. You can configure this setting to add additional folders.
+The list of default system folders that are protected is shown in Windows Security.
+
+Enabled:
+Specify additional folders that should be protected in the Options section.
+
+Disabled:
+No additional folders will be protected.
+
+Not configured:
+Same as Disabled.
+
+You can enable controlled folder access in the Configure controlled folder access GP setting.
+
+Microsoft Defender Antivirus automatically determines which applications can be trusted. You can add additional trusted applications in the Configure allowed applications GP setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure protected folders*
+- GP name: *ExploitGuard_ControlledFolderAccess_ProtectedFolders*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Controlled Folder Access*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/MpEngine_EnableFileHashComputation**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Enable or disable file hash computation feature.
+
+Enabled:
+When this feature is enabled Microsoft Defender will compute hash value for files it scans.
+
+Disabled:
+File hash value is not computed
+
+Not configured:
+Same as Disabled.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Enable file hash computation feature*
+- GP name: *MpEngine_EnableFileHashComputation*
+- GP path: *Windows Components\Microsoft Defender Antivirus\MpEngine*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_DisableSignatureRetirement**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure definition retirement for network protection against exploits of known vulnerabilities. Definition retirement checks to see if a computer has the required security updates necessary to protect it against a particular vulnerability. If the system is not vulnerable to the exploit detected by a definition, then that definition is "retired". If all security intelligence for a given protocol are retired then that protocol is no longer parsed. Enabling this feature helps to improve performance. On a computer that is up-to-date with all the latest security updates, network protection will have no impact on network performance.
+
+If you enable or do not configure this setting, definition retirement will be enabled.
+
+If you disable this setting, definition retirement will be disabled.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn on definition retirement*
+- GP name: *Nis_Consumers_IPS_DisableSignatureRetirement*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Network Inspection System*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting defines additional definition sets to enable for network traffic inspection. Definition set GUIDs should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a definition set GUID. As an example, the definition set GUID to enable test security intelligence is defined as: “{b54b6ac9-a737-498e-9120-6616ad3bf590}”. The value is not used and it is recommended that this be set to 0.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Specify additional definition sets for network traffic inspection*
+- GP name: *Nis_Consumers_IPS_sku_differentiation_Signature_Set_Guid*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Network Inspection System*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Nis_DisableProtocolRecognition**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure protocol recognition for network protection against exploits of known vulnerabilities.
+
+If you enable or do not configure this setting, protocol recognition will be enabled.
+
+If you disable this setting, protocol recognition will be disabled.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn on protocol recognition*
+- GP name: *Nis_DisableProtocolRecognition*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Network Inspection System*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/ProxyBypass**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy, if defined, will prevent antimalware from using the configured proxy server when communicating with the specified IP addresses. The address value should be entered as a valid URL.
+
+If you enable this setting, the proxy server will be bypassed for the specified addresses.
+
+If you disable or do not configure this setting, the proxy server will not be bypassed for the specified addresses.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Define addresses to bypass proxy server*
+- GP name: *ProxyBypass*
+- GP path: *Windows Components\Microsoft Defender Antivirus*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/ProxyPacUrl**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting defines the URL of a proxy .pac file that should be used when the client attempts to connect the network for security intelligence updates and MAPS reporting. If the proxy auto-config fails or if there is no proxy auto-config specified, the client will fall back to the alternative options (in order):
+
+1. Proxy server (if specified)
+2. Proxy .pac URL (if specified)
+3. None
+4. Internet Explorer proxy settings
+5. Autodetect
+
+If you enable this setting, the proxy setting will be set to use the specified proxy .pac according to the order specified above.
+
+If you disable or do not configure this setting, the proxy will skip over this fallback step according to the order specified above.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Define proxy auto-config (.pac) for connecting to the network*
+- GP name: *ProxyPacUrl*
+- GP path: *Windows Components\Microsoft Defender Antivirus*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/ProxyServer**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the named proxy that should be used when the client attempts to connect to the network for security intelligence updates and MAPS reporting. If the named proxy fails or if there is no proxy specified, the client will fall back to the alternative options (in order):
+
+1. Proxy server (if specified)
+2. Proxy .pac URL (if specified)
+3. None
+4. Internet Explorer proxy settings
+5. Autodetect
+
+If you enable this setting, the proxy will be set to the specified URL according to the order specified above. The URL should be proceeded with either http:// or https://.
+
+If you disable or do not configure this setting, the proxy will skip over this fallback step according to the order specified above.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Define proxy server for connecting to the network*
+- GP name: *ProxyServer*
+- GP path: *Windows Components\Microsoft Defender Antivirus*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Quarantine_LocalSettingOverridePurgeItemsAfterDelay**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of the number of days items should be kept in the Quarantine folder before being removed. This setting can only be set by Group Policy.
+
+If you enable this setting, the local preference setting will take priority over Group Policy.
+
+If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure local setting override for the removal of items from Quarantine folder*
+- GP name: *Quarantine_LocalSettingOverridePurgeItemsAfterDelay*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Quarantine*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Quarantine_PurgeItemsAfterDelay**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting defines the number of days items should be kept in the Quarantine folder before being removed.
+
+If you enable this setting, items will be removed from the Quarantine folder after the number of days specified.
+
+If you disable or do not configure this setting, items will be kept in the quarantine folder indefinitely and will not be automatically removed.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure removal of items from Quarantine folder*
+- GP name: *Quarantine_PurgeItemsAfterDelay*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Quarantine*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/RandomizeScheduleTaskTimes**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enable or disable randomization of the scheduled scan start time and the scheduled security intelligence update start time. This setting is used to distribute the resource impact of scanning. For example, it could be used in guest virtual machines sharing a host, to prevent multiple guest virtual machines from undertaking a disk-intensive operation at the same time.
+
+If you enable or do not configure this setting, scheduled tasks will begin at a random time within an interval of 30 minutes before and after the specified start time.
+
+If you disable this setting, scheduled tasks will begin at the specified start time.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Randomize scheduled task times*
+- GP name: *RandomizeScheduleTaskTimes*
+- GP path: *Windows Components\Microsoft Defender Antivirus*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableBehaviorMonitoring**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure behavior monitoring.
+
+If you enable or do not configure this setting, behavior monitoring will be enabled.
+
+If you disable this setting, behavior monitoring will be disabled.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn on behavior monitoring*
+- GP name: *RealtimeProtection_DisableBehaviorMonitoring*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableIOAVProtection**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure scanning for all downloaded files and attachments.
+
+If you enable or do not configure this setting, scanning for all downloaded files and attachments will be enabled.
+
+If you disable this setting, scanning for all downloaded files and attachments will be disabled.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Scan all downloaded files and attachments*
+- GP name: *RealtimeProtection_DisableIOAVProtection*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableOnAccessProtection**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure monitoring for file and program activity.
+
+If you enable or do not configure this setting, monitoring for file and program activity will be enabled.
+
+If you disable this setting, monitoring for file and program activity will be disabled.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Monitor file and program activity on your computer*
+- GP name: *RealtimeProtection_DisableOnAccessProtection*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableRawWriteNotification**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether raw volume write notifications are sent to behavior monitoring.
+
+If you enable or do not configure this setting, raw write notifications will be enabled.
+
+If you disable this setting, raw write notifications be disabled.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn on raw volume write notifications*
+- GP name: *RealtimeProtection_DisableRawWriteNotification*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_DisableScanOnRealtimeEnable**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure process scanning when real-time protection is turned on. This helps to catch malware which could start when real-time protection is turned off.
+
+If you enable or do not configure this setting, a process scan will be initiated when real-time protection is turned on.
+
+If you disable this setting, a process scan will not be initiated when real-time protection is turned on.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn on process scanning whenever real-time protection is enabled*
+- GP name: *RealtimeProtection_DisableScanOnRealtimeEnable*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_IOAVMaxSize**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting defines the maximum size (in kilobytes) of downloaded files and attachments that will be scanned.
+
+If you enable this setting, downloaded files and attachments smaller than the size specified will be scanned.
+
+If you disable or do not configure this setting, a default size will be applied.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Define the maximum size of downloaded files and attachments to be scanned*
+- GP name: *RealtimeProtection_IOAVMaxSize*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of behavior monitoring. This setting can only be set by Group Policy.
+
+If you enable this setting, the local preference setting will take priority over Group Policy.
+
+If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure local setting override for turn on behavior monitoring*
+- GP name: *RealtimeProtection_LocalSettingOverrideDisableBehaviorMonitoring*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableIOAVProtection**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Group Policy.
+
+If you enable this setting, the local preference setting will take priority over Group Policy.
+
+If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure local setting override for scanning all downloaded files and attachments*
+- GP name: *RealtimeProtection_LocalSettingOverrideDisableIOAVProtection*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Group Policy.
+
+If you enable this setting, the local preference setting will take priority over Group Policy.
+
+If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure local setting override for monitoring file and program activity on your computer*
+- GP name: *RealtimeProtection_LocalSettingOverrideDisableOnAccessProtection*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration to turn on real-time protection. This setting can only be set by Group Policy.
+
+If you enable this setting, the local preference setting will take priority over Group Policy.
+
+If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure local setting override to turn on real-time protection*
+- GP name: *RealtimeProtection_LocalSettingOverrideDisableRealtimeMonitoring*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/RealtimeProtection_LocalSettingOverrideRealtimeScanDirection**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be set by Group Policy.
+
+If you enable this setting, the local preference setting will take priority over Group Policy.
+
+If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure local setting override for monitoring for incoming and outgoing file activity*
+- GP name: *RealtimeProtection_LocalSettingOverrideRealtimeScanDirection*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Real-time Protection*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Remediation_LocalSettingOverrideScan_ScheduleTime**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of the time to run a scheduled full scan to complete remediation. This setting can only be set by Group Policy.
+
+If you enable this setting, the local preference setting will take priority over Group Policy.
+
+If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure local setting override for the time of day to run a scheduled full scan to complete remediation*
+- GP name: *Remediation_LocalSettingOverrideScan_ScheduleTime*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Remediation*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleDay**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the day of the week on which to perform a scheduled full scan in order to complete remediation. The scan can also be configured to run every day or to never run at all.
+
+This setting can be configured with the following ordinal number values:
+
+- (0x0) Every Day
+- (0x1) Sunday
+- (0x2) Monday
+- (0x3) Tuesday
+- (0x4) Wednesday
+- (0x5) Thursday
+- (0x6) Friday
+- (0x7) Saturday
+- (0x8) Never (default)
+
+If you enable this setting, a scheduled full scan to complete remediation will run at the frequency specified.
+
+If you disable or do not configure this setting, a scheduled full scan to complete remediation will run at a default frequency.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Specify the day of the week to run a scheduled full scan to complete remediation*
+- GP name: *Remediation_Scan_ScheduleDay*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Remediation*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Remediation_Scan_ScheduleTime**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the time of day at which to perform a scheduled full scan in order to complete remediation. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. The schedule is based on local time on the computer where the scan is executing.
+
+If you enable this setting, a scheduled full scan to complete remediation will run at the time of day specified.
+
+If you disable or do not configure this setting, a scheduled full scan to complete remediation will run at a default time.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Specify the time of day to run a scheduled full scan to complete remediation*
+- GP name: *Remediation_Scan_ScheduleTime*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Remediation*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Reporting_AdditionalActionTimeout**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the time in minutes before a detection in the "additional action" state moves to the "cleared" state.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure time out for detections requiring additional action*
+- GP name: *Reporting_AdditionalActionTimeout*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Reporting_CriticalFailureTimeout**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the time in minutes before a detection in the “critically failed” state to moves to either the “additional action” state or the “cleared” state.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure time out for detections in critically failed state*
+- GP name: *Reporting_CriticalFailureTimeout*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Reporting_DisableEnhancedNotifications**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Use this policy setting to specify if you want Microsoft Defender Antivirus enhanced notifications to display on clients.
+
+If you disable or do not configure this setting, Microsoft Defender Antivirus enhanced notifications will display on clients.
+
+If you enable this setting, Microsoft Defender Antivirus enhanced notifications will not display on clients.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off enhanced notifications*
+- GP name: *Reporting_DisableEnhancedNotifications*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Reporting_DisablegenericrePorts**
+
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure whether or not Watson events are sent.
+
+If you enable or do not configure this setting, Watson events will be sent.
+
+If you disable this setting, Watson events will not be sent.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure Watson events*
+- GP name: *Reporting_DisablegenericrePorts*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Reporting_NonCriticalTimeout**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the time in minutes before a detection in the "non-critically failed" state moves to the "cleared" state.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure time out for detections in non-critical failed state*
+- GP name: *Reporting_NonCriticalTimeout*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Reporting_RecentlyCleanedTimeout**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the time in minutes before a detection in the "completed" state moves to the "cleared" state.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure time out for detections in recently remediated state*
+- GP name: *Reporting_RecentlyCleanedTimeout*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingComponents**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy configures Windows software trace preprocessor (WPP Software Tracing) components.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure Windows software trace preprocessor components*
+- GP name: *Reporting_WppTracingComponents*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Reporting_WppTracingLevel**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy allows you to configure tracing levels for Windows software trace preprocessor (WPP Software Tracing).
+
+Tracing levels are defined as:
+
+- 1 - Error
+- 2 - Warning
+- 3 - Info
+- 4 - Debug
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure WPP tracing level*
+- GP name: *Reporting_WppTracingLevel*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Reporting*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Scan_AllowPause**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether or not end users can pause a scan in progress.
+
+If you enable or do not configure this setting, a new context menu will be added to the task tray icon to allow the user to pause a scan.
+
+If you disable this setting, users will not be able to pause scans.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow users to pause scan*
+- GP name: *Scan_AllowPause*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxDepth**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the maximum directory depth level into which archive files such as .ZIP or .CAB are unpacked during scanning. The default directory depth level is 0.
+
+If you enable this setting, archive files will be scanned to the directory depth level specified.
+
+If you disable or do not configure this setting, archive files will be scanned to the default directory depth level.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Specify the maximum depth to scan archive files*
+- GP name: *Scan_ArchiveMaxDepth*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Scan_ArchiveMaxSize**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the maximum size of archive files such as .ZIP or .CAB that will be scanned. The value represents file size in kilobytes (KB). The default value is 0 and represents no limit to archive size for scanning.
+
+If you enable this setting, archive files less than or equal to the size specified will be scanned.
+
+If you disable or do not configure this setting, archive files will be scanned according to the default value.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Specify the maximum size of archive files to be scanned*
+- GP name: *Scan_ArchiveMaxSize*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Scan_DisableArchiveScanning**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files.
+
+If you enable or do not configure this setting, archive files will be scanned.
+
+If you disable this setting, archive files will not be scanned.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Scan archive files*
+- GP name: *Scan_DisableArchiveScanning*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Scan_DisableEmailScanning**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac).
+
+If you enable this setting, e-mail scanning will be enabled.
+
+If you disable or do not configure this setting, e-mail scanning will be disabled.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn on e-mail scanning*
+- GP name: *Scan_DisableEmailScanning*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Scan_DisableHeuristics**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure heuristics. Suspicious detections will be suppressed right before reporting to the engine client. Turning off heuristics will reduce the capability to flag new threats. It is recommended that you do not turn off heuristics.
+
+If you enable or do not configure this setting, heuristics will be enabled.
+
+If you disable this setting, heuristics will be disabled.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn on heuristics*
+- GP name: *Scan_DisableHeuristics*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Scan_DisablePackedExeScanning**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure scanning for packed executables. It is recommended that this type of scanning remain enabled.
+
+If you enable or do not configure this setting, packed executables will be scanned.
+
+If you disable this setting, packed executables will not be scanned.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Scan packed executables*
+- GP name: *Scan_DisablePackedExeScanning*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Scan_DisableRemovableDriveScanning**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan.
+
+If you enable this setting, removable drives will be scanned during any type of scan.
+
+If you disable or do not configure this setting, removable drives will not be scanned during a full scan. Removable drives may still be scanned during quick scan and custom scan.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Scan removable drives*
+- GP name: *Scan_DisableRemovableDriveScanning*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Scan_DisableReparsePointScanning**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure reparse point scanning. If you allow reparse points to be scanned, there is a possible risk of recursion. However, the engine supports following reparse points to a maximum depth so at worst scanning could be slowed. Reparse point scanning is disabled by default and this is the recommended state for this functionality.
+
+If you enable this setting, reparse point scanning will be enabled.
+
+If you disable or do not configure this setting, reparse point scanning will be disabled.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn on reparse point scanning*
+- GP name: *Scan_DisableReparsePointScanning*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Scan_DisableRestorePoint**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to create a system restore point on the computer on a daily basis prior to cleaning.
+
+If you enable this setting, a system restore point will be created.
+
+If you disable or do not configure this setting, a system restore point will not be created.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Create a system restore point*
+- GP name: *Scan_DisableRestorePoint*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningMappedNetworkDrivesForFullScan**
+
+
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure scanning mapped network drives.
+
+If you enable this setting, mapped network drives will be scanned.
+
+If you disable or do not configure this setting, mapped network drives will not be scanned.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Run full scan on mapped network drives*
+- GP name: *Scan_DisableScanningMappedNetworkDrivesForFullScan*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningNetworkFiles**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure scanning for network files. It is recommended that you do not enable this setting.
+
+If you enable this setting, network files will be scanned.
+
+If you disable or do not configure this setting, network files will not be scanned.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Scan network files*
+- GP name: *Scan_DisableScanningNetworkFiles*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideAvgCPULoadFactor**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of maximum percentage of CPU utilization during scan. This setting can only be set by Group Policy.
+
+If you enable this setting, the local preference setting will take priority over Group Policy.
+
+If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure local setting override for maximum percentage of CPU utilization*
+- GP name: *Scan_LocalSettingOverrideAvgCPULoadFactor*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScanParameters**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of the scan type to use during a scheduled scan. This setting can only be set by Group Policy.
+
+If you enable this setting, the local preference setting will take priority over Group Policy.
+
+If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure local setting override for the scan type to use for a scheduled scan*
+- GP name: *Scan_LocalSettingOverrideScanParameters*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleDay**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of scheduled scan day. This setting can only be set by Group Policy.
+
+If you enable this setting, the local preference setting will take priority over Group Policy.
+
+If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure local setting override for schedule scan day*
+- GP name: *Scan_LocalSettingOverrideScheduleDay*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleQuickScantime**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of scheduled quick scan time. This setting can only be set by Group Policy.
+
+If you enable this setting, the local preference setting will take priority over Group Policy.
+
+If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure local setting override for scheduled quick scan time*
+- GP name: *Scan_LocalSettingOverrideScheduleQuickScantime*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Scan_LocalSettingOverrideScheduleTime**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration of scheduled scan time. This setting can only be set by Group Policy.
+
+If you enable this setting, the local preference setting will take priority over Group Policy.
+
+If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure local setting override for scheduled scan time*
+- GP name: *Scan_LocalSettingOverrideScheduleTime*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Scan_LowCpuPriority**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enable or disable low CPU priority for scheduled scans.
+
+If you enable this setting, low CPU priority will be used during scheduled scans.
+
+If you disable or do not configure this setting, not changes will be made to CPU priority for scheduled scans.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure low CPU priority for scheduled scans*
+- GP name: *Scan_LowCpuPriority*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Scan_MissedScheduledScanCountBeforeCatchup**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to define the number of consecutive scheduled scans that can be missed after which a catch-up scan will be forced. By default, the value of this setting is 2 consecutive scheduled scans.
+
+If you enable this setting, a catch-up scan will occur after the specified number consecutive missed scheduled scans.
+
+If you disable or do not configure this setting, a catch-up scan will occur after the 2 consecutive missed scheduled scans.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Define the number of days after which a catch-up scan is forced*
+- GP name: *Scan_MissedScheduledScanCountBeforeCatchup*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Scan_PurgeItemsAfterDelay**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting defines the number of days items should be kept in the scan history folder before being permanently removed. The value represents the number of days to keep items in the folder. If set to zero, items will be kept forever and will not be automatically removed. By default, the value is set to 30 days.
+
+If you enable this setting, items will be removed from the scan history folder after the number of days specified.
+
+If you disable or do not configure this setting, items will be kept in the scan history folder for the default number of days.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn on removal of items from scan history folder*
+- GP name: *Scan_PurgeItemsAfterDelay*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Scan_QuickScanInterval**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day). If set to zero, interval quick scans will not occur. By default, this setting is set to 0.
+
+If you enable this setting, a quick scan will run at the interval specified.
+
+If you disable or do not configure this setting, a quick scan will run at a default time.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Specify the interval to run quick scans per day*
+- GP name: *Scan_QuickScanInterval*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Scan_ScanOnlyIfIdle**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure scheduled scans to start only when your computer is on but not in use.
+
+If you enable or do not configure this setting, scheduled scans will only run when the computer is on but not in use.
+
+If you disable this setting, scheduled scans will run at the scheduled time.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Start the scheduled scan only when computer is on but not in use*
+- GP name: *Scan_ScanOnlyIfIdle*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleDay**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the day of the week on which to perform a scheduled scan. The scan can also be configured to run every day or to never run at all.
+
+This setting can be configured with the following ordinal number values:
+
+- (0x0) Every Day
+- (0x1) Sunday
+- (0x2) Monday
+- (0x3) Tuesday
+- (0x4) Wednesday
+- (0x5) Thursday
+- (0x6) Friday
+- (0x7) Saturday
+- (0x8) Never (default)
+
+If you enable this setting, a scheduled scan will run at the frequency specified.
+
+If you disable or do not configure this setting, a scheduled scan will run at a default frequency.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Specify the day of the week to run a scheduled scan*
+- GP name: *Scan_ScheduleDay*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Scan_ScheduleTime**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the time of day at which to perform a scheduled scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to a time value of 2:00 AM. The schedule is based on local time on the computer where the scan is executing.
+
+If you enable this setting, a scheduled scan will run at the time of day specified.
+
+If you disable or do not configure this setting, a scheduled scan will run at a default time.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Specify the time of day to run a scheduled scan*
+- GP name: *Scan_ScheduleTime*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Scan*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/ServiceKeepAlive**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure whether or not the antimalware service remains running when antivirus and antispyware security intelligence is disabled. It is recommended that this setting remain disabled.
+
+If you enable this setting, the antimalware service will always remain running even if both antivirus and antispyware security intelligence is disabled.
+
+If you disable or do not configure this setting, the antimalware service will be stopped when both antivirus and antispyware security intelligence is disabled. If the computer is restarted, the service will be started if it is set to Automatic startup. After the service has started, there will be a check to see if antivirus and antispyware security intelligence is enabled. If at least one is enabled, the service will remain running. If both are disabled, the service will be stopped.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow antimalware service to remain running always*
+- GP name: *ServiceKeepAlive*
+- GP path: *Windows Components\Microsoft Defender Antivirus*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ASSignatureDue**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days.
+
+If you enable this setting, spyware security intelligence will be considered out of date after the number of days specified have passed without an update.
+
+If you disable or do not configure this setting, spyware security intelligence will be considered out of date after the default number of days have passed without an update.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Define the number of days before spyware security intelligence is considered out of date*
+- GP name: *SignatureUpdate_ASSignatureDue*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_AVSignatureDue**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to define the number of days that must pass before virus security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days.
+
+If you enable this setting, virus security intelligence will be considered out of date after the number of days specified have passed without an update.
+
+If you disable or do not configure this setting, virus security intelligence will be considered out of date after the default number of days have passed without an update.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Define the number of days before virus security intelligence is considered out of date*
+- GP name: *SignatureUpdate_AVSignatureDue*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DefinitionUpdateFileSharesSources**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure UNC file share sources for downloading security intelligence updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources. For example: "{\\\unc1 | \\\unc2 }". The list is empty by default.
+
+If you enable this setting, the specified sources will be contacted for security intelligence updates. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted.
+
+If you disable or do not configure this setting, the list will remain empty by default and no sources will be contacted.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Define file shares for downloading security intelligence updates*
+- GP name: *SignatureUpdate_DefinitionUpdateFileSharesSources*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScanOnUpdate**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the automatic scan which starts after a security intelligence update has occurred.
+
+If you enable or do not configure this setting, a scan will start following a security intelligence update.
+
+If you disable this setting, a scan will not start following a security intelligence update.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn on scan after security intelligence update*
+- GP name: *SignatureUpdate_DisableScanOnUpdate*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableScheduledSignatureUpdateonBattery**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure security intelligence updates when the computer is running on battery power.
+
+If you enable or do not configure this setting, security intelligence updates will occur as usual regardless of power state.
+
+If you disable this setting, security intelligence updates will be turned off while the computer is running on battery power.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow security intelligence updates when running on battery power*
+- GP name: *SignatureUpdate_DisableScheduledSignatureUpdateonBattery*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_DisableUpdateOnStartupWithoutEngine**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure security intelligence updates on startup when there is no antimalware engine present.
+
+If you enable or do not configure this setting, security intelligence updates will be initiated on startup when there is no antimalware engine present.
+
+If you disable this setting, security intelligence updates will not be initiated on startup when there is no antimalware engine present.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Initiate security intelligence update on startup*
+- GP name: *SignatureUpdate_DisableUpdateOnStartupWithoutEngine*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_FallbackOrder**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to define the order in which different security intelligence update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources in order. Possible values are: “InternalDefinitionUpdateServer”, “MicrosoftUpdateServer”, “MMPC”, and “FileShares”.
+
+For example: { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC }
+
+If you enable this setting, security intelligence update sources will be contacted in the order specified. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted.
+
+If you disable or do not configure this setting, security intelligence update sources will be contacted in a default order.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Define the order of sources for downloading security intelligence updates*
+- GP name: *SignatureUpdate_FallbackOrder*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ForceUpdateFromMU**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enable download of security intelligence updates from Microsoft Update even if the Automatic Updates default server is configured to another download source such as Windows Update.
+
+If you enable this setting, security intelligence updates will be downloaded from Microsoft Update.
+
+If you disable or do not configure this setting, security intelligence updates will be downloaded from the configured download source.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow security intelligence updates from Microsoft Update*
+- GP name: *SignatureUpdate_ForceUpdateFromMU*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_RealtimeSignatureDelivery**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enable real-time security intelligence updates in response to reports sent to Microsoft MAPS. If the service reports a file as an unknown and Microsoft MAPS finds that the latest security intelligence update has security intelligence for a threat involving that file, the service will receive all of the latest security intelligence for that threat immediately. You must have configured your computer to join Microsoft MAPS for this functionality to work.
+
+If you enable or do not configure this setting, real-time security intelligence updates will be enabled.
+
+If you disable this setting, real-time security intelligence updates will disabled.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow real-time security intelligence updates based on reports to Microsoft MAPS*
+- GP name: *SignatureUpdate_RealtimeSignatureDelivery*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleDay**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the day of the week on which to check for security intelligence updates. The check can also be configured to run every day or to never run at all.
+
+This setting can be configured with the following ordinal number values:
+
+- (0x0) Every Day (default)
+- (0x1) Sunday
+- (0x2) Monday
+- (0x3) Tuesday
+- (0x4) Wednesday
+- (0x5) Thursday
+- (0x6) Friday
+- (0x7) Saturday
+- (0x8) Never
+
+If you enable this setting, the check for security intelligence updates will occur at the frequency specified.
+
+If you disable or do not configure this setting, the check for security intelligence updates will occur at a default frequency.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Specify the day of the week to check for security intelligence updates*
+- GP name: *SignatureUpdate_ScheduleDay*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ScheduleTime**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the time of day at which to check for security intelligence updates. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default this setting is configured to check for security intelligence updates 15 minutes before the scheduled scan time. The schedule is based on local time on the computer where the check is occurring.
+
+If you enable this setting, the check for security intelligence updates will occur at the time of day specified.
+
+If you disable or do not configure this setting, the check for security intelligence updates will occur at the default time.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Specify the time to check for security intelligence updates*
+- GP name: *SignatureUpdate_ScheduleTime*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SharedSignaturesLocation**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to define the security intelligence location for VDI-configured computers.
+
+If you disable or do not configure this setting, security intelligence will be referred from the default local source.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Define security intelligence location for VDI clients.*
+- GP name: *SignatureUpdate_SharedSignaturesLocation*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureDisableNotification**
+
+
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the antimalware service to receive notifications to disable individual security intelligence in response to reports it sends to Microsoft MAPS. Microsoft MAPS uses these notifications to disable security intelligence that are causing false positive reports. You must have configured your computer to join Microsoft MAPS for this functionality to work.
+
+If you enable this setting or do not configure, the antimalware service will receive notifications to disable security intelligence.
+
+If you disable this setting, the antimalware service will not receive notifications to disable security intelligence.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow notifications to disable security intelligence based reports to Microsoft MAPS*
+- GP name: *SignatureUpdate_SignatureDisableNotification*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureUpdateCatchupInterval**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to define the number of days after which a catch-up security intelligence update will be required. By default, the value of this setting is 1 day.
+
+If you enable this setting, a catch-up security intelligence update will occur after the specified number of days.
+
+If you disable or do not configure this setting, a catch-up security intelligence update will be required after the default number of days.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Define the number of days after which a catch-up security intelligence update is required*
+- GP name: *SignatureUpdate_SignatureUpdateCatchupInterval*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_UpdateOnStartup**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a check for new virus and spyware security intelligence will occur immediately after service startup.
+
+If you enable this setting, a check for new security intelligence will occur after service startup.
+
+If you disable this setting or do not configure this setting, a check for new security intelligence will not occur after service startup.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Check for the latest virus and spyware security intelligence on startup*
+- GP name: *SignatureUpdate_UpdateOnStartup*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/SpynetReporting**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections.
+
+You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new security intelligence and help it to protect your computer. This information can include things like location of detected items on your computer if harmful software was removed. The information will be automatically collected and sent. In some instances, personal information might unintentionally be sent to Microsoft. However, Microsoft will not use this information to identify you or contact you.
+
+Possible options are:
+
+- (0x0) Disabled (default)
+- (0x1) Basic membership
+- (0x2) Advanced membership
+
+Basic membership will send basic information to Microsoft about software that has been detected, including where the software came from, the actions that you apply or that are applied automatically, and whether the actions were successful.
+
+Advanced membership, in addition to basic information, will send more information to Microsoft about malicious software, spyware, and potentially unwanted software, including the location of the software, file names, how the software operates, and how it has impacted your computer.
+
+If you enable this setting, you will join Microsoft MAPS with the membership specified.
+
+If you disable or do not configure this setting, you will not join Microsoft MAPS.
+
+In Windows 10, Basic membership is no longer available, so setting the value to 1 or 2 enrolls the device into Advanced membership.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Join Microsoft MAPS*
+- GP name: *SpynetReporting*
+- GP path: *Windows Components\Microsoft Defender Antivirus\MAPS*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Spynet_LocalSettingOverrideSpynetReporting**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures a local override for the configuration to join Microsoft MAPS. This setting can only be set by Group Policy.
+
+If you enable this setting, the local preference setting will take priority over Group Policy.
+
+If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure local setting override for reporting to Microsoft MAPS*
+- GP name: *Spynet_LocalSettingOverrideSpynetReporting*
+- GP path: *Windows Components\Microsoft Defender Antivirus\MAPS*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/Threats_ThreatIdDefaultAction**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting customize which remediation action will be taken for each listed Threat ID when it is detected during a scan. Threats should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid Threat ID, while the value contains the action ID for the remediation action that should be taken.
+
+Valid remediation action values are:
+
+- 2 = Quarantine
+- 3 = Remove
+- 6 = Ignore
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Specify threats upon which default action should not be taken when detected*
+- GP name: *Threats_ThreatIdDefaultAction*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Threats*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/UX_Configuration_CustomDefaultActionToastString**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure whether or not to display additional text to clients when they need to perform an action. The text displayed is a custom administrator-defined string. For example, the phone number to call the company help desk. The client interface will only display a maximum of 1024 characters. Longer strings will be truncated before display.
+
+If you enable this setting, the additional text specified will be displayed.
+
+If you disable or do not configure this setting, there will be no additional text displayed.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Display additional text to clients when they need to perform an action*
+- GP name: *UX_Configuration_CustomDefaultActionToastString*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/UX_Configuration_Notification_Suppress**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Use this policy setting to specify if you want Microsoft Defender Antivirus notifications to display on clients.
+
+If you disable or do not configure this setting, Microsoft Defender Antivirus notifications will display on clients.
+
+If you enable this setting, Microsoft Defender Antivirus notifications will not display on clients.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Suppress all notifications*
+- GP name: *UX_Configuration_Notification_Suppress*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/UX_Configuration_SuppressRebootNotification**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows user to suppress reboot notifications in UI only mode (for cases where UI can't be in lockdown mode).
+
+If you enable this setting AM UI won't show reboot notifications.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Suppresses reboot notifications*
+- GP name: *UX_Configuration_SuppressRebootNotification*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+
+**ADMX_MicrosoftDefenderAntivirus/UX_Configuration_UILockdown**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure whether or not to display AM UI to the users.
+
+If you enable this setting AM UI won't be available to users.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Enable headless UI mode*
+- GP name: *UX_Configuration_UILockdown*
+- GP path: *Windows Components\Microsoft Defender Antivirus\Client Interface*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-mmc.md b/windows/client-management/mdm/policy-csp-admx-mmc.md
index a86907a534..dc9f501685 100644
--- a/windows/client-management/mdm/policy-csp-admx-mmc.md
+++ b/windows/client-management/mdm/policy-csp-admx-mmc.md
@@ -86,7 +86,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits use of this snap-in.
If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.
@@ -165,7 +165,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits use of this snap-in.
If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.
@@ -244,7 +244,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits use of this snap-in.
If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.
@@ -323,7 +323,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from entering author mode.
+Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from entering author mode.
This setting prevents users from opening the Microsoft Management Console (MMC) in author mode, explicitly opening console files in author mode, and opening any console files that open in author mode by default.
@@ -396,7 +396,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting lets you selectively permit or prohibit the use of Microsoft Management Console (MMC) snap-ins.
+Available in the latest Windows 10 Insider Preview Build. This policy setting lets you selectively permit or prohibit the use of Microsoft Management Console (MMC) snap-ins.
- If you enable this setting, all snap-ins are prohibited, except those that you explicitly permit. Use this setting if you plan to prohibit use of most snap-ins.
@@ -432,14 +432,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md
index cdd93c1d97..dcbb289b4b 100644
--- a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md
+++ b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md
@@ -383,7 +383,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -460,7 +460,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -538,7 +538,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -616,7 +616,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -694,7 +694,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -772,7 +772,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -850,7 +850,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -928,7 +928,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -1006,7 +1006,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -1084,7 +1084,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -1162,7 +1162,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -1240,7 +1240,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -1317,7 +1317,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -1394,7 +1394,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -1471,7 +1471,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -1548,7 +1548,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -1625,7 +1625,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -1702,7 +1702,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -1779,7 +1779,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -1856,7 +1856,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -1933,7 +1933,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -2010,7 +2010,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -2087,7 +2087,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -2164,7 +2164,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -2241,7 +2241,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -2318,7 +2318,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -2395,7 +2395,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -2472,7 +2472,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -2549,7 +2549,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -2627,7 +2627,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -2704,7 +2704,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -2781,7 +2781,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -2858,7 +2858,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -2935,7 +2935,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -3012,7 +3012,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -3089,7 +3089,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -3166,7 +3166,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -3243,7 +3243,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits use of the Group Policy tab in property sheets for the Active Directory Users and Computers and Active Directory Sites and Services snap-ins.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits use of the Group Policy tab in property sheets for the Active Directory Users and Computers and Active Directory Sites and Services snap-ins.
If you enable this setting, the Group Policy tab is displayed in the property sheet for a site, domain, or organizational unit displayed by the Active Directory Users and Computers and Active Directory Sites and Services snap-ins. If you disable the setting, the Group Policy tab is not displayed in those snap-ins.
@@ -3322,7 +3322,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -3399,7 +3399,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -3476,7 +3476,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -3553,7 +3553,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -3630,7 +3630,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -3707,7 +3707,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -3784,7 +3784,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -3861,7 +3861,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -3938,7 +3938,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -4015,7 +4015,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -4092,7 +4092,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -4169,7 +4169,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -4246,7 +4246,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -4323,7 +4323,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -4400,7 +4400,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -4477,7 +4477,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -4554,7 +4554,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -4631,7 +4631,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -4708,7 +4708,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -4785,7 +4785,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -4862,7 +4862,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -4939,7 +4939,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -5016,7 +5016,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -5093,7 +5093,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -5170,7 +5170,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -5247,7 +5247,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -5324,7 +5324,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -5401,7 +5401,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -5478,7 +5478,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -5555,7 +5555,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -5632,7 +5632,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -5709,7 +5709,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -5786,7 +5786,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -5863,7 +5863,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -5940,7 +5940,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -6017,7 +6017,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -6094,7 +6094,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -6171,7 +6171,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -6248,7 +6248,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -6325,7 +6325,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -6402,7 +6402,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -6479,7 +6479,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -6556,7 +6556,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -6633,7 +6633,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -6710,7 +6710,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -6787,7 +6787,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -6864,7 +6864,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -6941,7 +6941,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -7018,7 +7018,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -7095,7 +7095,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -7172,7 +7172,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -7249,7 +7249,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -7326,7 +7326,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -7403,7 +7403,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -7480,7 +7480,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -7557,7 +7557,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -7634,7 +7634,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -7711,7 +7711,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -7788,7 +7788,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -7865,7 +7865,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -7942,7 +7942,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -8019,7 +8019,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -8096,7 +8096,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -8173,7 +8173,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -8250,7 +8250,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -8327,7 +8327,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -8404,7 +8404,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits or prohibits the use of this snap-in.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits or prohibits the use of this snap-in.
If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
@@ -8437,14 +8437,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-msapolicy.md b/windows/client-management/mdm/policy-csp-admx-msapolicy.md
index e8c35ac22e..3532d29c56 100644
--- a/windows/client-management/mdm/policy-csp-admx-msapolicy.md
+++ b/windows/client-management/mdm/policy-csp-admx-msapolicy.md
@@ -74,7 +74,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting controls whether users can provide Microsoft accounts for authentication for applications or services. If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication.
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether users can provide Microsoft accounts for authentication for applications or services. If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication.
This applies both to existing users of a device and new users who may be added. However, any application or service that has already authenticated a user will not be affected by enabling this setting until the authentication cache expires.
@@ -103,14 +103,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-msched.md b/windows/client-management/mdm/policy-csp-admx-msched.md
new file mode 100644
index 0000000000..c5cb159658
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-msched.md
@@ -0,0 +1,192 @@
+---
+title: Policy CSP - ADMX_msched
+description: Policy CSP - ADMX_msched
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 12/08/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_msched
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_msched policies
+
+
+
+
+
+
+
+**ADMX_msched/ActivationBoundaryPolicy**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure Automatic Maintenance activation boundary. The maintenance activation boundary is the daily scheduled time at which Automatic Maintenance starts.
+
+If you enable this policy setting, this will override the default daily scheduled time as specified in Security and Maintenance/Automatic Maintenance Control Panel.
+
+If you disable or do not configure this policy setting, the daily scheduled time as specified in Security and Maintenance/Automatic Maintenance Control Panel will apply.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Automatic Maintenance Activation Boundary*
+- GP name: *ActivationBoundaryPolicy*
+- GP path: *Windows Components\Maintenance Scheduler*
+- GP ADMX file name: *msched.admx*
+
+
+
+
+
+
+**ADMX_msched/RandomDelayPolicy**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure Automatic Maintenance activation random delay.
+
+The maintenance random delay is the amount of time up to which Automatic Maintenance will delay starting from its Activation Boundary.
+
+If you enable this policy setting, Automatic Maintenance will delay starting from its Activation Boundary, by up to this time.
+
+If you do not configure this policy setting, 4 hour random delay will be applied to Automatic Maintenance.
+
+If you disable this policy setting, no random delay will be applied to Automatic Maintenance.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Automatic Maintenance Random Delay*
+- GP name: *RandomDelayPolicy*
+- GP path: *Windows Components\Maintenance Scheduler*
+- GP ADMX file name: *msched.admx*
+
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-msdt.md b/windows/client-management/mdm/policy-csp-admx-msdt.md
new file mode 100644
index 0000000000..e6ab53acce
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-msdt.md
@@ -0,0 +1,289 @@
+---
+title: Policy CSP - ADMX_MSDT
+description: Policy CSP - ADMX_MSDT
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 12/09/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_MSDT
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_MSDT policies
+
+
+
+
+
+
+
+
+**ADMX_MSDT/MsdtSupportProvider**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals.
+
+If you enable this policy setting, users can use MSDT to collect and send diagnostic data to a support professional to resolve a problem.
+
+By default, the support provider is set to Microsoft Corporation.
+
+If you disable this policy setting, MSDT cannot run in support mode, and no data can be collected or sent to the support provider.
+
+If you do not configure this policy setting, MSDT support mode is enabled by default.
+
+No reboots or service restarts are required for this policy setting to take effect. Changes take effect immediately.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider*
+- GP name: *MsdtSupportProvider*
+- GP path: *System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool*
+- GP ADMX file name: *MSDT.admx*
+
+
+
+
+
+
+**ADMX_MSDT/MsdtToolDownloadPolicy**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting restricts the tool download policy for Microsoft Support Diagnostic Tool.
+
+Microsoft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals.
+
+For some problems, MSDT may prompt the user to download additional tools for troubleshooting. These tools are required to completely troubleshoot the problem.
+
+If tool download is restricted, it may not be possible to find the root cause of the problem.
+
+If you enable this policy setting for remote troubleshooting, MSDT prompts the user to download additional tools to diagnose problems on remote computers only.
+
+If you enable this policy setting for local and remote troubleshooting, MSDT always prompts for additional tool downloading.
+
+If you disable this policy setting, MSDT never downloads tools, and is unable to diagnose problems on remote computers.
+
+If you do not configure this policy setting, MSDT prompts the user before downloading any additional tools. No reboots or service restarts are required for this policy setting to take effect. Changes take effect immediately.
+
+This policy setting will take effect only when MSDT is enabled.
+
+This policy setting will only take effect when the Diagnostic Policy Service (DPS) is in the running state.
+
+When the service is stopped or disabled, diagnostic scenarios are not executed.
+
+The DPS can be configured with the Services snap-in to the Microsoft Management Console.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Microsoft Support Diagnostic Tool: Restrict tool download*
+- GP name: *MsdtToolDownloadPolicy*
+- GP path: *System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool*
+- GP ADMX file name: *MSDT.admx*
+
+
+
+
+
+
+**ADMX_MSDT/WdiScenarioExecutionPolicy**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines the execution level for Microsoft Support Diagnostic Tool.
+
+Microsoft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals. If you enable this policy setting, administrators can use MSDT to collect and send diagnostic data to a support professional to resolve a problem.
+
+If you disable this policy setting, MSDT cannot gather diagnostic data. If you do not configure this policy setting, MSDT is turned on by default.
+
+This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured.
+
+No reboots or service restarts are required for this policy setting to take effect. Changes take effect immediately.
+
+This policy setting will only take effect when the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Microsoft Support Diagnostic Tool: Configure execution level*
+- GP name: *WdiScenarioExecutionPolicy*
+- GP path: *System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool*
+- GP ADMX file name: *MSDT.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-msi.md b/windows/client-management/mdm/policy-csp-admx-msi.md
new file mode 100644
index 0000000000..3e2094f298
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-msi.md
@@ -0,0 +1,1875 @@
+---
+title: Policy CSP - ADMX_MSI
+description: Policy CSP - ADMX_MSI
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 12/16/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_MSI
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_MSI policies
+
+
+
+
+
+
+
+**ADMX_MSI/AllowLockdownBrowse**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows users to search for installation files during privileged installations.
+
+If you enable this policy setting, the Browse button in the "Use feature from" dialog box is enabled. As a result, users can search for installation files even when the installation program is running with elevated system privileges.
+
+Because the installation is running with elevated system privileges, users can browse through directories that their own permissions would not allow.
+
+This policy setting does not affect installations that run in the user's security context. Also, see the "Remove browse dialog box for new source" policy setting.
+
+If you disable or do not configure this policy setting, by default, only system administrators can browse during installations with elevated privileges, such as installations offered on the desktop or displayed in Add or Remove Programs.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow users to browse for source while elevated*
+- GP name: *AllowLockdownBrowse*
+- GP path: *Windows Components\Windows Installer*
+- GP ADMX file name: *MSI.admx*
+
+
+
+
+
+
+
+**ADMX_MSI/AllowLockdownMedia**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows users to install programs from removable media during privileged installations.
+
+If you enable this policy setting, all users are permitted to install programs from removable media, such as floppy disks and CD-ROMs, even when the installation program is running with elevated system privileges.
+
+This policy setting does not affect installations that run in the user's security context. By default, users can install from removable media when the installation runs in their own security context.
+
+If you disable or do not configure this policy setting, by default, users can install programs from removable media only when the installation runs in the user's security context. During privileged installations, such as those offered on the desktop or displayed in Add or Remove Programs, only system administrators can install from removable media.
+
+Also, see the "Prevent removable media source for any install" policy setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow users to use media source while elevated*
+- GP name: *AllowLockdownMedia*
+- GP path: *Windows Components\Windows Installer*
+- GP ADMX file name: *MSI.admx*
+
+
+
+
+
+
+
+**ADMX_MSI/AllowLockdownPatch**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows users to patch elevated products.
+
+If you enable this policy setting, all users are permitted to install patches, even when the installation program is running with elevated system privileges. Patches are updates or upgrades that replace only those program files that have changed. Because patches can easily be vehicles for malicious programs, some installations prohibit their use.
+
+If you disable or do not configure this policy setting, by default, only system administrators can apply patches during installations with elevated privileges, such as installations offered on the desktop or displayed in Add or Remove Programs.
+
+This policy setting does not affect installations that run in the user's security context. By default, users can install patches to programs that run in their own security context. Also, see the "Prohibit patching" policy setting.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow users to patch elevated products*
+- GP name: *AllowLockdownPatch*
+- GP path: *Windows Components\Windows Installer*
+- GP ADMX file name: *MSI.admx*
+
+
+
+
+
+
+
+**ADMX_MSI/DisableAutomaticApplicationShutdown**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls Windows Installer's interaction with the Restart Manager. The Restart Manager API can eliminate or reduce the number of system restarts that are required to complete an installation or update.
+
+If you enable this policy setting, you can use the options in the Prohibit Use of Restart Manager box to control file in use detection behavior.
+
+- The "Restart Manager On" option instructs Windows Installer to use Restart Manager to detect files in use and mitigate a system restart, when possible.
+
+- The "Restart Manager Off" option turns off Restart Manager for file in use detection and the legacy file in use behavior is used.
+
+- The "Restart Manager Off for Legacy App Setup" option applies to packages that were created for Windows Installer versions lesser than 4.0. This option lets those packages display the legacy files in use UI while still using Restart Manager for detection.
+
+If you disable or do not configure this policy setting, Windows Installer will use Restart Manager to detect files in use and mitigate a system restart, when possible.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prohibit use of Restart Manager*
+- GP name: *DisableAutomaticApplicationShutdown*
+- GP path: *Windows Components\Windows Installer*
+- GP ADMX file name: *MSI.admx*
+
+
+
+
+
+
+
+**ADMX_MSI/DisableBrowse**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from searching for installation files when they add features or components to an installed program.
+
+If you enable this policy setting, the Browse button beside the "Use feature from" list in the Windows Installer dialog box is disabled. As a result, users must select an installation file source from the "Use features from" list that the system administrator configures.
+
+This policy setting applies even when the installation is running in the user's security context.
+
+If you disable or do not configure this policy setting, the Browse button is enabled when an installation is running in the user's security context. But only system administrators can browse when an installation is running with elevated system privileges, such as installations offered on the desktop or in Add or Remove Programs.
+
+This policy setting affects Windows Installer only. It does not prevent users from selecting other browsers, such as File Explorer or Network Locations, to search for installation files.
+
+Also, see the "Enable user to browse for source while elevated" policy setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove browse dialog box for new source*
+- GP name: *DisableBrowse*
+- GP path: *Windows Components\Windows Installer*
+- GP ADMX file name: *MSI.admx*
+
+
+
+
+
+
+
+**ADMX_MSI/DisableFlyweightPatching**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability to turn off all patch optimizations.
+
+If you enable this policy setting, all Patch Optimization options are turned off during the installation.
+
+If you disable or do not configure this policy setting, it enables faster application of patches by removing execution of unnecessary actions. The flyweight patching mode is primarily designed for patches that just update a few files or registry values. The Installer will analyze the patch for specific changes to determine if optimization is possible. If so, the patch will be applied using a minimal set of processing.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prohibit flyweight patching*
+- GP name: *DisableFlyweightPatching*
+- GP path: *Windows Components\Windows Installer*
+- GP ADMX file name: *MSI.admx*
+
+
+
+
+
+
+
+**ADMX_MSI/DisableLoggingFromPackage**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls Windows Installer's processing of the MsiLogging property. The MsiLogging property in an installation package can be used to enable automatic logging of all install operations for the package.
+
+If you enable this policy setting, you can use the options in the Disable logging via package settings box to control automatic logging via package settings behavior.
+
+- The "Logging via package settings on" option instructs Windows Installer to automatically generate log files for packages that include the MsiLogging property.
+
+- The "Logging via package settings off" option turns off the automatic logging behavior when specified via the MsiLogging policy. Log files can still be generated using the logging command line switch or the Logging policy.
+
+If you disable or do not configure this policy setting, Windows Installer will automatically generate log files for those packages that include the MsiLogging property.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off logging via package settings*
+- GP name: *DisableLoggingFromPackage*
+- GP path: *Windows Components\Windows Installer*
+- GP ADMX file name: *MSI.admx*
+
+
+
+
+
+
+
+**ADMX_MSI/DisableMSI**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting restricts the use of Windows Installer.
+
+If you enable this policy setting, you can prevent users from installing software on their systems or permit users to install only those programs offered by a system administrator. You can use the options in the Disable Windows Installer box to establish an installation setting.
+
+- The "Never" option indicates Windows Installer is fully enabled. Users can install and upgrade software. This is the default behavior for Windows Installer on Windows 2000 Professional, Windows XP Professional and Windows Vista when the policy is not configured.
+
+- The "For non-managed applications only" option permits users to install only those programs that a system administrator assigns (offers on the desktop) or publishes (adds them to Add or Remove Programs). This is the default behavior of Windows Installer on Windows Server 2003 family when the policy is not configured.
+
+- The "Always" option indicates that Windows Installer is disabled.
+
+This policy setting affects Windows Installer only. It does not prevent users from using other methods to install and upgrade programs.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Windows Installer*
+- GP name: *DisableMSI*
+- GP path: *Windows Components\Windows Installer*
+- GP ADMX file name: *MSI.admx*
+
+
+
+
+
+
+
+**ADMX_MSI/DisableMedia**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from installing any programs from removable media.
+
+If you enable this policy setting, if a user tries to install a program from removable media, such as CD-ROMs, floppy disks, and DVDs, a message appears stating that the feature cannot be found.
+
+This policy setting applies even when the installation is running in the user's security context.
+
+If you disable or do not configure this policy setting, users can install from removable media when the installation is running in their own security context, but only system administrators can use removable media when an installation is running with elevated system privileges, such as installations offered on the desktop or in Add or Remove Programs.
+
+Also, see the "Enable user to use media source while elevated" and "Hide the 'Add a program from CD-ROM or floppy disk' option" policy settings.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prevent removable media source for any installation*
+- GP name: *DisableMedia*
+- GP path: *Windows Components\Windows Installer*
+- GP ADMX file name: *MSI.admx*
+
+
+
+
+
+
+
+**ADMX_MSI/DisablePatch**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from using Windows Installer to install patches.
+
+If you enable this policy setting, users are prevented from using Windows Installer to install patches. Patches are updates or upgrades that replace only those program files that have changed. Because patches can be easy vehicles for malicious programs, some installations prohibit their use.
+
+> [!NOTE]
+> This policy setting applies only to installations that run in the user's security context.
+
+If you disable or do not configure this policy setting, by default, users who are not system administrators cannot apply patches to installations that run with elevated system privileges, such as those offered on the desktop or in Add or Remove Programs.
+
+Also, see the "Enable user to patch elevated products" policy setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prevent users from using Windows Installer to install updates and upgrades*
+- GP name: *DisablePatch*
+- GP path: *Windows Components\Windows Installer*
+- GP ADMX file name: *MSI.admx*
+
+
+
+
+
+
+
+**ADMX_MSI/DisableRollback_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation.
+
+If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cannot restore the computer to its original state if the installation does not complete.
+
+This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, do not use this policy setting unless it is essential.
+
+This policy setting appears in the Computer Configuration and User Configuration folders. If the policy setting is enabled in either folder, it is considered be enabled, even if it is explicitly disabled in the other folder.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prohibit rollback*
+- GP name: *DisableRollback_1*
+- GP path: *Windows Components\Windows Installer*
+- GP ADMX file name: *MSI.admx*
+
+
+
+
+
+
+
+**ADMX_MSI/DisableRollback_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation.
+
+If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cannot restore the computer to its original state if the installation does not complete.
+
+This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, do not use this policy setting unless it is essential.
+
+This policy setting appears in the Computer Configuration and User Configuration folders. If the policy setting is enabled in either folder, it is considered be enabled, even if it is explicitly disabled in the other folder.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prohibit rollback*
+- GP name: *DisableRollback_2*
+- GP path: *Windows Components\Windows Installer*
+- GP ADMX file name: *MSI.admx*
+
+
+
+
+
+
+
+**ADMX_MSI/DisableSharedComponent**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability to turn off shared components.
+
+If you enable this policy setting, no packages on the system get the shared component functionality enabled by the msidbComponentAttributesShared attribute in the Component Table.
+
+If you disable or do not configure this policy setting, by default, the shared component functionality is allowed.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off shared components*
+- GP name: *DisableSharedComponent*
+- GP path: *Windows Components\Windows Installer*
+- GP ADMX file name: *MSI.admx*
+
+
+
+
+
+
+
+**ADMX_MSI/MSILogging**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Specifies the types of events that Windows Installer records in its transaction log for each installation. The log, Msi.log, appears in the Temp directory of the system volume.
+
+When you enable this policy setting, you can specify the types of events you want Windows Installer to record. To indicate that an event type is recorded, type the letter representing the event type. You can type the letters in any order and list as many or as few event types as you want.
+
+To disable logging, delete all of the letters from the box.
+
+If you disable or do not configure this policy setting, Windows Installer logs the default event types, represented by the letters "iweap."
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Specify the types of events Windows Installer records in its transaction log*
+- GP name: *MSILogging*
+- GP path: *Windows Components\Windows Installer*
+- GP ADMX file name: *MSI.admx*
+
+
+
+
+
+
+
+
+**ADMX_MSI/MSI_DisableLUAPatching**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability of non-administrators to install updates that have been digitally signed by the application vendor.
+
+Non-administrator updates provide a mechanism for the author of an application to create digitally signed updates that can be applied by non-privileged users.
+
+If you enable this policy setting, only administrators or users with administrative privileges can apply updates to Windows Installer based applications.
+
+If you disable or do not configure this policy setting, users without administrative privileges can install non-administrator updates.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prohibit non-administrators from applying vendor signed updates*
+- GP name: *MSI_DisableLUAPatching*
+- GP path: *Windows Components\Windows Installer*
+- GP ADMX file name: *MSI.admx*
+
+
+
+
+
+
+
+
+**ADMX_MSI/MSI_DisablePatchUninstall**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability for users or administrators to remove Windows Installer based updates.
+
+This policy setting should be used if you need to maintain a tight control over updates. One example is a lockdown environment where you want to ensure that updates once installed cannot be removed by users or administrators.
+
+If you enable this policy setting, updates cannot be removed from the computer by a user or an administrator. The Windows Installer can still remove an update that is no longer applicable to the product.
+
+If you disable or do not configure this policy setting, a user can remove an update from the computer only if the user has been granted privileges to remove the update. This can depend on whether the user is an administrator, whether "Disable Windows Installer" and "Always install with elevated privileges" policy settings are set, and whether the update was installed in a per-user managed, per-user unmanaged, or per-machine context."
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prohibit removal of updates*
+- GP name: *MSI_DisablePatchUninstall*
+- GP path: *Windows Components\Windows Installer*
+- GP ADMX file name: *MSI.admx*
+
+
+
+
+
+
+
+
+**ADMX_MSI/MSI_DisableSRCheckPoints**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting prevents Windows Installer from creating a System Restore checkpoint each time an application is installed. System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files.
+
+If you enable this policy setting, the Windows Installer does not generate System Restore checkpoints when installing applications.
+
+If you disable or do not configure this policy setting, by default, the Windows Installer automatically creates a System Restore checkpoint each time an application is installed, so that users can restore their computer to the state it was in before installing the application.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off creation of System Restore checkpoints*
+- GP name: *MSI_DisableSRCheckPoints*
+- GP path: *Windows Components\Windows Installer*
+- GP ADMX file name: *MSI.admx*
+
+
+
+
+
+
+
+
+**ADMX_MSI/MSI_DisableUserInstalls**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure user installs. To configure this policy setting, set it to enabled and use the drop-down list to select the behavior you want.
+
+If you do not configure this policy setting, or if the policy setting is enabled and "Allow User Installs" is selected, the installer allows and makes use of products that are installed per user, and products that are installed per computer. If the installer finds a per-user install of an application, this hides a per-computer installation of that same product.
+
+If you enable this policy setting and "Hide User Installs" is selected, the installer ignores per-user applications. This causes a per-computer installed application to be visible to users, even if those users have a per-user install of the product registered in their user profile.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prohibit User Installs*
+- GP name: *MSI_DisableUserInstalls*
+- GP path: *Windows Components\Windows Installer*
+- GP ADMX file name: *MSI.admx*
+
+
+
+
+
+
+
+
+**ADMX_MSI/MSI_EnforceUpgradeComponentRules**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting causes the Windows Installer to enforce strict rules for component upgrades.
+
+If you enable this policy setting, strict upgrade rules will be enforced by the Windows Installer which may cause some upgrades to fail. Upgrades can fail if they attempt to do one of the following:
+
+(1) Remove a component from a feature.
+This can also occur if you change the GUID of a component. The component identified by the original GUID appears to be removed and the component as identified by the new GUID appears as a new component.
+
+(2) Add a new feature to the top or middle of an existing feature tree.
+The new feature must be added as a new leaf feature to an existing feature tree.
+
+If you disable or do not configure this policy setting, the Windows Installer will use less restrictive rules for component upgrades.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Enforce upgrade component rules*
+- GP name: *MSI_EnforceUpgradeComponentRules*
+- GP path: *Windows Components\Windows Installer*
+- GP ADMX file name: *MSI.admx*
+
+
+
+
+
+
+
+**ADMX_MSI/MSI_MaxPatchCacheSize**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy controls the percentage of disk space available to the Windows Installer baseline file cache.
+
+The Windows Installer uses the baseline file cache to save baseline files modified by binary delta difference updates. The cache is used to retrieve the baseline file for future updates. The cache eliminates user prompts for source media when new updates are applied.
+
+If you enable this policy setting you can modify the maximum size of the Windows Installer baseline file cache.
+
+If you set the baseline cache size to 0, the Windows Installer will stop populating the baseline cache for new updates. The existing cached files will remain on disk and will be deleted when the product is removed.
+
+If you set the baseline cache to 100, the Windows Installer will use available free space for the baseline file cache.
+
+If you disable or do not configure this policy setting, the Windows Installer will uses a default value of 10 percent for the baseline file cache maximum size.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Control maximum size of baseline file cache*
+- GP name: *MSI_MaxPatchCacheSize*
+- GP path: *Windows Components\Windows Installer*
+- GP ADMX file name: *MSI.admx*
+
+
+
+
+
+
+
+**ADMX_MSI/MsiDisableEmbeddedUI**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the ability to prevent embedded UI.
+
+If you enable this policy setting, no packages on the system can run embedded UI.
+
+If you disable or do not configure this policy setting, embedded UI is allowed to run.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prevent embedded UI*
+- GP name: *MsiDisableEmbeddedUI*
+- GP path: *Windows Components\Windows Installer*
+- GP ADMX file name: *MSI.admx*
+
+
+
+
+
+
+
+**ADMX_MSI/SafeForScripting**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows Web-based programs to install software on the computer without notifying the user.
+
+If you disable or do not configure this policy setting, by default, when a script hosted by an Internet browser tries to install a program on the system, the system warns users and allows them to select or refuse the installation.
+
+If you enable this policy setting, the warning is suppressed and allows the installation to proceed.
+
+This policy setting is designed for enterprises that use Web-based tools to distribute programs to their employees. However, because this policy setting can pose a security risk, it should be applied cautiously.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prevent Internet Explorer security prompt for Windows Installer scripts*
+- GP name: *SafeForScripting*
+- GP path: *Windows Components\Windows Installer*
+- GP ADMX file name: *MSI.admx*
+
+
+
+
+
+
+
+**ADMX_MSI/SearchOrder**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the order in which Windows Installer searches for installation files.
+
+If you disable or do not configure this policy setting, by default, the Windows Installer searches the network first, then removable media (floppy drive, CD-ROM, or DVD), and finally, the Internet (URL).
+
+If you enable this policy setting, you can change the search order by specifying the letters representing each file source in the order that you want Windows Installer to search:
+
+- "n" represents the network
+- "m" represents media
+- "u" represents URL, or the Internet
+
+To exclude a file source, omit or delete the letter representing that source type.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Specify the order in which Windows Installer searches for installation files*
+- GP name: *SearchOrder*
+- GP path: *Windows Components\Windows Installer*
+- GP ADMX file name: *MSI.admx*
+
+
+
+
+
+
+
+**ADMX_MSI/TransformsSecure**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting saves copies of transform files in a secure location on the local computer.
+
+Transform files consist of instructions to modify or customize a program during installation.
+
+If you enable this policy setting, the transform file is saved in a secure location on the user's computer.
+
+If you do not configure this policy setting on Windows Server 2003, Windows Installer requires the transform file in order to repeat an installation in which the transform file was used, therefore, the user must be using the same computer or be connected to the original or identical media to reinstall, remove, or repair the installation.
+
+This policy setting is designed for enterprises to prevent unauthorized or malicious editing of transform files.
+
+If you disable this policy setting, Windows Installer stores transform files in the Application Data directory in the user's profile.
+
+If you do not configure this policy setting on Windows 2000 Professional, Windows XP Professional and Windows Vista, when a user reinstalls, removes, or repairs an installation, the transform file is available, even if the user is on a different computer or is not connected to the network.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Save copies of transform files in a secure location on workstation*
+- GP name: *TransformsSecure*
+- GP path: *Windows Components\Windows Installer*
+- GP ADMX file name: *MSI.admx*
+
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-nca.md b/windows/client-management/mdm/policy-csp-admx-nca.md
index 840af17067..aaa011b575 100644
--- a/windows/client-management/mdm/policy-csp-admx-nca.md
+++ b/windows/client-management/mdm/policy-csp-admx-nca.md
@@ -95,7 +95,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies resources on your intranet that are normally accessible to DirectAccess clients. Each entry is a string that identifies the type of resource and the location of the resource.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies resources on your intranet that are normally accessible to DirectAccess clients. Each entry is a string that identifies the type of resource and the location of the resource.
Each string can be one of the following types:
@@ -174,7 +174,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies commands configured by the administrator for custom logging. These commands will run in addition to default log commands.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies commands configured by the administrator for custom logging. These commands will run in addition to default log commands.
> [!TIP]
@@ -239,7 +239,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the IPv6 addresses of the endpoints of the Internet Protocol security (IPsec) tunnels that enable DirectAccess. NCA attempts to access the resources that are specified in the Corporate Resources setting through these configured tunnel endpoints.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the IPv6 addresses of the endpoints of the Internet Protocol security (IPsec) tunnels that enable DirectAccess. NCA attempts to access the resources that are specified in the Corporate Resources setting through these configured tunnel endpoints.
By default, NCA uses the same DirectAccess server that the DirectAccess client computer connection is using. In default configurations of DirectAccess, there are typically two IPsec tunnel endpoints: one for the infrastructure tunnel and one for the intranet tunnel. You should configure one endpoint for each tunnel.
@@ -310,7 +310,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the string that appears for DirectAccess connectivity when the user clicks the Networking notification area icon. For example, you can specify “Contoso Intranet Access” for the DirectAccess clients of the Contoso Corporation.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the string that appears for DirectAccess connectivity when the user clicks the Networking notification area icon. For example, you can specify “Contoso Intranet Access” for the DirectAccess clients of the Contoso Corporation.
If this setting is not configured, the string that appears for DirectAccess connectivity is “Corporate Connection”.
@@ -377,7 +377,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether the user has Connect and Disconnect options for the DirectAccess entry when the user clicks the Networking notification area icon.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the user has Connect and Disconnect options for the DirectAccess entry when the user clicks the Networking notification area icon.
If the user clicks the Disconnect option, NCA removes the DirectAccess rules from the Name Resolution Policy Table (NRPT) and the DirectAccess client computer uses whatever normal name resolution is available to the client computer in its current network configuration, including sending all DNS queries to the local intranet or Internet DNS servers. Note that NCA does not remove the existing IPsec tunnels and users can still access intranet resources across the DirectAccess server by specifying IPv6 addresses rather than names.
@@ -453,7 +453,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether NCA service runs in Passive Mode or not.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether NCA service runs in Passive Mode or not.
Set this to Disabled to keep NCA probing actively all the time. If this setting is not configured, NCA probing is in active mode by default.
@@ -519,7 +519,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether an entry for DirectAccess connectivity appears when the user clicks the Networking notification area icon.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether an entry for DirectAccess connectivity appears when the user clicks the Networking notification area icon.
Set this to Disabled to prevent user confusion when you are just using DirectAccess to remotely manage DirectAccess client computers from your intranet and not providing seamless intranet access.
@@ -588,7 +588,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the e-mail address to be used when sending the log files that are generated by NCA to the network administrator.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the e-mail address to be used when sending the log files that are generated by NCA to the network administrator.
When the user sends the log files to the Administrator, NCA uses the default e-mail client to open a new message with the support email address in the To: field of the message, then attaches the generated log files as a .html file. The user can review the message and add additional information before sending the message.
@@ -613,14 +613,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-ncsi.md b/windows/client-management/mdm/policy-csp-admx-ncsi.md
index 3e575f3fdf..2dc203705f 100644
--- a/windows/client-management/mdm/policy-csp-admx-ncsi.md
+++ b/windows/client-management/mdm/policy-csp-admx-ncsi.md
@@ -92,7 +92,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting enables you to specify the expected address of the host name used for the DNS probe. Successful resolution of the host name to this address indicates corporate connectivity.
+Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify the expected address of the host name used for the DNS probe. Successful resolution of the host name to this address indicates corporate connectivity.
> [!TIP]
@@ -157,7 +157,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting enables you to specify the host name of a computer known to be on the corporate network. Successful resolution of this host name to the expected address indicates corporate connectivity.
+Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify the host name of a computer known to be on the corporate network. Successful resolution of this host name to the expected address indicates corporate connectivity.
> [!TIP]
@@ -222,7 +222,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting enables you to specify the list of IPv6 corporate site prefixes to monitor for corporate connectivity. Reachability of addresses with any of these prefixes indicates corporate connectivity.
+Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify the list of IPv6 corporate site prefixes to monitor for corporate connectivity. Reachability of addresses with any of these prefixes indicates corporate connectivity.
> [!TIP]
@@ -287,7 +287,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting enables you to specify the URL of the corporate website, against which an active probe is performed.
+Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify the URL of the corporate website, against which an active probe is performed.
> [!TIP]
@@ -355,7 +355,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting enables you to specify the HTTPS URL of the corporate website that clients use to determine the current domain location (i.e. whether the computer is inside or outside the corporate network). Reachability of the URL destination indicates that the client location is inside corporate network; otherwise it is outside the network.
+Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify the HTTPS URL of the corporate website that clients use to determine the current domain location (i.e. whether the computer is inside or outside the corporate network). Reachability of the URL destination indicates that the client location is inside corporate network; otherwise it is outside the network.
> [!TIP]
@@ -420,7 +420,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting enables you to specify DNS binding behavior. NCSI by default will restrict DNS lookups to the interface it is currently probing on. If you enable this setting, NCSI will allow the DNS lookups to happen on any interface.
+Available in the latest Windows 10 Insider Preview Build. This policy setting enables you to specify DNS binding behavior. NCSI by default will restrict DNS lookups to the interface it is currently probing on. If you enable this setting, NCSI will allow the DNS lookups to happen on any interface.
> [!TIP]
@@ -485,7 +485,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This Policy setting enables you to specify passive polling behavior. NCSI polls various measurements throughout the network stack on a frequent interval to determine if network connectivity has been lost. Use the options to control the passive polling behavior.
+Available in the latest Windows 10 Insider Preview Build. This Policy setting enables you to specify passive polling behavior. NCSI polls various measurements throughout the network stack on a frequent interval to determine if network connectivity has been lost. Use the options to control the passive polling behavior.
> [!TIP]
@@ -508,14 +508,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-netlogon.md b/windows/client-management/mdm/policy-csp-admx-netlogon.md
index 782b57ba8c..45405c7cc2 100644
--- a/windows/client-management/mdm/policy-csp-admx-netlogon.md
+++ b/windows/client-management/mdm/policy-csp-admx-netlogon.md
@@ -176,7 +176,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures how a domain controller (DC) behaves when responding to a client whose IP address does not map to any configured site.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures how a domain controller (DC) behaves when responding to a client whose IP address does not map to any configured site.
Domain controllers use the client IP address during a DC locator ping request to compute which Active Directory site the client belongs to. If no site mapping can be computed, the DC may do an address lookup on the client network name to discover other IP addresses which may then be used to compute a matching site for the client.
@@ -253,7 +253,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines the type of IP address that is returned for a domain controller. The DC Locator APIs return the IP address of the DC with the other parts of information. Before the support of IPv6, the returned DC IP address was IPv4. But with the support of IPv6, the DC Locator APIs can return IPv6 DC address. The returned IPv6 DC address may not be correctly handled by some of the existing applications. So this policy is provided to support such scenarios.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines the type of IP address that is returned for a domain controller. The DC Locator APIs return the IP address of the DC with the other parts of information. Before the support of IPv6, the returned DC IP address was IPv4. But with the support of IPv6, the DC Locator APIs can return IPv6 DC address. The returned IPv6 DC address may not be correctly handled by some of the existing applications. So this policy is provided to support such scenarios.
By default, DC Locator APIs can return IPv4/IPv6 DC address. But if some applications are broken due to the returned IPv6 DC address, this policy can be used to disable the default behavior and enforce to return only IPv4 DC address. Once applications are fixed, this policy can be used to enable the default behavior.
@@ -328,7 +328,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether the computers to which this setting is applied attempts DNS name resolution of single-label domain names, by appending different registered DNS suffixes, and uses NetBIOS name resolution only if DNS name resolution fails. This policy, including the specified default behavior, is not used if the AllowSingleLabelDnsDomain policy setting is enabled.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the computers to which this setting is applied attempts DNS name resolution of single-label domain names, by appending different registered DNS suffixes, and uses NetBIOS name resolution only if DNS name resolution fails. This policy, including the specified default behavior, is not used if the AllowSingleLabelDnsDomain policy setting is enabled.
By default, when no setting is specified for this policy, the behavior is the same as explicitly enabling this policy, unless the AllowSingleLabelDnsDomain policy setting is enabled.
@@ -401,7 +401,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting controls whether the Net Logon service will allow the use of older cryptography algorithms that are used in Windows NT 4.0. The cryptography algorithms used in Windows NT 4.0 and earlier are not as secure as newer algorithms used in Windows 2000 or later, including this version of Windows.
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the Net Logon service will allow the use of older cryptography algorithms that are used in Windows NT 4.0. The cryptography algorithms used in Windows NT 4.0 and earlier are not as secure as newer algorithms used in Windows 2000 or later, including this version of Windows.
By default, Net Logon will not allow the older cryptography algorithms to be used and will not include them in the negotiation of cryptography algorithms. Therefore, computers running Windows NT 4.0 will not be able to establish a connection to this domain controller.
@@ -476,7 +476,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether the computers to which this setting is applied attempt DNS name resolution of a single-label domain names.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the computers to which this setting is applied attempt DNS name resolution of a single-label domain names.
By default, the behavior specified in the AllowDnsSuffixSearch is used. If the AllowDnsSuffixSearch policy is disabled, then NetBIOS name resolution is used exclusively, to locate a domain controller hosting an Active Directory domain specified with a single-label name.
@@ -551,7 +551,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether domain controllers (DC) will dynamically register DC Locator site-specific SRV records for the closest sites where no DC for the same domain exists (or no Global Catalog for the same forest exists). These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether domain controllers (DC) will dynamically register DC Locator site-specific SRV records for the closest sites where no DC for the same domain exists (or no Global Catalog for the same forest exists). These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC.
If you enable this policy setting, the DCs to which this setting is applied dynamically register DC Locator site-specific DNS SRV records for the closest sites where no DC for the same domain, or no Global Catalog for the same forest, exists.
@@ -624,7 +624,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to control the domain controller (DC) location algorithm. By default, the DC location algorithm prefers DNS-based discovery if the DNS domain name is known. If DNS-based discovery fails and the NetBIOS domain name is known, the algorithm then uses NetBIOS-based discovery as a fallback mechanism.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control the domain controller (DC) location algorithm. By default, the DC location algorithm prefers DNS-based discovery if the DNS domain name is known. If DNS-based discovery fails and the NetBIOS domain name is known, the algorithm then uses NetBIOS-based discovery as a fallback mechanism.
NetBIOS-based discovery uses a WINS server and mailslot messages but does not use site information. Hence it does not ensure that clients will discover the closest DC. It also allows a hub-site client to discover a branch-site DC even if the branch-site DC only registers site-specific DNS records (as recommended). For these reasons, NetBIOS-based discovery is not recommended.
@@ -700,7 +700,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting defines whether a domain controller (DC) should attempt to verify the password provided by a client with the PDC emulator if the DC failed to validate the password.
+Available in the latest Windows 10 Insider Preview Build. This policy setting defines whether a domain controller (DC) should attempt to verify the password provided by a client with the PDC emulator if the DC failed to validate the password.
Contacting the PDC emulator is useful in case the client’s password was recently changed and did not propagate to the DC yet. Users may want to disable this feature if the PDC emulator is located over a slow WAN connection.
@@ -775,7 +775,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines the amount of time (in seconds) to wait before the first retry for applications that perform periodic searches for domain controllers (DC) that are unable to find a DC.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines the amount of time (in seconds) to wait before the first retry for applications that perform periodic searches for domain controllers (DC) that are unable to find a DC.
The default value for this setting is 10 minutes (10*60).
@@ -853,7 +853,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines the maximum retry interval allowed when applications performing periodic searches for Domain Controllers (DCs) are unable to find a DC.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines the maximum retry interval allowed when applications performing periodic searches for Domain Controllers (DCs) are unable to find a DC.
For example, the retry intervals may be set at 10 minutes, then 20 minutes and then 40 minutes, but when the interval reaches the value set in this setting, that value becomes the retry interval for all subsequent retries until the value set in Final DC Discovery Retry Setting is reached.
@@ -933,7 +933,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines when retries are no longer allowed for applications that perform periodic searches for domain controllers (DC) are unable to find a DC. For example, retires may be set to occur according to the Use maximum DC discovery retry interval policy setting, but when the value set in this policy setting is reached, no more retries occur. If a value for this policy setting is smaller than the value in the Use maximum DC discovery retry interval policy setting, the value for Use maximum DC discovery retry interval policy setting is used.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines when retries are no longer allowed for applications that perform periodic searches for domain controllers (DC) are unable to find a DC. For example, retires may be set to occur according to the Use maximum DC discovery retry interval policy setting, but when the value set in this policy setting is reached, no more retries occur. If a value for this policy setting is smaller than the value in the Use maximum DC discovery retry interval policy setting, the value for Use maximum DC discovery retry interval policy setting is used.
The default value for this setting is to not quit retrying (0). The maximum value for this setting is 49 days (0x49*24*60*60=4233600). The minimum value for this setting is 0.
@@ -1005,7 +1005,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that periodically attempt to locate DCs, and it is applied before returning the DC information to the caller program. The default value for this setting is infinite (4294967200). The maximum value for this setting is (4294967200), while the maximum that is not treated as infinity is 49 days (49*24*60*60=4233600). Any larger value is treated as infinity. The minimum value for this setting is to always refresh (0).
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that periodically attempt to locate DCs, and it is applied before returning the DC information to the caller program. The default value for this setting is infinite (4294967200). The maximum value for this setting is (4294967200), while the maximum that is not treated as infinity is 49 days (49*24*60*60=4233600). Any larger value is treated as infinity. The minimum value for this setting is to always refresh (0).
> [!TIP]
@@ -1072,7 +1072,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the level of debug output for the Net Logon service.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the level of debug output for the Net Logon service.
The Net Logon service outputs debug information to the log file netlogon.log in the directory %windir%\debug. By default, no debug information is logged.
@@ -1147,7 +1147,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines which DC Locator DNS records are not registered by the Net Logon service.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines which DC Locator DNS records are not registered by the Net Logon service.
If you enable this policy setting, select Enabled and specify a list of space-delimited mnemonics (instructions) for the DC Locator DNS records that will not be registered by the DCs to which this setting is applied.
@@ -1246,7 +1246,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the Refresh Interval of the DC Locator DNS resource records for DCs to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used by the DC Locator algorithm to locate the DC. This setting may be applied only to DCs using dynamic update.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the Refresh Interval of the DC Locator DNS resource records for DCs to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used by the DC Locator algorithm to locate the DC. This setting may be applied only to DCs using dynamic update.
DCs configured to perform dynamic registration of the DC Locator DNS resource records periodically reregister their records with DNS servers, even if their records’ data has not changed. If authoritative DNS servers are configured to perform scavenging of the stale records, this reregistration is required to instruct the DNS servers configured to automatically remove (scavenge) stale records that these records are current and should be preserved in the database.
@@ -1322,7 +1322,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures whether the domain controllers to which this setting is applied will lowercase their DNS host name when registering SRV records.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether the domain controllers to which this setting is applied will lowercase their DNS host name when registering SRV records.
If enabled, domain controllers will lowercase their DNS host name when registering domain controller SRV records. A best-effort attempt will be made to delete any previously registered SRV records that contain mixed-case DNS host names. For more information and potential manual cleanup procedures, see the link below.
@@ -1398,7 +1398,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the value for the Time-To-Live (TTL) field in SRV resource records that are registered by the Net Logon service. These DNS records are dynamically registered, and they are used to locate the domain controller (DC).
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the value for the Time-To-Live (TTL) field in SRV resource records that are registered by the Net Logon service. These DNS records are dynamically registered, and they are used to locate the domain controller (DC).
To specify the TTL for DC Locator DNS records, click Enabled, and then enter a value in seconds (for example, the value "900" is 15 minutes).
@@ -1468,7 +1468,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the additional time for the computer to wait for the domain controller’s (DC) response when logging on to the network.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the additional time for the computer to wait for the domain controller’s (DC) response when logging on to the network.
To specify the expected dial-up delay at logon, click Enabled, and then enter the desired value in seconds (for example, the value "60" is 1 minute).
@@ -1539,7 +1539,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines the interval for when a Force Rediscovery is carried out by DC Locator.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines the interval for when a Force Rediscovery is carried out by DC Locator.
The Domain Controller Locator (DC Locator) service is used by clients to find domain controllers for their Active Directory domain. When DC Locator finds a domain controller, it caches domain controllers to improve the efficiency of the location algorithm. As long as the cached domain controller meets the requirements and is running, DC Locator will continue to return it. If a new domain controller is introduced, existing clients will only discover it when a Force Rediscovery is carried out by DC Locator. To adapt to changes in network conditions DC Locator will by default carry out a Force Rediscovery according to a specific time interval and maintain efficient load-balancing of clients across all available domain controllers in all domains or forests. The default time interval for Force Rediscovery by DC Locator is 12 hours. Force Rediscovery can also be triggered if a call to DC Locator uses the DS_FORCE_REDISCOVERY flag. Rediscovery resets the timer on the cached domain controller entries.
@@ -1614,7 +1614,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the sites for which the global catalogs (GC) should register site-specific GC locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the GC resides, and records registered by a GC configured to register GC Locator DNS SRV records for those sites without a GC that are closest to it.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the sites for which the global catalogs (GC) should register site-specific GC locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the GC resides, and records registered by a GC configured to register GC Locator DNS SRV records for those sites without a GC that are closest to it.
The GC Locator DNS records and the site-specific SRV records are dynamically registered by the Net Logon service, and they are used to locate the GC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. A GC is a domain controller that contains a partial replica of every domain in Active Directory.
@@ -1687,7 +1687,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to control the processing of incoming mailslot messages by a local domain controller (DC).
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control the processing of incoming mailslot messages by a local domain controller (DC).
> [!NOTE]
> To locate a remote DC based on its NetBIOS (single-label) domain name, DC Locator first gets the list of DCs from a WINS server that is configured in its local client settings. DC Locator then sends a mailslot message to each remote DC to get more information. DC location succeeds only if a remote DC responds to the mailslot message.
@@ -1763,7 +1763,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the Priority field in the SRV resource records registered by domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used to locate the DC.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the Priority field in the SRV resource records registered by domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used to locate the DC.
The Priority field in the SRV record sets the preference for target hosts (specified in the SRV record’s Target field). DNS clients that query for SRV resource records attempt to contact the first reachable host with the lowest priority number listed.
@@ -1836,7 +1836,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the Weight field in the SRV resource records registered by the domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the Weight field in the SRV resource records registered by the domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC.
The Weight field in the SRV record can be used in addition to the Priority value to provide a load-balancing mechanism where multiple servers are specified in the SRV records Target field and are all set to the same priority. The probability with which the DNS client randomly selects the target host to be contacted is proportional to the Weight field value in the SRV record.
@@ -1909,7 +1909,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the maximum size in bytes of the log file netlogon.log in the directory %windir%\debug when logging is enabled.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the maximum size in bytes of the log file netlogon.log in the directory %windir%\debug when logging is enabled.
By default, the maximum size of the log file is 20MB. If you enable this policy setting, the maximum size of the log file is set to the specified size. Once this size is reached the log file is saved to netlogon.bak and netlogon.log is truncated. A reasonable value based on available storage should be specified.
@@ -1980,7 +1980,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the sites for which the domain controllers (DC) that host the application directory partition should register the site-specific, application directory partition-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the sites for which the domain controllers (DC) that host the application directory partition should register the site-specific, application directory partition-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it.
The application directory partition DC Locator DNS records and the site-specific SRV records are dynamically registered by the Net Logon service, and they are used to locate the application directory partition-specific DC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication.
@@ -2053,7 +2053,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the amount of time (in seconds) the DC locator remembers that a domain controller (DC) could not be found in a domain. When a subsequent attempt to locate the DC occurs within the time set in this setting, DC Discovery immediately fails, without attempting to find the DC.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the amount of time (in seconds) the DC locator remembers that a domain controller (DC) could not be found in a domain. When a subsequent attempt to locate the DC occurs within the time set in this setting, DC Discovery immediately fails, without attempting to find the DC.
The default value for this setting is 45 seconds. The maximum value for this setting is 7 days (7*24*60*60). The minimum value for this setting is 0.
@@ -2125,7 +2125,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting controls whether or not the Netlogon share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications.
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not the Netlogon share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications.
If you enable this policy setting, the Netlogon share will honor file sharing semantics that grant requests for exclusive read access to files on the share even when the caller has only read permission.
@@ -2203,7 +2203,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that do not periodically attempt to locate DCs, and it is applied before the returning the DC information to the caller program. This policy setting is relevant to only those callers of DsGetDcName that have not specified the DS_BACKGROUND_ONLY flag.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that do not periodically attempt to locate DCs, and it is applied before the returning the DC information to the caller program. This policy setting is relevant to only those callers of DsGetDcName that have not specified the DS_BACKGROUND_ONLY flag.
The default value for this setting is 30 minutes (1800). The maximum value for this setting is (4294967200), while the maximum that is not treated as infinity is 49 days (49*24*60*60=4233600). Any larger value will be treated as infinity. The minimum value for this setting is to always refresh (0).
@@ -2272,7 +2272,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures whether the computers to which this setting is applied are more aggressive when trying to locate a domain controller (DC).
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures whether the computers to which this setting is applied are more aggressive when trying to locate a domain controller (DC).
When an environment has a large number of DCs running both old and new operating systems, the default DC locator discovery behavior may be insufficient to find DCs running a newer operating system. This policy setting can be enabled to configure DC locator to be more aggressive about trying to locate a DC in such an environment, by pinging DCs at a higher frequency. Enabling this setting may result in additional network traffic and increased load on DCs. You should disable this setting once all DCs are running the same OS version.
@@ -2350,7 +2350,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines the interval at which Netlogon performs the following scavenging operations:
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines the interval at which Netlogon performs the following scavenging operations:
- Checks if a password on a secure channel needs to be modified, and modifies it if necessary.
@@ -2427,7 +2427,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the sites for which the domain controllers (DC) register the site-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the sites for which the domain controllers (DC) register the site-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it.
The DC Locator DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication.
@@ -2500,7 +2500,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the Active Directory site to which computers belong.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the Active Directory site to which computers belong.
An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication.
@@ -2573,7 +2573,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting controls whether or not the SYSVOL share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications.
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not the SYSVOL share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications.
When this setting is enabled, the SYSVOL share will honor file sharing semantics that grant requests for exclusive read access to files on the share even when the caller has only read permission.
@@ -2651,7 +2651,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting enables DC Locator to attempt to locate a DC in the nearest site based on the site link cost if a DC in same the site is not found. In scenarios with multiple sites, failing over to the try next closest site during DC Location streamlines network traffic more effectively.
+Available in the latest Windows 10 Insider Preview Build. This policy setting enables DC Locator to attempt to locate a DC in the nearest site based on the site link cost if a DC in same the site is not found. In scenarios with multiple sites, failing over to the try next closest site during DC Location streamlines network traffic more effectively.
The DC Locator service is used by clients to find domain controllers for their Active Directory domain. The default behavior for DC Locator is to find a DC in the same site. If none are found in the same site, a DC in another site, which might be several site-hops away, could be returned by DC Locator. Site proximity between two sites is determined by the total site-link cost between them. A site is closer if it has a lower site link cost than another site with a higher site link cost.
@@ -2726,7 +2726,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines if dynamic registration of the domain controller (DC) locator DNS resource records is enabled. These DNS records are dynamically registered by the Net Logon service and are used by the Locator algorithm to locate the DC.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines if dynamic registration of the domain controller (DC) locator DNS resource records is enabled. These DNS records are dynamically registered by the Net Logon service and are used by the Locator algorithm to locate the DC.
If you enable this policy setting, DCs to which this setting is applied dynamically register DC Locator DNS resource records through dynamic DNS update-enabled network connections.
@@ -2755,14 +2755,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-networkconnections.md b/windows/client-management/mdm/policy-csp-admx-networkconnections.md
new file mode 100644
index 0000000000..7e542154a7
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-networkconnections.md
@@ -0,0 +1,2200 @@
+---
+title: Policy CSP - ADMX_NetworkConnections
+description: Policy CSP - ADMX_NetworkConnections
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 10/21/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_NetworkConnections
+
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_NetworkConnections policies
+
+
+
+
+
+
+
+
+**ADMX_NetworkConnections/NC_AddRemoveComponents**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether administrators can add and remove network components for a LAN or remote access connection. This setting has no effect on nonadministrators.
+
+If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Install and Uninstall buttons for components of connections are disabled, and administrators are not permitted to access network components in the Windows Components Wizard.
+
+If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.
+
+If you disable this setting or do not configure it, the Install and Uninstall buttons for components of connections in the Network Connections folder are enabled. Also, administrators can gain access to network components in the Windows Components Wizard.
+
+The Install button opens the dialog boxes used to add network components. Clicking the Uninstall button removes the selected component in the components list (above the button).
+
+The Install and Uninstall buttons appear in the properties dialog box for connections. These buttons are on the General tab for LAN connections and on the Networking tab for remote access connections.
+
+> [!NOTE]
+> When the "Prohibit access to properties of a LAN connection", "Ability to change properties of an all user remote access connection", or "Prohibit changing properties of a private remote access connection" settings are set to deny access to the connection properties dialog box, the Install and Uninstall buttons for connections are blocked.
+>
+> Nonadministrators are already prohibited from adding and removing connection components, regardless of this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prohibit adding and removing components for a LAN or remote access connection*
+- GP name: *NC_AddRemoveComponents*
+- GP path: *Network\Network Connections*
+- GP ADMX file name: *NetworkConnections.admx*
+
+
+
+
+
+
+**ADMX_NetworkConnections/NC_AdvancedSettings**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the Advanced Settings item on the Advanced menu in Network Connections is enabled for administrators.
+
+The Advanced Settings item lets users view and change bindings and view and change the order in which the computer accesses connections, network providers, and print providers.
+
+If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Advanced Settings item is disabled for administrators.
+
+If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.
+
+If you disable this setting or do not configure it, the Advanced Settings item is enabled for administrators.
+
+> [!NOTE]
+> Nonadministrators are already prohibited from accessing the Advanced Settings dialog box, regardless of this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prohibit access to the Advanced Settings item on the Advanced menu*
+- GP name: *NC_AdvancedSettings*
+- GP path: *Network\Network Connections*
+- GP ADMX file name: *NetworkConnections.admx*
+
+
+
+
+
+
+**ADMX_NetworkConnections/NC_AllowAdvancedTCPIPConfig**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can configure advanced TCP/IP settings.
+
+If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Advanced button on the Internet Protocol (TCP/IP) Properties dialog box is disabled for all users (including administrators). As a result, users cannot open the Advanced TCP/IP Settings Properties page and modify IP settings, such as DNS and WINS server information.
+
+If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.
+
+If you disable this setting, the Advanced button is enabled, and all users can open the Advanced TCP/IP Setting dialog box.
+
+This setting is superseded by settings that prohibit access to properties of connections or connection components. When these policies are set to deny access to the connection properties dialog box or Properties button for connection components, users cannot gain access to the Advanced button for TCP/IP configuration.
+
+Changing this setting from Enabled to Not Configured does not enable the Advanced button until the user logs off.
+
+> [!NOTE]
+> Nonadministrators (excluding Network Configuration Operators) do not have permission to access TCP/IP advanced configuration for a LAN connection, regardless of this setting.
+
+> [!TIP]
+> To open the Advanced TCP/IP Setting dialog box, in the Network Connections folder, right-click a connection icon, and click Properties. For remote access connections, click the Networking tab. In the "Components checked are used by this connection" box, click Internet Protocol (TCP/IP), click the Properties button, and then click the Advanced button.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prohibit TCP/IP advanced configuration*
+- GP name: *NC_AllowAdvancedTCPIPConfig*
+- GP path: *Network\Network Connections*
+- GP ADMX file name: *NetworkConnections.admx*
+
+
+
+
+
+
+**ADMX_NetworkConnections/NC_ChangeBindState**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting Determines whether administrators can enable and disable the components used by LAN connections.
+
+If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the check boxes for enabling and disabling components are disabled. As a result, administrators cannot enable or disable the components that a connection uses.
+
+If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.
+
+If you disable this setting or do not configure it, the Properties dialog box for a connection includes a check box beside the name of each component that the connection uses. Selecting the check box enables the component, and clearing the check box disables the component.
+
+> [!NOTE]
+> When the "Prohibit access to properties of a LAN connection" setting is enabled, users are blocked from accessing the check boxes for enabling and disabling the components of a LAN connection.
+>
+> Nonadministrators are already prohibited from enabling or disabling components for a LAN connection, regardless of this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prohibit Enabling/Disabling components of a LAN connection*
+- GP name: *NC_ChangeBindState*
+- GP path: *Network\Network Connections*
+- GP ADMX file name: *NetworkConnections.admx*
+
+
+
+
+
+
+**ADMX_NetworkConnections/NC_DeleteAllUserConnection**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can delete all user remote access connections.
+
+To create an all-user remote access connection, on the Connection Availability page in the New Connection Wizard, click the "For all users" option.
+
+If you enable this setting, all users can delete shared remote access connections. In addition, if your file system is NTFS, users need to have Write access to Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk to delete a shared remote access connection.
+
+If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), users (including administrators) cannot delete all-user remote access connections. (By default, users can still delete their private connections, but you can change the default by using the "Prohibit deletion of remote access connections" setting.)
+
+If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.
+
+If you do not configure this setting, only Administrators and Network Configuration Operators can delete all user remote access connections.
+
+When enabled, the "Prohibit deletion of remote access connections" setting takes precedence over this setting. Users (including administrators) cannot delete any remote access connections, and this setting is ignored.
+
+> [!NOTE]
+> LAN connections are created and deleted automatically by the system when a LAN adapter is installed or removed. You cannot use the Network Connections folder to create or delete a LAN connection.
+>
+> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Ability to delete all user remote access connections*
+- GP name: *NC_DeleteAllUserConnection*
+- GP path: *Network\Network Connections*
+- GP ADMX file name: *NetworkConnections.admx*
+
+
+
+
+
+
+**ADMX_NetworkConnections/NC_DeleteConnection**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can delete remote access connections.
+
+If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), users (including administrators) cannot delete any remote access connections. This setting also disables the Delete option on the context menu for a remote access connection and on the File menu in the Network Connections folder.
+
+If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.
+
+If you disable this setting or do not configure it, all users can delete their private remote access connections. Private connections are those that are available only to one user. (By default, only Administrators and Network Configuration Operators can delete connections available to all users, but you can change the default by using the "Ability to delete all user remote access connections" setting.)
+
+When enabled, this setting takes precedence over the "Ability to delete all user remote access connections" setting. Users cannot delete any remote access connections, and the "Ability to delete all user remote access connections" setting is ignored.
+
+> [!NOTE]
+> LAN connections are created and deleted automatically when a LAN adapter is installed or removed. You cannot use the Network Connections folder to create or delete a LAN connection.
+>
+> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting.
+>
+> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prohibit deletion of remote access connections*
+- GP name: *NC_DeleteConnection*
+- GP path: *Network\Network Connections*
+- GP ADMX file name: *NetworkConnections.admx*
+
+
+
+
+
+
+**ADMX_NetworkConnections/NC_DialupPrefs**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the Remote Access Preferences item on the Advanced menu in Network Connections folder is enabled.
+
+The Remote Access Preferences item lets users create and change connections before logon and configure automatic dialing and callback features.
+
+If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Remote Access Preferences item is disabled for all users (including administrators).
+
+If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.
+
+If you disable this setting or do not configure it, the Remote Access Preferences item is enabled for all users.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prohibit access to the Remote Access Preferences item on the Advanced menu*
+- GP name: *NC_DialupPrefs*
+- GP path: *Network\Network Connections*
+- GP ADMX file name: *NetworkConnections.admx*
+
+
+
+
+
+
+**ADMX_NetworkConnections/NC_DoNotShowLocalOnlyIcon**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether or not the "local access only" network icon will be shown.
+
+When enabled, the icon for Internet access will be shown in the system tray even when a user is connected to a network with local access only.
+
+If you disable this setting or do not configure it, the "local access only" icon will be used when a user is connected to a network with local access only.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not show the "local access only" network icon*
+- GP name: *NC_DoNotShowLocalOnlyIcon*
+- GP path: *Network\Network Connections*
+- GP ADMX file name: *NetworkConnections.admx*
+
+
+
+
+
+
+**ADMX_NetworkConnections/NC_EnableAdminProhibits**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether settings that existed in Windows 2000 Server family will apply to Administrators.
+
+The set of Network Connections group settings that existed in Windows 2000 Professional also exists in Windows XP Professional. In Windows 2000 Professional, all of these settings had the ability to prohibit the use of certain features from Administrators.
+
+By default, Network Connections group settings in Windows XP Professional do not have the ability to prohibit the use of features from Administrators.
+
+If you enable this setting, the Windows XP settings that existed in Windows 2000 Professional will have the ability to prohibit Administrators from using certain features. These settings are "Ability to rename LAN connections or remote access connections available to all users", "Prohibit access to properties of components of a LAN connection", "Prohibit access to properties of components of a remote access connection", "Ability to access TCP/IP advanced configuration", "Prohibit access to the Advanced Settings Item on the Advanced Menu", "Prohibit adding and removing components for a LAN or remote access connection", "Prohibit access to properties of a LAN connection", "Prohibit Enabling/Disabling components of a LAN connection", "Ability to change properties of an all user remote access connection", "Prohibit changing properties of a private remote access connection", "Prohibit deletion of remote access connections", "Ability to delete all user remote access connections", "Prohibit connecting and disconnecting a remote access connection", "Ability to Enable/Disable a LAN connection", "Prohibit access to the New Connection Wizard", "Prohibit renaming private remote access connections", "Prohibit access to the Remote Access Preferences item on the Advanced menu", "Prohibit viewing of status for an active connection". When this setting is enabled, settings that exist in both Windows 2000 Professional and Windows XP Professional behave the same for administrators.
+
+If you disable this setting or do not configure it, Windows XP settings that existed in Windows 2000 will not apply to administrators.
+
+> [!NOTE]
+> This setting is intended to be used in a situation in which the Group Policy object that these settings are being applied to contains both Windows 2000 Professional and Windows XP Professional computers, and identical Network Connections policy behavior is required between all Windows 2000 Professional and Windows XP Professional computers.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Enable Windows 2000 Network Connections settings for Administrators*
+- GP name: *NC_EnableAdminProhibits*
+- GP path: *Network\Network Connections*
+- GP ADMX file name: *NetworkConnections.admx*
+
+
+
+
+
+
+**ADMX_NetworkConnections/NC_ForceTunneling**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether a remote client computer routes Internet traffic through the internal network or whether the client accesses the Internet directly.
+
+When a remote client computer connects to an internal network using DirectAccess, it can access the Internet in two ways: through the secure tunnel that DirectAccess establishes between the computer and the internal network, or directly through the local default gateway.
+
+If you enable this policy setting, all traffic between a remote client computer running DirectAccess and the Internet is routed through the internal network.
+
+If you disable this policy setting, traffic between remote client computers running DirectAccess and the Internet is not routed through the internal network.
+
+If you do not configure this policy setting, traffic between remote client computers running DirectAccess and the Internet is not routed through the internal network.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Route all traffic through the internal network*
+- GP name: *NC_ForceTunneling*
+- GP path: *Network\Network Connections*
+- GP ADMX file name: *NetworkConnections.admx*
+
+
+
+
+
+
+**ADMX_NetworkConnections/NC_IpStateChecking**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether notifications are shown to the user when a DHCP-configured connection is unable to retrieve an IP address from a DHCP server. This is often signified by the assignment of an automatic private IP address"(i.e. an IP address in the range 169.254.*.*). This indicates that a DHCP server could not be reached or the DHCP server was reached but unable to respond to the request with a valid IP address. By default, a notification is displayed providing the user with information on how the problem can be resolved.
+
+If you enable this policy setting, this condition will not be reported as an error to the user.
+
+If you disable or do not configure this policy setting, a DHCP-configured connection that has not been assigned an IP address will be reported via a notification, providing the user with information as to how the problem can be resolved.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off notifications when a connection has only limited or no connectivity*
+- GP name: *NC_IpStateChecking*
+- GP path: *Network\Network Connections*
+- GP ADMX file name: *NetworkConnections.admx*
+
+
+
+
+
+
+**ADMX_NetworkConnections/NC_LanChangeProperties**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Administrators and Network Configuration Operators can change the properties of components used by a LAN connection.
+
+This setting determines whether the Properties button for components of a LAN connection is enabled.
+
+If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties button is disabled for Administrators. Network Configuration Operators are prohibited from accessing connection components, regardless of the "Enable Network Connections settings for Administrators" setting.
+
+If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting does not apply to administrators on post-Windows 2000 computers.
+
+If you disable this setting or do not configure it, the Properties button is enabled for administrators and Network Configuration Operators.
+
+The Local Area Connection Properties dialog box includes a list of the network components that the connection uses. To view or change the properties of a component, click the name of the component, and then click the Properties button beneath the component list.
+
+> [!NOTE]
+> Not all network components have configurable properties. For components that are not configurable, the Properties button is always disabled.
+>
+> When the "Prohibit access to properties of a LAN connection" setting is enabled, users are blocked from accessing the Properties button for LAN connection components.
+>
+> Network Configuration Operators only have permission to change TCP/IP properties. Properties for all other components are unavailable to these users.
+>
+> Nonadministrators are already prohibited from accessing properties of components for a LAN connection, regardless of this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prohibit access to properties of components of a LAN connection*
+- GP name: *NC_LanChangeProperties*
+- GP path: *Network\Network Connections*
+- GP ADMX file name: *NetworkConnections.admx*
+
+
+
+
+
+
+**ADMX_NetworkConnections/NC_LanConnect**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can enable/disable LAN connections.
+
+If you enable this setting, the Enable and Disable options for LAN connections are available to users (including nonadministrators). Users can enable/disable a LAN connection by double-clicking the icon representing the connection, by right-clicking it, or by using the File menu.
+
+If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), double-clicking the icon has no effect, and the Enable and Disable menu items are disabled for all users (including administrators).
+
+If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.
+
+If you do not configure this setting, only Administrators and Network Configuration Operators can enable/disable LAN connections.
+
+> [!NOTE]
+> Administrators can still enable/disable LAN connections from Device Manager when this setting is disabled.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Ability to Enable/Disable a LAN connection*
+- GP name: *NC_LanConnect*
+- GP path: *Network\Network Connections*
+- GP ADMX file name: *NetworkConnections.admx*
+
+
+
+
+
+
+**ADMX_NetworkConnections/NC_LanProperties**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can change the properties of a LAN connection.
+
+This setting determines whether the Properties menu item is enabled, and thus, whether the Local Area Connection Properties dialog box is available to users.
+
+If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties menu items are disabled for all users, and users cannot open the Local Area Connection Properties dialog box.
+
+If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.
+
+If you disable this setting or do not configure it, a Properties menu item appears when users right-click the icon representing a LAN connection. Also, when users select the connection, Properties is enabled on the File menu.
+
+> [!NOTE]
+> This setting takes precedence over settings that manipulate the availability of features inside the Local Area Connection Properties dialog box. If this setting is enabled, nothing within the properties dialog box for a LAN connection is available to users.
+>
+> Nonadministrators have the right to view the properties dialog box for a connection but not to make changes, regardless of this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prohibit access to properties of a LAN connection*
+- GP name: *NC_LanProperties*
+- GP path: *Network\Network Connections*
+- GP ADMX file name: *NetworkConnections.admx*
+
+
+
+
+
+
+**ADMX_NetworkConnections/NC_NewConnectionWizard**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can use the New Connection Wizard, which creates new network connections.
+
+If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Make New Connection icon does not appear in the Start Menu on in the Network Connections folder. As a result, users (including administrators) cannot start the New Connection Wizard.
+
+If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.
+
+If you disable this setting or do not configure it, the Make New Connection icon appears in the Start menu and in the Network Connections folder for all users. Clicking the Make New Connection icon starts the New Connection Wizard.
+
+> [!NOTE]
+> Changing this setting from Enabled to Not Configured does not restore the Make New Connection icon until the user logs off or on. When other changes to this setting are applied, the icon does not appear or disappear in the Network Connections folder until the folder is refreshed.
+>
+> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prohibit access to the New Connection Wizard*
+- GP name: *NC_NewConnectionWizard*
+- GP path: *Network\Network Connections*
+- GP ADMX file name: *NetworkConnections.admx*
+
+
+
+
+
+
+**ADMX_NetworkConnections/NC_PersonalFirewallConfig**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting prohibits use of Internet Connection Firewall on your DNS domain network.
+
+Determines whether users can enable the Internet Connection Firewall feature on a connection, and if the Internet Connection Firewall service can run on a computer.
+
+> [!IMPORTANT]
+> This setting is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting does not apply.
+
+The Internet Connection Firewall is a stateful packet filter for home and small office users to protect them from Internet network security threats.
+
+If you enable this setting, Internet Connection Firewall cannot be enabled or configured by users (including administrators), and the Internet Connection Firewall service cannot run on the computer. The option to enable the Internet Connection Firewall through the Advanced tab is removed. In addition, the Internet Connection Firewall is not enabled for remote access connections created through the Make New Connection Wizard. The Network Setup Wizard is disabled.
+
+If you enable the "Windows Firewall: Protect all network connections" policy setting, the "Prohibit use of Internet Connection Firewall on your DNS domain network" policy setting has no effect on computers that are running Windows Firewall, which replaces Internet Connection Firewall when you install Windows XP Service Pack 2.
+
+If you disable this setting or do not configure it, the Internet Connection Firewall is disabled when a LAN Connection or VPN connection is created, but users can use the Advanced tab in the connection properties to enable it. The Internet Connection Firewall is enabled by default on the connection for which Internet Connection Sharing is enabled. In addition, remote access connections created through the Make New Connection Wizard have the Internet Connection Firewall enabled.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prohibit use of Internet Connection Firewall on your DNS domain network*
+- GP name: *NC_PersonalFirewallConfig*
+- GP path: *Network\Network Connections*
+- GP ADMX file name: *NetworkConnections.admx*
+
+
+
+
+
+
+**ADMX_NetworkConnections/NC_RasAllUserProperties**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether a user can view and change the properties of remote access connections that are available to all users of the computer.
+
+To create an all-user remote access connection, on the Connection Availability page in the New Connection Wizard, click the "For all users" option.
+
+This setting determines whether the Properties menu item is enabled, and thus, whether the Remote Access Connection Properties dialog box is available to users.
+
+If you enable this setting, a Properties menu item appears when any user right-clicks the icon for a remote access connection. Also, when any user selects the connection, Properties appears on the File menu.
+
+If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties menu items are disabled, and users (including administrators) cannot open the remote access connection properties dialog box.
+
+If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.
+
+If you do not configure this setting, only Administrators and Network Configuration Operators can change properties of all-user remote access connections.
+
+> [!NOTE]
+> This setting takes precedence over settings that manipulate the availability of features inside the Remote Access Connection Properties dialog box. If this setting is disabled, nothing within the properties dialog box for a remote access connection will be available to users.
+>
+> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Ability to change properties of an all user remote access connection*
+- GP name: *NC_RasAllUserProperties*
+- GP path: *Network\Network Connections*
+- GP ADMX file name: *NetworkConnections.admx*
+
+
+
+
+
+
+**ADMX_NetworkConnections/NC_RasChangeProperties**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can view and change the properties of components used by a private or all-user remote access connection.
+
+This setting determines whether the Properties button for components used by a private or all-user remote access connection is enabled.
+
+If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties button is disabled for all users (including administrators).
+
+If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting does not apply to administrators on post-Windows 2000 computers.
+
+If you disable this setting or do not configure it, the Properties button is enabled for all users.
+
+The Networking tab of the Remote Access Connection Properties dialog box includes a list of the network components that the connection uses. To view or change the properties of a component, click the name of the component, and then click the Properties button beneath the component list.
+
+> [NOTE]
+> Not all network components have configurable properties. For components that are not configurable, the Properties button is always disabled.
+>
+> When the "Ability to change properties of an all user remote access connection" or "Prohibit changing properties of a private remote access connection" settings are set to deny access to the Remote Access Connection Properties dialog box, the Properties button for remote access connection components is blocked.
+>
+> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prohibit access to properties of components of a remote access connection*
+- GP name: *NC_RasChangeProperties*
+- GP path: *Network\Network Connections*
+- GP ADMX file name: *NetworkConnections.admx*
+
+
+
+
+
+
+**ADMX_NetworkConnections/NC_RasConnect**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can connect and disconnect remote access connections.
+
+If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), double-clicking the icon has no effect, and the Connect and Disconnect menu items are disabled for all users (including administrators).
+
+If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.
+
+If you disable this setting or do not configure it, the Connect and Disconnect options for remote access connections are available to all users. Users can connect or disconnect a remote access connection by double-clicking the icon representing the connection, by right-clicking it, or by using the File menu.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prohibit connecting and disconnecting a remote access connection*
+- GP name: *NC_RasConnect*
+- GP path: *Network\Network Connections*
+- GP ADMX file name: *NetworkConnections.admx*
+
+
+
+
+
+
+**ADMX_NetworkConnections/NC_RasMyProperties**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can view and change the properties of their private remote access connections.
+
+Private connections are those that are available only to one user. To create a private connection, on the Connection Availability page in the New Connection Wizard, click the "Only for myself" option.
+
+This setting determines whether the Properties menu item is enabled, and thus, whether the Remote Access Connection Properties dialog box for a private connection is available to users.
+
+If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Properties menu items are disabled, and no users (including administrators) can open the Remote Access Connection Properties dialog box for a private connection.
+
+If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.
+
+If you disable this setting or do not configure it, a Properties menu item appears when any user right-clicks the icon representing a private remote access connection. Also, when any user selects the connection, Properties appears on the File menu.
+
+> [!NOTE]
+> This setting takes precedence over settings that manipulate the availability of features in the Remote Access Connection Properties dialog box. If this setting is enabled, nothing within the properties dialog box for a remote access connection will be available to users.
+>
+> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prohibit changing properties of a private remote access connection*
+- GP name: *NC_RasMyProperties*
+- GP path: *Network\Network Connections*
+- GP ADMX file name: *NetworkConnections.admx*
+
+
+
+
+
+
+**ADMX_NetworkConnections/NC_RenameAllUserRasConnection**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether nonadministrators can rename all-user remote access connections.
+
+To create an all-user connection, on the Connection Availability page in the New Connection Wizard, click the "For all users" option.
+
+If you enable this setting, the Rename option is enabled for all-user remote access connections. Any user can rename all-user connections by clicking an icon representing the connection or by using the File menu.
+
+If you disable this setting, the Rename option is disabled for nonadministrators only.
+
+If you do not configure the setting, only Administrators and Network Configuration Operators can rename all-user remote access connections.
+
+> [!NOTE]
+> This setting does not apply to Administrators.
+
+When the "Ability to rename LAN connections or remote access connections available to all users" setting is configured (set to either Enabled or Disabled), this setting does not apply.
+
+This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Ability to rename all user remote access connections*
+- GP name: *NC_RenameAllUserRasConnection*
+- GP path: *Network\Network Connections*
+- GP ADMX file name: *NetworkConnections.admx*
+
+
+
+
+
+
+**ADMX_NetworkConnections/NC_RenameConnection**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting Determines whether users can rename LAN or all user remote access connections.
+
+If you enable this setting, the Rename option is enabled for all users. Users can rename connections by clicking the icon representing a connection or by using the File menu.
+
+If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Rename option for LAN and all user remote access connections is disabled for all users (including Administrators and Network Configuration Operators).
+
+If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.
+
+If this setting is not configured, only Administrators and Network Configuration Operators have the right to rename LAN or all user remote access connections.
+
+> [!NOTE]
+> When configured, this setting always takes precedence over the "Ability to rename LAN connections" and "Ability to rename all user remote access connections" settings.
+>
+> This setting does not prevent users from using other programs, such as Internet Explorer, to rename remote access connections.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Ability to rename LAN connections or remote access connections available to all users*
+- GP name: *NC_RenameConnection*
+- GP path: *Network\Network Connections*
+- GP ADMX file name: *NetworkConnections.admx*
+
+
+
+
+
+
+**ADMX_NetworkConnections/NC_RenameLanConnection**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether nonadministrators can rename a LAN connection.
+
+If you enable this setting, the Rename option is enabled for LAN connections. Nonadministrators can rename LAN connections by clicking an icon representing the connection or by using the File menu.
+
+If you disable this setting, the Rename option is disabled for nonadministrators only.
+
+If you do not configure this setting, only Administrators and Network Configuration Operators can rename LAN connections
+
+> [!NOTE]
+> This setting does not apply to Administrators.
+
+When the "Ability to rename LAN connections or remote access connections available to all users" setting is configured (set to either enabled or disabled), this setting does not apply.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Ability to rename LAN connections*
+- GP name: *NC_RenameLanConnection*
+- GP path: *Network\Network Connections*
+- GP ADMX file name: *NetworkConnections.admx*
+
+
+
+
+
+
+**ADMX_NetworkConnections/NC_RenameMyRasConnection**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can rename their private remote access connections.
+
+Private connections are those that are available only to one user. To create a private connection, on the Connection Availability page in the New Connection Wizard, click the "Only for myself" option.
+
+If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting), the Rename option is disabled for all users (including administrators).
+
+If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.
+
+If you disable this setting or do not configure it, the Rename option is enabled for all users' private remote access connections. Users can rename their private connection by clicking an icon representing the connection or by using the File menu.
+
+> [!NOTE]
+> This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prohibit renaming private remote access connections*
+- GP name: *NC_RenameMyRasConnection*
+- GP path: *Network\Network Connections*
+- GP ADMX file name: *NetworkConnections.admx*
+
+
+
+
+
+
+**ADMX_NetworkConnections/NC_ShowSharedAccessUI**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer.
+
+ICS lets administrators configure their system as an Internet gateway for a small network and provides network services, such as name resolution and addressing through DHCP, to the local private network.
+
+If you enable this setting, ICS cannot be enabled or configured by administrators, and the ICS service cannot run on the computer. The Advanced tab in the Properties dialog box for a LAN or remote access connection is removed. The Internet Connection Sharing page is removed from the New Connection Wizard. The Network Setup Wizard is disabled.
+
+If you disable this setting or do not configure it and have two or more connections, administrators can enable ICS. The Advanced tab in the properties dialog box for a LAN or remote access connection is available. In addition, the user is presented with the option to enable Internet Connection Sharing in the Network Setup Wizard and Make New Connection Wizard. (The Network Setup Wizard is available only in Windows XP Professional.)
+
+By default, ICS is disabled when you create a remote access connection, but administrators can use the Advanced tab to enable it. When running the New Connection Wizard or Network Setup Wizard, administrators can choose to enable ICS.
+
+> [!NOTE]
+> Internet Connection Sharing is only available when two or more network connections are present.
+
+When the "Prohibit access to properties of a LAN connection," "Ability to change properties of an all user remote access connection," or "Prohibit changing properties of a private remote access connection" settings are set to deny access to the Connection Properties dialog box, the Advanced tab for the connection is blocked.
+
+Nonadministrators are already prohibited from configuring Internet Connection Sharing, regardless of this setting.
+
+Disabling this setting does not prevent Wireless Hosted Networking from using the ICS service for DHCP services. To prevent the ICS service from running, on the Network Permissions tab in the network's policy properties, select the "Don't use hosted networks" check box.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prohibit use of Internet Connection Sharing on your DNS domain network*
+- GP name: *NC_ShowSharedAccessUI*
+- GP path: *Network\Network Connections*
+- GP ADMX file name: *NetworkConnections.admx*
+
+
+
+
+
+
+**ADMX_NetworkConnections/NC_Statistics**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether users can view the status for an active connection.
+
+Connection status is available from the connection status taskbar icon or from the Status dialog box. The Status dialog box displays information about the connection and its activity. It also provides buttons to disconnect and to configure the properties of the connection.
+
+If you enable this setting, the connection status taskbar icon and Status dialog box are not available to users (including administrators). The Status option is disabled in the context menu for the connection and on the File menu in the Network Connections folder. Users cannot choose to show the connection icon in the taskbar from the Connection Properties dialog box.
+
+If the "Enable Network Connections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post-Windows 2000 computers.
+
+If you disable this setting or do not configure it, the connection status taskbar icon and Status dialog box are available to all users.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prohibit viewing of status for an active connection*
+- GP name: *NC_Statistics*
+- GP path: *Network\Network Connections*
+- GP ADMX file name: *NetworkConnections.admx*
+
+
+
+
+
+
+**ADMX_NetworkConnections/NC_StdDomainUserSetLocation**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether to require domain users to elevate when setting a network's location.
+
+If you enable this policy setting, domain users must elevate when setting a network's location.
+
+If you disable or do not configure this policy setting, domain users can set a network's location without elevating.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Require domain users to elevate when setting a network's location*
+- GP name: *NC_StdDomainUserSetLocation*
+- GP path: *Network\Network Connections*
+- GP ADMX file name: *NetworkConnections.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md
index abd5e758fc..27b56e21e6 100644
--- a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md
+++ b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md
@@ -209,7 +209,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting makes subfolders available offline whenever their parent folder is made available offline.
+Available in the latest Windows 10 Insider Preview Build. This policy setting makes subfolders available offline whenever their parent folder is made available offline.
This setting automatically extends the "make available offline" setting to all new and existing subfolders of a folder. Users do not have the option of excluding subfolders.
@@ -280,7 +280,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders are available offline to users of the computer.
+Available in the latest Windows 10 Insider Preview Build. This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders are available offline to users of the computer.
If you enable this policy setting, the files you enter are always available offline to users of the computer. To specify a file or folder, click Show. In the Show Contents dialog box in the Value Name column, type the fully qualified UNC path to the file or folder. Leave the Value column field blank.
@@ -354,7 +354,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders are available offline to users of the computer.
+Available in the latest Windows 10 Insider Preview Build. This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders are available offline to users of the computer.
If you enable this policy setting, the files you enter are always available offline to users of the computer. To specify a file or folder, click Show. In the Show Contents dialog box in the Value Name column, type the fully qualified UNC path to the file or folder. Leave the Value column field blank.
@@ -428,7 +428,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting controls when background synchronization occurs while operating in slow-link mode, and applies to any user who logs onto the specified machine while this policy is in effect. To control slow-link mode, use the "Configure slow-link mode" policy setting.
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls when background synchronization occurs while operating in slow-link mode, and applies to any user who logs onto the specified machine while this policy is in effect. To control slow-link mode, use the "Configure slow-link mode" policy setting.
If you enable this policy setting, you can control when Windows synchronizes in the background while operating in slow-link mode. Use the 'Sync Interval' and 'Sync Variance' values to override the default sync interval and variance settings. Use 'Blockout Start Time' and 'Blockout Duration' to set a period of time where background sync is disabled. Use the 'Maximum Allowed Time Without A Sync' value to ensure that all network folders on the machine are synchronized with the server on a regular basis.
@@ -499,7 +499,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting limits the amount of disk space that can be used to store offline files. This includes the space used by automatically cached files and files that are specifically made available offline. Files can be automatically cached if the user accesses a file on an automatic caching network share.
+Available in the latest Windows 10 Insider Preview Build. This policy setting limits the amount of disk space that can be used to store offline files. This includes the space used by automatically cached files and files that are specifically made available offline. Files can be automatically cached if the user accesses a file on an automatic caching network share.
This setting also disables the ability to adjust, through the Offline Files control panel applet, the disk space limits on the Offline Files cache. This prevents users from trying to change the option while a policy setting controls it.
@@ -580,7 +580,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files.
This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it.
@@ -664,7 +664,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files.
This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it.
@@ -748,7 +748,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. Limits the percentage of the computer's disk space that can be used to store automatically cached offline files.
+Available in the latest Windows 10 Insider Preview Build. Limits the percentage of the computer's disk space that can be used to store automatically cached offline files.
This setting also disables the "Amount of disk space to use for temporary offline files" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it.
@@ -828,7 +828,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185.This policy setting determines whether the Offline Files feature is enabled. Offline Files saves a copy of network files on the user's computer for use when the computer is not connected to the network.
+Available in the latest Windows 10 Insider Preview Build.This policy setting determines whether the Offline Files feature is enabled. Offline Files saves a copy of network files on the user's computer for use when the computer is not connected to the network.
If you enable this policy setting, Offline Files is enabled and users cannot disable it.
@@ -902,7 +902,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether offline files are encrypted.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are encrypted.
Offline files are locally cached copies of files from a network share. Encrypting this cache reduces the likelihood that a user could access files from the Offline Files cache without proper permissions.
@@ -979,7 +979,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines which events the Offline Files feature records in the event log.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines which events the Offline Files feature records in the event log.
Offline Files records events in the Application log in Event Viewer when it detects errors. By default, Offline Files records an event only when the offline files storage cache is corrupted. However, you can use this setting to specify additional events you want Offline Files to record.
@@ -1059,7 +1059,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines which events the Offline Files feature records in the event log.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines which events the Offline Files feature records in the event log.
Offline Files records events in the Application log in Event Viewer when it detects errors. By default, Offline Files records an event only when the offline files storage cache is corrupted. However, you can use this setting to specify additional events you want Offline Files to record.
@@ -1139,7 +1139,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting enables administrators to block certain file types from being created in the folders that have been made available offline.
+Available in the latest Windows 10 Insider Preview Build. This policy setting enables administrators to block certain file types from being created in the folders that have been made available offline.
If you enable this policy setting, a user will be unable to create files with the specified file extensions in any of the folders that have been made available offline.
@@ -1208,7 +1208,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. Lists types of files that cannot be used offline.
+Available in the latest Windows 10 Insider Preview Build. Lists types of files that cannot be used offline.
This setting lets you exclude certain types of files from automatic and manual caching for offline use. The system does not cache files of the type specified in this setting even when they reside on a network share configured for automatic caching. Also, if users try to make a file of this type available offline, the operation will fail and the following message will be displayed in the Synchronization Manager progress dialog box: "Files of this type cannot be made available offline."
@@ -1282,7 +1282,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files.
This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it.
@@ -1366,7 +1366,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files.
This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it.
@@ -1450,7 +1450,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting disables the Offline Files folder.
+Available in the latest Windows 10 Insider Preview Build. This policy setting disables the Offline Files folder.
This setting disables the "View Files" button on the Offline Files tab. As a result, users cannot use the Offline Files folder to view or open copies of network files stored on their computer. Also, they cannot use the folder to view characteristics of offline files, such as their server status, type, or location.
@@ -1524,7 +1524,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting disables the Offline Files folder.
+Available in the latest Windows 10 Insider Preview Build. This policy setting disables the Offline Files folder.
This setting disables the "View Files" button on the Offline Files tab. As a result, users cannot use the Offline Files folder to view or open copies of network files stored on their computer. Also, they cannot use the folder to view characteristics of offline files, such as their server status, type, or location.
@@ -1598,7 +1598,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from enabling, disabling, or changing the configuration of Offline Files.
+Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from enabling, disabling, or changing the configuration of Offline Files.
This setting removes the Offline Files tab from the Folder Options dialog box. It also removes the Settings item from the Offline Files context menu and disables the Settings button on the Offline Files Status dialog box. As a result, users cannot view or change the options on the Offline Files tab or Offline Files dialog box.
@@ -1672,7 +1672,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from enabling, disabling, or changing the configuration of Offline Files.
+Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from enabling, disabling, or changing the configuration of Offline Files.
This setting removes the Offline Files tab from the Folder Options dialog box. It also removes the Settings item from the Offline Files context menu and disables the Settings button on the Offline Files Status dialog box. As a result, users cannot view or change the options on the Offline Files tab or Offline Files dialog box.
@@ -1746,7 +1746,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from making network files and folders available offline.
+Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from making network files and folders available offline.
If you enable this policy setting, users cannot designate files to be saved on their computer for offline use. However, Windows will still cache local copies of files that reside on network shares designated for automatic caching.
@@ -1819,7 +1819,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from making network files and folders available offline.
+Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from making network files and folders available offline.
If you enable this policy setting, users cannot designate files to be saved on their computer for offline use. However, Windows will still cache local copies of files that reside on network shares designated for automatic caching.
@@ -1892,7 +1892,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" command.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" command.
If you enable this policy setting, the "Make Available Offline" command is not available for the files and folders that you list. To specify these files and folders, click Show. In the Show Contents dialog box, in the Value Name column box, type the fully qualified UNC path to the file or folder. Leave the Value column field blank.
@@ -1969,7 +1969,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" command.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" command.
If you enable this policy setting, the "Make Available Offline" command is not available for the files and folders that you list. To specify these files and folders, click Show. In the Show Contents dialog box, in the Value Name column box, type the fully qualified UNC path to the file or folder. Leave the Value column field blank.
@@ -2046,7 +2046,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. Hides or displays reminder balloons, and prevents users from changing the setting.
+Available in the latest Windows 10 Insider Preview Build. Hides or displays reminder balloons, and prevents users from changing the setting.
Reminder balloons appear above the Offline Files icon in the notification area to notify users when they have lost the connection to a networked file and are working on a local copy of the file. Users can then decide how to proceed.
@@ -2126,7 +2126,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. Hides or displays reminder balloons, and prevents users from changing the setting.
+Available in the latest Windows 10 Insider Preview Build. Hides or displays reminder balloons, and prevents users from changing the setting.
Reminder balloons appear above the Offline Files icon in the notification area to notify users when they have lost the connection to a networked file and are working on a local copy of the file. Users can then decide how to proceed.
@@ -2206,7 +2206,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting controls whether files read from file shares over a slow network are transparently cached in the Offline Files cache for future reads. When a user tries to access a file that has been transparently cached, Windows reads from the cached copy after verifying its integrity. This improves end-user response times and decreases bandwidth consumption over WAN links.
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether files read from file shares over a slow network are transparently cached in the Offline Files cache for future reads. When a user tries to access a file that has been transparently cached, Windows reads from the cached copy after verifying its integrity. This improves end-user response times and decreases bandwidth consumption over WAN links.
The cached files are temporary and are not available to the user when offline. The cached files are not kept in sync with the version on the server, and the most current version from the server is always available for subsequent reads.
@@ -2279,7 +2279,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting makes subfolders available offline whenever their parent folder is made available offline.
+Available in the latest Windows 10 Insider Preview Build. This policy setting makes subfolders available offline whenever their parent folder is made available offline.
This setting automatically extends the "make available offline" setting to all new and existing subfolders of a folder. Users do not have the option of excluding subfolders.
@@ -2350,7 +2350,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting deletes local copies of the user's offline files when the user logs off.
+Available in the latest Windows 10 Insider Preview Build. This policy setting deletes local copies of the user's offline files when the user logs off.
This setting specifies that automatically and manually cached offline files are retained only while the user is logged on to the computer. When the user logs off, the system deletes all local copies of offline files.
@@ -2422,7 +2422,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to turn on economical application of administratively assigned Offline Files.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on economical application of administratively assigned Offline Files.
If you enable or do not configure this policy setting, only new files and folders in administratively assigned folders are synchronized at logon. Files and folders that are already available offline are skipped and are synchronized later.
@@ -2491,7 +2491,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines how often reminder balloon updates appear.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines how often reminder balloon updates appear.
If you enable this setting, you can select how often reminder balloons updates appear and also prevent users from changing this setting.
@@ -2565,7 +2565,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines how often reminder balloon updates appear.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines how often reminder balloon updates appear.
If you enable this setting, you can select how often reminder balloons updates appear and also prevent users from changing this setting.
@@ -2639,7 +2639,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines how long the first reminder balloon for a network status change is displayed.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines how long the first reminder balloon for a network status change is displayed.
Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the first reminder.
@@ -2708,7 +2708,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines how long the first reminder balloon for a network status change is displayed.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines how long the first reminder balloon for a network status change is displayed.
Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the first reminder.
@@ -2777,7 +2777,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines how long updated reminder balloons are displayed.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines how long updated reminder balloons are displayed.
Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the update reminder.
@@ -2846,7 +2846,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines how long updated reminder balloons are displayed.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines how long updated reminder balloons are displayed.
Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, updates appear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the update reminder.
@@ -2915,7 +2915,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting controls the network latency and throughput thresholds that will cause a client computers to transition files and folders that are already available offline to the slow-link mode so that the user's access to this data is not degraded due to network slowness. When Offline Files is operating in the slow-link mode, all network file requests are satisfied from the Offline Files cache. This is similar to a user working offline.
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the network latency and throughput thresholds that will cause a client computers to transition files and folders that are already available offline to the slow-link mode so that the user's access to this data is not degraded due to network slowness. When Offline Files is operating in the slow-link mode, all network file requests are satisfied from the Offline Files cache. This is similar to a user working offline.
If you enable this policy setting, Offline Files uses the slow-link mode if the network throughput between the client and the server is below (slower than) the Throughput threshold parameter, or if the round-trip network latency is above (slower than) the Latency threshold parameter.
@@ -2994,7 +2994,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the threshold value at which Offline Files considers a network connection to be "slow". Any network speed below this value is considered to be slow.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the threshold value at which Offline Files considers a network connection to be "slow". Any network speed below this value is considered to be slow.
When a connection is considered slow, Offline Files automatically adjust its behavior to avoid excessive synchronization traffic and will not automatically reconnect to a server when the presence of a server is detected.
@@ -3068,7 +3068,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether offline files are fully synchronized when users log off.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are fully synchronized when users log off.
This setting also disables the "Synchronize all offline files before logging off" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it.
@@ -3146,7 +3146,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether offline files are fully synchronized when users log off.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are fully synchronized when users log off.
This setting also disables the "Synchronize all offline files before logging off" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it.
@@ -3224,7 +3224,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether offline files are fully synchronized when users log on.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are fully synchronized when users log on.
This setting also disables the "Synchronize all offline files before logging on" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it.
@@ -3304,7 +3304,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether offline files are fully synchronized when users log on.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are fully synchronized when users log on.
This setting also disables the "Synchronize all offline files before logging on" option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it.
@@ -3382,7 +3382,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether offline files are synchronized before a computer is suspended.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are synchronized before a computer is suspended.
If you enable this setting, offline files are synchronized whenever the computer is suspended. Setting the synchronization action to "Quick" ensures only that all files in the cache are complete. Setting the synchronization action to "Full" ensures that all cached files and folders are up-to-date with the most current version.
@@ -3454,7 +3454,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether offline files are synchronized before a computer is suspended.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are synchronized before a computer is suspended.
If you enable this setting, offline files are synchronized whenever the computer is suspended. Setting the synchronization action to "Quick" ensures only that all files in the cache are complete. Setting the synchronization action to "Full" ensures that all cached files and folders are up-to-date with the most current version.
@@ -3526,7 +3526,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether offline files are synchronized in the background when it could result in extra charges on cell phone or broadband plans.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether offline files are synchronized in the background when it could result in extra charges on cell phone or broadband plans.
If you enable this setting, synchronization can occur in the background when the user's network is roaming, near, or over the plan's data limit. This may result in extra charges on cell phone or broadband plans.
@@ -3595,7 +3595,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting removes the "Work offline" command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode.
+Available in the latest Windows 10 Insider Preview Build. This policy setting removes the "Work offline" command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode.
If you enable this policy setting, the "Work offline" command is not displayed in File Explorer.
@@ -3664,7 +3664,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting removes the "Work offline" command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode.
+Available in the latest Windows 10 Insider Preview Build. This policy setting removes the "Work offline" command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode.
If you enable this policy setting, the "Work offline" command is not displayed in File Explorer.
@@ -3691,14 +3691,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md
index 426fcbe069..ed16a33a35 100644
--- a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md
+++ b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md
@@ -97,7 +97,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether BranchCache is enabled on client computers to which this policy is applied. In addition to this policy setting, you must specify whether the client computers are hosted cache mode or distributed cache mode clients. To do so, configure one of the following the policy settings:
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether BranchCache is enabled on client computers to which this policy is applied. In addition to this policy setting, you must specify whether the client computers are hosted cache mode or distributed cache mode clients. To do so, configure one of the following the policy settings:
- Set BranchCache Distributed Cache mode
- Set BranchCache Hosted Cache mode
@@ -177,7 +177,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether BranchCache distributed cache mode is enabled on client computers to which this policy is applied. In addition to this policy, you must use the policy "Turn on BranchCache" to enable BranchCache on client computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether BranchCache distributed cache mode is enabled on client computers to which this policy is applied. In addition to this policy, you must use the policy "Turn on BranchCache" to enable BranchCache on client computers.
In distributed cache mode, client computers download content from BranchCache-enabled main office content servers, cache the content locally, and serve the content to other BranchCache distributed cache mode clients in the branch office.
@@ -255,7 +255,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether BranchCache hosted cache mode is enabled on client computers to which this policy is applied. In addition to this policy, you must use the policy "Turn on BranchCache" to enable BranchCache on client computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether BranchCache hosted cache mode is enabled on client computers to which this policy is applied. In addition to this policy, you must use the policy "Turn on BranchCache" to enable BranchCache on client computers.
When a client computer is configured as a hosted cache mode client, it is able to download cached content from a hosted cache server that is located at the branch office. In addition, when the hosted cache client obtains content from a content server, the client can upload the content to the hosted cache server for access by other hosted cache clients at the branch office.
@@ -339,7 +339,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether client computers should attempt the automatic configuration of hosted cache mode by searching for hosted cache servers publishing service connection points that are associated with the client's current Active Directory site. If you enable this policy setting, client computers to which the policy setting is applied search for hosted cache servers using Active Directory, and will prefer both these servers and hosted cache mode rather than manual BranchCache configuration or BranchCache configuration by other group policies.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether client computers should attempt the automatic configuration of hosted cache mode by searching for hosted cache servers publishing service connection points that are associated with the client's current Active Directory site. If you enable this policy setting, client computers to which the policy setting is applied search for hosted cache servers using Active Directory, and will prefer both these servers and hosted cache mode rather than manual BranchCache configuration or BranchCache configuration by other group policies.
If you enable this policy setting in addition to the "Turn on BranchCache" policy setting, BranchCache clients attempt to discover hosted cache servers in the local branch office. If client computers detect hosted cache servers, hosted cache mode is turned on. If they do not detect hosted cache servers, hosted cache mode is not turned on, and the client uses any other configuration that is specified manually or by Group Policy.
@@ -426,7 +426,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether client computers are configured to use hosted cache mode and provides the computer name of the hosted cache servers that are available to the client computers. Hosted cache mode enables client computers in branch offices to retrieve content from one or more hosted cache servers that are installed in the same office location. You can use this setting to automatically configure client computers that are configured for hosted cache mode with the computer names of the hosted cache servers in the branch office.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether client computers are configured to use hosted cache mode and provides the computer name of the hosted cache servers that are available to the client computers. Hosted cache mode enables client computers in branch offices to retrieve content from one or more hosted cache servers that are installed in the same office location. You can use this setting to automatically configure client computers that are configured for hosted cache mode with the computer names of the hosted cache servers in the branch office.
If you enable this policy setting and specify valid computer names of hosted cache servers, hosted cache mode is enabled for all client computers to which the policy setting is applied. For this policy setting to take effect, you must also enable the "Turn on BranchCache" policy setting.
@@ -509,7 +509,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting is used only when you have deployed one or more BranchCache-enabled file servers at your main office. This policy setting specifies when client computers in branch offices start caching content from file servers based on the network latency - or delay - that occurs when the clients download content from the main office over a Wide Area Network (WAN) link. When you configure a value for this setting, which is the maximum round trip network latency allowed before caching begins, clients do not cache content until the network latency reaches the specified value; when network latency is greater than the value, clients begin caching content after they receive it from the file servers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting is used only when you have deployed one or more BranchCache-enabled file servers at your main office. This policy setting specifies when client computers in branch offices start caching content from file servers based on the network latency - or delay - that occurs when the clients download content from the main office over a Wide Area Network (WAN) link. When you configure a value for this setting, which is the maximum round trip network latency allowed before caching begins, clients do not cache content until the network latency reaches the specified value; when network latency is greater than the value, clients begin caching content after they receive it from the file servers.
Policy configuration
@@ -586,7 +586,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the default percentage of total disk space that is allocated for the BranchCache disk cache on client computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the default percentage of total disk space that is allocated for the BranchCache disk cache on client computers.
If you enable this policy setting, you can configure the percentage of total disk space to allocate for the cache.
@@ -670,7 +670,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the default age in days for which segments are valid in the BranchCache data cache on client computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the default age in days for which segments are valid in the BranchCache data cache on client computers.
If you enable this policy setting, you can configure the age for segments in the data cache.
@@ -751,7 +751,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether BranchCache-capable client computers operate in a downgraded mode in order to maintain compatibility with previous versions of BranchCache. If client computers do not use the same BranchCache version, cache efficiency might be reduced because client computers that are using different versions of BranchCache might store cache data in incompatible formats.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether BranchCache-capable client computers operate in a downgraded mode in order to maintain compatibility with previous versions of BranchCache. If client computers do not use the same BranchCache version, cache efficiency might be reduced because client computers that are using different versions of BranchCache might store cache data in incompatible formats.
If you enable this policy setting, all clients use the version of BranchCache that you specify in "Select from the following versions."
@@ -793,13 +793,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md
index f02fb046cc..0e39a89004 100644
--- a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md
+++ b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md
@@ -83,7 +83,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines the execution level for Windows Boot Performance Diagnostics.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines the execution level for Windows Boot Performance Diagnostics.
If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Boot Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Boot Performance problems and indicate to the user that assisted resolution is available.
@@ -160,7 +160,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. Determines the execution level for Windows Standby/Resume Performance Diagnostics.
+Available in the latest Windows 10 Insider Preview Build. Determines the execution level for Windows Standby/Resume Performance Diagnostics.
If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Standby/Resume Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Standby/Resume Performance problems and indicate to the user that assisted resolution is available.
@@ -237,7 +237,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines the execution level for Windows Shutdown Performance Diagnostics.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines the execution level for Windows Shutdown Performance Diagnostics.
If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Shutdown Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Shutdown Performance problems and indicate to the user that assisted resolution is available.
@@ -314,7 +314,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. Determines the execution level for Windows Standby/Resume Performance Diagnostics.
+Available in the latest Windows 10 Insider Preview Build. Determines the execution level for Windows Standby/Resume Performance Diagnostics.
If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) will detect Windows Standby/Resume Performance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected, but no corrective action will be taken. If you select detection, troubleshooting and resolution, the DPS will detect Windows Standby/Resume Performance problems and indicate to the user that assisted resolution is available.
@@ -349,14 +349,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-power.md b/windows/client-management/mdm/policy-csp-admx-power.md
new file mode 100644
index 0000000000..3d1a58a8f1
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-power.md
@@ -0,0 +1,1882 @@
+---
+title: Policy CSP - ADMX_Power
+description: Policy CSP - ADMX_Power
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 12/22/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_Power
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_Power policies
+
+
+
+
+
+
+
+
+**ADMX_Power/ACConnectivityInStandby_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems.
+
+If you enable this policy setting, network connectivity will be maintained in standby.
+
+If you disable this policy setting, network connectivity in standby is not guaranteed. This connectivity restriction currently applies to WLAN networks only, and is subject to change.
+
+If you do not configure this policy setting, users control this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow network connectivity during connected-standby (plugged in)*
+- GP name: *ACConnectivityInStandby_2*
+- GP path: *System\Power Management\Sleep Settings*
+- GP ADMX file name: *Power.admx*
+
+
+
+
+
+
+**ADMX_Power/ACCriticalSleepTransitionsDisable_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping.
+
+If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, or Hibernate).
+
+If you disable or do not configure this policy setting, users control this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn on the ability for applications to prevent sleep transitions (plugged in)*
+- GP name: *ACCriticalSleepTransitionsDisable_2*
+- GP path: *System\Power Management\Sleep Settings*
+- GP ADMX file name: *Power.admx*
+
+
+
+
+
+
+**ADMX_Power/ACStartMenuButtonAction_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the action that Windows takes when a user presses the Start menu Power button.
+
+If you enable this policy setting, select one of the following actions:
+
+- Sleep
+- Hibernate
+- Shut down
+
+If you disable this policy or do not configure this policy setting, users control this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Select the Start menu Power button action (plugged in)*
+- GP name: *ACStartMenuButtonAction_2*
+- GP path: *System\Power Management\Button Settings*
+- GP ADMX file name: *Power.admx*
+
+
+
+
+
+
+**ADMX_Power/AllowSystemPowerRequestAC**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows applications and services to prevent automatic sleep.
+
+If you enable this policy setting, any application, service, or device driver prevents Windows from automatically transitioning to sleep after a period of user inactivity.
+
+If you disable or do not configure this policy setting, applications, services, or drivers do not prevent Windows from automatically transitioning to sleep. Only user input is used to determine if Windows should automatically sleep.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow applications to prevent automatic sleep (plugged in)*
+- GP name: *AllowSystemPowerRequestAC*
+- GP path: *System\Power Management\Sleep Settings*
+- GP ADMX file name: *Power.admx*
+
+
+
+
+
+
+**ADMX_Power/AllowSystemPowerRequestDC**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows applications and services to prevent automatic sleep.
+
+If you enable this policy setting, any application, service, or device driver prevents Windows from automatically transitioning to sleep after a period of user inactivity.
+
+If you disable or do not configure this policy setting, applications, services, or drivers do not prevent Windows from automatically transitioning to sleep. Only user input is used to determine if Windows should automatically sleep.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow applications to prevent automatic sleep (on battery)*
+- GP name: *AllowSystemPowerRequestDC*
+- GP path: *System\Power Management\Sleep Settings*
+- GP ADMX file name: *Power.admx*
+
+
+
+
+
+
+**ADMX_Power/AllowSystemSleepWithRemoteFilesOpenAC**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage automatic sleep with open network files.
+
+If you enable this policy setting, the computer automatically sleeps when network files are open.
+
+If you disable or do not configure this policy setting, the computer does not automatically sleep when network files are open.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow automatic sleep with Open Network Files (plugged in)*
+- GP name: *AllowSystemSleepWithRemoteFilesOpenAC*
+- GP path: *System\Power Management\Sleep Settings*
+- GP ADMX file name: *Power.admx*
+
+
+
+
+
+
+**ADMX_Power/AllowSystemSleepWithRemoteFilesOpenDC**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage automatic sleep with open network files.
+
+If you enable this policy setting, the computer automatically sleeps when network files are open.
+
+If you disable or do not configure this policy setting, the computer does not automatically sleep when network files are open.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow automatic sleep with Open Network Files (on battery)*
+- GP name: *AllowSystemSleepWithRemoteFilesOpenDC*
+- GP path: *System\Power Management\Sleep Settings*
+- GP ADMX file name: *Power.admx*
+
+
+
+
+
+
+**ADMX_Power/CustomActiveSchemeOverride_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the active power plan from a specified power plan’s GUID. The GUID for a custom power plan GUID can be retrieved by using powercfg, the power configuration command line tool.
+
+If you enable this policy setting, you must specify a power plan, specified as a GUID using the following format: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (For example, 103eea6e-9fcd-4544-a713-c282d8e50083), indicating the power plan to be active.
+
+If you disable or do not configure this policy setting, users can see and change this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Specify a custom active power plan*
+- GP name: *CustomActiveSchemeOverride_2*
+- GP path: *System\Power Management*
+- GP ADMX file name: *Power.admx*
+
+
+
+
+
+
+**ADMX_Power/DCBatteryDischargeAction0_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the action that Windows takes when battery capacity reaches the critical battery notification level.
+
+If you enable this policy setting, select one of the following actions:
+
+- Take no action
+- Sleep
+- Hibernate
+- Shut down
+
+If you disable or do not configure this policy setting, users control this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Critical battery notification action*
+- GP name: *DCBatteryDischargeAction0_2*
+- GP path: *System\Power Management\Notification Settings*
+- GP ADMX file name: *Power.admx*
+
+
+
+
+
+
+**ADMX_Power/DCBatteryDischargeAction1_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the action that Windows takes when battery capacity reaches the low battery notification level.
+
+If you enable this policy setting, select one of the following actions:
+
+- Take no action
+- Sleep
+- Hibernate
+- Shut down
+
+If you disable or do not configure this policy setting, users control this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Low battery notification action*
+- GP name: *DCBatteryDischargeAction1_2*
+- GP path: *System\Power Management\Notification Settings*
+- GP ADMX file name: *Power.admx*
+
+
+
+
+
+
+**ADMX_Power/DCBatteryDischargeLevel0_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the percentage of battery capacity remaining that triggers the critical battery notification action.
+
+If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the critical notification.
+
+To set the action that is triggered, see the "Critical Battery Notification Action" policy setting.
+
+If you disable this policy setting or do not configure it, users control this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Critical battery notification level*
+- GP name: *DCBatteryDischargeLevel0_2*
+- GP path: *System\Power Management\Notification Settings*
+- GP ADMX file name: *Power.admx*
+
+
+
+
+
+
+**ADMX_Power/DCBatteryDischargeLevel1UINotification_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the user notification when the battery capacity remaining equals the low battery notification level.
+
+If you enable this policy setting, Windows shows a notification when the battery capacity remaining equals the low battery notification level.
+
+To configure the low battery notification level, see the "Low Battery Notification Level" policy setting.
+
+The notification will only be shown if the "Low Battery Notification Action" policy setting is configured to "No Action".
+
+If you disable or do not configure this policy setting, users can control this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off low battery user notification*
+- GP name: *DCBatteryDischargeLevel1UINotification_2*
+- GP path: *System\Power Management\Notification Settings*
+- GP ADMX file name: *Power.admx*
+
+
+
+
+
+
+**ADMX_Power/DCBatteryDischargeLevel1_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the percentage of battery capacity remaining that triggers the low battery notification action.
+
+If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the low notification.
+
+To set the action that is triggered, see the "Low Battery Notification Action" policy setting.
+
+If you disable this policy setting or do not configure it, users control this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Low battery notification level*
+- GP name: *DCBatteryDischargeLevel1_2*
+- GP path: *System\Power Management\Notification Settings*
+- GP ADMX file name: *Power.admx*
+
+
+
+
+
+
+**ADMX_Power/DCConnectivityInStandby_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems.
+
+If you enable this policy setting, network connectivity will be maintained in standby.
+
+If you disable this policy setting, network connectivity in standby is not guaranteed. This connectivity restriction currently applies to WLAN networks only, and is subject to change.
+
+If you do not configure this policy setting, users control this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow network connectivity during connected-standby (on battery)*
+- GP name: *DCConnectivityInStandby_2*
+- GP path: *System\Power Management\Sleep Settings*
+- GP ADMX file name: *Power.admx*
+
+
+
+
+
+
+**ADMX_Power/DCCriticalSleepTransitionsDisable_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping.
+
+If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, or Hibernate).
+
+If you disable or do not configure this policy setting, users control this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn on the ability for applications to prevent sleep transitions (on battery)*
+- GP name: *DCCriticalSleepTransitionsDisable_2*
+- GP path: *System\Power Management\Sleep Settings*
+- GP ADMX file name: *Power.admx*
+
+
+
+
+
+
+**ADMX_Power/DCStartMenuButtonAction_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the action that Windows takes when a user presses the Start menu Power button.
+
+If you enable this policy setting, select one of the following actions:
+
+- Sleep
+- Hibernate
+- Shut down
+
+If you disable this policy or do not configure this policy setting, users control this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Select the Start menu Power button action (on battery)*
+- GP name: *DCStartMenuButtonAction_2*
+- GP path: *System\Power Management\Button Settings*
+- GP ADMX file name: *Power.admx*
+
+
+
+
+
+
+**ADMX_Power/DiskACPowerDownTimeOut_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the period of inactivity before Windows turns off the hard disk.
+
+If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the hard disk.
+
+If you disable or do not configure this policy setting, users can see and change this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn Off the hard disk (plugged in)*
+- GP name: *DiskACPowerDownTimeOut_2*
+- GP path: *System\Power Management\Hard Disk Settings*
+- GP ADMX file name: *Power.admx*
+
+
+
+
+
+
+**ADMX_Power/DiskDCPowerDownTimeOut_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the period of inactivity before Windows turns off the hard disk.
+
+If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the hard disk.
+
+If you disable or do not configure this policy setting, users can see and change this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn Off the hard disk (on battery)*
+- GP name: *DiskDCPowerDownTimeOut_2*
+- GP path: *System\Power Management\Hard Disk Settings*
+- GP ADMX file name: *Power.admx*
+
+
+
+
+
+
+**ADMX_Power/Dont_PowerOff_AfterShutdown**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure whether power is automatically turned off when Windows shutdown completes.
+
+This setting does not affect Windows shutdown behavior when shutdown is manually selected using the Start menu or Task Manager user interfaces.
+
+Applications such as UPS software may rely on Windows shutdown behavior.
+
+This setting is only applicable when Windows shutdown is initiated by software programs invoking the Windows programming interfaces ExitWindowsEx() or InitiateSystemShutdown().
+
+If you enable this policy setting, the computer system safely shuts down and remains in a powered state, ready for power to be safely removed.
+
+If you disable or do not configure this policy setting, the computer system safely shuts down to a fully powered-off state.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not turn off system power after a Windows system shutdown has occurred.*
+- GP name: *Dont_PowerOff_AfterShutdown*
+- GP path: *System*
+- GP ADMX file name: *Power.admx*
+
+
+
+
+
+
+**ADMX_Power/EnableDesktopSlideShowAC**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify if Windows should enable the desktop background slideshow.
+
+If you enable this policy setting, desktop background slideshow is enabled.
+
+If you disable this policy setting, the desktop background slideshow is disabled.
+
+If you disable or do not configure this policy setting, users control this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn on desktop background slideshow (plugged in)*
+- GP name: *EnableDesktopSlideShowAC*
+- GP path: *System\Power Management\Video and Display Settings*
+- GP ADMX file name: *Power.admx*
+
+
+
+
+
+
+**ADMX_Power/EnableDesktopSlideShowDC**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify if Windows should enable the desktop background slideshow.
+
+If you enable this policy setting, desktop background slideshow is enabled.
+
+If you disable this policy setting, the desktop background slideshow is disabled.
+
+If you disable or do not configure this policy setting, users control this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn on desktop background slideshow (on battery)*
+- GP name: *EnableDesktopSlideShowDC*
+- GP path: *System\Power Management\Video and Display Settings*
+- GP ADMX file name: *Power.admx*
+
+
+
+
+
+
+**ADMX_Power/InboxActiveSchemeOverride_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the active power plan from a list of default Windows power plans. To specify a custom power plan, use the Custom Active Power Plan setting.
+
+If you enable this policy setting, specify a power plan from the Active Power Plan list.
+
+If you disable or do not configure this policy setting, users control this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Select an active power plan*
+- GP name: *InboxActiveSchemeOverride_2*
+- GP path: *System\Power Management*
+- GP ADMX file name: *Power.admx*
+
+
+
+
+
+
+**ADMX_Power/PW_PromptPasswordOnResume**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure client computers to lock and prompt for a password when resuming from a hibernate or suspend state.
+
+If you enable this policy setting, the client computer is locked and prompted for a password when it is resumed from a suspend or hibernate state.
+
+If you disable or do not configure this policy setting, users control if their computer is automatically locked or not after performing a resume operation.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prompt for password on resume from hibernate/suspend*
+- GP name: *PW_PromptPasswordOnResume*
+- GP path: *System\Power Management*
+- GP ADMX file name: *Power.admx*
+
+
+
+
+
+
+**ADMX_Power/PowerThrottlingTurnOff**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off Power Throttling.
+
+If you enable this policy setting, Power Throttling will be turned off.
+
+If you disable or do not configure this policy setting, users control this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Power Throttling*
+- GP name: *PowerThrottlingTurnOff*
+- GP path: *System\Power Management\Power Throttling Settings*
+- GP ADMX file name: *Power.admx*
+
+
+
+
+
+
+**ADMX_Power/ReserveBatteryNotificationLevel**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the percentage of battery capacity remaining that triggers the reserve power mode.
+
+If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the reserve power notification.
+
+If you disable or do not configure this policy setting, users can see and change this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Reserve battery notification level*
+- GP name: *ReserveBatteryNotificationLevel*
+- GP path: *System\Power Management\Notification Settings*
+- GP ADMX file name: *Power.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md
new file mode 100644
index 0000000000..5880faae13
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md
@@ -0,0 +1,352 @@
+---
+title: Policy CSP - ADMX_PowerShellExecutionPolicy
+description: Policy CSP - ADMX_PowerShellExecutionPolicy
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 10/26/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_PowerShellExecutionPolicy
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_PowerShellExecutionPolicy policies
+
+
+
+
+
+
+
+
+**ADMX_PowerShellExecutionPolicy/EnableModuleLogging**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on logging for Windows PowerShell modules.
+
+If you enable this policy setting, pipeline execution events for members of the specified modules are recorded in the Windows PowerShell log in Event Viewer. Enabling this policy setting for a module is equivalent to setting the LogPipelineExecutionDetails property of the module to True.
+
+If you disable this policy setting, logging of execution events is disabled for all Windows PowerShell modules. Disabling this policy setting for a module is equivalent to setting the LogPipelineExecutionDetails property of the module to False. If this policy setting is not configured, the LogPipelineExecutionDetails property of a module or snap-in determines whether the execution events of a module or snap-in are logged. By default, the LogPipelineExecutionDetails property of all modules and snap-ins is set to False.
+
+To add modules and snap-ins to the policy setting list, click Show, and then type the module names in the list. The modules and snap-ins in the list must be installed on the computer.
+
+> [!NOTE]
+> This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn on Module Logging*
+- GP name: *EnableModuleLogging*
+- GP path: *Windows Components\Windows PowerShell*
+- GP ADMX file name: *PowerShellExecutionPolicy.admx*
+
+
+
+
+
+
+**ADMX_PowerShellExecutionPolicy/EnableScripts**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting lets you configure the script execution policy, controlling which scripts are allowed to run.
+
+If you enable this policy setting, the scripts selected in the drop-down list are allowed to run. The "Allow only signed scripts" policy setting allows scripts to execute only if they are signed by a trusted publisher.
+
+The "Allow local scripts and remote signed scripts" policy setting allows any local scripts to run; scripts that originate from the Internet must be signed by a trusted publisher. The "Allow all scripts" policy setting allows all scripts to run.
+
+If you disable this policy setting, no scripts are allowed to run.
+
+> [!NOTE]
+> This policy setting exists under both "Computer Configuration" and "User Configuration" in the Local Group Policy Editor. The "Computer Configuration" has precedence over "User Configuration." If you disable or do not configure this policy setting, it reverts to a per-machine preference setting; the default if that is not configured is "No scripts allowed."
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn on Script Execution*
+- GP name: *EnableScripts*
+- GP path: *Windows Components\Windows PowerShell*
+- GP ADMX file name: *PowerShellExecutionPolicy.admx*
+
+
+
+
+
+
+**ADMX_PowerShellExecutionPolicy/EnableTranscripting**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts.
+
+If you enable this policy setting, Windows PowerShell will enable transcripting for Windows PowerShell, the Windows PowerShell ISE, and any other applications that leverage the Windows PowerShell engine. By default, Windows PowerShell will record transcript output to each users' My Documents directory, with a file name that includes 'PowerShell_transcript', along with the computer name and time started. Enabling this policy is equivalent to calling the Start-Transcript cmdlet on each Windows PowerShell session.
+
+If you disable this policy setting, transcripting of PowerShell-based applications is disabled by default, although transcripting can still be enabled through the Start-Transcript cmdlet.
+
+If you use the OutputDirectory setting to enable transcript logging to a shared location, be sure to limit access to that directory to prevent users from viewing the transcripts of other users or computers.
+
+> [!NOTE]
+> This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn on PowerShell Transcription*
+- GP name: *EnableTranscripting*
+- GP path: *Windows Components\Windows PowerShell*
+- GP ADMX file name: *PowerShellExecutionPolicy.admx*
+
+
+
+
+
+
+**ADMX_PowerShellExecutionPolicy/EnableUpdateHelpDefaultSourcePath**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to set the default value of the SourcePath parameter on the Update-Help cmdlet.
+
+If you enable this policy setting, the Update-Help cmdlet will use the specified value as the default value for the SourcePath parameter. This default value can be overridden by specifying a different value with the SourcePath parameter on the Update-Help cmdlet.
+
+If this policy setting is disabled or not configured, this policy setting does not set a default value for the SourcePath parameter of the Update-Help cmdlet.
+
+> [!NOTE]
+> This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Set the default source path for Update-Help*
+- GP name: *EnableUpdateHelpDefaultSourcePath*
+- GP path: *Windows Components\Windows PowerShell*
+- GP ADMX file name: *PowerShellExecutionPolicy.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-printing.md b/windows/client-management/mdm/policy-csp-admx-printing.md
new file mode 100644
index 0000000000..e97cb3df92
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-printing.md
@@ -0,0 +1,2028 @@
+---
+title: Policy CSP - ADMX_Printing
+description: Policy CSP - ADMX_Printing
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 12/15/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_Printing
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_Printing policies
+
+
+
+
+
+
+
+
+**ADMX_Printing/AllowWebPrinting**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Internet printing lets you display printers on Web pages so that printers can be viewed, managed, and used across the Internet or an intranet.
+
+If you enable this policy setting, Internet printing is activated on this server.
+
+If you disable this policy setting or do not configure it, Internet printing is not activated.
+
+Internet printing is an extension of Internet Information Services (IIS). To use Internet printing, IIS must be installed, and printing support and this setting must be enabled.
+
+> [!NOTE]
+> This setting affects the server side of Internet printing only. It does not prevent the print client on the computer from printing across the Internet.
+
+Also, see the "Custom support URL in the Printers folder's left pane" setting in this folder and the "Browse a common Web site to find printers" setting in User Configuration\Administrative Templates\Control Panel\Printers.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Activate Internet printing*
+- GP name: *AllowWebPrinting*
+- GP path: *Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
+
+**ADMX_Printing/ApplicationDriverIsolation**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Determines if print driver components are isolated from applications instead of normally loading them into applications. Isolating print drivers greatly reduces the risk of a print driver failure causing an application crash.
+
+Not all applications support driver isolation. By default, Microsoft Excel 2007, Excel 2010, Word 2007, Word 2010 and certain other applications are configured to support it. Other applications may also be capable of isolating print drivers, depending on whether they are configured for it.
+
+If you enable or do not configure this policy setting, then applications that are configured to support driver isolation will be isolated.
+
+If you disable this policy setting, then print drivers will be loaded within all associated application processes.
+
+> [!NOTE]
+> - This policy setting applies only to applications opted into isolation.
+> - This policy setting applies only to print drivers loaded by applications. Print drivers loaded by the print spooler are not affected.
+> - This policy setting is only checked once during the lifetime of a process. After changing the policy, a running application must be relaunched before settings take effect.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Isolate print drivers from applications*
+- GP name: *ApplicationDriverIsolation*
+- GP path: *Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
+
+**ADMX_Printing/CustomizedSupportUrl**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. By default, the Printers folder includes a link to the Microsoft Support Web page called "Get help with printing". It can also include a link to a Web page supplied by the vendor of the currently selected printer.
+
+If you enable this policy setting, you replace the "Get help with printing" default link with a link to a Web page customized for your enterprise.
+
+If you disable this setting or do not configure it, or if you do not enter an alternate Internet address, the default link will appear in the Printers folder.
+
+> [!NOTE]
+> Web pages links only appear in the Printers folder when Web view is enabled. If Web view is disabled, the setting has no effect. (To enable Web view, open the Printers folder, and, on the Tools menu, click Folder Options, click the General tab, and then click "Enable Web content in folders.")
+
+Also, see the "Activate Internet printing" setting in this setting folder and the "Browse a common web site to find printers" setting in User Configuration\Administrative Templates\Control Panel\Printers.
+
+Web view is affected by the "Turn on Classic Shell" and "Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon" settings in User Configuration\Administrative Templates\Windows Components\Windows Explorer, and by the "Enable Active Desktop" setting in User Configuration\Administrative Templates\Desktop\Active Desktop.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Custom support URL in the Printers folder's left pane*
+- GP name: *CustomizedSupportUrl*
+- GP path: *Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
+
+**ADMX_Printing/DoNotInstallCompatibleDriverFromWindowsUpdate**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage where client computers search for Point and Printer drivers.
+
+If you enable this policy setting, the client computer will continue to search for compatible Point and Print drivers from Windows Update after it fails to find the compatible driver from the local driver store and the server driver cache.
+
+If you disable this policy setting, the client computer will only search the local driver store and server driver cache for compatible Point and Print drivers. If it is unable to find a compatible driver, then the Point and Print connection will fail.
+
+This policy setting is not configured by default, and the behavior depends on the version of Windows that you are using.
+
+By default, Windows Ultimate, Professional and Home SKUs will continue to search for compatible Point and Print drivers from Windows Update, if needed. However, you must explicitly enable this policy setting for other versions of Windows (for example Windows Enterprise, and all versions of Windows Server 2008 R2 and later) to have the same behavior.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Extend Point and Print connection to search Windows Update*
+- GP name: *DoNotInstallCompatibleDriverFromWindowsUpdate*
+- GP path: *Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
+
+**ADMX_Printing/DomainPrinters**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. If you enable this policy setting, it sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on a managed network (when the computer is able to reach a domain controller, e.g. a domain-joined laptop on a corporate network.)
+
+If this policy setting is disabled, the network scan page will not be displayed.
+
+If this policy setting is not configured, the Add Printer wizard will display the default number of printers of each type:
+
+- Directory printers: 20
+- TCP/IP printers: 0
+- Web Services printers: 0
+- Bluetooth printers: 10
+- Shared printers: 0
+
+In order to view available Web Services printers on your network, ensure that network discovery is turned on. To turn on network discovery, click "Start", click "Control Panel", and then click "Network and Internet". On the "Network and Internet" page, click "Network and Sharing Center". On the Network and Sharing Center page, click "Change advanced sharing settings". On the Advanced sharing settings page, click the arrow next to "Domain" arrow, click "turn on network discovery", and then click "Save changes".
+
+If you would like to not display printers of a certain type, enable this policy and set the number of printers to display to 0.
+
+In Windows 10 and later, only TCP/IP printers can be shown in the wizard. If you enable this policy setting, only TCP/IP printer limits are applicable. On Windows 10 only, if you disable or do not configure this policy setting, the default limit is applied.
+
+In Windows 8 and later, Bluetooth printers are not shown so its limit does not apply to those versions of Windows.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Add Printer wizard - Network scan page (Managed network)*
+- GP name: *DomainPrinters*
+- GP path: *Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
+
+**ADMX_Printing/DownlevelBrowse**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Allows users to use the Add Printer Wizard to search the network for shared printers.
+
+If you enable this setting or do not configure it, when users choose to add a network printer by selecting the "A network printer, or a printer attached to another computer" radio button on Add Printer Wizard's page 2, and also check the "Connect to this printer (or to browse for a printer, select this option and click Next)" radio button on Add Printer Wizard's page 3, and do not specify a printer name in the adjacent "Name" edit box, then Add Printer Wizard displays the list of shared printers on the network and invites to choose a printer from the shown list.
+
+If you disable this setting, the network printer browse page is removed from within the Add Printer Wizard, and users cannot search the network but must type a printer name.
+
+> [!NOTE]
+> This setting affects the Add Printer Wizard only. It does not prevent users from using other programs to search for shared printers or to connect to network printers.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Browse the network to find printers*
+- GP name: *DownlevelBrowse*
+- GP path: *Control Panel\Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
+
+**ADMX_Printing/EMFDespooling**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. When printing through a print server, determines whether the print spooler on the client will process print jobs itself, or pass them on to the server to do the work.
+
+This policy setting only effects printing to a Windows print server.
+
+If you enable this policy setting on a client machine, the client spooler will not process print jobs before sending them to the print server. This decreases the workload on the client at the expense of increasing the load on the server.
+
+If you disable this policy setting on a client machine, the client itself will process print jobs into printer device commands. These commands will then be sent to the print server, and the server will simply pass the commands to the printer. This increases the workload of the client while decreasing the load on the server.
+
+If you do not enable this policy setting, the behavior is the same as disabling it.
+
+> [!NOTE]
+> This policy does not determine whether offline printing will be available to the client. The client print spooler can always queue print jobs when not connected to the print server. Upon reconnecting to the server, the client will submit any pending print jobs.
+>
+> Some printer drivers require a custom print processor. In some cases the custom print processor may not be installed on the client machine, such as when the print server does not support transferring print processors during point-and-print. In the case of a print processor mismatch, the client spooler will always send jobs to the print server for rendering. Disabling the above policy setting does not override this behavior.
+>
+> In cases where the client print driver does not match the server print driver (mismatched connection), the client will always process the print job, regardless of the setting of this policy.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Always render print jobs on the server*
+- GP name: *EMFDespooling*
+- GP path: *Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
+
+**ADMX_Printing/ForceSoftwareRasterization**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Determines whether the XPS Rasterization Service or the XPS-to-GDI conversion (XGC) is forced to use a software rasterizer instead of a Graphics Processing Unit (GPU) to rasterize pages.
+
+This setting may improve the performance of the XPS Rasterization Service or the XPS-to-GDI conversion (XGC) on machines that have a relatively powerful CPU as compared to the machine’s GPU.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Always rasterize content to be printed using a software rasterizer*
+- GP name: *ForceSoftwareRasterization*
+- GP path: *Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
+
+**ADMX_Printing/IntranetPrintersUrl**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Adds a link to an Internet or intranet Web page to the Add Printer Wizard.
+
+You can use this setting to direct users to a Web page from which they can install printers.
+
+If you enable this setting and type an Internet or intranet address in the text box, the system adds a Browse button to the "Specify a Printer" page in the Add Printer Wizard. The Browse button appears beside the "Connect to a printer on the Internet or on a home or office network" option. When users click Browse, the system opens an Internet browser and navigates to the specified URL address to display the available printers.
+
+This setting makes it easy for users to find the printers you want them to add.
+
+Also, see the "Custom support URL in the Printers folder's left pane" and "Activate Internet printing" settings in "Computer Configuration\Administrative Templates\Printers."
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Browse a common web site to find printers*
+- GP name: *IntranetPrintersUrl*
+- GP path: *Control Panel\Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
+
+**ADMX_Printing/KMPrintersAreBlocked**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Determines whether printers using kernel-mode drivers may be installed on the local computer. Kernel-mode drivers have access to system-wide memory, and therefore poorly-written kernel-mode drivers can cause stop errors.
+
+If you disable this setting, or do not configure it, then printers using a kernel-mode drivers may be installed on the local computer running Windows XP Home Edition and Windows XP Professional.
+
+If you do not configure this setting on Windows Server 2003 family products, the installation of kernel-mode printer drivers will be blocked.
+
+If you enable this setting, installation of a printer using a kernel-mode driver will not be allowed.
+
+> [!NOTE]
+> By applying this policy, existing kernel-mode drivers will be disabled upon installation of service packs or reinstallation of the Windows XP operating system. This policy does not apply to 64-bit kernel-mode printer drivers as they cannot be installed and associated with a print queue.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Disallow installation of printers using kernel-mode drivers*
+- GP name: *KMPrintersAreBlocked*
+- GP path: *Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
+
+**ADMX_Printing/LegacyDefaultPrinterMode**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This preference allows you to change default printer management.
+
+If you enable this setting, Windows will not manage the default printer.
+
+If you disable this setting, Windows will manage the default printer.
+
+If you do not configure this setting, default printer management will not change.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Windows default printer management*
+- GP name: *LegacyDefaultPrinterMode*
+- GP path: *Control Panel\Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
+
+**ADMX_Printing/MXDWUseLegacyOutputFormatMSXPS**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Microsoft XPS Document Writer (MXDW) generates OpenXPS (*.oxps) files by default in Windows 10, Windows 10 and Windows Server 2019.
+
+If you enable this group policy setting, the default MXDW output format is the legacy Microsoft XPS (*.xps).
+
+If you disable or do not configure this policy setting, the default MXDW output format is OpenXPS (*.oxps).
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Change Microsoft XPS Document Writer (MXDW) default output format to the legacy Microsoft XPS format (*.xps)*
+- GP name: *MXDWUseLegacyOutputFormatMSXPS*
+- GP path: *Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
+
+**ADMX_Printing/NoDeletePrinter**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. If this policy setting is enabled, it prevents users from deleting local and network printers.
+
+If a user tries to delete a printer, such as by using the Delete option in Printers in Control Panel, a message appears explaining that a setting prevents the action.
+
+This setting does not prevent users from running other programs to delete a printer.
+
+If this policy is disabled, or not configured, users can delete printers using the methods described above.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prevent deletion of printers*
+- GP name: *NoDeletePrinter*
+- GP path: *Control Panel\Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
+
+**ADMX_Printing/NonDomainPrinters**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on an unmanaged network (when the computer is not able to reach a domain controller, e.g. a domain-joined laptop on a home network.)
+
+If this setting is disabled, the network scan page will not be displayed.
+
+If this setting is not configured, the Add Printer wizard will display the default number of printers of each type:
+
+- TCP/IP printers: 50
+- Web Services printers: 50
+- Bluetooth printers: 10
+- Shared printers: 50
+
+If you would like to not display printers of a certain type, enable this policy and set the number of printers to display to 0.
+
+In Windows 10 and later, only TCP/IP printers can be shown in the wizard. If you enable this policy setting, only TCP/IP printer limits are applicable. On Windows 10 only, if you disable or do not configure this policy setting, the default limit is applied.
+
+In Windows 8 and later, Bluetooth printers are not shown so its limit does not apply to those versions of Windows.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Add Printer wizard - Network scan page (Unmanaged network)*
+- GP name: *NonDomainPrinters*
+- GP path: *Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
+
+**ADMX_Printing/PackagePointAndPrintOnly**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy restricts clients computers to use package point and print only.
+
+If this setting is enabled, users will only be able to point and print to printers that use package-aware drivers. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers.
+
+If this setting is disabled, or not configured, users will not be restricted to package-aware point and print only.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Only use Package Point and print*
+- GP name: *PackagePointAndPrintOnly*
+- GP path: *Control Panel\Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
+
+**ADMX_Printing/PackagePointAndPrintOnly_Win7**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy restricts clients computers to use package point and print only.
+
+If this setting is enabled, users will only be able to point and print to printers that use package-aware drivers. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers.
+
+If this setting is disabled, or not configured, users will not be restricted to package-aware point and print only.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Only use Package Point and print*
+- GP name: *PackagePointAndPrintOnly_Win7*
+- GP path: *Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
+
+**ADMX_Printing/PackagePointAndPrintServerList**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Restricts package point and print to approved servers.
+
+This policy setting restricts package point and print connections to approved servers. This setting only applies to Package Point and Print connections, and is completely independent from the "Point and Print Restrictions" policy that governs the behavior of non-package point and print connections.
+
+Windows Vista and later clients will attempt to make a non-package point and print connection anytime a package point and print connection fails, including attempts that are blocked by this policy. Administrators may need to set both policies to block all print connections to a specific print server.
+
+If this setting is enabled, users will only be able to package point and print to print servers approved by the network administrator. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers.
+
+If this setting is disabled, or not configured, package point and print will not be restricted to specific print servers.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Package Point and print - Approved servers*
+- GP name: *PackagePointAndPrintServerList*
+- GP path: *Control Panel\Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
+
+**ADMX_Printing/PackagePointAndPrintServerList_Win7**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Restricts package point and print to approved servers.
+
+This policy setting restricts package point and print connections to approved servers. This setting only applies to Package Point and Print connections, and is completely independent from the "Point and Print Restrictions" policy that governs the behavior of non-package point and print connections.
+
+Windows Vista and later clients will attempt to make a non-package point and print connection anytime a package point and print connection fails, including attempts that are blocked by this policy. Administrators may need to set both policies to block all print connections to a specific print server.
+
+If this setting is enabled, users will only be able to package point and print to print servers approved by the network administrator. When using package point and print, client computers will check the driver signature of all drivers that are downloaded from print servers.
+
+If this setting is disabled, or not configured, package point and print will not be restricted to specific print servers.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Package Point and print - Approved servers*
+- GP name: *PackagePointAndPrintServerList_Win7*
+- GP path: *Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
+
+**ADMX_Printing/PhysicalLocation**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. If this policy setting is enabled, it specifies the default location criteria used when searching for printers.
+
+This setting is a component of the Location Tracking feature of Windows printers. To use this setting, enable Location Tracking by enabling the "Pre-populate printer search location text" setting.
+
+When Location Tracking is enabled, the system uses the specified location as a criterion when users search for printers. The value you type here overrides the actual location of the computer conducting the search.
+
+Type the location of the user's computer. When users search for printers, the system uses the specified location (and other search criteria) to find a printer nearby. You can also use this setting to direct users to a particular printer or group of printers that you want them to use.
+
+If you disable this setting or do not configure it, and the user does not type a location as a search criterion, the system searches for a nearby printer based on the IP address and subnet mask of the user's computer.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Computer location*
+- GP name: *PhysicalLocation*
+- GP path: *Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
+
+**ADMX_Printing/PhysicalLocationSupport**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Enables the physical Location Tracking setting for Windows printers.
+
+Use Location Tracking to design a location scheme for your enterprise and assign computers and printers to locations in the scheme. Location Tracking overrides the standard method used to locate and associate computers and printers. The standard method uses a printer's IP address and subnet mask to estimate its physical location and proximity to computers.
+
+If you enable this setting, users can browse for printers by location without knowing the printer's location or location naming scheme. Enabling Location Tracking adds a Browse button in the Add Printer wizard's Printer Name and Sharing Location screen and to the General tab in the Printer Properties dialog box. If you enable the Group Policy Computer location setting, the default location you entered appears in the Location field by default.
+
+If you disable this setting or do not configure it, Location Tracking is disabled. Printer proximity is estimated using the standard method (that is, based on IP address and subnet mask).
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Pre-populate printer search location text*
+- GP name: *PhysicalLocationSupport*
+- GP path: *Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
+
+**ADMX_Printing/PrintDriverIsolationExecutionPolicy**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the print spooler will execute print drivers in an isolated or separate process. When print drivers are loaded in an isolated process (or isolated processes), a print driver failure will not cause the print spooler service to fail.
+
+If you enable or do not configure this policy setting, the print spooler will execute print drivers in an isolated process by default.
+
+If you disable this policy setting, the print spooler will execute print drivers in the print spooler process.
+
+> [!NOTE]
+> - Other system or driver policy settings may alter the process in which a print driver is executed.
+> - This policy setting applies only to print drivers loaded by the print spooler. Print drivers loaded by applications are not affected.
+> - This policy setting takes effect without restarting the print spooler service.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Execute print drivers in isolated processes*
+- GP name: *PrintDriverIsolationExecutionPolicy*
+- GP path: *Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
+
+**ADMX_Printing/PrintDriverIsolationOverrideCompat**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the print spooler will override the Driver Isolation compatibility reported by the print driver. This enables executing print drivers in an isolated process, even if the driver does not report compatibility.
+
+If you enable this policy setting, the print spooler isolates all print drivers that do not explicitly opt out of Driver Isolation.
+
+If you disable or do not configure this policy setting, the print spooler uses the Driver Isolation compatibility flag value reported by the print driver.
+
+> [!NOTE]
+> - Other system or driver policy settings may alter the process in which a print driver is executed.
+> - This policy setting applies only to print drivers loaded by the print spooler. Print drivers loaded by applications are not affected.
+> - This policy setting takes effect without restarting the print spooler service.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Override print driver execution compatibility setting reported by print driver*
+- GP name: *PrintDriverIsolationOverrideCompat*
+- GP path: *Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
+
+**ADMX_Printing/PrinterDirectorySearchScope**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Specifies the Active Directory location where searches for printers begin.
+
+The Add Printer Wizard gives users the option of searching Active Directory for a shared printer.
+
+If you enable this policy setting, these searches begin at the location you specify in the "Default Active Directory path" box. Otherwise, searches begin at the root of Active Directory.
+
+This setting only provides a starting point for Active Directory searches for printers. It does not restrict user searches through Active Directory.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Default Active Directory path when searching for printers*
+- GP name: *PrinterDirectorySearchScope*
+- GP path: *Control Panel\Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
+
+**ADMX_Printing/PrinterServerThread**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Announces the presence of shared printers to print browse master servers for the domain.
+
+On domains with Active Directory, shared printer resources are available in Active Directory and are not announced.
+
+If you enable this setting, the print spooler announces shared printers to the print browse master servers.
+
+If you disable this setting, shared printers are not announced to print browse master servers, even if Active Directory is not available.
+
+If you do not configure this setting, shared printers are announced to browse master servers only when Active Directory is not available.
+
+> [!NOTE]
+> A client license is used each time a client computer announces a printer to a print browse master on the domain.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Printer browsing*
+- GP name: *PrinterServerThread*
+- GP path: *Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
+
+**ADMX_Printing/ShowJobTitleInEventLogs**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy controls whether the print job name will be included in print event logs.
+
+If you disable or do not configure this policy setting, the print job name will not be included.
+
+If you enable this policy setting, the print job name will be included in new log entries.
+
+> [!NOTE]
+> This setting does not apply to Branch Office Direct Printing jobs.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow job name in event logs*
+- GP name: *ShowJobTitleInEventLogs*
+- GP path: *Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
+
+**ADMX_Printing/V4DriverDisallowPrinterExtension**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy determines if v4 printer drivers are allowed to run printer extensions.
+
+V4 printer drivers may include an optional, customized user interface known as a printer extension. These extensions may provide access to more device features, but this may not be appropriate for all enterprises.
+
+If you enable this policy setting, then all printer extensions will not be allowed to run.
+
+If you disable this policy setting or do not configure it, then all printer extensions that have been installed will be allowed to run.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not allow v4 printer drivers to show printer extensions*
+- GP name: *V4DriverDisallowPrinterExtension*
+- GP path: *Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-printing2.md b/windows/client-management/mdm/policy-csp-admx-printing2.md
new file mode 100644
index 0000000000..8ce369426a
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-printing2.md
@@ -0,0 +1,741 @@
+---
+title: Policy CSP - ADMX_Printing2
+description: Policy CSP - ADMX_Printing2
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 12/15/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_Printing2
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_Printing2 policies
+
+
+
+
+
+
+
+
+**ADMX_Printing2/AutoPublishing**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Determines whether the Add Printer Wizard automatically publishes the computer's shared printers in Active Directory.
+
+If you enable this setting or do not configure it, the Add Printer Wizard automatically publishes all shared printers.
+
+If you disable this setting, the Add Printer Wizard does not automatically publish printers. However, you can publish shared printers manually.
+
+The default behavior is to automatically publish shared printers in Active Directory.
+
+> [!NOTE]
+> This setting is ignored if the "Allow printers to be published" setting is disabled.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Automatically publish new printers in Active Directory*
+- GP name: *AutoPublishing*
+- GP path: *Printers*
+- GP ADMX file name: *Printing2.admx*
+
+
+
+
+
+
+**ADMX_Printing2/ImmortalPrintQueue**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Determines whether the domain controller can prune (delete from Active Directory) the printers published by this computer.
+
+By default, the pruning service on the domain controller prunes printer objects from Active Directory if the computer that published them does not respond to contact requests. When the computer that published the printers restarts, it republishes any deleted printer objects.
+
+If you enable this setting or do not configure it, the domain controller prunes this computer's printers when the computer does not respond.
+
+If you disable this setting, the domain controller does not prune this computer's printers. This setting is designed to prevent printers from being pruned when the computer is temporarily disconnected from the network.
+
+> [!NOTE]
+> You can use the "Directory Pruning Interval" and "Directory Pruning Retry" settings to adjust the contact interval and number of contact attempts.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow pruning of published printers*
+- GP name: *ImmortalPrintQueue*
+- GP path: *Printers*
+- GP ADMX file name: *Printing2.admx*
+
+
+
+
+
+
+**ADMX_Printing2/PruneDownlevel**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Determines whether the pruning service on a domain controller prunes printer objects that are not automatically republished whenever the host computer does not respond,just as it does with Windows 2000 printers. This setting applies to printers running operating systems other than Windows 2000 and to Windows 2000 printers published outside their forest.
+
+The Windows pruning service prunes printer objects from Active Directory when the computer that published them does not respond to contact requests. Computers running Windows 2000 Professional detect and republish deleted printer objects when they rejoin the network. However, because non-Windows 2000 computers and computers in other domains cannot republish printers in Active Directory automatically, by default, the system never prunes their printer objects.
+
+You can enable this setting to change the default behavior. To use this setting, select one of the following options from the "Prune non-republishing printers" box:
+
+- "Never" specifies that printer objects that are not automatically republished are never pruned. "Never" is the default.
+
+- "Only if Print Server is found" prunes printer objects that are not automatically republished only when the print server responds, but the printer is unavailable.
+
+- "Whenever printer is not found" prunes printer objects that are not automatically republished whenever the host computer does not respond, just as it does with Windows 2000 printers.
+
+> [!NOTE]
+> This setting applies to printers published by using Active Directory Users and Computers or Pubprn.vbs. It does not apply to printers published by using Printers in Control Panel.
+
+> [!TIP]
+> If you disable automatic pruning, remember to delete printer objects manually whenever you remove a printer or print server.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prune printers that are not automatically republished*
+- GP name: *PruneDownlevel*
+- GP path: *Printers*
+- GP ADMX file name: *Printing2.admx*
+
+
+
+
+
+
+**ADMX_Printing2/PruningInterval**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Specifies how often the pruning service on a domain controller contacts computers to verify that their printers are operational.
+
+The pruning service periodically contacts computers that have published printers. If a computer does not respond to the contact message (optionally, after repeated attempts), the pruning service "prunes" (deletes from Active Directory) printer objects the computer has published.
+
+By default, the pruning service contacts computers every eight hours and allows two repeated contact attempts before deleting printers from Active Directory.
+
+If you enable this setting, you can change the interval between contact attempts.
+
+If you do not configure or disable this setting the default values will be used.
+
+> [!NOTE]
+> This setting is used only on domain controllers.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Directory pruning interval*
+- GP name: *PruningInterval*
+- GP path: *Printers*
+- GP ADMX file name: *Printing2.admx*
+
+
+
+
+
+
+**ADMX_Printing2/PruningPriority**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Sets the priority of the pruning thread.
+
+The pruning thread, which runs only on domain controllers, deletes printer objects from Active Directory if the printer that published the object does not respond to contact attempts. This process keeps printer information in Active Directory current.
+
+The thread priority influences the order in which the thread receives processor time and determines how likely it is to be preempted by higher priority threads.
+
+By default, the pruning thread runs at normal priority. However, you can adjust the priority to improve the performance of this service.
+
+> [!NOTE]
+> This setting is used only on domain controllers.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Directory pruning priority*
+- GP name: *PruningPriority*
+- GP path: *Printers*
+- GP ADMX file name: *Printing2.admx*
+
+
+
+
+
+
+**ADMX_Printing2/PruningRetries**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Specifies how many times the pruning service on a domain controller repeats its attempt to contact a computer before pruning the computer's printers.
+
+The pruning service periodically contacts computers that have published printers to verify that the printers are still available for use. If a computer does not respond to the contact message, the message is repeated for the specified number of times. If the computer still fails to respond, then the pruning service "prunes" (deletes from Active Directory) printer objects the computer has published.
+
+By default, the pruning service contacts computers every eight hours and allows two retries before deleting printers from Active Directory. You can use this setting to change the number of retries.
+
+If you enable this setting, you can change the interval between attempts.
+
+If you do not configure or disable this setting, the default values are used.
+
+> [!NOTE]
+> This setting is used only on domain controllers.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Directory pruning retry*
+- GP name: *PruningRetries*
+- GP path: *Printers*
+- GP ADMX file name: *Printing2.admx*
+
+
+
+
+
+
+**ADMX_Printing2/PruningRetryLog**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Specifies whether or not to log events when the pruning service on a domain controller attempts to contact a computer before pruning the computer's printers.
+
+The pruning service periodically contacts computers that have published printers to verify that the printers are still available for use. If a computer does not respond to the contact attempt, the attempt is retried a specified number of times, at a specified interval. The "Directory pruning retry" setting determines the number of times the attempt is retried; the default value is two retries. The "Directory Pruning Interval" setting determines the time interval between retries; the default value is every eight hours. If the computer has not responded by the last contact attempt, its printers are pruned from the directory.
+
+If you enable this policy setting, the contact events are recorded in the event log.
+
+If you disable or do not configure this policy setting, the contact events are not recorded in the event log.
+
+Note: This setting does not affect the logging of pruning events; the actual pruning of a printer is always logged.
+
+> [!NOTE]
+> This setting is used only on domain controllers.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Log directory pruning retry events*
+- GP name: *PruningRetryLog*
+- GP path: *Printers*
+- GP ADMX file name: *Printing2.admx*
+
+
+
+
+
+
+**ADMX_Printing2/RegisterSpoolerRemoteRpcEndPoint**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy controls whether the print spooler will accept client connections.
+
+When the policy is not configured or enabled, the spooler will always accept client connections.
+
+When the policy is disabled, the spooler will not accept client connections nor allow users to share printers. All printers currently shared will continue to be shared.
+
+The spooler must be restarted for changes to this policy to take effect.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow Print Spooler to accept client connections*
+- GP name: *RegisterSpoolerRemoteRpcEndPoint*
+- GP path: *Printers*
+- GP ADMX file name: *Printing2.admx*
+
+
+
+
+
+
+**ADMX_Printing2/VerifyPublishedState**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Directs the system to periodically verify that the printers published by this computer still appear in Active Directory. This setting also specifies how often the system repeats the verification.
+
+By default, the system only verifies published printers at startup. This setting allows for periodic verification while the computer is operating.
+
+To enable this additional verification, enable this setting, and then select a verification interval.
+
+To disable verification, disable this setting, or enable this setting and select "Never" for the verification interval.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Check published state*
+- GP name: *VerifyPublishedState*
+- GP path: *Printers*
+- GP ADMX file name: *Printing2.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-programs.md b/windows/client-management/mdm/policy-csp-admx-programs.md
new file mode 100644
index 0000000000..d7e0d1fec9
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-programs.md
@@ -0,0 +1,569 @@
+---
+title: Policy CSP - ADMX_Programs
+description: Policy CSP - ADMX_Programs
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 12/01/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_Programs
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_Programs policies
+
+
+
+
+
+
+
+
+**ADMX_Programs/NoDefaultPrograms**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This setting removes the Set Program Access and Defaults page from the Programs Control Panel. As a result, users cannot view or change the associated page.
+
+The Set Program Access and Computer Defaults page allows administrators to specify default programs for certain activities, such as Web browsing or sending e-mail, as well as specify the programs that are accessible from the Start menu, desktop, and other locations.
+
+If this setting is disabled or not configured, the Set Program Access and Defaults button is available to all users.
+
+This setting does not prevent users from using other tools and methods to change program access or defaults.
+
+This setting does not prevent the Default Programs icon from appearing on the Start menu.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hide "Set Program Access and Computer Defaults" page*
+- GP name: *NoDefaultPrograms*
+- GP path: *Control Panel\Programs*
+- GP ADMX file name: *Programs.admx*
+
+
+
+
+
+
+**ADMX_Programs/NoGetPrograms**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Prevents users from viewing or installing published programs from the network.
+
+This setting prevents users from accessing the "Get Programs" page from the Programs Control Panel in Category View, Programs and Features in Classic View and the "Install a program from the network" task. The "Get Programs" page lists published programs and provides an easy way to install them.
+
+Published programs are those programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators publish programs to notify users of their availability, to recommend their use, or to enable users to install them without having to search for installation files.
+
+If this setting is enabled, users cannot view the programs that have been published by the system administrator, and they cannot use the "Get Programs" page to install published programs. Enabling this feature does not prevent users from installing programs by using other methods. Users will still be able to view and installed assigned (partially installed) programs that are offered on the desktop or on the Start menu.
+
+If this setting is disabled or is not configured, the "Install a program from the network" task to the "Get Programs" page will be available to all users.
+
+> [!NOTE]
+> If the "Hide Programs Control Panel" setting is enabled, this setting is ignored.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hide "Get Programs" page*
+- GP name: *NoGetPrograms*
+- GP path: *Control Panel\Programs*
+- GP ADMX file name: *Programs.admx*
+
+
+
+
+
+
+**ADMX_Programs/NoInstalledUpdates**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This setting prevents users from accessing "Installed Updates" page from the "View installed updates" task.
+
+"Installed Updates" allows users to view and uninstall updates currently installed on the computer. The updates are often downloaded directly from Windows Update or from various program publishers.
+
+If this setting is disabled or not configured, the "View installed updates" task and the "Installed Updates" page will be available to all users.
+
+This setting does not prevent users from using other tools and methods to install or uninstall programs.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hide "Installed Updates" page*
+- GP name: *NoInstalledUpdates*
+- GP path: *Control Panel\Programs*
+- GP ADMX file name: *Programs.admx*
+
+
+
+
+
+
+**ADMX_Programs/NoProgramsAndFeatures**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This setting prevents users from accessing "Programs and Features" to view, uninstall, change, or repair programs that are currently installed on the computer.
+
+If this setting is disabled or not configured, "Programs and Features" will be available to all users.
+
+This setting does not prevent users from using other tools and methods to view or uninstall programs. It also does not prevent users from linking to related Programs Control Panel Features including Windows Features, Get Programs, or Windows Marketplace.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hide "Programs and Features" page*
+- GP name: *NoProgramsAndFeatures*
+- GP path: *Control Panel\Programs*
+- GP ADMX file name: *Programs.admx*
+
+
+
+
+
+
+**ADMX_Programs/NoProgramsCPL**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This setting prevents users from using the Programs Control Panel in Category View and Programs and Features in Classic View.
+
+The Programs Control Panel allows users to uninstall, change, and repair programs, enable and disable Windows Features, set program defaults, view installed updates, and purchase software from Windows Marketplace. Programs published or assigned to the user by the system administrator also appear in the Programs Control Panel.
+
+If this setting is disabled or not configured, the Programs Control Panel in Category View and Programs and Features in Classic View will be available to all users.
+
+When enabled, this setting takes precedence over the other settings in this folder.
+
+This setting does not prevent users from using other tools and methods to install or uninstall programs.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hide the Programs Control Panel*
+- GP name: *NoProgramsCPL*
+- GP path: *Control Panel\Programs*
+- GP ADMX file name: *Programs.admx*
+
+
+
+
+
+
+**ADMX_Programs/NoWindowsFeatures**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This setting prevents users from accessing the "Turn Windows features on or off" task from the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs. As a result, users cannot view, enable, or disable various Windows features and services.
+
+If this setting is disabled or is not configured, the "Turn Windows features on or off" task will be available to all users.
+
+This setting does not prevent users from using other tools and methods to configure services or enable or disable program components.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hide "Windows Features"*
+- GP name: *NoWindowsFeatures*
+- GP path: *Control Panel\Programs*
+- GP ADMX file name: *Programs.admx*
+
+
+
+
+
+
+**ADMX_Programs/NoWindowsMarketplace**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This setting prevents users from access the "Get new programs from Windows Marketplace" task from the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs.
+
+Windows Marketplace allows users to purchase and/or download various programs to their computer for installation.
+
+Enabling this feature does not prevent users from navigating to Windows Marketplace using other methods.
+
+If this feature is disabled or is not configured, the "Get new programs from Windows Marketplace" task link will be available to all users.
+
+> [!NOTE]
+> If the "Hide Programs control Panel" setting is enabled, this setting is ignored.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hide "Windows Marketplace"*
+- GP name: *NoWindowsMarketplace*
+- GP path: *Control Panel\Programs*
+- GP ADMX file name: *Programs.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-reliability.md b/windows/client-management/mdm/policy-csp-admx-reliability.md
index e466f85f86..398c939856 100644
--- a/windows/client-management/mdm/policy-csp-admx-reliability.md
+++ b/windows/client-management/mdm/policy-csp-admx-reliability.md
@@ -83,7 +83,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows the system to detect the time of unexpected shutdowns by writing the current time to disk on a schedule controlled by the Timestamp Interval.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows the system to detect the time of unexpected shutdowns by writing the current time to disk on a schedule controlled by the Timestamp Interval.
If you enable this policy setting, you are able to specify how often the Persistent System Timestamp is refreshed and subsequently written to the disk. You can specify the Timestamp Interval in seconds.
@@ -159,7 +159,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting controls whether or not unplanned shutdown events can be reported when error reporting is enabled.
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not unplanned shutdown events can be reported when error reporting is enabled.
If you enable this policy setting, error reporting includes unplanned shutdown events.
@@ -234,7 +234,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting defines when the Shutdown Event Tracker System State Data feature is activated.
+Available in the latest Windows 10 Insider Preview Build. This policy setting defines when the Shutdown Event Tracker System State Data feature is activated.
The system state data file contains information about the basic system state as well as the state of all running processes.
@@ -312,7 +312,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. The Shutdown Event Tracker can be displayed when you shut down a workstation or server. This is an extra set of questions that is displayed when you invoke a shutdown to collect information related to why you are shutting down the computer.
+Available in the latest Windows 10 Insider Preview Build. The Shutdown Event Tracker can be displayed when you shut down a workstation or server. This is an extra set of questions that is displayed when you invoke a shutdown to collect information related to why you are shutting down the computer.
If you enable this setting and choose "Always" from the drop-down menu list, the Shutdown Event Tracker is displayed when the computer shuts down.
@@ -348,14 +348,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md
new file mode 100644
index 0000000000..692487c12d
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md
@@ -0,0 +1,206 @@
+---
+title: Policy CSP - ADMX_RemoteAssistance
+description: Policy CSP - ADMX_RemoteAssistance
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 12/14/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_RemoteAssistance
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_RemoteAssistance policies
+
+
+
+
+
+
+
+
+**ADMX_RemoteAssistance/RA_EncryptedTicketOnly**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting enables Remote Assistance invitations to be generated with improved encryption so that only computers running this version (or later versions) of the operating system can connect. This policy setting does not affect Remote Assistance connections that are initiated by instant messaging contacts or the unsolicited Offer Remote Assistance.
+
+If you enable this policy setting, only computers running this version (or later versions) of the operating system can connect to this computer.
+
+If you disable this policy setting, computers running this version and a previous version of the operating system can connect to this computer.
+
+If you do not configure this policy setting, users can configure the setting in System Properties in the Control Panel.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow only Windows Vista or later connections*
+- GP name: *RA_EncryptedTicketOnly*
+- GP path: *System\Remote Assistance*
+- GP ADMX file name: *RemoteAssistance.admx*
+
+
+
+
+
+
+**ADMX_RemoteAssistance/RA_Optimize_Bandwidth**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to improve performance in low bandwidth scenarios.
+
+This setting is incrementally scaled from "No optimization" to "Full optimization". Each incremental setting includes the previous optimization setting.
+
+For example:
+
+"Turn off background" will include the following optimizations:
+
+- No full window drag
+- Turn off background
+
+"Full optimization" will include the following optimizations:
+
+- Use 16-bit color (8-bit color in Windows Vista)
+- Turn off font smoothing (not supported in Windows Vista)
+- No full window drag
+- Turn off background
+
+If you enable this policy setting, bandwidth optimization occurs at the level specified.
+
+If you disable this policy setting, application-based settings are used.
+
+If you do not configure this policy setting, application-based settings are used.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn on bandwidth optimization*
+- GP name: *RA_Optimize_Bandwidth*
+- GP path: *System\Remote Assistance*
+- GP ADMX file name: *RemoteAssistance.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-removablestorage.md b/windows/client-management/mdm/policy-csp-admx-removablestorage.md
new file mode 100644
index 0000000000..6a9c3b8bfa
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-removablestorage.md
@@ -0,0 +1,2329 @@
+---
+title: Policy CSP - ADMX_RemovableStorage
+description: Policy CSP - ADMX_RemovableStorage
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 12/10/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_RemovableStorage
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_RemovableStorage policies
+
+
+
+
+
+
+
+
+**ADMX_RemovableStorage/AccessRights_RebootTime_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a change in access rights to removable storage devices.
+
+If you enable this policy setting, you can set the number of seconds you want the system to wait until a reboot.
+
+If you disable or do not configure this setting, the operating system does not force a reboot.
+
+> [!NOTE]
+> If no reboot is forced, the access right does not take effect until the operating system is restarted.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Set time (in seconds) to force reboot*
+- GP name: *AccessRights_RebootTime_1*
+- GP path: *System\Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+
+**ADMX_RemovableStorage/AccessRights_RebootTime_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a change in access rights to removable storage devices.
+
+If you enable this policy setting, you can set the number of seconds you want the system to wait until a reboot.
+
+If you disable or do not configure this setting, the operating system does not force a reboot
+
+> [!NOTE]
+> If no reboot is forced, the access right does not take effect until the operating system is restarted.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Set time (in seconds) to force reboot*
+- GP name: *AccessRights_RebootTime_2*
+- GP path: *System\Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+
+**ADMX_RemovableStorage/CDandDVD_DenyExecute_Access_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting denies execute access to the CD and DVD removable storage class.
+
+If you enable this policy setting, execute access is denied to this removable storage class.
+
+If you disable or do not configure this policy setting, execute access is allowed to this removable storage class.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *CD and DVD: Deny execute access*
+- GP name: *CDandDVD_DenyExecute_Access_2*
+- GP path: *System\Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+
+**ADMX_RemovableStorage/CDandDVD_DenyRead_Access_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the CD and DVD removable storage class.
+
+If you enable this policy setting, read access is denied to this removable storage class.
+
+If you disable or do not configure this policy setting, read access is allowed to this removable storage class.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *CD and DVD: Deny read access*
+- GP name: *CDandDVD_DenyRead_Access_1*
+- GP path: *System\Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+
+**ADMX_RemovableStorage/CDandDVD_DenyRead_Access_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the CD and DVD removable storage class.
+
+If you enable this policy setting, read access is denied to this removable storage class.
+
+If you disable or do not configure this policy setting, read access is allowed to this removable storage class.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *CD and DVD: Deny read access*
+- GP name: *CDandDVD_DenyRead_Access_2*
+- GP path: *System\Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+
+**ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the CD and DVD removable storage class.
+
+If you enable this policy setting, write access is denied to this removable storage class.
+
+If you disable or do not configure this policy setting, write access is allowed to this removable storage class.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *CD and DVD: Deny write access*
+- GP name: *CDandDVD_DenyWrite_Access_1*
+- GP path: *System\Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+
+**ADMX_RemovableStorage/CDandDVD_DenyWrite_Access_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the CD and DVD removable storage class.
+
+If you enable this policy setting, write access is denied to this removable storage class.
+
+If you disable or do not configure this policy setting, write access is allowed to this removable storage class.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *CD and DVD: Deny write access*
+- GP name: *CDandDVD_DenyWrite_Access_2*
+- GP path: *System\Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+
+**ADMX_RemovableStorage/CustomClasses_DenyRead_Access_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to custom removable storage classes.
+
+If you enable this policy setting, read access is denied to these removable storage classes.
+
+If you disable or do not configure this policy setting, read access is allowed to these removable storage classes.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Custom Classes: Deny read access*
+- GP name: *CustomClasses_DenyRead_Access_1*
+- GP path: *System\Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+
+**ADMX_RemovableStorage/CustomClasses_DenyRead_Access_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to custom removable storage classes.
+
+If you enable this policy setting, read access is denied to these removable storage classes.
+
+If you disable or do not configure this policy setting, read access is allowed to these removable storage classes.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Custom Classes: Deny read access*
+- GP name: *CustomClasses_DenyRead_Access_2*
+- GP path: *System\Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+
+**ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to custom removable storage classes.
+
+If you enable this policy setting, write access is denied to these removable storage classes.
+
+If you disable or do not configure this policy setting, write access is allowed to these removable storage classes.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Custom Classes: Deny write access*
+- GP name: *CustomClasses_DenyWrite_Access_1*
+- GP path: *System\Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+**ADMX_RemovableStorage/CustomClasses_DenyWrite_Access_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to custom removable storage classes.
+
+If you enable this policy setting, write access is denied to these removable storage classes.
+
+If you disable or do not configure this policy setting, write access is allowed to these removable storage classes.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Custom Classes: Deny write access*
+- GP name: *CustomClasses_DenyWrite_Access_2*
+- GP path: *System\Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+**ADMX_RemovableStorage/FloppyDrives_DenyExecute_Access_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting denies execute access to the Floppy Drives removable storage class, including USB Floppy Drives.
+
+If you enable this policy setting, execute access is denied to this removable storage class.
+
+If you disable or do not configure this policy setting, execute access is allowed to this removable storage class.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Floppy Drives: Deny execute access*
+- GP name: *FloppyDrives_DenyExecute_Access_2*
+- GP path: *System\Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+**ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the Floppy Drives removable storage class, including USB Floppy Drives.
+
+If you enable this policy setting, read access is denied to this removable storage class.
+
+If you disable or do not configure this policy setting, read access is allowed to this removable storage class.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Floppy Drives: Deny read access*
+- GP name: *FloppyDrives_DenyRead_Access_1*
+- GP path: *System\Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+**ADMX_RemovableStorage/FloppyDrives_DenyRead_Access_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the Floppy Drives removable storage class, including USB Floppy Drives.
+
+If you enable this policy setting, read access is denied to this removable storage class.
+
+If you disable or do not configure this policy setting, read access is allowed to this removable storage class.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Floppy Drives: Deny read access*
+- GP name: *FloppyDrives_DenyRead_Access_2*
+- GP path: *System\Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+**ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the Floppy Drives removable storage class, including USB Floppy Drives.
+
+If you enable this policy setting, write access is denied to this removable storage class.
+
+If you disable or do not configure this policy setting, write access is allowed to this removable storage class.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Floppy Drives: Deny write access*
+- GP name: *FloppyDrives_DenyWrite_Access_1*
+- GP path: *System\Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+**ADMX_RemovableStorage/FloppyDrives_DenyWrite_Access_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the Floppy Drives removable storage class, including USB Floppy Drives.
+
+If you enable this policy setting, write access is denied to this removable storage class.
+
+If you disable or do not configure this policy setting, write access is allowed to this removable storage class.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Floppy Drives: Deny write access*
+- GP name: *FloppyDrives_DenyWrite_Access_2*
+- GP path: *System\Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+**ADMX_RemovableStorage/RemovableDisks_DenyExecute_Access_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting denies execute access to removable disks.
+
+If you enable this policy setting, execute access is denied to this removable storage class.
+
+If you disable or do not configure this policy setting, execute access is allowed to this removable storage class.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Removable Disks: Deny execute access*
+- GP name: *RemovableDisks_DenyExecute_Access_2*
+- GP path: *System\Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+**ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to removable disks.
+
+If you enable this policy setting, read access is denied to this removable storage class.
+
+If you disable or do not configure this policy setting, read access is allowed to this removable storage class.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Removable Disks: Deny read access*
+- GP name: *RemovableDisks_DenyRead_Access_1*
+- GP path: *System\Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+**ADMX_RemovableStorage/RemovableDisks_DenyRead_Access_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to removable disks.
+
+If you enable this policy setting, read access is denied to this removable storage class.
+
+If you disable or do not configure this policy setting, read access is allowed to this removable storage class.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Removable Disks: Deny read access*
+- GP name: *RemovableDisks_DenyRead_Access_2*
+- GP path: *System\Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+**ADMX_RemovableStorage/RemovableDisks_DenyWrite_Access_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to removable disks.
+
+If you enable this policy setting, write access is denied to this removable storage class.
+
+If you disable or do not configure this policy setting, write access is allowed to this removable storage class.
+
+> [!NOTE]
+> To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives."
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Removable Disks: Deny write access*
+- GP name: *RemovableDisks_DenyWrite_Access_1*
+- GP path: *System\Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+**ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Configure access to all removable storage classes.
+
+This policy setting takes precedence over any individual removable storage policy settings. To manage individual classes, use the policy settings available for each class.
+
+If you enable this policy setting, no access is allowed to any removable storage class.
+
+If you disable or do not configure this policy setting, write and read accesses are allowed to all removable storage classes.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *All Removable Storage classes: Deny all access*
+- GP name: *RemovableStorageClasses_DenyAll_Access_1*
+- GP path: *System\Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+**ADMX_RemovableStorage/RemovableStorageClasses_DenyAll_Access_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Configure access to all removable storage classes.
+
+This policy setting takes precedence over any individual removable storage policy settings. To manage individual classes, use the policy settings available for each class.
+
+If you enable this policy setting, no access is allowed to any removable storage class.
+
+If you disable or do not configure this policy setting, write and read accesses are allowed to all removable storage classes.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *All Removable Storage classes: Deny all access*
+- GP name: *RemovableStorageClasses_DenyAll_Access_2*
+- GP path: *System\Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+**ADMX_RemovableStorage/Removable_Remote_Allow_Access**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting grants normal users direct access to removable storage devices in remote sessions.
+
+If you enable this policy setting, remote users can open direct handles to removable storage devices in remote sessions.
+
+If you disable or do not configure this policy setting, remote users cannot open direct handles to removable storage devices in remote sessions.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *All Removable Storage: Allow direct access in remote sessions*
+- GP name: *Removable_Remote_Allow_Access*
+- GP path: *System\Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+**ADMX_RemovableStorage/TapeDrives_DenyExecute_Access_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting denies execute access to the Tape Drive removable storage class.
+
+If you enable this policy setting, execute access is denied to this removable storage class.
+
+If you disable or do not configure this policy setting, execute access is allowed to this removable storage class.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Tape Drives: Deny execute access*
+- GP name: *TapeDrives_DenyExecute_Access_2*
+- GP path: *System\Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+**ADMX_RemovableStorage/TapeDrives_DenyRead_Access_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the Tape Drive removable storage class.
+
+If you enable this policy setting, read access is denied to this removable storage class.
+
+If you disable or do not configure this policy setting, read access is allowed to this removable storage class.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Tape Drives: Deny read access*
+- GP name: *TapeDrives_DenyRead_Access_1*
+- GP path: *System\Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+**ADMX_RemovableStorage/TapeDrives_DenyRead_Access_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to the Tape Drive removable storage class.
+
+If you enable this policy setting, read access is denied to this removable storage class.
+
+If you disable or do not configure this policy setting, read access is allowed to this removable storage class.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Tape Drives: Deny read access*
+- GP name: *TapeDrives_DenyRead_Access_2*
+- GP path: *System\Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+**ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the Tape Drive removable storage class.
+
+If you enable this policy setting, write access is denied to this removable storage class.
+
+If you disable or do not configure this policy setting, write access is allowed to this removable storage class.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Tape Drives: Deny write access*
+- GP name: *TapeDrives_DenyWrite_Access_1*
+- GP path: *System\Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+**ADMX_RemovableStorage/TapeDrives_DenyWrite_Access_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to the Tape Drive removable storage class.
+
+If you enable this policy setting, write access is denied to this removable storage class.
+
+If you disable or do not configure this policy setting, write access is allowed to this removable storage class.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Tape Drives: Deny write access*
+- GP name: *TapeDrives_DenyWrite_Access_2*
+- GP path: *System\Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+**ADMX_RemovableStorage/WPDDevices_DenyRead_Access_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices.
+
+If you enable this policy setting, read access is denied to this removable storage class.
+
+If you disable or do not configure this policy setting, read access is allowed to this removable storage class.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *WPD Devices: Deny read access*
+- GP name: *WPDDevices_DenyRead_Access_1*
+- GP path: *System\Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+**ADMX_RemovableStorage/WPDDevices_DenyRead_Access_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices.
+
+If you enable this policy setting, read access is denied to this removable storage class.
+
+If you disable or do not configure this policy setting, read access is allowed to this removable storage class.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *WPD Devices: Deny read access*
+- GP name: *WPDDevices_DenyRead_Access_2*
+- GP path: *System\Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+**ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices.
+
+If you enable this policy setting, write access is denied to this removable storage class.
+
+If you disable or do not configure this policy setting, write access is allowed to this removable storage class.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *WPD Devices: Deny write access*
+- GP name: *WPDDevices_DenyWrite_Access_1*
+- GP path: *System\Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+
+**ADMX_RemovableStorage/WPDDevices_DenyWrite_Access_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices.
+
+If you enable this policy setting, write access is denied to this removable storage class.
+
+If you disable or do not configure this policy setting, write access is allowed to this removable storage class.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *WPD Devices: Deny write access*
+- GP name: *WPDDevices_DenyWrite_Access_2*
+- GP path: *System\Removable Storage Access*
+- GP ADMX file name: *RemovableStorage.admx*
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-rpc.md b/windows/client-management/mdm/policy-csp-admx-rpc.md
new file mode 100644
index 0000000000..4c77e82fa2
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-rpc.md
@@ -0,0 +1,391 @@
+---
+title: Policy CSP - ADMX_RPC
+description: Policy CSP - ADMX_RPC
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 12/08/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_RPC
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_RPC policies
+
+
+
+
+
+
+
+
+**ADMX_RPC/RpcExtendedErrorInformation**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the RPC runtime generates extended error information when an error occurs.
+
+Extended error information includes the local time that the error occurred, the RPC version, and the name of the computer on which the error occurred, or from which it was propagated. Programs can retrieve the extended error information by using standard Windows application programming interfaces (APIs).
+
+If you disable this policy setting, the RPC Runtime only generates a status code to indicate an error condition.
+
+If you do not configure this policy setting, it remains disabled. It will only generate a status code to indicate an error condition.
+
+If you enable this policy setting, the RPC runtime will generate extended error information.
+
+You must select an error response type in the drop-down box.
+
+- "Off" disables all extended error information for all processes. RPC only generates an error code.
+- "On with Exceptions" enables extended error information, but lets you disable it for selected processes. To disable extended error information for a process while this policy setting is in effect, the command that starts the process must begin with one of the strings in the Extended Error Information Exception field.
+- "Off with Exceptions" disables extended error information, but lets you enable it for selected processes. To enable extended error information for a process while this policy setting is in effect, the command that starts the process must begin with one of the strings in the Extended Error Information Exception field.
+- "On" enables extended error information for all processes.
+
+> [!NOTE]
+> For information about the Extended Error Information Exception field, see the Windows Software Development Kit (SDK).
+>
+> Extended error information is formatted to be compatible with other operating systems and older Microsoft operating systems, but only newer Microsoft operating systems can read and respond to the information.
+>
+> The default policy setting, "Off," is designed for systems where extended error information is considered to be sensitive, and it should not be made available remotely.
+>
+> This policy setting will not be applied until the system is rebooted.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Propagate extended error information*
+- GP name: *RpcExtendedErrorInformation*
+- GP path: *System\Remote Procedure Call*
+- GP ADMX file name: *RPC.admx*
+
+
+
+
+
+
+**ADMX_RPC/RpcIgnoreDelegationFailure**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the RPC Runtime ignores delegation failures when delegation is requested.
+
+The constrained delegation model, introduced in Windows Server 2003, does not report that delegation was enabled on a security context when a client connects to a server. Callers of RPC and COM are encouraged to use the RPC_C_QOS_CAPABILITIES_IGNORE_DELEGATE_FAILURE flag, but some applications written for the traditional delegation model prior to Windows Server 2003 may not use this flag and will encounter RPC_S_SEC_PKG_ERROR when connecting to a server that uses constrained delegation.
+
+If you disable this policy setting, the RPC Runtime will generate RPC_S_SEC_PKG_ERROR errors to applications that ask for delegation and connect to servers using constrained delegation.
+
+If you do not configure this policy setting, it remains disabled and will generate RPC_S_SEC_PKG_ERROR errors to applications that ask for delegation and connect to servers using constrained delegation.
+
+If you enable this policy setting, then:
+
+- "Off" directs the RPC Runtime to generate RPC_S_SEC_PKG_ERROR if the client asks for delegation, but the created security context does not support delegation.
+
+- "On" directs the RPC Runtime to accept security contexts that do not support delegation even if delegation was asked for.
+
+> [!NOTE]
+> This policy setting will not be applied until the system is rebooted.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Ignore Delegation Failure*
+- GP name: *RpcIgnoreDelegationFailure*
+- GP path: *System\Remote Procedure Call*
+- GP ADMX file name: *RPC.admx*
+
+
+
+
+
+
+
+**ADMX_RPC/RpcMinimumHttpConnectionTimeout**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the idle connection timeout for RPC/HTTP connections.
+
+This policy setting is useful in cases where a network agent like an HTTP proxy or a router uses a lower idle connection timeout than the IIS server running the RPC/HTTP proxy. In such cases, RPC/HTTP clients may encounter errors because connections will be timed out faster than expected. Using this policy setting you can force the RPC Runtime and the RPC/HTTP Proxy to use a lower connection timeout.
+
+This policy setting is only applicable when the RPC Client, the RPC Server and the RPC HTTP Proxy are all running Windows Server 2003 family/Windows XP SP1 or higher versions. If either the RPC Client or the RPC Server or the RPC HTTP Proxy run on an older version of Windows, this policy setting will be ignored.
+
+The minimum allowed value for this policy setting is 90 seconds. The maximum is 7200 seconds (2 hours).
+
+If you disable this policy setting, the idle connection timeout on the IIS server running the RPC HTTP proxy will be used.
+
+If you do not configure this policy setting, it will remain disabled. The idle connection timeout on the IIS server running the RPC HTTP proxy will be used.
+
+If you enable this policy setting, and the IIS server running the RPC HTTP proxy is configured with a lower idle connection timeout, the timeout on the IIS server is used. Otherwise, the provided timeout value is used. The timeout is given in seconds.
+
+> [!NOTE]
+> This policy setting will not be applied until the system is rebooted.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Set Minimum Idle Connection Timeout for RPC/HTTP connections*
+- GP name: *RpcMinimumHttpConnectionTimeout*
+- GP path: *System\Remote Procedure Call*
+- GP ADMX file name: *RPC.admx*
+
+
+
+
+
+
+**ADMX_RPC/RpcStateInformation**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the RPC Runtime maintains RPC state information for the system, and how much information it maintains. Basic state information, which consists only of the most commonly needed state data, is required for troubleshooting RPC problems.
+
+If you disable this policy setting, the RPC runtime defaults to "Auto2" level.
+
+If you do not configure this policy setting, the RPC defaults to "Auto2" level.
+
+If you enable this policy setting, you can use the drop-down box to determine which systems maintain RPC state information.
+
+- "None" indicates that the system does not maintain any RPC state information. Note: Because the basic state information required for troubleshooting has a negligible effect on performance and uses only about 4K of memory, this setting is not recommended for most installations.
+
+- "Auto1" directs RPC to maintain basic state information only if the computer has at least 64 MB of memory.
+
+- "Auto2" directs RPC to maintain basic state information only if the computer has at least 128 MB of memory and is running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server.
+
+- "Server" directs RPC to maintain basic state information on the computer, regardless of its capacity.
+
+- "Full" directs RPC to maintain complete RPC state information on the system, regardless of its capacity. Because this level can degrade performance, it is recommended for use only while you are investigating an RPC problem.
+
+> [!NOTE]
+> To retrieve the RPC state information from a system that maintains it, you must use a debugging tool.
+>
+> This policy setting will not be applied until the system is rebooted.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Maintain RPC Troubleshooting State Information*
+- GP name: *RpcStateInformation*
+- GP path: *System\Remote Procedure Call*
+- GP ADMX file name: *RPC.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-scripts.md b/windows/client-management/mdm/policy-csp-admx-scripts.md
index 7f655514ef..56b8fa10a1 100644
--- a/windows/client-management/mdm/policy-csp-admx-scripts.md
+++ b/windows/client-management/mdm/policy-csp-admx-scripts.md
@@ -107,7 +107,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows user logon scripts to run when the logon cross-forest, DNS suffixes are not configured, and NetBIOS or WINS is disabled. This policy setting affects all user accounts interactively logging on to the computer.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows user logon scripts to run when the logon cross-forest, DNS suffixes are not configured, and NetBIOS or WINS is disabled. This policy setting affects all user accounts interactively logging on to the computer.
If you enable this policy setting, user logon scripts run if NetBIOS or WINS is disabled during cross-forest logons without the DNS suffixes being configured.
@@ -176,7 +176,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines how long the system waits for scripts applied by Group Policy to run.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines how long the system waits for scripts applied by Group Policy to run.
This setting limits the total time allowed for all logon, logoff, startup, and shutdown scripts applied by Group Policy to finish running. If the scripts have not finished running when the specified time expires, the system stops script processing and records an error event.
@@ -251,7 +251,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts.
If you enable this policy setting, within each applicable Group Policy Object (GPO), Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown.
@@ -343,7 +343,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting hides the instructions in logon scripts written for Windows NT 4.0 and earlier.
+Available in the latest Windows 10 Insider Preview Build. This policy setting hides the instructions in logon scripts written for Windows NT 4.0 and earlier.
Logon scripts are batch files of instructions that run when the user logs on. By default, Windows 2000 displays the instructions in logon scripts written for Windows NT 4.0 and earlier in a command window as they run, although it does not display logon scripts written for Windows 2000.
@@ -416,7 +416,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting displays the instructions in logoff scripts as they run.
+Available in the latest Windows 10 Insider Preview Build. This policy setting displays the instructions in logoff scripts as they run.
Logoff scripts are batch files of instructions that run when the user logs off. By default, the system does not display the instructions in the logoff script.
@@ -487,7 +487,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop.
+Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop.
If you enable this policy setting, File Explorer does not start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop.
@@ -558,7 +558,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop.
+Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop.
If you enable this policy setting, File Explorer does not start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop.
@@ -629,7 +629,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting displays the instructions in logon scripts as they run.
+Available in the latest Windows 10 Insider Preview Build. This policy setting displays the instructions in logon scripts as they run.
Logon scripts are batch files of instructions that run when the user logs on. By default, the system does not display the instructions in logon scripts.
@@ -700,7 +700,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting displays the instructions in shutdown scripts as they run.
+Available in the latest Windows 10 Insider Preview Build. This policy setting displays the instructions in shutdown scripts as they run.
Shutdown scripts are batch files of instructions that run when the user restarts the system or shuts it down. By default, the system does not display the instructions in the shutdown script.
@@ -771,7 +771,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting lets the system run startup scripts simultaneously.
+Available in the latest Windows 10 Insider Preview Build. This policy setting lets the system run startup scripts simultaneously.
Startup scripts are batch files that run before the user is invited to log on. By default, the system waits for each startup script to complete before it runs the next startup script.
@@ -845,7 +845,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting displays the instructions in startup scripts as they run.
+Available in the latest Windows 10 Insider Preview Build. This policy setting displays the instructions in startup scripts as they run.
Startup scripts are batch files of instructions that run before the user is invited to log on. By default, the system does not display the instructions in the startup script.
@@ -920,7 +920,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during user logon and logoff. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during user logon and logoff. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts.
If you enable this policy setting, within each applicable Group Policy Object (GPO), PowerShell scripts are run before non-PowerShell scripts during user logon and logoff.
@@ -972,14 +972,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-sdiageng.md b/windows/client-management/mdm/policy-csp-admx-sdiageng.md
index ce4096ecc5..dca614dec2 100644
--- a/windows/client-management/mdm/policy-csp-admx-sdiageng.md
+++ b/windows/client-management/mdm/policy-csp-admx-sdiageng.md
@@ -80,7 +80,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows users who are connected to the Internet to access and search troubleshooting content that is hosted on Microsoft content servers. Users can access online troubleshooting content from within the Troubleshooting Control Panel UI by clicking "Yes" when they are prompted by a message that states, "Do you want the most up-to-date troubleshooting content?"
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows users who are connected to the Internet to access and search troubleshooting content that is hosted on Microsoft content servers. Users can access online troubleshooting content from within the Troubleshooting Control Panel UI by clicking "Yes" when they are prompted by a message that states, "Do you want the most up-to-date troubleshooting content?"
If you enable or do not configure this policy setting, users who are connected to the Internet can access and search troubleshooting content that is hosted on Microsoft content servers from within the Troubleshooting Control Panel user interface.
@@ -149,7 +149,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows users to access and run the troubleshooting tools that are available in the Troubleshooting Control Panel and to run the troubleshooting wizard to troubleshoot problems on their computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows users to access and run the troubleshooting tools that are available in the Troubleshooting Control Panel and to run the troubleshooting wizard to troubleshoot problems on their computers.
If you enable or do not configure this policy setting, users can access and run the troubleshooting tools from the Troubleshooting Control Panel.
@@ -220,7 +220,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether scripted diagnostics will execute diagnostic packages that are signed by untrusted publishers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether scripted diagnostics will execute diagnostic packages that are signed by untrusted publishers.
If you enable this policy setting, the scripted diagnostics execution engine validates the signer of any diagnostic package and runs only those signed by trusted publishers.
@@ -247,14 +247,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-securitycenter.md b/windows/client-management/mdm/policy-csp-admx-securitycenter.md
index 3f963a77cb..7590b70934 100644
--- a/windows/client-management/mdm/policy-csp-admx-securitycenter.md
+++ b/windows/client-management/mdm/policy-csp-admx-securitycenter.md
@@ -74,7 +74,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether Security Center is turned on or off for computers that are joined to an Active Directory domain. When Security Center is turned on, it monitors essential security settings and notifies the user when the computer might be at risk. The Security Center Control Panel category view also contains a status section, where the user can get recommendations to help increase the computer's security. When Security Center is not enabled on the domain, neither the notifications nor the Security Center status section are displayed.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Security Center is turned on or off for computers that are joined to an Active Directory domain. When Security Center is turned on, it monitors essential security settings and notifies the user when the computer might be at risk. The Security Center Control Panel category view also contains a status section, where the user can get recommendations to help increase the computer's security. When Security Center is not enabled on the domain, neither the notifications nor the Security Center status section are displayed.
Note that Security Center can only be turned off for computers that are joined to a Windows domain. When a computer is not joined to a Windows domain, the policy setting will have no effect.
@@ -113,14 +113,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-sensors.md b/windows/client-management/mdm/policy-csp-admx-sensors.md
new file mode 100644
index 0000000000..66a0fdf6d6
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-sensors.md
@@ -0,0 +1,402 @@
+---
+title: Policy CSP - ADMX_Sensors
+description: Policy CSP - ADMX_Sensors
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 10/22/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_Sensors
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_Sensors policies
+
+
+
+
+
+
+
+
+**ADMX_Sensors/DisableLocationScripting_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting turns off scripting for the location feature.
+
+If you enable this policy setting, scripts for the location feature will not run.
+
+If you disable or do not configure this policy setting, all location scripts will run.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off location scripting*
+- GP name: *DisableLocationScripting_1*
+- GP path: *Windows Components\Location and Sensors*
+- GP ADMX file name: *Sensors.admx*
+
+
+
+
+
+
+**ADMX_Sensors/DisableLocationScripting_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting turns off scripting for the location feature.
+
+If you enable this policy setting, scripts for the location feature will not run.
+
+If you disable or do not configure this policy setting, all location scripts will run.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off location scripting*
+- GP name: *DisableLocationScripting_2*
+- GP path: *Windows Components\Location and Sensors*
+- GP ADMX file name: *Sensors.admx*
+
+
+
+
+
+
+**ADMX_Sensors/DisableLocation_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the location feature for this computer.
+
+If you enable this policy setting, the location feature is turned off, and all programs on this computer are prevented from using location information from the location feature.
+
+If you disable or do not configure this policy setting, all programs on this computer will not be prevented from using location information from the location feature.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off location*
+- GP name: *DisableLocation_1*
+- GP path: *Windows Components\Location and Sensors*
+- GP ADMX file name: *Sensors.admx*
+
+
+
+
+
+
+**ADMX_Sensors/DisableSensors_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the sensor feature for this computer.
+
+If you enable this policy setting, the sensor feature is turned off, and all programs on this computer cannot use the sensor feature.
+
+If you disable or do not configure this policy setting, all programs on this computer can use the sensor feature.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off sensors*
+- GP name: *DisableSensors_1*
+- GP path: *Windows Components\Location and Sensors*
+- GP ADMX file name: *Sensors.admx*
+
+
+
+
+
+
+**ADMX_Sensors/DisableSensors_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the sensor feature for this computer.
+
+If you enable this policy setting, the sensor feature is turned off, and all programs on this computer cannot use the sensor feature.
+
+If you disable or do not configure this policy setting, all programs on this computer can use the sensor feature.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off sensors*
+- GP name: *DisableSensors_2*
+- GP path: *Windows Components\Location and Sensors*
+- GP ADMX file name: *Sensors.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-servicing.md b/windows/client-management/mdm/policy-csp-admx-servicing.md
index c18852e5ea..af834f2656 100644
--- a/windows/client-management/mdm/policy-csp-admx-servicing.md
+++ b/windows/client-management/mdm/policy-csp-admx-servicing.md
@@ -74,7 +74,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optional features that have had their payload files removed.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optional features that have had their payload files removed.
If you enable this policy setting and specify the new location, the files in that location will be used to repair operating system corruption and for enabling optional features that have had their payload files removed. You must enter the fully qualified path to the new location in the ""Alternate source file path"" text box. Multiple locations can be specified when each path is separated by a semicolon.
@@ -103,14 +103,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-settingsync.md b/windows/client-management/mdm/policy-csp-admx-settingsync.md
new file mode 100644
index 0000000000..53ca6431fc
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-settingsync.md
@@ -0,0 +1,706 @@
+---
+title: Policy CSP - ADMX_SettingSync
+description: Policy CSP - ADMX_SettingSync
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 12/01/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_SettingSync
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_SettingSync policies
+
+
+
+
+
+
+
+
+**ADMX_SettingSync/DisableAppSyncSettingSync**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Prevent the "AppSync" group from syncing to and from this PC. This turns off and disables the "AppSync" group on the "sync your settings" page in PC settings.
+
+If you enable this policy setting, the "AppSync" group will not be synced.
+
+Use the option "Allow users to turn app syncing on" so that syncing it turned off by default but not disabled.
+
+If you do not set or disable this setting, syncing of the "AppSync" group is on by default and configurable by the user.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not sync Apps*
+- GP name: *DisableAppSyncSettingSync*
+- GP path: *Windows Components\Sync your settings*
+- GP ADMX file name: *SettingSync.admx*
+
+
+
+
+
+
+**ADMX_SettingSync/DisableApplicationSettingSync**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Prevent the "app settings" group from syncing to and from this PC. This turns off and disables the "app settings" group on the "sync your settings" page in PC settings.
+
+If you enable this policy setting, the "app settings" group will not be synced.
+
+Use the option "Allow users to turn app settings syncing on" so that syncing it turned off by default but not disabled.
+
+If you do not set or disable this setting, syncing of the "app settings" group is on by default and configurable by the user.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not sync app settings*
+- GP name: *DisableApplicationSettingSync*
+- GP path: *Windows Components\Sync your settings*
+- GP ADMX file name: *SettingSync.admx*
+
+
+
+
+
+
+**ADMX_SettingSync/DisableCredentialsSettingSync**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Prevent the "passwords" group from syncing to and from this PC. This turns off and disables the "passwords" group on the "sync your settings" page in PC settings.
+
+If you enable this policy setting, the "passwords" group will not be synced.
+
+Use the option "Allow users to turn passwords syncing on" so that syncing it turned off by default but not disabled.
+
+If you do not set or disable this setting, syncing of the "passwords" group is on by default and configurable by the user.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not sync passwords*
+- GP name: *DisableCredentialsSettingSync*
+- GP path: *Windows Components\Sync your settings*
+- GP ADMX file name: *SettingSync.admx*
+
+
+
+
+
+
+**ADMX_SettingSync/DisableDesktopThemeSettingSync**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Prevent the "desktop personalization" group from syncing to and from this PC. This turns off and disables the "desktop personalization" group on the "sync your settings" page in PC settings.
+
+If you enable this policy setting, the "desktop personalization" group will not be synced.
+
+Use the option "Allow users to turn desktop personalization syncing on" so that syncing it turned off by default but not disabled.
+
+If you do not set or disable this setting, syncing of the "desktop personalization" group is on by default and configurable by the user.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not sync desktop personalization*
+- GP name: *DisableDesktopThemeSettingSync*
+- GP path: *Windows Components\Sync your settings*
+- GP ADMX file name: *SettingSync.admx*
+
+
+
+
+
+
+**ADMX_SettingSync/DisablePersonalizationSettingSync**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Prevent the "personalize" group from syncing to and from this PC. This turns off and disables the "personalize" group on the "sync your settings" page in PC settings.
+
+If you enable this policy setting, the "personalize" group will not be synced.
+
+Use the option "Allow users to turn personalize syncing on" so that syncing it turned off by default but not disabled.
+
+If you do not set or disable this setting, syncing of the "personalize" group is on by default and configurable by the user.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not sync personalize*
+- GP name: *DisablePersonalizationSettingSync*
+- GP path: *Windows Components\Sync your settings*
+- GP ADMX file name: *SettingSync.admx*
+
+
+
+
+
+
+**ADMX_SettingSync/DisableSettingSync**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Prevent syncing to and from this PC. This turns off and disables the "sync your settings" switch on the "sync your settings" page in PC Settings.
+
+If you enable this policy setting, "sync your settings" will be turned off, and none of the "sync your setting" groups will be synced on this PC.
+
+Use the option "Allow users to turn syncing on" so that syncing it turned off by default but not disabled.
+
+If you do not set or disable this setting, "sync your settings" is on by default and configurable by the user.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not sync*
+- GP name: *DisableSettingSync*
+- GP path: *Windows Components\Sync your settings*
+- GP ADMX file name: *SettingSync.admx*
+
+
+
+
+
+
+**ADMX_SettingSync/DisableStartLayoutSettingSync**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Prevent the "Start layout" group from syncing to and from this PC. This turns off and disables the "Start layout" group on the "sync your settings" page in PC settings.
+
+If you enable this policy setting, the "Start layout" group will not be synced.
+
+Use the option "Allow users to turn start syncing on" so that syncing is turned off by default but not disabled.
+
+If you do not set or disable this setting, syncing of the "Start layout" group is on by default and configurable by the user.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not sync start settings*
+- GP name: *DisableStartLayoutSettingSync*
+- GP path: *Windows Components\Sync your settings*
+- GP ADMX file name: *SettingSync.admx*
+
+
+
+
+
+
+**ADMX_SettingSync/DisableSyncOnPaidNetwork**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Prevent syncing to and from this PC when on metered Internet connections. This turns off and disables "sync your settings on metered connections" switch on the "sync your settings" page in PC Settings.
+
+If you enable this policy setting, syncing on metered connections will be turned off, and no syncing will take place when this PC is on a metered connection.
+
+If you do not set or disable this setting, syncing on metered connections is configurable by the user.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not sync on metered connections*
+- GP name: *DisableSyncOnPaidNetwork*
+- GP path: *Windows Components\Sync your settings*
+- GP ADMX file name: *SettingSync.admx*
+
+
+
+
+
+
+**ADMX_SettingSync/DisableWindowsSettingSync**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Prevent the "Other Windows settings" group from syncing to and from this PC. This turns off and disables the "Other Windows settings" group on the "sync your settings" page in PC settings.
+
+If you enable this policy setting, the "Other Windows settings" group will not be synced.
+
+Use the option "Allow users to turn other Windows settings syncing on" so that syncing it turned off by default but not disabled.
+
+If you do not set or disable this setting, syncing of the "Other Windows settings" group is on by default and configurable by the user.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not sync other Windows settings*
+- GP name: *DisableWindowsSettingSync*
+- GP path: *Windows Components\Sync your settings*
+- GP ADMX file name: *SettingSync.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md
index 7b7f7b195c..a9749a346b 100644
--- a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md
+++ b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md
@@ -76,7 +76,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether the user can publish DFS roots in Active Directory Domain Services (AD DS).
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the user can publish DFS roots in Active Directory Domain Services (AD DS).
If you enable or do not configure this policy setting, users can use the "Publish in Active Directory" option to publish DFS roots as shared folders in AD DS .
@@ -149,7 +149,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether the user can publish shared folders in Active Directory Domain Services (AD DS).
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the user can publish shared folders in Active Directory Domain Services (AD DS).
If you enable or do not configure this policy setting, users can use the "Publish in Active Directory" option in the Shared Folders snap-in to publish shared folders in AD DS.
@@ -179,14 +179,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-sharing.md b/windows/client-management/mdm/policy-csp-admx-sharing.md
index a293d2b013..42e13cdd7d 100644
--- a/windows/client-management/mdm/policy-csp-admx-sharing.md
+++ b/windows/client-management/mdm/policy-csp-admx-sharing.md
@@ -73,7 +73,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether users can share files within their profile. By default users are allowed to share files within their profile to other users on their network after an administrator opts in the computer. An administrator can opt in the computer by using the sharing wizard to share a file within their profile.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether users can share files within their profile. By default users are allowed to share files within their profile to other users on their network after an administrator opts in the computer. An administrator can opt in the computer by using the sharing wizard to share a file within their profile.
If you enable this policy setting, users cannot share files within their profile using the sharing wizard. Also, the sharing wizard cannot create a share at %root%\users and can only be used to create SMB shares on folders.
@@ -100,14 +100,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md b/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md
index e8df85ad6d..58d1a90759 100644
--- a/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md
+++ b/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md
@@ -83,7 +83,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from running the interactive command prompt, Cmd.exe. This policy setting also determines whether batch files (.cmd and .bat) can run on the computer.
+Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from running the interactive command prompt, Cmd.exe. This policy setting also determines whether batch files (.cmd and .bat) can run on the computer.
If you enable this policy setting and the user tries to open a command window, the system displays a message explaining that a setting prevents the action.
@@ -155,7 +155,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. Disables the Windows registry editor Regedit.exe.
+Available in the latest Windows 10 Insider Preview Build. Disables the Windows registry editor Regedit.exe.
If you enable this policy setting and the user tries to start Regedit.exe, a message appears explaining that a policy setting prevents the action.
@@ -227,7 +227,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting prevents Windows from running the programs you specify in this policy setting.
+Available in the latest Windows 10 Insider Preview Build. This policy setting prevents Windows from running the programs you specify in this policy setting.
If you enable this policy setting, users cannot run programs that you add to the list of disallowed applications.
@@ -302,7 +302,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. Limits the Windows programs that users have permission to run on the computer.
+Available in the latest Windows 10 Insider Preview Build. Limits the Windows programs that users have permission to run on the computer.
If you enable this policy setting, users can only run programs that you add to the list of allowed applications.
@@ -335,14 +335,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-skydrive.md b/windows/client-management/mdm/policy-csp-admx-skydrive.md
new file mode 100644
index 0000000000..e42d009528
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-skydrive.md
@@ -0,0 +1,117 @@
+---
+title: Policy CSP - ADMX_SkyDrive
+description: Policy CSP - ADMX_SkyDrive
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 12/08/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_SkyDrive
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_SkyDrive policies
+
+
+
+
+
+
+
+**ADMX_SkyDrive/PreventNetworkTrafficPreUserSignIn**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Enable this setting to prevent the OneDrive sync client (OneDrive.exe) from generating network traffic (checking for updates, etc.) until the user signs in to OneDrive or starts syncing files to the local computer.
+
+If you enable this setting, users must sign in to the OneDrive sync client on the local computer, or select to sync OneDrive or SharePoint files on the computer, for the sync client to start automatically.
+
+If this setting is not enabled, the OneDrive sync client will start automatically when users sign in to Windows.
+
+If you enable or disable this setting, do not return the setting to Not Configured. Doing so will not change the configuration and the last configured setting will remain in effect.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prevent OneDrive from generating network traffic until the user signs in to OneDrive*
+- GP name: *PreventNetworkTrafficPreUserSignIn*
+- GP path: *Windows Components\OneDrive*
+- GP ADMX file name: *SkyDrive.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-smartcard.md b/windows/client-management/mdm/policy-csp-admx-smartcard.md
index 76452c2119..b75b3b086d 100644
--- a/windows/client-management/mdm/policy-csp-admx-smartcard.md
+++ b/windows/client-management/mdm/policy-csp-admx-smartcard.md
@@ -119,7 +119,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting lets you allow certificates without an Extended Key Usage (EKU) set to be used for logon.
+Available in the latest Windows 10 Insider Preview Build. This policy setting lets you allow certificates without an Extended Key Usage (EKU) set to be used for logon.
In versions of Windows prior to Windows Vista, smart card certificates that are used for logon require an enhanced key usage (EKU) extension with a smart card logon object identifier. This policy setting can be used to modify that restriction.
@@ -194,7 +194,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting lets you determine whether the integrated unblock feature will be available in the logon User Interface (UI).
+Available in the latest Windows 10 Insider Preview Build. This policy setting lets you determine whether the integrated unblock feature will be available in the logon User Interface (UI).
In order to use the integrated unblock feature your smart card must support this feature. Please check with your hardware manufacturer to see if your smart card supports this feature.
@@ -265,7 +265,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting lets you allow signature key-based certificates to be enumerated and available for logon.
+Available in the latest Windows 10 Insider Preview Build. This policy setting lets you allow signature key-based certificates to be enumerated and available for logon.
If you enable this policy setting then any certificates available on the smart card with a signature only key will be listed on the logon screen.
@@ -334,7 +334,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting permits those certificates to be displayed for logon that are either expired or not yet valid.
+Available in the latest Windows 10 Insider Preview Build. This policy setting permits those certificates to be displayed for logon that are either expired or not yet valid.
Under previous versions of Microsoft Windows, certificates were required to contain a valid time and not be expired. The certificate must still be accepted by the domain controller in order to be used. This setting only controls the displaying of the certificate on the client machine.
@@ -405,7 +405,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the certificate propagation that occurs when a smart card is inserted.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the certificate propagation that occurs when a smart card is inserted.
If you enable or do not configure this policy setting then certificate propagation will occur when you insert your smart card.
@@ -474,7 +474,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the cleanup behavior of root certificates. If you enable this policy setting then root certificate cleanup will occur according to the option selected. If you disable or do not configure this setting then root certificate cleanup will occur on logoff.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the cleanup behavior of root certificates. If you enable this policy setting then root certificate cleanup will occur according to the option selected. If you disable or do not configure this setting then root certificate cleanup will occur on logoff.
> [!TIP]
@@ -539,7 +539,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the root certificate propagation that occurs when a smart card is inserted.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the root certificate propagation that occurs when a smart card is inserted.
If you enable or do not configure this policy setting then root certificate propagation will occur when you insert your smart card.
@@ -611,7 +611,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting prevents plaintext PINs from being returned by Credential Manager.
+Available in the latest Windows 10 Insider Preview Build. This policy setting prevents plaintext PINs from being returned by Credential Manager.
If you enable this policy setting, Credential Manager does not return a plaintext PIN.
@@ -683,7 +683,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to log on to a domain.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to log on to a domain.
If you enable this policy setting, ECC certificates on a smart card can be used to log on to a domain.
@@ -755,7 +755,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting lets you configure if all your valid logon certificates are displayed.
+Available in the latest Windows 10 Insider Preview Build. This policy setting lets you configure if all your valid logon certificates are displayed.
During the certificate renewal period, a user can have multiple valid logon certificates issued from the same certificate template. This can cause confusion as to which certificate to select for logon. The common case for this behavior is when a certificate is renewed and the old one has not yet expired. Two certificates are determined to be the same if they are issued from the same template with the same major version and they are for the same user (determined by their UPN).
@@ -831,7 +831,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the reading of all certificates from the smart card for logon.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the reading of all certificates from the smart card for logon.
During logon Windows will by default only read the default certificate from the smart card unless it supports retrieval of all certificates in a single call. This setting forces Windows to read all the certificates from the card. This can introduce a significant performance decrease in certain situations. Please contact your smart card vendor to determine if your smart card and associated CSP supports the required behavior.
@@ -902,7 +902,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the displayed message when a smart card is blocked.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the displayed message when a smart card is blocked.
If you enable this policy setting, the specified message will be displayed to the user when the smart card is blocked.
@@ -974,7 +974,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting lets you reverse the subject name from how it is stored in the certificate when displaying it during logon.
+Available in the latest Windows 10 Insider Preview Build. This policy setting lets you reverse the subject name from how it is stored in the certificate when displaying it during logon.
By default the user principal name (UPN) is displayed in addition to the common name to help users distinguish one certificate from another. For example, if the certificate subject was CN=User1, OU=Users, DN=example, DN=com and had an UPN of user1@example.com then "User1" will be displayed along with "user1@example.com." If the UPN is not present then the entire subject name will be displayed. This setting controls the appearance of that subject name and might need to be adjusted per organization.
@@ -1045,7 +1045,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to control whether Smart Card Plug and Play is enabled.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether Smart Card Plug and Play is enabled.
If you enable or do not configure this policy setting, Smart Card Plug and Play will be enabled and the system will attempt to install a Smart Card device driver when a card is inserted in a Smart Card Reader for the first time.
@@ -1117,7 +1117,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to control whether a confirmation message is displayed when a smart card device driver is installed.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether a confirmation message is displayed when a smart card device driver is installed.
If you enable or do not configure this policy setting, a confirmation message will be displayed when a smart card device driver is installed.
@@ -1189,7 +1189,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting lets you determine whether an optional field will be displayed during logon and elevation that allows a user to enter his or her user name or user name and domain, thereby associating a certificate with that user.
+Available in the latest Windows 10 Insider Preview Build. This policy setting lets you determine whether an optional field will be displayed during logon and elevation that allows a user to enter his or her user name or user name and domain, thereby associating a certificate with that user.
If you enable this policy setting then an optional field that allows a user to enter their user name or user name and domain will be displayed.
@@ -1216,14 +1216,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-snmp.md b/windows/client-management/mdm/policy-csp-admx-snmp.md
index 2a83f8346c..8b1a15bdca 100644
--- a/windows/client-management/mdm/policy-csp-admx-snmp.md
+++ b/windows/client-management/mdm/policy-csp-admx-snmp.md
@@ -80,7 +80,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures a list of the communities defined to the Simple Network Management Protocol (SNMP) service.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures a list of the communities defined to the Simple Network Management Protocol (SNMP) service.
SNMP is a protocol designed to give a user the capability to remotely manage a computer network, by polling and setting terminal values and monitoring network events.
@@ -161,7 +161,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting determines the permitted list of hosts that can submit a query to the Simple Network Management (SNMP) agent running on the client computer.
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines the permitted list of hosts that can submit a query to the Simple Network Management (SNMP) agent running on the client computer.
Simple Network Management Protocol is a protocol designed to give a user the capability to remotely manage a computer network by polling and setting terminal values and monitoring network events.
@@ -241,7 +241,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows trap configuration for the Simple Network Management Protocol (SNMP) agent.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows trap configuration for the Simple Network Management Protocol (SNMP) agent.
Simple Network Management Protocol is a protocol designed to give a user the capability to remotely manage a computer network by polling and setting terminal values and monitoring network events.
@@ -277,14 +277,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-startmenu.md b/windows/client-management/mdm/policy-csp-admx-startmenu.md
new file mode 100644
index 0000000000..2c16014c48
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-startmenu.md
@@ -0,0 +1,5011 @@
+---
+title: Policy CSP - ADMX_StartMenu
+description: Policy CSP - ADMX_StartMenu
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 10/20/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_StartMenu
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_StartMenu policies
+
+
+
+
+
+
+
+
+**ADMX_StartMenu/AddSearchInternetLinkInStartMenu**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. If you enable this policy, a "Search the Internet" link is shown when the user performs a search in the start menu search box. This button launches the default browser with the search terms.
+
+If you disable this policy, there will not be a "Search the Internet" link when the user performs a search in the start menu search box.
+
+If you do not configure this policy (default), there will not be a "Search the Internet" link on the start menu.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Add Search Internet link to Start Menu*
+- GP name: *AddSearchInternetLinkInStartMenu*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/ClearRecentDocsOnExit**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Clear history of recently opened documents on exit.
+
+If you enable this setting, the system deletes shortcuts to recently used document files when the user logs off. As a result, the Recent Items menu on the Start menu is always empty when the user logs on. In addition, recently and frequently used items in the Jump Lists off of programs in the Start Menu and Taskbar will be cleared when the user logs off.
+
+If you disable or do not configure this setting, the system retains document shortcuts, and when a user logs on, the Recent Items menu and the Jump Lists appear just as it did when the user logged off.
+
+> [!NOTE]
+> The system saves document shortcuts in the user profile in the System-drive\Users\User-name\Recent folder.
+
+Also, see the "Remove Recent Items menu from Start Menu" and "Do not keep history of recently opened documents" policies in this folder. The system only uses this setting when neither of these related settings are selected.
+
+This setting does not clear the list of recent files that Windows programs display at the bottom of the File menu. See the "Do not keep history of recently opened documents" setting.
+
+This policy setting also does not hide document shortcuts displayed in the Open dialog box. See the "Hide the dropdown list of recent files" setting.
+
+This policy also does not clear items that the user may have pinned to the Jump Lists, or Tasks that the application has provided for their menu. See the "Do not allow pinning items in Jump Lists" setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Clear history of recently opened documents on exit*
+- GP name: *ClearRecentDocsOnExit*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/ClearRecentProgForNewUserInStartMenu**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. If you enable this policy setting, the recent programs list in the start menu will be blank for each new user.
+
+If you disable or do not configure this policy, the start menu recent programs list will be pre-populated with programs for each new user.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Clear the recent programs list for new users*
+- GP name: *ClearRecentProgForNewUserInStartMenu*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/ClearTilesOnExit**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. If you enable this setting, the system deletes tile notifications when the user logs on. As a result, the Tiles in the start view will always show their default content when the user logs on. In addition, any cached versions of these notifications will be cleared when the user logs on.
+
+If you disable or do not configure this setting, the system retains notifications, and when a user logs on, the tiles appear just as they did when the user logged off, including the history of previous notifications for each tile.
+
+This setting does not prevent new notifications from appearing. See the "Turn off Application Notifications" setting to prevent new notifications.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Clear tile notifications during log on*
+- GP name: *ClearTilesOnExit*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/DesktopAppsFirstInAppsView**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows desktop apps to be listed first in the Apps view in Start.
+
+If you enable this policy setting, desktop apps would be listed first when the apps are sorted by category in the Apps view. The other sorting options would continue to be available and the user could choose to change their default sorting options.
+
+If you disable or don't configure this policy setting, the desktop apps won't be listed first when the apps are sorted by category, and the user can configure this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *List desktop apps first in the Apps view*
+- GP name: *DesktopAppsFirstInAppsView*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/DisableGlobalSearchOnAppsView**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the user from searching apps, files, settings (and the web if enabled) when the user searches from the Apps view.
+
+This policy setting is only applied when the Apps view is set as the default view for Start.
+
+If you enable this policy setting, searching from the Apps view will only search the list of installed apps.
+
+If you disable or don’t configure this policy setting, the user can configure this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Search just apps from the Apps view*
+- GP name: *DisableGlobalSearchOnAppsView*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/ForceStartMenuLogOff**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy only applies to the classic version of the start menu and does not affect the new style start menu.
+
+Adds the "Log Off `
+
+
+**ADMX_StartMenu/GoToDesktopOnSignIn**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows users to go to the desktop instead of the Start screen when they sign in.
+
+If you enable this policy setting, users will always go to the desktop when they sign in.
+
+If you disable this policy setting, users will always go to the Start screen when they sign in.
+
+If you don’t configure this policy setting, the default setting for the user’s device will be used, and the user can choose to change it.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Go to the desktop instead of Start when signing in*
+- GP name: *GoToDesktopOnSignIn*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/GreyMSIAds**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Displays Start menu shortcuts to partially installed programs in gray text.
+
+This setting makes it easier for users to distinguish between programs that are fully installed and those that are only partially installed.
+
+Partially installed programs include those that a system administrator assigns using Windows Installer and those that users have configured for full installation upon first use.
+
+If you disable this setting or do not configure it, all Start menu shortcuts appear as black text.
+
+> [!NOTE]
+> Enabling this setting can make the Start menu slow to open.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Gray unavailable Windows Installer programs Start Menu shortcuts*
+- GP name: *GreyMSIAds*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/HidePowerOptions**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from performing the following commands from the Windows security screen, the logon screen, and the Start menu: Shut Down, Restart, Sleep, and Hibernate. This policy setting does not prevent users from running Windows-based programs that perform these functions.
+
+If you enable this policy setting, the shutdown, restart, sleep, and hibernate commands are removed from the Start menu. The Power button is also removed from the Windows Security screen, which appears when you press CTRL+ALT+DELETE, and from the logon screen.
+
+If you disable or do not configure this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are available on the Start menu. The Power button on the Windows Security and logon screens is also available.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands*
+- GP name: *HidePowerOptions*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/Intellimenus**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Disables personalized menus.
+
+Windows personalizes long menus by moving recently used items to the top of the menu and hiding items that have not been used recently. Users can display the hidden items by clicking an arrow to extend the menu.
+
+If you enable this setting, the system does not personalize menus. All menu items appear and remain in standard order. Also, this setting removes the "Use Personalized Menus" option so users do not try to change the setting while a setting is in effect.
+
+> [!NOTE]
+> Personalized menus require user tracking. If you enable the "Turn off user tracking" setting, the system disables user tracking and personalized menus and ignores this setting.
+
+To Turn off personalized menus without specifying a setting, click Start, click Settings, click Taskbar and Start Menu, and then, on the General tab, clear the "Use Personalized Menus" option.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off personalized menus*
+- GP name: *Intellimenus*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/LockTaskbar**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This setting affects the taskbar, which is used to switch between running applications.
+
+The taskbar includes the Start button, list of currently running tasks, and the notification area. By default, the taskbar is located at the bottom of the screen, but it can be dragged to any side of the screen. When it is locked, it cannot be moved or resized.
+
+If you enable this setting, it prevents the user from moving or resizing the taskbar. While the taskbar is locked, auto-hide and other taskbar options are still available in Taskbar properties.
+
+If you disable this setting or do not configure it, the user can configure the taskbar position.
+
+> [!NOTE]
+> Enabling this setting also locks the QuickLaunch bar and any other toolbars that the user has on their taskbar. The toolbar's position is locked, and the user cannot show and hide various toolbars using the taskbar context menu.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Lock the Taskbar*
+- GP name: *LockTaskbar*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/MemCheckBoxInRunDlg**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting lets users run a 16-bit program in a dedicated (not shared) Virtual DOS Machine (VDM) process.
+
+All DOS and 16-bit programs run on Windows 2000 Professional and Windows XP Professional in the Windows Virtual DOS Machine program. VDM simulates a 16-bit environment, complete with the DLLs required by 16-bit programs. By default, all 16-bit programs run as threads in a single, shared VDM process. As such, they share the memory space allocated to the VDM process and cannot run simultaneously.
+
+Enabling this setting adds a check box to the Run dialog box, giving users the option of running a 16-bit program in its own dedicated NTVDM process. The additional check box is enabled only when a user enters a 16-bit program in the Run dialog box.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Add "Run in Separate Memory Space" check box to Run dialog box*
+- GP name: *MemCheckBoxInRunDlg*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoAutoTrayNotify**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This setting affects the notification area, also called the "system tray."
+
+The notification area is located in the task bar, generally at the bottom of the screen, and it includes the clock and current notifications. This setting determines whether the items are always expanded or always collapsed. By default, notifications are collapsed. The notification cleanup << icon can be referred to as the "notification chevron."
+
+If you enable this setting, the system notification area expands to show all of the notifications that use this area.
+
+If you disable this setting, the system notification area will always collapse notifications.
+
+If you do not configure it, the user can choose if they want notifications collapsed.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off notification area cleanup*
+- GP name: *NoAutoTrayNotify*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoBalloonTip**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Hides pop-up text on the Start menu and in the notification area.
+
+When you hold the cursor over an item on the Start menu or in the notification area, the system displays pop-up text providing additional information about the object.
+
+If you enable this setting, some of this pop-up text is not displayed. The pop-up text affected by this setting includes "Click here to begin" on the Start button, "Where have all my programs gone" on the Start menu, and "Where have my icons gone" in the notification area.
+
+If you disable this setting or do not configure it, all pop-up text is displayed on the Start menu and in the notification area.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Balloon Tips on Start Menu items*
+- GP name: *NoBalloonTip*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoChangeStartMenu**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent users from changing their Start screen layout.
+
+If you enable this setting, you will prevent a user from selecting an app, resizing a tile, pinning/unpinning a tile or a secondary tile, entering the customize mode and rearranging tiles within Start and Apps.
+
+If you disable or do not configure this setting, you will allow a user to select an app, resize a tile, pin/unpin a tile or a secondary tile, enter the customize mode and rearrange tiles within Start and Apps.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prevent users from customizing their Start Screen*
+- GP name: *NoChangeStartMenu*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoClose**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from performing the following commands from the Start menu or Windows Security screen: Shut Down, Restart, Sleep, and Hibernate. This policy setting does not prevent users from running Windows-based programs that perform these functions.
+
+If you enable this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are removed from the Start menu. The Power button is also removed from the Windows Security screen, which appears when you press CTRL+ALT+DELETE.
+
+If you disable or do not configure this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are available on the Start menu. The Power button on the Windows Security screen is also available.
+
+> [!NOTE]
+> Third-party programs certified as compatible with Microsoft Windows Vista, Windows XP SP2, Windows XP SP1, Windows XP, or Windows 2000 Professional are required to support this policy setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands*
+- GP name: *NoClose*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoCommonGroups**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Removes items in the All Users profile from the Programs menu on the Start menu.
+
+By default, the Programs menu contains items from the All Users profile and items from the user's profile. If you enable this setting, only items in the user's profile appear in the Programs menu.
+
+To see the Program menu items in the All Users profile, on the system drive, go to ProgramData\Microsoft\Windows\Start Menu\Programs.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove common program groups from Start Menu*
+- GP name: *NoCommonGroups*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoFavoritesMenu**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Prevents users from adding the Favorites menu to the Start menu or classic Start menu.
+
+If you enable this setting, the Display Favorites item does not appear in the Advanced Start menu options box.
+
+If you disable or do not configure this setting, the Display Favorite item is available.
+
+> [!NOTE]
+> The Favorities menu does not appear on the Start menu by default. To display the Favorites menu, right-click Start, click Properties, and then click Customize. If you are using Start menu, click the Advanced tab, and then, under Start menu items, click the Favorites menu. If you are using the classic Start menu, click Display Favorites under Advanced Start menu options.
+>
+> The items that appear in the Favorites menu when you install Windows are preconfigured by the system to appeal to most users. However, users can add and remove items from this menu, and system administrators can create a customized Favorites menu for a user group.
+>
+> This setting only affects the Start menu. The Favorites item still appears in File Explorer and in Internet Explorer.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Favorites menu from Start Menu*
+- GP name: *NoFavoritesMenu*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoFind**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Search link from the Start menu, and disables some File Explorer search elements. Note that this does not remove the search box from the new style Start menu.
+
+If you enable this policy setting, the Search item is removed from the Start menu and from the context menu that appears when you right-click the Start menu. Also, the system does not respond when users press the Application key (the key with the Windows logo)+ F.
+
+Note: Enabling this policy setting also prevents the user from using the F3 key.
+
+In File Explorer, the Search item still appears on the Standard buttons toolbar, but the system does not respond when the user presses Ctrl+F. Also, Search does not appear in the context menu when you right-click an icon representing a drive or a folder.
+
+This policy setting affects the specified user interface elements only. It does not affect Internet Explorer and does not prevent the user from using other methods to search.
+
+If you disable or do not configure this policy setting, the Search link is available from the Start menu.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Search link from Start Menu*
+- GP name: *NoFind*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoGamesFolderOnStartMenu**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. If you enable this policy the start menu will not show a link to the Games folder.
+
+If you disable or do not configure this policy, the start menu will show a link to the Games folder, unless the user chooses to remove it in the start menu control panel.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Games link from Start Menu*
+- GP name: *NoGamesFolderOnStartMenu*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoHelp**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Help command from the Start menu.
+
+If you enable this policy setting, the Help command is removed from the Start menu.
+
+If you disable or do not configure this policy setting, the Help command is available from the Start menu.
+
+This policy setting only affects the Start menu. It does not remove the Help menu from File Explorer and does not prevent users from running Help.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Help menu from Start Menu*
+- GP name: *NoHelp*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoInstrumentation**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off user tracking.
+
+If you enable this policy setting, the system does not track the programs that the user runs, and does not display frequently used programs in the Start Menu.
+
+If you disable or do not configure this policy setting, the system tracks the programs that the user runs. The system uses this information to customize Windows features, such as showing frequently used programs in the Start Menu.
+
+Also, see these related policy settings: "Remove frequent programs liist from the Start Menu" and "Turn off personalized menus".
+
+This policy setting does not prevent users from pinning programs to the Start Menu or Taskbar. See the "Remove pinned programs list from the Start Menu" and "Do not allow pinning programs to the Taskbar" policy settings.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off user tracking*
+- GP name: *NoInstrumentation*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoMoreProgramsList**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. If you enable this setting, the Start Menu will either collapse or remove the all apps list from the Start menu.
+
+Selecting "Collapse" will not display the app list next to the pinned tiles in Start. An "All apps" button will be displayed on Start to open the all apps list. This is equivalent to setting the "Show app list in Start" in Settings to Off.
+
+Selecting "Collapse and disable setting" will do the same as the collapse option and disable the "Show app list in Start menu" in Settings, so users cannot turn it to On.
+
+Selecting "Remove and disable setting" will remove the all apps list from Start and disable the "Show app list in Start menu" in Settings, so users cannot turn it to On. Select this option for compatibility with earlier versions of Windows.
+
+If you disable or do not configure this setting, the all apps list will be visible by default, and the user can change "Show app list in Start" in Settings.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove All Programs list from the Start menu*
+- GP name: *NoMoreProgramsList*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoNetAndDialupConnect**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove Network Connections from the Start Menu.
+
+If you enable this policy setting, users are prevented from running Network Connections.
+
+Enabling this policy setting prevents the Network Connections folder from opening. This policy setting also removes Network Connections from Settings on the Start menu.
+
+Network Connections still appears in Control Panel and in File Explorer, but if users try to start it, a message appears explaining that a setting prevents the action.
+
+If you disable or do not configure this policy setting, Network Connections is available from the Start Menu.
+
+Also, see the "Disable programs on Settings menu" and "Disable Control Panel" policy settings and the policy settings in the Network Connections folder (Computer Configuration and User Configuration\Administrative Templates\Network\Network Connections).
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Network Connections from Start Menu*
+- GP name: *NoNetAndDialupConnect*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoPinnedPrograms**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. If you enable this setting, the "Pinned Programs" list is removed from the Start menu. Users cannot pin programs to the Start menu.
+
+In Windows XP and Windows Vista, the Internet and email checkboxes are removed from the 'Customize Start Menu' dialog.
+
+If you disable this setting or do not configure it, the "Pinned Programs" list remains on the Start menu. Users can pin and unpin programs in the Start Menu.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove pinned programs list from the Start Menu*
+- GP name: *NoPinnedPrograms*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoRecentDocsMenu**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Removes the Recent Items menu from the Start menu. Removes the Documents menu from the classic Start menu.
+
+The Recent Items menu contains links to the non-program files that users have most recently opened. It appears so that users can easily reopen their documents.
+
+If you enable this setting, the system saves document shortcuts but does not display the Recent Items menu in the Start Menu, and users cannot turn the menu on.
+
+If you later disable the setting, so that the Recent Items menu appears in the Start Menu, the document shortcuts saved before the setting was enabled and while it was in effect appear in the Recent Items menu.
+
+When the setting is disabled, the Recent Items menu appears in the Start Menu, and users cannot remove it.
+
+If the setting is not configured, users can turn the Recent Items menu on and off.
+
+> [!NOTE]
+> This setting does not prevent Windows programs from displaying shortcuts to recently opened documents. See the "Do not keep history of recently opened documents" setting.
+
+This setting also does not hide document shortcuts displayed in the Open dialog box. See the "Hide the dropdown list of recent files" setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Recent Items menu from Start Menu*
+- GP name: *NoRecentDocsMenu*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoResolveSearch**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the system from conducting a comprehensive search of the target drive to resolve a shortcut.
+
+If you enable this policy setting, the system does not conduct the final drive search. It just displays a message explaining that the file is not found.
+
+If you disable or do not configure this policy setting, by default, when the system cannot find the target file for a shortcut (.lnk), it searches all paths associated with the shortcut. If the target file is located on an NTFS partition, the system then uses the target's file ID to find a path. If the resulting path is not correct, it conducts a comprehensive search of the target drive in an attempt to find the file.
+
+> [!NOTE]
+> This policy setting only applies to target files on NTFS partitions. FAT partitions do not have this ID tracking and search capability.
+
+Also, see the "Do not track Shell shortcuts during roaming" and the "Do not use the tracking-based method when resolving shell shortcuts" policy settings.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not use the search-based method when resolving shell shortcuts*
+- GP name: *NoResolveSearch*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoResolveTrack**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the system from using NTFS tracking features to resolve a shortcut.
+
+If you enable this policy setting, the system does not try to locate the file by using its file ID. It skips this step and begins a comprehensive search of the drive specified in the target path.
+
+If you disable or do not configure this policy setting, by default, when the system cannot find the target file for a shortcut (.lnk), it searches all paths associated with the shortcut. If the target file is located on an NTFS partition, the system then uses the target's file ID to find a path. If the resulting path is not correct, it conducts a comprehensive search of the target drive in an attempt to find the file.
+
+> [!NOTE]
+> This policy setting only applies to target files on NTFS partitions. FAT partitions do not have this ID tracking and search capability.
+
+Also, see the "Do not track Shell shortcuts during roaming" and the "Do not use the search-based method when resolving shell shortcuts" policy settings.
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not use the tracking-based method when resolving shell shortcuts*
+- GP name: *NoResolveTrack*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoRun**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Allows you to remove the Run command from the Start menu, Internet Explorer, and Task Manager.
+
+If you enable this setting, the following changes occur:
+
+1. The Run command is removed from the Start menu.
+
+2. The New Task (Run) command is removed from Task Manager.
+
+3. The user will be blocked from entering the following into the Internet Explorer Address Bar:
+
+ - A UNC path: `\\
+
+
+**ADMX_StartMenu/NoSMConfigurePrograms**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Default Programs link from the Start menu.
+
+If you enable this policy setting, the Default Programs link is removed from the Start menu.
+
+Clicking the Default Programs link from the Start menu opens the Default Programs control panel and provides administrators the ability to specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations.
+
+If you disable or do not configure this policy setting, the Default Programs link is available from the Start menu.
+
+> [!NOTE]
+> This policy setting does not prevent the Set Default Programs for This Computer option from appearing in the Default Programs control panel.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Default Programs link from the Start menu.*
+- GP name: *NoSMConfigurePrograms*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoSMMyDocuments**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Documents icon from the Start menu and its submenus.
+
+If you enable this policy setting, the Documents icon is removed from the Start menu and its submenus. Enabling this policy setting only removes the icon. It does not prevent the user from using other methods to gain access to the contents of the Documents folder.
+
+> [!NOTE]
+> To make changes to this policy setting effective, you must log off and then log on.
+
+If you disable or do not configure this policy setting, he Documents icon is available from the Start menu.
+
+Also, see the "Remove Documents icon on the desktop" policy setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Documents icon from Start Menu*
+- GP name: *NoSMMyDocuments*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoSMMyMusic**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Music icon from Start Menu.
+
+If you enable this policy setting, the Music icon is no longer available from Start Menu.
+
+If you disable or do not configure this policy setting, the Music icon is available from Start Menu.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Music icon from Start Menu*
+- GP name: *NoSMMyMusic*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoSMMyNetworkPlaces**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build.This policy setting allows you to remove the Network icon from Start Menu.
+
+If you enable this policy setting, the Network icon is no longer available from Start Menu.
+
+If you disable or do not configure this policy setting, the Network icon is available from Start Menu.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Network icon from Start Menu*
+- GP name: *NoSMMyNetworkPlaces*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoSMMyPictures**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Pictures icon from Start Menu.
+
+If you enable this policy setting, the Pictures icon is no longer available from Start Menu.
+
+If you disable or do not configure this policy setting, the Pictures icon is available from Start Menu.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Pictures icon from Start Menu*
+- GP name: *NoSMMyPictures*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoSearchCommInStartMenu**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. If you enable this policy the start menu search box will not search for communications.
+
+If you disable or do not configure this policy, the start menu will search for communications, unless the user chooses not to in the start menu control panel.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not search communications*
+- GP name: *NoSearchCommInStartMenu*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoSearchComputerLinkInStartMenu**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. If you enable this policy, the "See all results" link will not be shown when the user performs a search in the start menu search box.
+
+If you disable or do not configure this policy, the "See all results" link will be shown when the user performs a search in the start menu search box.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Search Computer link*
+- GP name: *NoSearchComputerLinkInStartMenu*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoSearchEverywhereLinkInStartMenu**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown when the user performs a search in the start menu search box.
+
+If you disable or do not configure this policy, a "See more results" link will be shown when the user performs a search in the start menu search box. If a 3rd party protocol handler is installed, a "Search Everywhere" link will be shown instead of the "See more results" link.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove See More Results / Search Everywhere link*
+- GP name: *NoSearchEverywhereLinkInStartMenu*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoSearchFilesInStartMenu**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. If you enable this policy setting the Start menu search box will not search for files.
+
+If you disable or do not configure this policy setting, the Start menu will search for files, unless the user chooses not to do so directly in Control Panel. If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown when the user performs a search in the start menu search box.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not search for files*
+- GP name: *NoSearchFilesInStartMenu*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoSearchInternetInStartMenu**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. If you enable this policy the start menu search box will not search for internet history or favorites.
+
+If you disable or do not configure this policy, the start menu will search for for internet history or favorites, unless the user chooses not to in the start menu control panel.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not search Internet*
+- GP name: *NoSearchInternetInStartMenu*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoSearchProgramsInStartMenu**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. If you enable this policy setting the Start menu search box will not search for programs or Control Panel items.
+
+If you disable or do not configure this policy setting, the Start menu search box will search for programs and Control Panel items, unless the user chooses not to do so directly in Control Panel.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not search programs and Control Panel items*
+- GP name: *NoSearchProgramsInStartMenu*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoSetFolders**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove programs on Settings menu.
+
+If you enable this policy setting, the Control Panel, Printers, and Network and Connection folders are removed from Settings on the Start menu, and from Computer and File Explorer. It also prevents the programs represented by these folders (such as Control.exe) from running.
+
+However, users can still start Control Panel items by using other methods, such as right-clicking the desktop to start Display or right-clicking Computer to start System.
+
+If you disable or do not configure this policy setting, the Control Panel, Printers, and Network and Connection folders from Settings are available on the Start menu, and from Computer and File Explorer.
+
+Also, see the "Disable Control Panel," "Disable Display in Control Panel," and "Remove Network Connections from Start Menu" policy settings.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove programs on Settings menu*
+- GP name: *NoSetFolders*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoSetTaskbar**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent changes to Taskbar and Start Menu Settings.
+
+If you enable this policy setting, The user will be prevented from opening the Taskbar Properties dialog box.
+
+If the user right-clicks the taskbar and then clicks Properties, a message appears explaining that a setting prevents the action.
+
+If you disable or do not configure this policy setting, the Taskbar and Start Menu items are available from Settings on the Start menu.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prevent changes to Taskbar and Start Menu Settings*
+- GP name: *NoSetTaskbar*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoStartMenuDownload**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Downloads link from the Start Menu.
+
+If you enable this policy setting, the Start Menu does not show a link to the Downloads folder.
+
+If you disable or do not configure this policy setting, the Downloads link is available from the Start Menu.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Downloads link from Start Menu*
+- GP name: *NoStartMenuDownload*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoStartMenuHomegroup**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. If you enable this policy the Start menu will not show a link to Homegroup. It also removes the homegroup item from the Start Menu options. As a result, users cannot add the homegroup link to the Start Menu.
+
+If you disable or do not configure this policy, users can use the Start Menu options to add or remove the homegroup link from the Start Menu.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Homegroup link from Start Menu*
+- GP name: *NoStartMenuHomegroup*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoStartMenuRecordedTV**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Recorded TV link from the Start Menu.
+
+If you enable this policy setting, the Start Menu does not show a link to the Recorded TV library.
+
+If you disable or do not configure this policy setting, the Recorded TV link is available from the Start Menu.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Recorded TV link from Start Menu*
+- GP name: *NoStartMenuRecordedTV*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoStartMenuSubFolders**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Hides all folders on the user-specific (top) section of the Start menu. Other items appear, but folders are hidden.
+
+This setting is designed for use with redirected folders. Redirected folders appear on the main (bottom) section of the Start menu. However, the original, user-specific version of the folder still appears on the top section of the Start menu. Because the appearance of two folders with the same name might confuse users, you can use this setting to hide user-specific folders.
+
+Note that this setting hides all user-specific folders, not just those associated with redirected folders.
+
+If you enable this setting, no folders appear on the top section of the Start menu. If users add folders to the Start Menu directory in their user profiles, the folders appear in the directory but not on the Start menu.
+
+If you disable this setting or do not configured it, Windows 2000 Professional and Windows XP Professional display folders on both sections of the Start menu.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove user's folders from the Start Menu*
+- GP name: *NoStartMenuSubFolders*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoStartMenuVideos**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Videos link from the Start Menu.
+
+If you enable this policy setting, the Start Menu does not show a link to the Videos library.
+
+If you disable or do not configure this policy setting, the Videos link is available from the Start Menu.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Videos link from Start Menu*
+- GP name: *NoStartMenuVideos*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoStartPage**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This setting affects the presentation of the Start menu.
+
+The classic Start menu in Windows 2000 Professional allows users to begin common tasks, while the new Start menu consolidates common items onto one menu. When the classic Start menu is used, the following icons are placed on the desktop: Documents, Pictures, Music, Computer, and Network. The new Start menu starts them directly.
+
+If you enable this setting, the Start menu displays the classic Start menu in the Windows 2000 style and displays the standard desktop icons.
+
+If you disable this setting, the Start menu only displays in the new style, meaning the desktop icons are now on the Start page.
+
+If you do not configure this setting, the default is the new style, and the user can change the view.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Force classic Start Menu*
+- GP name: *NoStartPage*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoTaskBarClock**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Prevents the clock in the system notification area from being displayed.
+
+If you enable this setting, the clock will not be displayed in the system notification area.
+
+If you disable or do not configure this setting, the default behavior of the clock appearing in the notification area will occur.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Clock from the system notification area*
+- GP name: *NoTaskBarClock*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoTaskGrouping**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This setting affects the taskbar buttons used to switch between running programs.
+
+Taskbar grouping consolidates similar applications when there is no room on the taskbar. It kicks in when the user's taskbar is full.
+
+If you enable this setting, it prevents the taskbar from grouping items that share the same program name. By default, this setting is always enabled.
+
+If you disable or do not configure it, items on the taskbar that share the same program are grouped together. The users have the option to disable grouping if they choose.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prevent grouping of taskbar items*
+- GP name: *NoTaskGrouping*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoToolbarsOnTaskbar**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This setting affects the taskbar.
+
+The taskbar includes the Start button, buttons for currently running tasks, custom toolbars, the notification area, and the system clock. Toolbars include Quick Launch, Address, Links, Desktop, and other custom toolbars created by the user or by an application.
+
+If this setting is enabled, the taskbar does not display any custom toolbars, and the user cannot add any custom toolbars to the taskbar. Moreover, the "Toolbars" menu command and submenu are removed from the context menu. The taskbar displays only the Start button, taskbar buttons, the notification area, and the system clock.
+
+If this setting is disabled or is not configured, the taskbar displays all toolbars. Users can add or remove custom toolbars, and the "Toolbars" command appears in the context menu.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not display any custom toolbars in the taskbar*
+- GP name: *NoToolbarsOnTaskbar*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoTrayContextMenu**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove access to the context menus for the taskbar.
+
+If you enable this policy setting, the menus that appear when you right-click the taskbar and items on the taskbar are hidden, such as the Start button, the clock, and the taskbar buttons.
+
+If you disable or do not configure this policy setting, the context menus for the taskbar are available.
+
+This policy setting does not prevent users from using other methods to issue the commands that appear on these menus.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove access to the context menus for the taskbar*
+- GP name: *NoTrayContextMenu*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoTrayItemsDisplay**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This setting affects the notification area (previously called the "system tray") on the taskbar.
+
+The notification area is located at the far right end of the task bar and includes the icons for current notifications and the system clock.
+
+If this setting is enabled, the user’s entire notification area, including the notification icons, is hidden. The taskbar displays only the Start button, taskbar buttons, custom toolbars (if any), and the system clock.
+
+If this setting is disabled or is not configured, the notification area is shown in the user's taskbar.
+
+> [!NOTE]
+> Enabling this setting overrides the "Turn off notification area cleanup" setting, because if the notification area is hidden, there is no need to clean up the icons.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hide the notification area*
+- GP name: *NoTrayItemsDisplay*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoUninstallFromStart**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. If you enable this setting, users cannot uninstall apps from Start.
+
+If you disable this setting or do not configure it, users can access the uninstall command from Start.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prevent users from uninstalling applications from Start*
+- GP name: *NoUninstallFromStart*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoUserFolderOnStartMenu**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. If you enable this policy the start menu will not show a link to the user's storage folder.
+
+If you disable or do not configure this policy, the start menu will display a link, unless the user chooses to remove it in the start menu control panel.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove user folder link from Start Menu*
+- GP name: *NoUserFolderOnStartMenu*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoUserNameOnStartMenu**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the user name label from the Start Menu in Windows XP and Windows Server 2003.
+
+If you enable this policy setting, the user name label is removed from the Start Menu in Windows XP and Windows Server 2003.
+
+To remove the user name folder on Windows Vista, set the "Remove user folder link from Start Menu" policy setting.
+
+If you disable or do not configure this policy setting, the user name label appears on the Start Menu in Windows XP and Windows Server 2003.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove user name from Start Menu*
+- GP name: *NoUserNameOnStartMenu*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/NoWindowsUpdate**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove links and access to Windows Update.
+
+If you enable this policy setting, users are prevented from connecting to the Windows Update Web site.
+
+Enabling this policy setting blocks user access to the Windows Update Web site at https://windowsupdate.microsoft.com. Also, the policy setting removes the Windows Update hyperlink from the Start menu and from the Tools menu in Internet Explorer.
+
+Windows Update, the online extension of Windows, offers software updates to keep a user’s system up-to-date. The Windows Update Product Catalog determines any system files, security fixes, and Microsoft updates that users need and shows the newest versions available for download.
+
+If you disable or do not configure this policy setting, the Windows Update hyperlink is available from the Start menu and from the Tools menu in Internet Explorer.
+
+Also, see the "Hide the "Add programs from Microsoft" option" policy setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove links and access to Windows Update*
+- GP name: *NoWindowsUpdate*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/PowerButtonAction**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Set the default action of the power button on the Start menu.
+
+If you enable this setting, the Start Menu will set the power button to the chosen action, and not let the user change this action.
+
+If you set the button to either Sleep or Hibernate, and that state is not supported on a computer, then the button will fall back to Shut Down.
+
+If you disable or do not configure this setting, the Start Menu power button will be set to Shut Down by default, and the user can change this setting to another action.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Change Start Menu power button*
+- GP name: *PowerButtonAction*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/QuickLaunchEnabled**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the QuickLaunch bar is displayed in the Taskbar.
+
+If you enable this policy setting, the QuickLaunch bar will be visible and cannot be turned off.
+
+If you disable this policy setting, the QuickLaunch bar will be hidden and cannot be turned on.
+
+If you do not configure this policy setting, then users will be able to turn the QuickLaunch bar on and off.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Show QuickLaunch on Taskbar*
+- GP name: *QuickLaunchEnabled*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/RemoveUnDockPCButton**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. If you enable this setting, the "Undock PC" button is removed from the simple Start Menu, and your PC cannot be undocked.
+
+If you disable this setting or do not configure it, the "Undock PC" button remains on the simple Start menu, and your PC can be undocked.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove the "Undock PC" button from the Start Menu*
+- GP name: *RemoveUnDockPCButton*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/ShowAppsViewOnStart**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows the Apps view to be opened by default when the user goes to Start.
+
+If you enable this policy setting, the Apps view will appear whenever the user goes to Start. Users will still be able to switch between the Apps view and the Start screen.
+
+If you disable or don’t configure this policy setting, the Start screen will appear by default whenever the user goes to Start, and the user will be able to switch between the Apps view and the Start screen. Also, the user will be able to configure this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Show the Apps view automatically when the user goes to Start*
+- GP name: *ShowAppsViewOnStart*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/ShowRunAsDifferentUserInStart**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting shows or hides the "Run as different user" command on the Start application bar.
+
+If you enable this setting, users can access the "Run as different user" command from Start for applications which support this functionality.
+
+If you disable this setting or do not configure it, users cannot access the "Run as different user" command from Start for any applications.
+
+> [!NOTE]
+> This setting does not prevent users from using other methods, such as the shift right-click menu on application's jumplists in the taskbar to issue the "Run as different user" command.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Show "Run as different user" command on Start*
+- GP name: *ShowRunAsDifferentUserInStart*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/ShowRunInStartMenu**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. If you enable this setting, the Run command is added to the Start menu.
+
+If you disable or do not configure this setting, the Run command is not visible on the Start menu by default, but it can be added from the Taskbar and Start menu properties.
+
+If the Remove Run link from Start Menu policy is set, the Add the Run command to the Start menu policy has no effect.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Add the Run command to the Start Menu*
+- GP name: *ShowRunInStartMenu*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/ShowStartOnDisplayWithForegroundOnWinKey**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows the Start screen to appear on the display the user is using when they press the Windows logo key. This setting only applies to users who are using multiple displays.
+
+If you enable this policy setting, the Start screen will appear on the display the user is using when they press the Windows logo key.
+
+If you disable or don't configure this policy setting, the Start screen will always appear on the main display when the user presses the Windows logo key. Users will still be able to open Start on other displays by pressing the Start button on that display. Also, the user will be able to configure this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Show Start on the display the user is using when they press the Windows logo key*
+- GP name: *ShowStartOnDisplayWithForegroundOnWinKey*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+
+**ADMX_StartMenu/StartMenuLogOff**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to removes the "Log Off `
+
+
+**ADMX_StartMenu/StartPinAppsWhenInstalled**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows pinning apps to Start by default, when they are included by AppID on the list.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Pin Apps to Start when installed*
+- GP name: *StartPinAppsWhenInstalled*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *StartMenu.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-systemrestore.md b/windows/client-management/mdm/policy-csp-admx-systemrestore.md
new file mode 100644
index 0000000000..70b84425c0
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-systemrestore.md
@@ -0,0 +1,121 @@
+---
+title: Policy CSP - ADMX_SystemRestore
+description: Policy CSP - ADMX_SystemRestore
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 11/13/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_SystemRestore
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_SystemRestore policies
+
+
+
+
+
+
+
+**ADMX_SystemRestore/SR_DisableConfig**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Allows you to disable System Restore configuration through System Protection.
+
+This policy setting allows you to turn off System Restore configuration through System Protection.
+
+System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. The behavior of this policy setting depends on the "Turn off System Restore" policy setting.
+
+If you enable this policy setting, the option to configure System Restore through System Protection is disabled.
+
+If you disable or do not configure this policy setting, users can change the System Restore settings through System Protection.
+
+Also, see the "Turn off System Restore" policy setting. If the "Turn off System Restore" policy setting is enabled, the "Turn off System Restore configuration" policy setting is overwritten.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Configuration*
+- GP name: *SR_DisableConfig*
+- GP path: *System\System Restore*
+- GP ADMX file name: *SystemRestore.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-taskbar.md b/windows/client-management/mdm/policy-csp-admx-taskbar.md
new file mode 100644
index 0000000000..bff61dc5f1
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-taskbar.md
@@ -0,0 +1,1664 @@
+---
+title: Policy CSP - ADMX_Taskbar
+description: Policy CSP - ADMX_Taskbar
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 10/26/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_Taskbar
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_Taskbar policies
+
+
+
+
+
+
+
+
+**ADMX_Taskbar/DisableNotificationCenter**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting removes Notifications and Action Center from the notification area on the taskbar.
+
+The notification area is located at the far right end of the taskbar and includes icons for current notifications and the system clock.
+
+If this setting is enabled, Notifications and Action Center is not displayed in the notification area. The user will be able to read notifications when they appear, but they won’t be able to review any notifications they miss.
+
+If you disable or do not configure this policy setting, Notification and Security and Maintenance will be displayed on the taskbar.
+
+A reboot is required for this policy setting to take effect.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Notifications and Action Center*
+- GP name: *DisableNotificationCenter*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *Taskbar.admx*
+
+
+
+
+
+
+**ADMX_Taskbar/EnableLegacyBalloonNotifications**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy disables the functionality that converts balloons to toast notifications.
+
+If you enable this policy setting, system and application notifications will render as balloons instead of toast notifications.
+
+Enable this policy setting if a specific app or system component that uses balloon notifications has compatibility issues with toast notifications.
+
+If you disable or don’t configure this policy setting, all notifications will appear as toast notifications.
+
+A reboot is required for this policy setting to take effect.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Disable showing balloon notifications as toasts.*
+- GP name: *EnableLegacyBalloonNotifications*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *Taskbar.admx*
+
+
+
+
+
+
+**ADMX_Taskbar/HideSCAHealth**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove Security and Maintenance from the system control area.
+
+If you enable this policy setting, the Security and Maintenance icon is not displayed in the system notification area.
+
+If you disable or do not configure this policy setting, the Security and Maintenance icon is displayed in the system notification area.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove the Security and Maintenance icon*
+- GP name: *HideSCAHealth*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *Taskbar.admx*
+
+
+
+
+
+
+**ADMX_Taskbar/HideSCANetwork**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the networking icon from the system control area.
+
+If you enable this policy setting, the networking icon is not displayed in the system notification area.
+
+If you disable or do not configure this policy setting, the networking icon is displayed in the system notification area.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove the networking icon*
+- GP name: *HideSCANetwork*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *Taskbar.admx*
+
+
+
+
+
+
+**ADMX_Taskbar/HideSCAPower**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the battery meter from the system control area.
+
+If you enable this policy setting, the battery meter is not displayed in the system notification area.
+
+If you disable or do not configure this policy setting, the battery meter is displayed in the system notification area.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove the battery meter*
+- GP name: *HideSCAPower*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *Taskbar.admx*
+
+
+
+
+
+
+**ADMX_Taskbar/HideSCAVolume**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the volume control icon from the system control area.
+
+If you enable this policy setting, the volume control icon is not displayed in the system notification area.
+
+If you disable or do not configure this policy setting, the volume control icon is displayed in the system notification area.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove the volume control icon*
+- GP name: *HideSCAVolume*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *Taskbar.admx*
+
+
+
+
+
+
+**ADMX_Taskbar/NoBalloonFeatureAdvertisements**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off feature advertisement balloon notifications.
+
+If you enable this policy setting, certain notification balloons that are marked as feature advertisements are not shown.
+
+If you disable do not configure this policy setting, feature advertisement balloons are shown.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off feature advertisement balloon notifications*
+- GP name: *NoBalloonFeatureAdvertisements*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *Taskbar.admx*
+
+
+
+
+
+
+**ADMX_Taskbar/NoPinningStoreToTaskbar**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control pinning the Store app to the Taskbar.
+
+If you enable this policy setting, users cannot pin the Store app to the Taskbar. If the Store app is already pinned to the Taskbar, it will be removed from the Taskbar on next login.
+
+If you disable or do not configure this policy setting, users can pin the Store app to the Taskbar.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not allow pinning Store app to the Taskbar*
+- GP name: *NoPinningStoreToTaskbar*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *Taskbar.admx*
+
+
+
+
+
+
+**ADMX_Taskbar/NoPinningToDestinations**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control pinning items in Jump Lists.
+
+If you enable this policy setting, users cannot pin files, folders, websites, or other items to their Jump Lists in the Start Menu and Taskbar. Users also cannot unpin existing items pinned to their Jump Lists. Existing items already pinned to their Jump Lists will continue to show.
+
+If you disable or do not configure this policy setting, users can pin files, folders, websites, and other items to a program's Jump List so that the items is always present in this menu.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not allow pinning items in Jump Lists*
+- GP name: *NoPinningToDestinations*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *Taskbar.admx*
+
+
+
+
+
+
+**ADMX_Taskbar/NoPinningToTaskbar**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control pinning programs to the Taskbar.
+
+If you enable this policy setting, users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users cannot unpin these programs already pinned to the Taskbar, and they cannot pin new programs to the Taskbar.
+
+If you disable or do not configure this policy setting, users can change the programs currently pinned to the Taskbar.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not allow pinning programs to the Taskbar*
+- GP name: *NoPinningToTaskbar*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *Taskbar.admx*
+
+
+
+
+
+
+
+
+**ADMX_Taskbar/NoRemoteDestinations**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control displaying or tracking items in Jump Lists from remote locations.
+
+The Start Menu and Taskbar display Jump Lists off of programs. These menus include files, folders, websites and other relevant items for that program. This helps users more easily reopen their most important documents and other tasks.
+
+If you enable this policy setting, the Start Menu and Taskbar only track the files that the user opens locally on this computer. Files that the user opens over the network from remote computers are not tracked or shown in the Jump Lists. Use this setting to reduce network traffic, particularly over slow network connections.
+
+If you disable or do not configure this policy setting, all files that the user opens appear in the menus, including files located remotely on another computer. Note: This setting does not prevent Windows from displaying remote files that the user has explicitly pinned to the Jump Lists. See the "Do not allow pinning items in Jump Lists" policy setting.
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not display or track items in Jump Lists from remote locations*
+- GP name: *NoRemoteDestinations*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *Taskbar.admx*
+
+
+
+
+
+
+
+
+**ADMX_Taskbar/NoSystraySystemPromotion**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off automatic promotion of notification icons to the taskbar.
+
+If you enable this policy setting, newly added notification icons are not temporarily promoted to the Taskbar. Users can still configure icons to be shown or hidden in the Notification Control Panel.
+
+If you disable or do not configure this policy setting, newly added notification icons are temporarily promoted to the Taskbar.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off automatic promotion of notification icons to the taskbar*
+- GP name: *NoSystraySystemPromotion*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *Taskbar.admx*
+
+
+
+
+
+
+
+
+**ADMX_Taskbar/ShowWindowsStoreAppsOnTaskbar**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows users to see Windows Store apps on the taskbar.
+
+If you enable this policy setting, users will see Windows Store apps on the taskbar.
+
+If you disable this policy setting, users won’t see Windows Store apps on the taskbar.
+
+If you don’t configure this policy setting, the default setting for the user’s device will be used, and the user can choose to change it.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Show Windows Store apps on the taskbar*
+- GP name: *ShowWindowsStoreAppsOnTaskbar*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *Taskbar.admx*
+
+
+
+
+
+
+
+
+**ADMX_Taskbar/TaskbarLockAll**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to lock all taskbar settings.
+
+If you enable this policy setting, the user cannot access the taskbar control panel. The user is also unable to resize, move or rearrange toolbars on their taskbar.
+
+If you disable or do not configure this policy setting, the user will be able to set any taskbar setting that is not prevented by another policy setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Lock all taskbar settings*
+- GP name: *TaskbarLockAll*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *Taskbar.admx*
+
+
+
+
+
+
+
+
+**ADMX_Taskbar/TaskbarNoAddRemoveToolbar**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent users from adding or removing toolbars.
+
+If you enable this policy setting, the user is not allowed to add or remove any toolbars to the taskbar. Applications are not able to add toolbars either.
+
+If you disable or do not configure this policy setting, the users and applications are able to add toolbars to the taskbar.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prevent users from adding or removing toolbars*
+- GP name: *TaskbarNoAddRemoveToolbar*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *Taskbar.admx*
+
+
+
+
+
+
+
+
+**ADMX_Taskbar/TaskbarNoDragToolbar**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent users from rearranging toolbars.
+
+If you enable this policy setting, users are not able to drag or drop toolbars to the taskbar.
+
+If you disable or do not configure this policy setting, users are able to rearrange the toolbars on the taskbar.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prevent users from rearranging toolbars*
+- GP name: *TaskbarNoDragToolbar*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *Taskbar.admx*
+
+
+
+
+
+
+
+
+**ADMX_Taskbar/TaskbarNoMultimon**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent taskbars from being displayed on more than one monitor.
+
+If you enable this policy setting, users are not able to show taskbars on more than one display. The multiple display section is not enabled in the taskbar properties dialog.
+
+If you disable or do not configure this policy setting, users can show taskbars on more than one display.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not allow taskbars on more than one display*
+- GP name: *TaskbarNoMultimon*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *Taskbar.admx*
+
+
+
+
+
+
+
+
+**ADMX_Taskbar/TaskbarNoNotification**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off all notification balloons.
+
+If you enable this policy setting, no notification balloons are shown to the user.
+
+If you disable or do not configure this policy setting, notification balloons are shown to the user.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off all balloon notifications*
+- GP name: *TaskbarNoNotification*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *Taskbar.admx*
+
+
+
+
+
+
+
+
+**ADMX_Taskbar/TaskbarNoPinnedList**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove pinned programs from the taskbar.
+
+If you enable this policy setting, pinned programs are prevented from being shown on the Taskbar. Users cannot pin programs to the Taskbar.
+
+If you disable or do not configure this policy setting, users can pin programs so that the program shortcuts stay on the Taskbar.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove pinned programs from the Taskbar*
+- GP name: *TaskbarNoPinnedList*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *Taskbar.admx*
+
+
+
+
+
+
+
+
+**ADMX_Taskbar/TaskbarNoRedock**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent users from moving taskbar to another screen dock location.
+
+If you enable this policy setting, users are not able to drag their taskbar to another area of the monitor(s).
+
+If you disable or do not configure this policy setting, users are able to drag their taskbar to another area of the monitor unless prevented by another policy setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prevent users from moving taskbar to another screen dock location*
+- GP name: *TaskbarNoRedock*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *Taskbar.admx*
+
+
+
+
+
+
+
+
+**ADMX_Taskbar/TaskbarNoResize**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent users from resizing the taskbar.
+
+If you enable this policy setting, users are not be able to resize their taskbar.
+
+If you disable or do not configure this policy setting, users are able to resize their taskbar unless prevented by another setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prevent users from resizing the taskbar*
+- GP name: *TaskbarNoResize*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *Taskbar.admx*
+
+
+
+
+
+
+
+
+**ADMX_Taskbar/TaskbarNoThumbnail**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off taskbar thumbnails.
+
+If you enable this policy setting, the taskbar thumbnails are not displayed and the system uses standard text for the tooltips.
+
+If you disable or do not configure this policy setting, the taskbar thumbnails are displayed.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off taskbar thumbnails*
+- GP name: *TaskbarNoThumbnail*
+- GP path: *Start Menu and Taskbar*
+- GP ADMX file name: *Taskbar.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-tcpip.md b/windows/client-management/mdm/policy-csp-admx-tcpip.md
index b43d4d2011..3cd6999994 100644
--- a/windows/client-management/mdm/policy-csp-admx-tcpip.md
+++ b/windows/client-management/mdm/policy-csp-admx-tcpip.md
@@ -110,7 +110,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify a 6to4 relay name for a 6to4 host. A 6to4 relay is used as a default gateway for IPv6 network traffic sent by the 6to4 host. The 6to4 relay name setting has no effect if 6to4 connectivity is not available on the host.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify a 6to4 relay name for a 6to4 host. A 6to4 relay is used as a default gateway for IPv6 network traffic sent by the 6to4 host. The 6to4 relay name setting has no effect if 6to4 connectivity is not available on the host.
If you enable this policy setting, you can specify a relay name for a 6to4 host.
@@ -179,7 +179,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify the interval at which the relay name is resolved. The 6to4 relay name resolution interval setting has no effect if 6to4 connectivity is not available on the host.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the interval at which the relay name is resolved. The 6to4 relay name resolution interval setting has no effect if 6to4 connectivity is not available on the host.
If you enable this policy setting, you can specify the value for the duration at which the relay name is resolved periodically.
@@ -248,7 +248,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure 6to4, an address assignment and router-to-router automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 sites and hosts across the IPv4 Internet. 6to4 uses the global address prefix: 2002:WWXX:YYZZ::/48 in which the letters are a hexadecimal representation of the global IPv4 address (w.x.y.z) assigned to a site.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure 6to4, an address assignment and router-to-router automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 sites and hosts across the IPv4 Internet. 6to4 uses the global address prefix: 2002:WWXX:YYZZ::/48 in which the letters are a hexadecimal representation of the global IPv4 address (w.x.y.z) assigned to a site.
If you disable or do not configure this policy setting, the local host setting is used.
@@ -323,7 +323,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure IP-HTTPS, a tunneling technology that uses the HTTPS protocol to provide IP connectivity to a remote network.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure IP-HTTPS, a tunneling technology that uses the HTTPS protocol to provide IP connectivity to a remote network.
If you disable or do not configure this policy setting, the local host settings are used.
@@ -398,7 +398,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure IP Stateless Autoconfiguration Limits.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure IP Stateless Autoconfiguration Limits.
If you enable or do not configure this policy setting, IP Stateless Autoconfiguration Limits will be enabled and system will limit the number of autoconfigured addresses and routes.
@@ -467,7 +467,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify a router name or Internet Protocol version 4 (IPv4) address for an ISATAP router.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify a router name or Internet Protocol version 4 (IPv4) address for an ISATAP router.
If you enable this policy setting, you can specify a router name or IPv4 address for an ISATAP router. If you enter an IPv4 address of the ISATAP router in the text box, DNS services are not required.
@@ -536,7 +536,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), an address-to-router and host-to-host, host-to-router and router-to-host automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 hosts across an IPv4 intranet.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), an address-to-router and host-to-host, host-to-router and router-to-host automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 hosts across an IPv4 intranet.
If you disable or do not configure this policy setting, the local host setting is used.
@@ -611,7 +611,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to select the UDP port the Teredo client will use to send packets. If you leave the default of 0, the operating system will select a port (recommended). If you select a UDP port that is already in use by a system, the Teredo client will fail to initialize.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to select the UDP port the Teredo client will use to send packets. If you leave the default of 0, the operating system will select a port (recommended). If you select a UDP port that is already in use by a system, the Teredo client will fail to initialize.
If you enable this policy setting, you can customize a UDP port for the Teredo client.
@@ -680,7 +680,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to set Teredo to be ready to communicate, a process referred to as qualification. By default, Teredo enters a dormant state when not in use. The qualification process brings it out of a dormant state.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to set Teredo to be ready to communicate, a process referred to as qualification. By default, Teredo enters a dormant state when not in use. The qualification process brings it out of a dormant state.
If you disable or do not configure this policy setting, the local host setting is used.
@@ -751,7 +751,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure the Teredo refresh rate.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the Teredo refresh rate.
> [!NOTE]
> On a periodic basis (by default, every 30 seconds), Teredo clients send a single Router Solicitation packet to the Teredo server. The Teredo server sends a Router Advertisement Packet in response. This periodic packet refreshes the IP address and UDP port mapping in the translation table of the Teredo client's NAT device.
@@ -823,7 +823,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify the name of the Teredo server. This server name will be used on the Teredo client computer where this policy setting is applied.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the name of the Teredo server. This server name will be used on the Teredo client computer where this policy setting is applied.
If you enable this policy setting, you can specify a Teredo server name that applies to a Teredo client.
@@ -892,7 +892,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure Teredo, an address assignment and automatic tunneling technology that provides unicast IPv6 connectivity across the IPv4 Internet.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure Teredo, an address assignment and automatic tunneling technology that provides unicast IPv6 connectivity across the IPv4 Internet.
If you disable or do not configure this policy setting, the local host settings are used.
@@ -969,7 +969,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure Window Scaling Heuristics. Window Scaling Heuristics is an algorithm to identify connectivity and throughput problems caused by many Firewalls and other middle boxes that don't interpret Window Scaling option correctly.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure Window Scaling Heuristics. Window Scaling Heuristics is an algorithm to identify connectivity and throughput problems caused by many Firewalls and other middle boxes that don't interpret Window Scaling option correctly.
If you do not configure this policy setting, the local host settings are used.
@@ -998,14 +998,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-thumbnails.md b/windows/client-management/mdm/policy-csp-admx-thumbnails.md
index 69fd52c66e..73f6ca56cd 100644
--- a/windows/client-management/mdm/policy-csp-admx-thumbnails.md
+++ b/windows/client-management/mdm/policy-csp-admx-thumbnails.md
@@ -79,7 +79,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure how File Explorer displays thumbnail images or icons on the local computer.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure how File Explorer displays thumbnail images or icons on the local computer.
File Explorer displays thumbnail images by default.
@@ -150,7 +150,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure how File Explorer displays thumbnail images or icons on network folders.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure how File Explorer displays thumbnail images or icons on network folders.
File Explorer displays thumbnail images on network folders by default.
@@ -221,7 +221,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. Turns off the caching of thumbnails in hidden thumbs.db files.
+Available in the latest Windows 10 Insider Preview Build. Turns off the caching of thumbnails in hidden thumbs.db files.
This policy setting allows you to configure File Explorer to cache thumbnails of items residing in network folders in hidden thumbs.db files.
@@ -251,14 +251,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-tpm.md b/windows/client-management/mdm/policy-csp-admx-tpm.md
index aeec40aa7f..d12a0686f7 100644
--- a/windows/client-management/mdm/policy-csp-admx-tpm.md
+++ b/windows/client-management/mdm/policy-csp-admx-tpm.md
@@ -101,7 +101,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands blocked by Windows.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands blocked by Windows.
If you enable this policy setting, Windows will block the specified commands from being sent to the TPM on the computer. TPM commands are referenced by a command number. For example, command number 129 is TPM_OwnerReadInternalPub, and command number 170 is TPM_FieldUpgrade. To find the command number associated with each TPM command with TPM 1.2, run "tpm.msc" and navigate to the "Command Management" section.
@@ -170,7 +170,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the system to prompt the user to clear the TPM if the TPM is detected to be in any state other than Ready. This policy will take effect only if the system’s TPM is in a state other than Ready, including if the TPM is “Ready, with reduced functionality”. The prompt to clear the TPM will start occurring after the next reboot, upon user login only if the logged in user is part of the Administrators group for the system. The prompt can be dismissed, but will reappear after every reboot and login until the policy is disabled or until the TPM is in a Ready state.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the system to prompt the user to clear the TPM if the TPM is detected to be in any state other than Ready. This policy will take effect only if the system’s TPM is in a state other than Ready, including if the TPM is “Ready, with reduced functionality”. The prompt to clear the TPM will start occurring after the next reboot, upon user login only if the logged in user is part of the Administrators group for the system. The prompt can be dismissed, but will reappear after every reboot and login until the policy is disabled or until the TPM is in a Ready state.
> [!TIP]
@@ -235,7 +235,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) commands.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) commands.
If you enable this policy setting, Windows will ignore the computer's default list of blocked TPM commands and will only block those TPM commands specified by Group Policy or the local list.
@@ -306,7 +306,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform Module (TPM) commands.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform Module (TPM) commands.
If you enable this policy setting, Windows will ignore the computer's local list of blocked TPM commands and will only block those TPM commands specified by Group Policy or the default list.
@@ -377,7 +377,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information stored locally, the operating system and TPM-based applications can perform certain TPM actions which require TPM owner authorization without requiring the user to enter the TPM owner password.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information stored locally, the operating system and TPM-based applications can perform certain TPM actions which require TPM owner authorization without requiring the user to enter the TPM owner password.
You can choose to have the operating system store either the full TPM owner authorization value, the TPM administrative delegation blob plus the TPM user delegation blob, or none.
@@ -455,7 +455,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This group policy enables Device Health Attestation reporting (DHA-report) on supported devices. It enables supported devices to send Device Health Attestation related information (device boot logs, PCR values, TPM certificate, etc.) to Device Health Attestation Service (DHA-Service) every time a device starts. Device Health Attestation Service validates the security state and health of the devices, and makes the findings accessible to enterprise administrators via a cloud based reporting portal. This policy is independent of DHA reports that are initiated by device manageability solutions (like MDM or SCCM), and will not interfere with their workflows.
+Available in the latest Windows 10 Insider Preview Build. This group policy enables Device Health Attestation reporting (DHA-report) on supported devices. It enables supported devices to send Device Health Attestation related information (device boot logs, PCR values, TPM certificate, etc.) to Device Health Attestation Service (DHA-Service) every time a device starts. Device Health Attestation Service validates the security state and health of the devices, and makes the findings accessible to enterprise administrators via a cloud based reporting portal. This policy is independent of DHA reports that are initiated by device manageability solutions (like MDM or SCCM), and will not interfere with their workflows.
> [!TIP]
@@ -520,7 +520,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted Platform Module (TPM) commands requiring authorization. If the number of TPM commands with an authorization failure within the duration equals a threshold, a standard user is prevented from sending commands requiring authorization to the TPM.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted Platform Module (TPM) commands requiring authorization. If the number of TPM commands with an authorization failure within the duration equals a threshold, a standard user is prevented from sending commands requiring authorization to the TPM.
This setting helps administrators prevent the TPM hardware from entering a lockout mode because it slows the speed standard users can send commands requiring authorization to the TPM.
@@ -601,7 +601,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the maximum number of authorization failures for each standard user for the Trusted Platform Module (TPM). If the number of authorization failures for the user within the duration for Standard User Lockout Duration equals this value, the standard user is prevented from sending commands to the Trusted Platform Module (TPM) that require authorization.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the maximum number of authorization failures for each standard user for the Trusted Platform Module (TPM). If the number of authorization failures for the user within the duration for Standard User Lockout Duration equals this value, the standard user is prevented from sending commands to the Trusted Platform Module (TPM) that require authorization.
This setting helps administrators prevent the TPM hardware from entering a lockout mode because it slows the speed standard users can send commands requiring authorization to the TPM.
@@ -684,7 +684,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the maximum number of authorization failures for all standard users for the Trusted Platform Module (TPM). If the total number of authorization failures for all standard users within the duration for Standard User Lockout Duration equals this value, all standard users are prevented from sending commands to the Trusted Platform Module (TPM) that require authorization.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the maximum number of authorization failures for all standard users for the Trusted Platform Module (TPM). If the total number of authorization failures for all standard users within the duration for Standard User Lockout Duration equals this value, all standard users are prevented from sending commands to the Trusted Platform Module (TPM) that require authorization.
This setting helps administrators prevent the TPM hardware from entering a lockout mode because it slows the speed standard users can send commands requiring authorization to the TPM.
@@ -767,7 +767,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. Setting this policy will take effect only if a) the TPM was originally prepared using a version of Windows after Windows 10 Version 1607 and b) the System has a TPM 2.0. Note that enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this group policy. The only way for the disabled setting of this policy to take effect on a system where it was once enabled is to a) disable it from group policy and b)clear the TPM on the system.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. Setting this policy will take effect only if a) the TPM was originally prepared using a version of Windows after Windows 10 Version 1607 and b) the System has a TPM 2.0. Note that enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this group policy. The only way for the disabled setting of this policy to take effect on a system where it was once enabled is to a) disable it from group policy and b)clear the TPM on the system.
> [!TIP]
@@ -790,14 +790,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md
index d967a2db8e..7f23f18d6f 100644
--- a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md
+++ b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md
@@ -450,7 +450,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings of Calculator.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings of Calculator.
By default, the user settings of Calculator synchronize between computers. Use the policy setting to prevent the user settings of Calculator from synchronization between computers.
@@ -524,7 +524,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the sync provider used by User Experience Virtualization (UE-V) to sync settings between users’ computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the sync provider used by User Experience Virtualization (UE-V) to sync settings between users’ computers.
With Sync Method set to ”SyncProvider,” the UE-V Agent uses a built-in sync provider to keep user settings synchronized between the computer and the settings storage location. This is the default value. You can disable the sync provider on computers that never go offline and are always connected to the settings storage location.
@@ -603,7 +603,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of User Experience Virtualization (UE-V) rollback information for computers running in a non-persistent, pooled VDI environment.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of User Experience Virtualization (UE-V) rollback information for computers running in a non-persistent, pooled VDI environment.
UE-V settings rollback data and checkpoints are normally stored only on the local computer. With this policy setting enabled, the rollback information is copied to the settings storage location when the user logs off or shuts down their VDI session.
@@ -677,7 +677,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the text of the Contact IT URL hyperlink in the Company Settings Center.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the text of the Contact IT URL hyperlink in the Company Settings Center.
If you enable this policy setting, the Company Settings Center displays the specified text in the link to the Contact IT URL.
@@ -748,7 +748,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the URL for the Contact IT link in the Company Settings Center.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the URL for the Contact IT link in the Company Settings Center.
If you enable this policy setting, the Company Settings Center Contact IT text links to the specified URL. The link can be of any standard protocol such as http or mailto.
@@ -819,7 +819,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings for Windows apps.
+Available in the latest Windows 10 Insider Preview Build. This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings for Windows apps.
By default, the UE-V Agent synchronizes settings for Windows apps between the computer and the settings storage location.
@@ -896,7 +896,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of Windows settings between computers. Certain Windows settings will synchronize between computers by default. These settings include Windows themes, Windows desktop settings, Ease of Access settings, and network printers. Use this policy setting to specify which Windows settings synchronize between computers. You can also use these settings to enable synchronization of users' sign-in information for certain apps, networks, and certificates.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of Windows settings between computers. Certain Windows settings will synchronize between computers by default. These settings include Windows themes, Windows desktop settings, Ease of Access settings, and network printers. Use this policy setting to specify which Windows settings synchronize between computers. You can also use these settings to enable synchronization of users' sign-in information for certain apps, networks, and certificates.
If you enable this policy setting, only the selected Windows settings synchronize. Unselected Windows settings are excluded from settings synchronization.
@@ -967,7 +967,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to enable or disable User Experience Virtualization (UE-V) feature.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enable or disable User Experience Virtualization (UE-V) feature.
Reboot is needed for enable to take effect. With Auto-register inbox templates enabled, the UE-V inbox templates such as Office 2016 will be automatically registered when the UE-V Service is enabled. If this option is changed, it will only take effect when UE-V service is re-enabled.
@@ -1035,7 +1035,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Finance app. By default, the user settings of Finance sync between computers. Use the policy setting to prevent the user settings of Finance from synchronizing between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Finance app. By default, the user settings of Finance sync between computers. Use the policy setting to prevent the user settings of Finance from synchronizing between computers.
If you enable this policy setting, Finance user settings continue to sync.
@@ -1106,7 +1106,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting enables a notification in the system tray that appears when the User Experience Virtualization (UE-V) Agent runs for the first time. By default, a notification informs users that Company Settings Center, the user-facing name for the UE-V Agent, now helps to synchronize settings between their work computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting enables a notification in the system tray that appears when the User Experience Virtualization (UE-V) Agent runs for the first time. By default, a notification informs users that Company Settings Center, the user-facing name for the UE-V Agent, now helps to synchronize settings between their work computers.
With this setting enabled, the notification appears the first time that the UE-V Agent runs.
@@ -1178,7 +1178,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Games app. By default, the user settings of Games sync between computers. Use the policy setting to prevent the user settings of Games from synchronizing between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Games app. By default, the user settings of Games sync between computers. Use the policy setting to prevent the user settings of Games from synchronizing between computers.
If you enable this policy setting, Games user settings continue to sync.
@@ -1250,7 +1250,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Internet Explorer 8.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Internet Explorer 8.
By default, the user settings of Internet Explorer 8 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 8 from synchronization between computers.
@@ -1324,7 +1324,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Internet Explorer 9. By default, the user settings of Internet Explorer 9 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 9 from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Internet Explorer 9. By default, the user settings of Internet Explorer 9 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 9 from synchronization between computers.
If you enable this policy setting, the Internet Explorer 9 user settings continue to synchronize.
@@ -1396,7 +1396,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings of Internet Explorer 10. By default, the user settings of Internet Explorer 10 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 10 from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings of Internet Explorer 10. By default, the user settings of Internet Explorer 10 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 10 from synchronization between computers.
If you enable this policy setting, the Internet Explorer 10 user settings continue to synchronize.
@@ -1468,7 +1468,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings of Internet Explorer 11. By default, the user settings of Internet Explorer 11 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 11 from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings of Internet Explorer 11. By default, the user settings of Internet Explorer 11 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 11 from synchronization between computers.
If you enable this policy setting, the Internet Explorer 11 user settings continue to synchronize.
@@ -1540,7 +1540,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings which are common between the versions of Internet Explorer.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings which are common between the versions of Internet Explorer.
By default, the user settings which are common between the versions of Internet Explorer synchronize between computers. Use the policy setting to prevent the user settings of Internet Explorer from synchronization between computers.
If you enable this policy setting, the user settings which are common between the versions of Internet Explorer continue to synchronize.
@@ -1612,7 +1612,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Maps app. By default, the user settings of Maps sync between computers. Use the policy setting to prevent the user settings of Maps from synchronizing between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Maps app. By default, the user settings of Maps sync between computers. Use the policy setting to prevent the user settings of Maps from synchronizing between computers.
If you enable this policy setting, Maps user settings continue to sync.
@@ -1684,7 +1684,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure the UE-V Agent to write a warning event to the event log when a settings package file size reaches a defined threshold. By default the UE-V Agent does not report information about package file size.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the UE-V Agent to write a warning event to the event log when a settings package file size reaches a defined threshold. By default the UE-V Agent does not report information about package file size.
If you enable this policy setting, specify the threshold file size in bytes. When the settings package file exceeds this threshold the UE-V Agent will write a warning event to the event log.
@@ -1754,7 +1754,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Access 2010. By default, the user settings of Microsoft Access 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2010 from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Access 2010. By default, the user settings of Microsoft Access 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2010 from synchronization between computers.
If you enable this policy setting, Microsoft Access 2010 user settings continue to synchronize.
@@ -1826,7 +1826,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2010 applications. By default, the user settings which are common between the Microsoft Office Suite 2010 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2010 applications from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2010 applications. By default, the user settings which are common between the Microsoft Office Suite 2010 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2010 applications from synchronization between computers.
If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2010 applications continue to synchronize.
@@ -1898,7 +1898,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Excel 2010. By default, the user settings of Microsoft Excel 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2010 from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Excel 2010. By default, the user settings of Microsoft Excel 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2010 from synchronization between computers.
If you enable this policy setting, Microsoft Excel 2010 user settings continue to synchronize.
@@ -1969,7 +1969,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft InfoPath 2010. By default, the user settings of Microsoft InfoPath 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2010 from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft InfoPath 2010. By default, the user settings of Microsoft InfoPath 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2010 from synchronization between computers.
If you enable this policy setting, Microsoft InfoPath 2010 user settings continue to synchronize.
@@ -2041,7 +2041,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Lync 2010. By default, the user settings of Microsoft Lync 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2010 from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Lync 2010. By default, the user settings of Microsoft Lync 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2010 from synchronization between computers.
If you enable this policy setting, Microsoft Lync 2010 user settings continue to synchronize.
@@ -2113,7 +2113,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft OneNote 2010. By default, the user settings of Microsoft OneNote 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2010 from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft OneNote 2010. By default, the user settings of Microsoft OneNote 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2010 from synchronization between computers.
If you enable this policy setting, Microsoft OneNote 2010 user settings continue to synchronize.
@@ -2184,7 +2184,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Outlook 2010. By default, the user settings of Microsoft Outlook 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2010 from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Outlook 2010. By default, the user settings of Microsoft Outlook 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2010 from synchronization between computers.
If you enable this policy setting, Microsoft Outlook 2010 user settings continue to synchronize.
@@ -2256,7 +2256,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2010. By default, the user settings of Microsoft PowerPoint 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2010 from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2010. By default, the user settings of Microsoft PowerPoint 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2010 from synchronization between computers.
If you enable this policy setting, Microsoft PowerPoint 2010 user settings continue to synchronize.
@@ -2328,7 +2328,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Project 2010. By default, the user settings of Microsoft Project 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2010 from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Project 2010. By default, the user settings of Microsoft Project 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2010 from synchronization between computers.
If you enable this policy setting, Microsoft Project 2010 user settings continue to synchronize.
@@ -2399,7 +2399,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Publisher 2010. By default, the user settings of Microsoft Publisher 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2010 from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Publisher 2010. By default, the user settings of Microsoft Publisher 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2010 from synchronization between computers.
If you enable this policy setting, Microsoft Publisher 2010 user settings continue to synchronize.
@@ -2471,7 +2471,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2010. By default, the user settings of Microsoft SharePoint Designer 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2010 from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2010. By default, the user settings of Microsoft SharePoint Designer 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2010 from synchronization between computers.
If you enable this policy setting, Microsoft SharePoint Designer 2010 user settings continue to synchronize.
@@ -2543,7 +2543,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft SharePoint Workspace 2010. By default, the user settings of Microsoft SharePoint Workspace 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Workspace 2010 from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft SharePoint Workspace 2010. By default, the user settings of Microsoft SharePoint Workspace 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Workspace 2010 from synchronization between computers.
If you enable this policy setting, Microsoft SharePoint Workspace 2010 user settings continue to synchronize.
@@ -2615,7 +2615,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Visio 2010. By default, the user settings of Microsoft Visio 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2010 from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Visio 2010. By default, the user settings of Microsoft Visio 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2010 from synchronization between computers.
If you enable this policy setting, Microsoft Visio 2010 user settings continue to synchronize.
@@ -2687,7 +2687,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Word 2010. By default, the user settings of Microsoft Word 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2010 from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Word 2010. By default, the user settings of Microsoft Word 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2010 from synchronization between computers.
If you enable this policy setting, Microsoft Word 2010 user settings continue to synchronize.
@@ -2759,7 +2759,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Access 2013. By default, the user settings of Microsoft Access 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2013 from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Access 2013. By default, the user settings of Microsoft Access 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2013 from synchronization between computers.
If you enable this policy setting, Microsoft Access 2013 user settings continue to synchronize.
@@ -2830,7 +2830,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Access 2013. Microsoft Access 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2013 settings.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Access 2013. Microsoft Access 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2013 settings.
If you enable this policy setting, certain user settings of Microsoft Access 2013 will continue to be backed up.
@@ -2902,7 +2902,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. By default, the user settings which are common between the Microsoft Office Suite 2013 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. By default, the user settings which are common between the Microsoft Office Suite 2013 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers.
If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2013 applications continue to synchronize.
@@ -2974,7 +2974,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2013 applications.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2013 applications.
Microsoft Office Suite 2013 has user settings which are common between applications and are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific common Microsoft Office Suite 2013 applications.
If you enable this policy setting, certain user settings which are common between the Microsoft Office Suite 2013 applications will continue to be backed up.
@@ -3047,7 +3047,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Excel 2013.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Excel 2013.
By default, the user settings of Microsoft Excel 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2013 from synchronization between computers.
@@ -3120,7 +3120,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Excel 2013. Microsoft Excel 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2013 settings.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Excel 2013. Microsoft Excel 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2013 settings.
If you enable this policy setting, certain user settings of Microsoft Excel 2013 will continue to be backed up.
@@ -3191,7 +3191,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft InfoPath 2013. By default, the user settings of Microsoft InfoPath 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2013 from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft InfoPath 2013. By default, the user settings of Microsoft InfoPath 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2013 from synchronization between computers.
If you enable this policy setting, Microsoft InfoPath 2013 user settings continue to synchronize.
@@ -3263,7 +3263,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft InfoPath 2013. Microsoft InfoPath 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft InfoPath 2013 settings.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft InfoPath 2013. Microsoft InfoPath 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft InfoPath 2013 settings.
If you enable this policy setting, certain user settings of Microsoft InfoPath 2013 will continue to be backed up.
@@ -3335,7 +3335,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Lync 2013. By default, the user settings of Microsoft Lync 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2013 from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Lync 2013. By default, the user settings of Microsoft Lync 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2013 from synchronization between computers.
If you enable this policy setting, Microsoft Lync 2013 user settings continue to synchronize.
@@ -3406,7 +3406,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Lync 2013. Microsoft Lync 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2013 settings.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Lync 2013. Microsoft Lync 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2013 settings.
If you enable this policy setting, certain user settings of Microsoft Lync 2013 will continue to be backed up.
@@ -3478,7 +3478,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for OneDrive for Business 2013. By default, the user settings of OneDrive for Business 2013 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2013 from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for OneDrive for Business 2013. By default, the user settings of OneDrive for Business 2013 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2013 from synchronization between computers.
If you enable this policy setting, OneDrive for Business 2013 user settings continue to synchronize.
@@ -3550,7 +3550,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft OneNote 2013. By default, the user settings of Microsoft OneNote 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2013 from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft OneNote 2013. By default, the user settings of Microsoft OneNote 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2013 from synchronization between computers.
If you enable this policy setting, Microsoft OneNote 2013 user settings continue to synchronize.
@@ -3622,7 +3622,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft OneNote 2013. Microsoft OneNote 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2013 settings.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft OneNote 2013. Microsoft OneNote 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2013 settings.
If you enable this policy setting, certain user settings of Microsoft OneNote 2013 will continue to be backed up.
@@ -3694,7 +3694,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Outlook 2013. By default, the user settings of Microsoft Outlook 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2013 from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Outlook 2013. By default, the user settings of Microsoft Outlook 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2013 from synchronization between computers.
If you enable this policy setting, Microsoft Outlook 2013 user settings continue to synchronize.
@@ -3765,7 +3765,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Outlook 2013. Microsoft Outlook 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2013 settings.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Outlook 2013. Microsoft Outlook 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2013 settings.
If you enable this policy setting, certain user settings of Microsoft Outlook 2013 will continue to be backed up.
@@ -3837,7 +3837,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2013. By default, the user settings of Microsoft PowerPoint 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2013 from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2013. By default, the user settings of Microsoft PowerPoint 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2013 from synchronization between computers.
If you enable this policy setting, Microsoft PowerPoint 2013 user settings continue to synchronize.
@@ -3909,7 +3909,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2013. Microsoft PowerPoint 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2013 settings.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2013. Microsoft PowerPoint 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2013 settings.
If you enable this policy setting, certain user settings of Microsoft PowerPoint 2013 will continue to be backed up.
@@ -3981,7 +3981,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Project 2013. By default, the user settings of Microsoft Project 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2013 from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Project 2013. By default, the user settings of Microsoft Project 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2013 from synchronization between computers.
If you enable this policy setting, Microsoft Project 2013 user settings continue to synchronize.
@@ -4052,7 +4052,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Project 2013. Microsoft Project 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2013 settings.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Project 2013. Microsoft Project 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2013 settings.
If you enable this policy setting, certain user settings of Microsoft Project 2013 will continue to be backed up.
@@ -4124,7 +4124,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Publisher 2013. By default, the user settings of Microsoft Publisher 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2013 from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Publisher 2013. By default, the user settings of Microsoft Publisher 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2013 from synchronization between computers.
If you enable this policy setting, Microsoft Publisher 2013 user settings continue to synchronize.
@@ -4196,7 +4196,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Publisher 2013. Microsoft Publisher 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2013 settings.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Publisher 2013. Microsoft Publisher 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2013 settings.
If you enable this policy setting, certain user settings of Microsoft Publisher 2013 will continue to be backed up.
@@ -4268,7 +4268,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2013. By default, the user settings of Microsoft SharePoint Designer 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2013 from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2013. By default, the user settings of Microsoft SharePoint Designer 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2013 from synchronization between computers.
If you enable this policy setting, Microsoft SharePoint Designer 2013 user settings continue to synchronize.
@@ -4339,7 +4339,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft SharePoint Designer 2013. Microsoft SharePoint Designer 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft SharePoint Designer 2013 settings.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft SharePoint Designer 2013. Microsoft SharePoint Designer 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft SharePoint Designer 2013 settings.
If you enable this policy setting, certain user settings of Microsoft SharePoint Designer 2013 will continue to be backed up.
@@ -4410,7 +4410,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 2013 Upload Center. By default, the user settings of Microsoft Office 2013 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2013 Upload Center from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 2013 Upload Center. By default, the user settings of Microsoft Office 2013 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2013 Upload Center from synchronization between computers.
If you enable this policy setting, Microsoft Office 2013 Upload Center user settings continue to synchronize.
@@ -4482,7 +4482,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Visio 2013. By default, the user settings of Microsoft Visio 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2013 from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Visio 2013. By default, the user settings of Microsoft Visio 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2013 from synchronization between computers.
If you enable this policy setting, Microsoft Visio 2013 user settings continue to synchronize.
@@ -4554,7 +4554,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Visio 2013. Microsoft Visio 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2013 settings.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Visio 2013. Microsoft Visio 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2013 settings.
If you enable this policy setting, certain user settings of Microsoft Visio 2013 will continue to be backed up.
@@ -4626,7 +4626,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Word 2013. By default, the user settings of Microsoft Word 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2013 from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Word 2013. By default, the user settings of Microsoft Word 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2013 from synchronization between computers.
If you enable this policy setting, Microsoft Word 2013 user settings continue to synchronize.
@@ -4698,7 +4698,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Word 2013. Microsoft Word 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2013 settings.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Word 2013. Microsoft Word 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2013 settings.
If you enable this policy setting, certain user settings of Microsoft Word 2013 will continue to be backed up.
@@ -4770,7 +4770,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Access 2016. By default, the user settings of Microsoft Access 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2016 from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Access 2016. By default, the user settings of Microsoft Access 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2016 from synchronization between computers.
If you enable this policy setting, Microsoft Access 2016 user settings continue to synchronize.
@@ -4842,7 +4842,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Access 2016. Microsoft Access 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2016 settings.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Access 2016. Microsoft Access 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2016 settings.
If you enable this policy setting, certain user settings of Microsoft Access 2016 will continue to be backed up.
@@ -4914,7 +4914,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. By default, the user settings which are common between the Microsoft Office Suite 2016 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. By default, the user settings which are common between the Microsoft Office Suite 2016 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers.
If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2016 applications continue to synchronize.
@@ -4986,7 +4986,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2016 applications.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2016 applications.
Microsoft Office Suite 2016 has user settings which are common between applications and are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific common Microsoft Office Suite 2016 applications.
If you enable this policy setting, certain user settings which are common between the Microsoft Office Suite 2016 applications will continue to be backed up.
@@ -5059,7 +5059,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Excel 2016. By default, the user settings of Microsoft Excel 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2016 from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Excel 2016. By default, the user settings of Microsoft Excel 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2016 from synchronization between computers.
If you enable this policy setting, Microsoft Excel 2016 user settings continue to synchronize.
@@ -5131,7 +5131,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Excel 2016. Microsoft Excel 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2016 settings.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Excel 2016. Microsoft Excel 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2016 settings.
If you enable this policy setting, certain user settings of Microsoft Excel 2016 will continue to be backed up.
@@ -5203,7 +5203,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Lync 2016. By default, the user settings of Microsoft Lync 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2016 from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Lync 2016. By default, the user settings of Microsoft Lync 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2016 from synchronization between computers.
If you enable this policy setting, Microsoft Lync 2016 user settings continue to synchronize.
@@ -5275,7 +5275,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Lync 2016. Microsoft Lync 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2016 settings.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Lync 2016. Microsoft Lync 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2016 settings.
If you enable this policy setting, certain user settings of Microsoft Lync 2016 will continue to be backed up.
@@ -5347,7 +5347,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for OneDrive for Business 2016. By default, the user settings of OneDrive for Business 2016 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2016 from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for OneDrive for Business 2016. By default, the user settings of OneDrive for Business 2016 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2016 from synchronization between computers.
If you enable this policy setting, OneDrive for Business 2016 user settings continue to synchronize.
@@ -5419,7 +5419,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft OneNote 2016. By default, the user settings of Microsoft OneNote 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2016 from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft OneNote 2016. By default, the user settings of Microsoft OneNote 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2016 from synchronization between computers.
If you enable this policy setting, Microsoft OneNote 2016 user settings continue to synchronize.
@@ -5491,7 +5491,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft OneNote 2016. Microsoft OneNote 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2016 settings.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft OneNote 2016. Microsoft OneNote 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2016 settings.
If you enable this policy setting, certain user settings of Microsoft OneNote 2016 will continue to be backed up.
@@ -5563,7 +5563,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Outlook 2016. By default, the user settings of Microsoft Outlook 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2016 from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Outlook 2016. By default, the user settings of Microsoft Outlook 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2016 from synchronization between computers.
If you enable this policy setting, Microsoft Outlook 2016 user settings continue to synchronize.
@@ -5635,7 +5635,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Outlook 2016. Microsoft Outlook 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2016 settings.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Outlook 2016. Microsoft Outlook 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2016 settings.
If you enable this policy setting, certain user settings of Microsoft Outlook 2016 will continue to be backed up.
@@ -5707,7 +5707,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2016. By default, the user settings of Microsoft PowerPoint 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2016 from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2016. By default, the user settings of Microsoft PowerPoint 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2016 from synchronization between computers.
If you enable this policy setting, Microsoft PowerPoint 2016 user settings continue to synchronize.
@@ -5779,7 +5779,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2016. Microsoft PowerPoint 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2016 settings.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2016. Microsoft PowerPoint 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2016 settings.
If you enable this policy setting, certain user settings of Microsoft PowerPoint 2016 will continue to be backed up.
@@ -5851,7 +5851,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Project 2016.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Project 2016.
By default, the user settings of Microsoft Project 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2016 from synchronization between computers.
If you enable this policy setting, Microsoft Project 2016 user settings continue to synchronize.
@@ -5924,7 +5924,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Project 2016. Microsoft Project 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2016 settings.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Project 2016. Microsoft Project 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2016 settings.
If you enable this policy setting, certain user settings of Microsoft Project 2016 will continue to be backed up.
@@ -5995,7 +5995,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Publisher 2016. By default, the user settings of Microsoft Publisher 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2016 from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Publisher 2016. By default, the user settings of Microsoft Publisher 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2016 from synchronization between computers.
If you enable this policy setting, Microsoft Publisher 2016 user settings continue to synchronize.
@@ -6067,7 +6067,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Publisher 2016. Microsoft Publisher 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2016 settings.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Publisher 2016. Microsoft Publisher 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2016 settings.
If you enable this policy setting, certain user settings of Microsoft Publisher 2016 will continue to be backed up.
@@ -6138,7 +6138,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 2016 Upload Center. By default, the user settings of Microsoft Office 2016 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2016 Upload Center from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 2016 Upload Center. By default, the user settings of Microsoft Office 2016 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2016 Upload Center from synchronization between computers.
If you enable this policy setting, Microsoft Office 2016 Upload Center user settings continue to synchronize.
@@ -6210,7 +6210,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Visio 2016. By default, the user settings of Microsoft Visio 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2016 from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Visio 2016. By default, the user settings of Microsoft Visio 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2016 from synchronization between computers.
If you enable this policy setting, Microsoft Visio 2016 user settings continue to synchronize.
@@ -6282,7 +6282,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Visio 2016. Microsoft Visio 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2016 settings.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Visio 2016. Microsoft Visio 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2016 settings.
If you enable this policy setting, certain user settings of Microsoft Visio 2016 will continue to be backed up.
@@ -6354,7 +6354,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Word 2016. By default, the user settings of Microsoft Word 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2016 from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Word 2016. By default, the user settings of Microsoft Word 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2016 from synchronization between computers.
If you enable this policy setting, Microsoft Word 2016 user settings continue to synchronize.
@@ -6426,7 +6426,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Word 2016. Microsoft Word 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2016 settings.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Word 2016. Microsoft Word 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2016 settings.
If you enable this policy setting, certain user settings of Microsoft Word 2016 will continue to be backed up.
@@ -6498,7 +6498,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2013 from synchronization between computers with UE-V.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2013 from synchronization between computers with UE-V.
If you enable this policy setting, Microsoft Office 365 Access 2013 user settings continue to sync with UE-V.
@@ -6570,7 +6570,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2016 from synchronization between computers with UE-V.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2016 from synchronization between computers with UE-V.
If you enable this policy setting, Microsoft Office 365 Access 2016 user settings continue to sync with UE-V.
@@ -6642,7 +6642,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2013 applications will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers with UE-V.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2013 applications will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers with UE-V.
If you enable this policy setting, user settings which are common between the Microsoft Office Suite 2013 applications continue to synchronize with UE-V.
@@ -6713,7 +6713,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2016 applications will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers with UE-V.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2016 applications will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers with UE-V.
If you enable this policy setting, user settings which are common between the Microsoft Office Suite 2016 applications continue to synchronize with UE-V.
@@ -6785,7 +6785,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2013 from synchronization between computers with UE-V.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2013 from synchronization between computers with UE-V.
If you enable this policy setting, Microsoft Office 365 Excel 2013 user settings continue to sync with UE-V.
@@ -6857,7 +6857,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2016 from synchronization between computers with UE-V.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2016 from synchronization between computers with UE-V.
If you enable this policy setting, Microsoft Office 365 Excel 2016 user settings continue to sync with UE-V.
@@ -6929,7 +6929,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 InfoPath 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 InfoPath 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 InfoPath 2013 from synchronization between computers with UE-V.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 InfoPath 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 InfoPath 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 InfoPath 2013 from synchronization between computers with UE-V.
If you enable this policy setting, Microsoft Office 365 InfoPath 2013 user settings continue to sync with UE-V.
@@ -7000,7 +7000,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2013 from synchronization between computers with UE-V.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2013 from synchronization between computers with UE-V.
If you enable this policy setting, Microsoft Office 365 Lync 2013 user settings continue to sync with UE-V.
@@ -7072,7 +7072,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2016 from synchronization between computers with UE-V.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2016 from synchronization between computers with UE-V.
If you enable this policy setting, Microsoft Office 365 Lync 2016 user settings continue to sync with UE-V.
@@ -7144,7 +7144,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2013 from synchronization between computers with UE-V.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2013 from synchronization between computers with UE-V.
If you enable this policy setting, Microsoft Office 365 OneNote 2013 user settings continue to sync with UE-V.
@@ -7216,7 +7216,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2016 from synchronization between computers with UE-V.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2016 from synchronization between computers with UE-V.
If you enable this policy setting, Microsoft Office 365 OneNote 2016 user settings continue to sync with UE-V.
@@ -7288,7 +7288,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2013 from synchronization between computers with UE-V.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2013 from synchronization between computers with UE-V.
If you enable this policy setting, Microsoft Office 365 Outlook 2013 user settings continue to sync with UE-V.
@@ -7360,7 +7360,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2016 from synchronization between computers with UE-V.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2016 from synchronization between computers with UE-V.
If you enable this policy setting, Microsoft Office 365 Outlook 2016 user settings continue to sync with UE-V.
@@ -7432,7 +7432,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2013 from synchronization between computers with UE-V.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2013 from synchronization between computers with UE-V.
If you enable this policy setting, Microsoft Office 365 PowerPoint 2013 user settings continue to sync with UE-V.
@@ -7504,7 +7504,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2016 from synchronization between computers with UE-V.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2016 from synchronization between computers with UE-V.
If you enable this policy setting, Microsoft Office 365 PowerPoint 2016 user settings continue to sync with UE-V.
@@ -7576,7 +7576,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2013 from synchronization between computers with UE-V.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2013 from synchronization between computers with UE-V.
If you enable this policy setting, Microsoft Office 365 Project 2013 user settings continue to sync with UE-V.
@@ -7647,7 +7647,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2016 from synchronization between computers with UE-V.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2016 from synchronization between computers with UE-V.
If you enable this policy setting, Microsoft Office 365 Project 2016 user settings continue to sync with UE-V.
@@ -7719,7 +7719,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2013 from synchronization between computers with UE-V.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2013 from synchronization between computers with UE-V.
If you enable this policy setting, Microsoft Office 365 Publisher 2013 user settings continue to sync with UE-V.
@@ -7791,7 +7791,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2016 from synchronization between computers with UE-V.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2016 from synchronization between computers with UE-V.
If you enable this policy setting, Microsoft Office 365 Publisher 2016 user settings continue to sync with UE-V.
@@ -7863,7 +7863,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 SharePoint Designer 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 SharePoint Designer 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 SharePoint Designer 2013 from synchronization between computers with UE-V.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 SharePoint Designer 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 SharePoint Designer 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 SharePoint Designer 2013 from synchronization between computers with UE-V.
If you enable this policy setting, Microsoft Office 365 SharePoint Designer 2013 user settings continue to sync with UE-V.
@@ -7935,7 +7935,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2013 from synchronization between computers with UE-V.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2013 from synchronization between computers with UE-V.
If you enable this policy setting, Microsoft Office 365 Visio 2013 user settings continue to sync with UE-V.
@@ -8007,7 +8007,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2016 from synchronization between computers with UE-V.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2016 from synchronization between computers with UE-V.
If you enable this policy setting, Microsoft Office 365 Visio 2016 user settings continue to sync with UE-V.
@@ -8079,7 +8079,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2013 from synchronization between computers with UE-V.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2013 from synchronization between computers with UE-V.
If you enable this policy setting, Microsoft Office 365 Word 2013 user settings continue to sync with UE-V.
@@ -8151,7 +8151,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2016 from synchronization between computers with UE-V.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2016 from synchronization between computers with UE-V.
If you enable this policy setting, Microsoft Office 365 Word 2016 user settings continue to sync with UE-V.
@@ -8223,7 +8223,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Music app. By default, the user settings of Music sync between computers. Use the policy setting to prevent the user settings of Music from synchronizing between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Music app. By default, the user settings of Music sync between computers. Use the policy setting to prevent the user settings of Music from synchronizing between computers.
If you enable this policy setting, Music user settings continue to sync.
@@ -8294,7 +8294,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the News app. By default, the user settings of News sync between computers. Use the policy setting to prevent the user settings of News from synchronizing between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the News app. By default, the user settings of News sync between computers. Use the policy setting to prevent the user settings of News from synchronizing between computers.
If you enable this policy setting, News user settings continue to sync.
@@ -8366,7 +8366,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings of Notepad. By default, the user settings of Notepad synchronize between computers. Use the policy setting to prevent the user settings of Notepad from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings of Notepad. By default, the user settings of Notepad synchronize between computers. Use the policy setting to prevent the user settings of Notepad from synchronization between computers.
If you enable this policy setting, the Notepad user settings continue to synchronize.
@@ -8438,7 +8438,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Reader app. By default, the user settings of Reader sync between computers. Use the policy setting to prevent the user settings of Reader from synchronizing between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Reader app. By default, the user settings of Reader sync between computers. Use the policy setting to prevent the user settings of Reader from synchronizing between computers.
If you enable this policy setting, Reader user settings continue to sync.
@@ -8511,7 +8511,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the number of milliseconds that the computer waits when retrieving user settings from the settings storage location. You can use this setting to override the default value of 2000 milliseconds.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the number of milliseconds that the computer waits when retrieving user settings from the settings storage location. You can use this setting to override the default value of 2000 milliseconds.
If you enable this policy setting, set the number of milliseconds that the system waits to retrieve settings.
@@ -8581,7 +8581,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures where the settings package files that contain user settings are stored.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures where the settings package files that contain user settings are stored.
If you enable this policy setting, the user settings are stored in the specified location.
@@ -8651,7 +8651,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures where custom settings location templates are stored and if the catalog will be used to replace the default Microsoft templates installed with the UE-V Agent.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures where custom settings location templates are stored and if the catalog will be used to replace the default Microsoft templates installed with the UE-V Agent.
If you enable this policy setting, the UE-V Agent checks the specified location once each day and updates its synchronization behavior based on the templates in this location. Settings location templates added or updated since the last check are registered by the UE-V Agent. The UE-V Agent deregisters templates that were removed from this location.
@@ -8727,7 +8727,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Sports app. By default, the user settings of Sports sync between computers. Use the policy setting to prevent the user settings of Sports from synchronizing between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Sports app. By default, the user settings of Sports sync between computers. Use the policy setting to prevent the user settings of Sports from synchronizing between computers.
If you enable this policy setting, Sports user settings continue to sync.
@@ -8799,7 +8799,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to enable or disable User Experience Virtualization (UE-V). Only applies to Windows 10 or earlier.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enable or disable User Experience Virtualization (UE-V). Only applies to Windows 10 or earlier.
> [!TIP]
@@ -8864,7 +8864,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connections. By default, the UE-V Agent does not synchronize settings over a metered connection.
+Available in the latest Windows 10 Insider Preview Build. This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connections. By default, the UE-V Agent does not synchronize settings over a metered connection.
With this setting enabled, the UE-V Agent synchronizes settings over a metered connection.
@@ -8936,7 +8936,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connections outside of the home provider network, for example when connected via a roaming connection. By default, the UE-V Agent does not synchronize settings over a metered connection that is roaming.
+Available in the latest Windows 10 Insider Preview Build. This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connections outside of the home provider network, for example when connected via a roaming connection. By default, the UE-V Agent does not synchronize settings over a metered connection that is roaming.
With this setting enabled, the UE-V Agent synchronizes settings over a metered connection that is roaming.
@@ -9008,7 +9008,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure the User Experience Virtualization (UE-V) sync provider to ping the settings storage path before attempting to sync settings. If the ping is successful then the sync provider attempts to synchronize the settings packages. If the ping is unsuccessful then the sync provider doesn’t attempt the synchronization.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the User Experience Virtualization (UE-V) sync provider to ping the settings storage path before attempting to sync settings. If the ping is successful then the sync provider attempts to synchronize the settings packages. If the ping is unsuccessful then the sync provider doesn’t attempt the synchronization.
If you enable this policy setting, the sync provider pings the settings storage location before synchronizing settings packages.
@@ -9079,7 +9079,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting defines the default settings sync behavior of the User Experience Virtualization (UE-V) Agent for Windows apps that are not explicitly listed in Windows App List. By default, the UE-V Agent only synchronizes settings of those Windows apps included in the Windows App List.
+Available in the latest Windows 10 Insider Preview Build. This policy setting defines the default settings sync behavior of the User Experience Virtualization (UE-V) Agent for Windows apps that are not explicitly listed in Windows App List. By default, the UE-V Agent only synchronizes settings of those Windows apps included in the Windows App List.
With this setting enabled, the settings of all Windows apps not expressly disable in the Windows App List are synchronized.
@@ -9151,7 +9151,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Travel app. By default, the user settings of Travel sync between computers. Use the policy setting to prevent the user settings of Travel from synchronizing between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Travel app. By default, the user settings of Travel sync between computers. Use the policy setting to prevent the user settings of Travel from synchronizing between computers.
If you enable this policy setting, Travel user settings continue to sync.
@@ -9222,7 +9222,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting enables the User Experience Virtualization (UE-V) tray icon. By default, an icon appears in the system tray that displays notifications for UE-V. This icon also provides a link to the UE-V Agent application, Company Settings Center. Users can open the Company Settings Center by right-clicking the icon and selecting Open or by double-clicking the icon. When this group policy setting is enabled, the UE-V tray icon is visible, the UE-V notifications display, and the Company Settings Center is accessible from the tray icon.
+Available in the latest Windows 10 Insider Preview Build. This policy setting enables the User Experience Virtualization (UE-V) tray icon. By default, an icon appears in the system tray that displays notifications for UE-V. This icon also provides a link to the UE-V Agent application, Company Settings Center. Users can open the Company Settings Center by right-clicking the icon and selecting Open or by double-clicking the icon. When this group policy setting is enabled, the UE-V tray icon is visible, the UE-V notifications display, and the Company Settings Center is accessible from the tray icon.
With this setting disabled, the tray icon does not appear in the system tray, UE-V never displays notifications, and the user cannot access Company Settings Center from the system tray. The Company Settings Center remains accessible through the Control Panel and the Start menu or Start screen.
@@ -9292,7 +9292,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Video app. By default, the user settings of Video sync between computers. Use the policy setting to prevent the user settings of Video from synchronizing between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Video app. By default, the user settings of Video sync between computers. Use the policy setting to prevent the user settings of Video from synchronizing between computers.
If you enable this policy setting, Video user settings continue to sync.
@@ -9364,7 +9364,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Weather app. By default, the user settings of Weather sync between computers. Use the policy setting to prevent the user settings of Weather from synchronizing between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Weather app. By default, the user settings of Weather sync between computers. Use the policy setting to prevent the user settings of Weather from synchronizing between computers.
If you enable this policy setting, Weather user settings continue to sync.
@@ -9435,7 +9435,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings of WordPad. By default, the user settings of WordPad synchronize between computers. Use the policy setting to prevent the user settings of WordPad from synchronization between computers.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings of WordPad. By default, the user settings of WordPad synchronize between computers. Use the policy setting to prevent the user settings of WordPad from synchronization between computers.
If you enable this policy setting, the WordPad user settings continue to synchronize.
@@ -9463,14 +9463,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-userprofiles.md b/windows/client-management/mdm/policy-csp-admx-userprofiles.md
new file mode 100644
index 0000000000..dcc45e4c5e
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-userprofiles.md
@@ -0,0 +1,655 @@
+---
+title: Policy CSP - ADMX_UserProfiles
+description: Policy CSP - ADMX_UserProfiles
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 11/11/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_UserProfiles
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_UserProfiles policies
+
+
+
+
+
+
+
+
+**ADMX_UserProfiles/CleanupProfiles**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows an administrator to automatically delete user profiles on system restart that have not been used within a specified number of days. Note: One day is interpreted as 24 hours after a specific user profile was accessed.
+
+If you enable this policy setting, the User Profile Service will automatically delete on the next system restart all user profiles on the computer that have not been used within the specified number of days.
+
+If you disable or do not configure this policy setting, User Profile Service will not automatically delete any profiles on the next system restart.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Delete user profiles older than a specified number of days on system restart*
+- GP name: *CleanupProfiles*
+- GP path: *System\User Profiles*
+- GP ADMX file name: *UserProfiles.admx*
+
+
+
+
+
+
+**ADMX_UserProfiles/DontForceUnloadHive**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether Windows forcefully unloads the user's registry at logoff, even if there are open handles to the per-user registry keys.
+
+Note: This policy setting should only be used for cases where you may be running into application compatibility issues due to this specific Windows behavior. It is not recommended to enable this policy by default as it may prevent users from getting an updated version of their roaming user profile.
+
+If you enable this policy setting, Windows will not forcefully unload the users registry at logoff, but will unload the registry when all open handles to the per-user registry keys are closed.
+
+If you disable or do not configure this policy setting, Windows will always unload the users registry at logoff, even if there are any open handles to the per-user registry keys at user logoff.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not forcefully unload the users registry at user logoff*
+- GP name: *DontForceUnloadHive*
+- GP path: *System\User Profiles*
+- GP ADMX file name: *UserProfiles.admx*
+
+
+
+
+
+
+**ADMX_UserProfiles/LeaveAppMgmtData**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the system retains a roaming user's Windows Installer and Group Policy based software installation data on their profile deletion.
+
+By default Windows deletes all information related to a roaming user (which includes the user's settings, data, Windows Installer related data, and the like) when their profile is deleted. As a result, the next time a roaming user whose profile was previously deleted on that client logs on, they will need to reinstall all apps published via policy at logon increasing logon time. You can use this policy setting to change this behavior.
+
+If you enable this policy setting, Windows will not delete Windows Installer or Group Policy software installation data for roaming users when profiles are deleted from the machine. This will improve the performance of Group Policy based Software Installation during user logon when a user profile is deleted and that user subsequently logs on to the machine.
+
+If you disable or do not configure this policy setting, Windows will delete the entire profile for roaming users, including the Windows Installer and Group Policy software installation data when those profiles are deleted.
+
+> [!NOTE]
+> If this policy setting is enabled for a machine, local administrator action is required to remove the Windows Installer or Group Policy software installation data stored in the registry and file system of roaming users' profiles on the machine.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Leave Windows Installer and Group Policy Software Installation Data*
+- GP name: *LeaveAppMgmtData*
+- GP path: *System\User Profiles*
+- GP ADMX file name: *UserProfiles.admx*
+
+
+
+
+
+
+**ADMX_UserProfiles/LimitSize**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting sets the maximum size of each user profile and determines the system's response when a user profile reaches the maximum size. This policy setting affects both local and roaming profiles.
+
+If you disable this policy setting or do not configure it, the system does not limit the size of user profiles.
+
+If you enable this policy setting, you can:
+
+- Set a maximum permitted user profile size.
+- Determine whether the registry files are included in the calculation of the profile size.
+- Determine whether users are notified when the profile exceeds the permitted maximum size.
+- Specify a customized message notifying users of the oversized profile.
+- Determine how often the customized message is displayed.
+
+> [!NOTE]
+> In operating systems earlier than Microsoft Windows Vista, Windows will not allow users to log off until the profile size has been reduced to within the allowable limit. In Microsoft Windows Vista, Windows will not block users from logging off. Instead, if the user has a roaming user profile, Windows will not synchronize the user's profile with the roaming profile server if the maximum profile size limit specified here is exceeded.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Limit profile size*
+- GP name: *LimitSize*
+- GP path: *System\User Profiles*
+- GP ADMX file name: *UserProfiles.admx*
+
+
+
+
+
+
+**ADMX_UserProfiles/ProfileErrorAction**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting will automatically log off a user when Windows cannot load their profile.
+
+If Windows cannot access the user profile folder or the profile contains errors that prevent it from loading, Windows logs on the user with a temporary profile. This policy setting allows the administrator to disable this behavior, preventing Windows from logging on the user with a temporary profile.
+
+If you enable this policy setting, Windows will not log on a user with a temporary profile. Windows logs the user off if their profile cannot be loaded.
+
+If you disable this policy setting or do not configure it, Windows logs on the user with a temporary profile when Windows cannot load their user profile.
+
+Also, see the "Delete cached copies of roaming profiles" policy setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not log users on with temporary profiles*
+- GP name: *ProfileErrorAction*
+- GP path: *System\User Profiles*
+- GP ADMX file name: *UserProfiles.admx*
+
+
+
+
+
+
+**ADMX_UserProfiles/SlowLinkTimeOut**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting defines a slow connection for roaming user profiles and establishes thresholds for two tests of network speed.
+
+To determine the network performance characteristics, a connection is made to the file share storing the user's profile and 64 kilobytes of data is transferred. From that connection and data transfer, the network's latency and connection speed are determined.
+
+This policy setting and related policy settings in this folder together define the system's response when roaming user profiles are slow to load.
+
+If you enable this policy setting, you can change how long Windows waits for a response from the server before considering the connection to be slow.
+
+If you disable or do not configure this policy setting, Windows considers the network connection to be slow if the server returns less than 500 kilobits of data per second or take 120 milliseconds to respond.Consider increasing this value for clients using DHCP Service-assigned addresses or for computers accessing profiles across dial-up connections.Important: If the "Do not detect slow network connections" policy setting is enabled, this policy setting is ignored. Also, if the "Delete cached copies of roaming profiles" policy setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connection.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Control slow network connection timeout for user profiles*
+- GP name: *SlowLinkTimeOut*
+- GP path: *System\User Profiles*
+- GP ADMX file name: *UserProfiles.admx*
+
+
+
+
+
+
+**ADMX_UserProfiles/USER_HOME**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the location and root (file share or local path) of a user's home folder for a logon session.
+
+If you enable this policy setting, the user's home folder is configured to the specified local or network location, creating a new folder for each user name.
+
+To use this policy setting, in the Location list, choose the location for the home folder. If you choose “On the network,” enter the path to a file share in the Path box (for example, \\\\ComputerName\ShareName), and then choose the drive letter to assign to the file share. If you choose “On the local computer,” enter a local path (for example, C:\HomeFolder) in the Path box.
+
+Do not specify environment variables or ellipses in the path. Also, do not specify a placeholder for the user name because the user name will be appended at logon.
+
+> [!NOTE]
+> The Drive letter box is ignored if you choose “On the local computer” from the Location list. If you choose “On the local computer” and enter a file share, the user's home folder will be placed in the network location without mapping the file share to a drive letter.
+
+If you disable or do not configure this policy setting, the user's home folder is configured as specified in the user's Active Directory Domain Services account.
+
+If the "Set Remote Desktop Services User Home Directory" policy setting is enabled, the “Set user home folder” policy setting has no effect.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Set user home folder*
+- GP name: *USER_HOME*
+- GP path: *System\User Profiles*
+- GP ADMX file name: *UserProfiles.admx*
+
+
+
+
+
+
+**ADMX_UserProfiles/UserInfoAccessAction**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This setting prevents users from managing the ability to allow apps to access the user name, account picture, and domain information.
+
+If you enable this policy setting, sharing of user name, picture and domain information may be controlled by setting one of the following options:
+
+- "Always on" - users will not be able to change this setting and the user's name and account picture will be shared with apps (not desktop apps). In addition apps (not desktop apps) that have the enterprise authentication capability will also be able to retrieve the user's UPN, SIP/URI, and DNS.
+
+- "Always off" - users will not be able to change this setting and the user's name and account picture will not be shared with apps (not desktop apps). In addition apps (not desktop apps) that have the enterprise authentication capability will not be able to retrieve the user's UPN, SIP/URI, and DNS. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain information protected by this setting to connect with network resources.
+
+If you do not configure or disable this policy the user will have full control over this setting and can turn it off and on. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain information protected by this setting to connect with network resources if users choose to turn the setting off.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *User management of sharing user name, account picture, and domain information with apps (not desktop apps)*
+- GP name: *UserInfoAccessAction*
+- GP path: *System\User Profiles*
+- GP ADMX file name: *UserProfiles.admx*
+
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
diff --git a/windows/client-management/mdm/policy-csp-admx-w32time.md b/windows/client-management/mdm/policy-csp-admx-w32time.md
index a9b6715a43..37697fb185 100644
--- a/windows/client-management/mdm/policy-csp-admx-w32time.md
+++ b/windows/client-management/mdm/policy-csp-admx-w32time.md
@@ -83,7 +83,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify Clock discipline and General values for the Windows Time service (W32time) for domain controllers including RODCs.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify Clock discipline and General values for the Windows Time service (W32time) for domain controllers including RODCs.
If this policy setting is enabled, W32time Service on target machines use the settings provided here. Otherwise, the service on target machines use locally configured settings values.
@@ -228,7 +228,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies a set of parameters for controlling the Windows NTP Client.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a set of parameters for controlling the Windows NTP Client.
If you enable this policy setting, you can specify the following parameters for the Windows NTP Client.
@@ -318,7 +318,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether the Windows NTP Client is enabled.
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the Windows NTP Client is enabled.
Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider.
@@ -389,7 +389,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify whether the Windows NTP Server is enabled.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether the Windows NTP Server is enabled.
If you enable this policy setting for the Windows NTP Server, your computer can service NTP requests from other computers.
@@ -416,14 +416,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-wcm.md b/windows/client-management/mdm/policy-csp-admx-wcm.md
new file mode 100644
index 0000000000..0c5ea22e12
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-wcm.md
@@ -0,0 +1,273 @@
+---
+title: Policy CSP - ADMX_WCM
+description: Policy CSP - ADMX_WCM
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 10/22/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_WCM
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_WCM policies
+
+
+
+
+
+
+
+
+**ADMX_WCM/WCM_DisablePowerManagement**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies that power management is disabled when the machine enters connected standby mode.
+
+If this policy setting is enabled, Windows Connection Manager does not manage adapter radios to reduce power consumption when the machine enters connected standby mode.
+
+If this policy setting is not configured or is disabled, power management is enabled when the machine enters connected standby mode.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Disable power management in connected standby mode*
+- GP name: *WCM_DisablePowerManagement*
+- GP path: *Network\Windows Connection Manager*
+- GP ADMX file name: *WCM.admx*
+
+
+
+
+
+
+**ADMX_WCM/WCM_EnableSoftDisconnect**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows will soft-disconnect a computer from a network.
+
+If this policy setting is enabled or not configured, Windows will soft-disconnect a computer from a network when it determines that the computer should no longer be connected to a network.
+
+If this policy setting is disabled, Windows will disconnect a computer from a network immediately when it determines that the computer should no longer be connected to a network.
+
+When soft disconnect is enabled:
+
+- When Windows decides that the computer should no longer be connected to a network, it waits for traffic to settle on that network. The existing TCP session will continue uninterrupted.
+- Windows then checks the traffic level on the network periodically. If the traffic level is above a certain threshold, no further action is taken. The computer stays connected to the network and continues to use it. For example, if the network connection is currently being used to download files from the Internet, the files will continue to be downloaded using that network connection.
+- When the network traffic drops below this threshold, the computer will be disconnected from the network. Apps that keep a network connection active even when they’re not actively using it (for example, email apps) might lose their connection. If this happens, these apps should re-establish their connection over a different network.
+
+This policy setting depends on other group policy settings. For example, if 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is disabled, Windows will not disconnect from any networks.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Enable Windows to soft-disconnect a computer from a network*
+- GP name: *WCM_EnableSoftDisconnect*
+- GP path: *Network\Windows Connection Manager*
+- GP ADMX file name: *WCM.admx*
+
+
+
+
+
+
+**ADMX_WCM/WCM_MinimizeConnections**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines if a computer can have multiple connections to the internet or to a Windows domain. If multiple connections are allowed, it then determines how network traffic will be routed.
+
+If this policy setting is set to 0, a computer can have simultaneous connections to the internet, to a Windows domain, or to both. Internet traffic can be routed over any connection - including a cellular connection and any metered network. This was previously the Disabled state for this policy setting. This option was first available in Windows 8.
+
+If this policy setting is set to 1, any new automatic internet connection is blocked when the computer has at least one active internet connection to a preferred type of network. Here's the order of preference (from most preferred to least preferred): Ethernet, WLAN, then cellular. Ethernet is always preferred when connected. Users can still manually connect to any network. This was previously the Enabled state for this policy setting. This option was first available in Windows 8.
+
+If this policy setting is set to 2, the behavior is similar to 1. However, if a cellular data connection is available, it will always stay connected for services that require a cellular connection. When the user is connected to a WLAN or Ethernet connection, no internet traffic will be routed over the cellular connection. This option was first available in Windows 10 (Version 1703).
+
+If this policy setting is set to 3, the behavior is similar to 2. However, if there's an Ethernet connection, Windows won't allow users to connect to a WLAN manually. A WLAN can only be connected (automatically or manually) when there's no Ethernet connection.
+
+This policy setting is related to the "Enable Windows to soft-disconnect a computer from a network" policy setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Minimize the number of simultaneous connections to the Internet or a Windows Domain*
+- GP name: *WCM_MinimizeConnections*
+- GP path: *Network\Windows Connection Manager*
+- GP ADMX file name: *WCM.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-wincal.md b/windows/client-management/mdm/policy-csp-admx-wincal.md
index bceaf394ed..399309047c 100644
--- a/windows/client-management/mdm/policy-csp-admx-wincal.md
+++ b/windows/client-management/mdm/policy-csp-admx-wincal.md
@@ -77,7 +77,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing them, and subscribing to other users calendars.
+Available in the latest Windows 10 Insider Preview Build. Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing them, and subscribing to other users calendars.
If you enable this setting, Windows Calendar will be turned off.
@@ -150,7 +150,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing them, and subscribing to other users calendars.
+Available in the latest Windows 10 Insider Preview Build. Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing them, and subscribing to other users calendars.
If you enable this setting, Windows Calendar will be turned off.
@@ -179,14 +179,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsanytimeupgrade.md b/windows/client-management/mdm/policy-csp-admx-windowsanytimeupgrade.md
index 8b06f92864..efff151d08 100644
--- a/windows/client-management/mdm/policy-csp-admx-windowsanytimeupgrade.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowsanytimeupgrade.md
@@ -75,7 +75,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. By default, Add features to Windows 10 is available for all administrators.
+Available in the latest Windows 10 Insider Preview Build. By default, Add features to Windows 10 is available for all administrators.
If you enable this policy setting, the wizard will not run.
@@ -102,14 +102,14 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
-
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md
index 80b7d947fa..086405efd2 100644
--- a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md
@@ -80,7 +80,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting prohibits access to Windows Connect Now (WCN) wizards.
+Available in the latest Windows 10 Insider Preview Build. This policy setting prohibits access to Windows Connect Now (WCN) wizards.
If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. All the configuration related tasks, including "Set up a wireless router or access point" and "Add a wireless device" are disabled.
@@ -149,7 +149,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting prohibits access to Windows Connect Now (WCN) wizards.
+Available in the latest Windows 10 Insider Preview Build. This policy setting prohibits access to Windows Connect Now (WCN) wizards.
If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. All the configuration related tasks, including "Set up a wireless router or access point" and "Add a wireless device" are disabled.
@@ -218,7 +218,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP), over In-band 802.11 WLAN, through the Windows Portable Device API (WPD), and via USB Flash drives.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP), over In-band 802.11 WLAN, through the Windows Portable Device API (WPD), and via USB Flash drives.
Additional options are available to allow discovery and configuration over a specific medium.
@@ -251,14 +251,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md
new file mode 100644
index 0000000000..004f66dae4
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md
@@ -0,0 +1,5368 @@
+---
+title: Policy CSP - ADMX_WindowsExplorer
+description: Policy CSP - ADMX_WindowsExplorer
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 10/29/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_WindowsExplorer
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+
+## ADMX_WindowsExplorer policies
+
+
+
+
+
+
+
+
+**ADMX_WindowsExplorer/CheckSameSourceAndTargetForFRAndDFS**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent data loss when you change the target location for Folder Redirection, and the new and old targets point to the same network share, but have different network paths.
+
+If you enable this policy setting, Folder Redirection creates a temporary file in the old location in order to verify that new and old locations point to the same network share. If both new and old locations point to the same share, the target path is updated and files are not copied or deleted. The temporary file is deleted.
+
+If you disable or do not configure this policy setting, Folder Redirection does not create a temporary file and functions as if both new and old locations point to different shares when their network paths are different.
+
+> [!NOTE]
+> If the paths point to different network shares, this policy setting is not required. If the paths point to the same network share, any data contained in the redirected folders is deleted if this policy setting is not enabled.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Verify old and new Folder Redirection targets point to the same share before redirecting*
+- GP name: *CheckSameSourceAndTargetForFRAndDFS*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+
+**ADMX_WindowsExplorer/ClassicShell**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This setting allows an administrator to revert specific Windows Shell behavior to classic Shell behavior.
+
+If you enable this setting, users cannot configure their system to open items by single-clicking (such as in Mouse in Control Panel). As a result, the user interface looks and operates like the interface for Windows NT 4.0, and users cannot restore the new features.
+
+Enabling this policy will also turn off the preview pane and set the folder options for File Explorer to Use classic folders view and disable the users ability to change these options.
+
+If you disable or not configure this policy, the default File Explorer behavior is applied to the user.
+
+> [!NOTE]
+> In operating systems earlier than Windows Vista, enabling this policy will also disable the Active Desktop and Web view. This setting will also take precedence over the "Enable Active Desktop" setting. If both policies are enabled, Active Desktop is disabled. Also, see the "Disable Active Desktop" setting in User Configuration\Administrative Templates\Desktop\Active Desktop and the "Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon" setting in User Configuration\Administrative Templates\Windows Components\File Explorer.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn on Classic Shell*
+- GP name: *ClassicShell*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/ConfirmFileDelete**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Allows you to have File Explorer display a confirmation dialog whenever a file is deleted or moved to the Recycle Bin.
+
+If you enable this setting, a confirmation dialog is displayed when a file is deleted or moved to the Recycle Bin by the user.
+
+If you disable or do not configure this setting, the default behavior of not displaying a confirmation dialog occurs.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Display confirmation dialog when deleting files*
+- GP name: *ConfirmFileDelete*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/DefaultLibrariesLocation**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify a location where all default Library definition files for users/machines reside.
+
+If you enable this policy setting, administrators can specify a path where all default Library definition files for users reside. The user will not be allowed to make changes to these Libraries from the UI. On every logon, the policy settings are verified and Libraries for the user are updated or changed according to the path defined.
+
+If you disable or do not configure this policy setting, no changes are made to the location of the default Library definition files.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Location where all default Library definition files for users/machines reside.*
+- GP name: *DefaultLibrariesLocation*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/DisableBindDirectlyToPropertySetStorage**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Changes the behavior of IShellFolder::BindToObject for IID_IPropertySetStorage to not bind directly to the IPropertySetStorage implementation, and to include the intermediate layers provided by the Property System.
+
+This behavior is consistent with Windows Vista's behavior in this scenario.
+
+This disables access to user-defined properties, and properties stored in NTFS secondary streams.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Disable binding directly to IPropertySetStorage without intermediate layers.*
+- GP name: *DisableBindDirectlyToPropertySetStorage*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/DisableIndexedLibraryExperience**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off Windows Libraries features that need indexed file metadata to function properly.
+
+If you enable this policy, some Windows Libraries features will be turned off to better handle included folders that have been redirected to non-indexed network locations.
+
+Setting this policy will:
+
+- Disable all Arrangement views except for "By Folder"
+- Disable all Search filter suggestions other than "Date Modified" and "Size"
+- Disable view of file content snippets in Content mode when search results are returned
+- Disable ability to stack in the Context menu and Column headers
+- Exclude Libraries from the scope of Start search This policy will not enable users to add unsupported locations to Libraries
+
+If you enable this policy, Windows Libraries features that rely on indexed file data will be disabled.
+
+If you disable or do not configure this policy, all default Windows Libraries features will be enabled.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Windows Libraries features that rely on indexed file data*
+- GP name: *DisableIndexedLibraryExperience*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+
+**ADMX_WindowsExplorer/DisableKnownFolders**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify a list of known folders that should be disabled.
+
+Disabling a known folder will prevent the underlying file or directory from being created via the known folder API. If the folder exists before the policy is applied, the folder must be manually deleted since the policy only blocks the creation of the folder.
+
+You can specify a known folder using its known folder id or using its canonical name. For example, the Sample Videos known folder can be disabled by specifying {440fcffd-a92b-4739-ae1a-d4a54907c53f} or SampleVideos.
+
+> [!NOTE]
+> Disabling a known folder can introduce application compatibility issues in applications that depend on the existence of the known folder.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Disable Known Folders*
+- GP name: *DisableKnownFolders*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/DisableSearchBoxSuggestions**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Disables suggesting recent queries for the Search Box and prevents entries into the Search Box from being stored in the registry for future references.
+
+File Explorer shows suggestion pop-ups as users type into the Search Box.
+
+These suggestions are based on their past entries into the Search Box.
+
+> [!NOTE]
+> If you enable this policy, File Explorer will not show suggestion pop-ups as users type into the Search Box, and it will not store Search Box entries into the registry for future references. If the user types a property, values that match this property will be shown but no data will be saved in the registry or re-shown on subsequent uses of the search box.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off display of recent search entries in the File Explorer search box*
+- GP name: *DisableSearchBoxSuggestions*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+
+**ADMX_WindowsExplorer/EnableShellShortcutIconRemotePath**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether remote paths can be used for file shortcut (.lnk file) icons.
+
+If you enable this policy setting, file shortcut icons are allowed to be obtained from remote paths.
+
+If you disable or do not configure this policy setting, file shortcut icons that use remote paths are prevented from being displayed.
+
+> [!NOTE]
+> Allowing the use of remote paths in file shortcut icons can expose users’ computers to security risks.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow the use of remote paths in file shortcut icons*
+- GP name: *EnableShellShortcutIconRemotePath*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+
+**ADMX_WindowsExplorer/EnableSmartScreen**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy allows you to turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an interstitial dialog shown before running an app that has been downloaded from the Internet and is unrecognized or known to be malicious. No dialog is shown for apps that do not appear to be suspicious.
+
+Some information is sent to Microsoft about files and programs run on PCs with this feature enabled.
+
+If you enable this policy, SmartScreen will be turned on for all users. Its behavior can be controlled by the following options:
+
+- Warn and prevent bypass
+- Warn
+
+If you enable this policy with the "Warn and prevent bypass" option, SmartScreen's dialogs will not present the user with the option to disregard the warning and run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app. If you enable this policy with the "Warn" option, SmartScreen's dialogs will warn the user that the app appears suspicious, but will permit the user to disregard the warning and run the app anyway. SmartScreen will not warn the user again for that app if the user tells SmartScreen to run the app.
+
+If you disable this policy, SmartScreen will be turned off for all users. Users will not be warned if they try to run suspicious apps from the Internet.
+
+If you do not configure this policy, SmartScreen will be enabled by default, but users may change their settings.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure Windows Defender SmartScreen*
+- GP name: *EnableSmartScreen*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/EnforceShellExtensionSecurity**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This setting is designed to ensure that shell extensions can operate on a per-user basis.
+
+If you enable this setting, Windows is directed to only run those shell extensions that have either been approved by an administrator or that will not impact other users of the machine. A shell extension only runs if there is an entry in at least one of the following locations in registry.
+
+For shell extensions that have been approved by the administrator and are available to all users of the computer, there must be an entry at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved.
+
+For shell extensions to run on a per-user basis, there must be an entry at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow only per user or approved shell extensions*
+- GP name: *EnforceShellExtensionSecurity*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/ExplorerRibbonStartsMinimized**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether the ribbon appears minimized or in full when new File Explorer windows are opened.
+
+If you enable this policy setting, you can set how the ribbon appears the first time users open File Explorer and whenever they open new windows.
+
+If you disable or do not configure this policy setting, users can choose how the ribbon appears when they open new windows.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Start File Explorer with ribbon minimized*
+- GP name: *ExplorerRibbonStartsMinimized*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/HideContentViewModeSnippets**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off the display of snippets in Content view mode.
+
+If you enable this policy setting, File Explorer will not display snippets in Content view mode.
+
+If you disable or do not configure this policy setting, File Explorer shows snippets in Content view mode by default.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off the display of snippets in Content view mode*
+- GP name: *HideContentViewModeSnippets*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Internet**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item.
+
+If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.
+
+If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.
+
+If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.
+
+Changes to this setting may not be applied until the user logs off from Windows.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer*
+- GP name: *IZ_Policy_OpenSearchPreview_Internet*
+- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_InternetLockdown**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item.
+
+If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.
+
+If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.
+
+If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.
+
+Changes to this setting may not be applied until the user logs off from Windows.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow OpenSearch queries in File Explorer*
+- GP name: *IZ_Policy_OpenSearchPreview_InternetLockdown*
+- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Intranet**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item.
+
+If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.
+
+If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.
+
+If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.
+
+Changes to this setting may not be applied until the user logs off from Windows.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer*
+- GP name: *IZ_Policy_OpenSearchPreview_Intranet*
+- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_IntranetLockdown**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item.
+
+If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.
+
+If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.
+
+If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.
+
+Changes to this setting may not be applied until the user logs off from Windows.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer*
+- GP name: *IZ_Policy_OpenSearchPreview_IntranetLockdown*
+- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachine**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item.
+
+If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.
+
+If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.
+
+If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.
+
+Changes to this setting may not be applied until the user logs off from Windows.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer*
+- GP name: *IZ_Policy_OpenSearchPreview_LocalMachine*
+- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_LocalMachineLockdown**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item.
+
+If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.
+
+If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.
+
+If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.
+
+Changes to this setting may not be applied until the user logs off from Windows.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer*
+- GP name: *IZ_Policy_OpenSearchPreview_LocalMachineLockdown*
+- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Restricted**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item.
+
+If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.
+
+If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.
+
+If you do not configure this policy setting, users cannot preview items or get custom thumbnails from OpenSearch query results in this zone using File Explorer.
+
+Changes to this setting may not be applied until the user logs off from Windows.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer*
+- GP name: *IZ_Policy_OpenSearchPreview_Restricted*
+- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_RestrictedLockdown**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item.
+
+If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.
+
+If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.
+
+If you do not configure this policy setting, users cannot preview items or get custom thumbnails from OpenSearch query results in this zone using File Explorer.
+
+Changes to this setting may not be applied until the user logs off from Windows.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer*
+- GP name: *IZ_Policy_OpenSearchPreview_RestrictedLockdown*
+- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_Trusted**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item.
+
+If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.
+
+If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.
+
+If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.
+
+Changes to this setting may not be applied until the user logs off from Windows.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer*
+- GP name: *IZ_Policy_OpenSearchPreview_Trusted*
+- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/IZ_Policy_OpenSearchPreview_TrustedLockdown**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer), it might affect other items as well that are marked from this zone. For example, some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone, so disabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails, it is the zone of the thumbnail that is checked, not the zone of item. Typically these are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item.
+
+If you enable this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.
+
+If you disable this policy setting, users will be prevented from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.
+
+If you do not configure this policy setting, users can preview items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.
+
+Changes to this setting may not be applied until the user logs off from Windows.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow previewing and custom thumbnails of OpenSearch query results in File Explorer*
+- GP name: *IZ_Policy_OpenSearchPreview_TrustedLockdown*
+- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Internet**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files.
+
+If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors.
+
+If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors.
+
+If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow OpenSearch queries in File Explorer*
+- GP name: *IZ_Policy_OpenSearchQuery_Internet*
+- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_InternetLockdown**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files.
+
+If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors.
+
+If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors.
+
+If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow OpenSearch queries in File Explorer*
+- GP name: *IZ_Policy_OpenSearchQuery_InternetLockdown*
+- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Intranet**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files.
+
+If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors.
+
+If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors.
+
+If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow OpenSearch queries in File Explorer*
+- GP name: *IZ_Policy_OpenSearchQuery_Intranet*
+- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_IntranetLockdown**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files.
+
+If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors.
+
+If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors.
+
+If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow OpenSearch queries in File Explorer*
+- GP name: *IZ_Policy_OpenSearchQuery_IntranetLockdown*
+- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachine**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files.
+
+If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors.
+
+If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors.
+
+If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow OpenSearch queries in File Explorer*
+- GP name: *IZ_Policy_OpenSearchQuery_LocalMachine*
+- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_LocalMachineLockdown**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files.
+
+If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors.
+
+If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors.
+
+If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow OpenSearch queries in File Explorer*
+- GP name: *IZ_Policy_OpenSearchQuery_LocalMachineLockdown*
+- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Restricted**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files.
+
+If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors.
+
+If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors.
+
+If you do not configure this policy setting, users cannot perform OpenSearch queries in this zone using Search Connectors.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow OpenSearch queries in File Explorer*
+- GP name: *IZ_Policy_OpenSearchQuery_Restricted*
+- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+
+**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_RestrictedLockdown**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files.
+
+If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors.
+
+If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors.
+
+If you do not configure this policy setting, users cannot perform OpenSearch queries in this zone using Search Connectors.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow OpenSearch queries in File Explorer*
+- GP name: *IZ_Policy_OpenSearchQuery_RestrictedLockdown*
+- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+
+**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_Trusted**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files.
+
+If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors.
+
+If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors.
+
+If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow OpenSearch queries in File Explorer*
+- GP name: *IZ_Policy_OpenSearchQuery_Trusted*
+- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/IZ_Policy_OpenSearchQuery_TrustedLockdown**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files.
+
+If you enable this policy setting, users can perform OpenSearch queries in this zone using Search Connectors.
+
+If you disable this policy setting, users are prevented from performing OpenSearch queries in this zone using Search Connectors.
+
+If you do not configure this policy setting, users can perform OpenSearch queries in this zone using Search Connectors.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow OpenSearch queries in File Explorer*
+- GP name: *IZ_Policy_OpenSearchQuery_TrustedLockdown*
+- GP path: *Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/LinkResolveIgnoreLinkInfo**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows traces shortcuts back to their sources when it cannot find the target on the user's system.
+
+Shortcut files typically include an absolute path to the original target file as well as the relative path to the current target file. When the system cannot find the file in the current target path, then, by default, it searches for the target in the original path. If the shortcut has been copied to a different computer, the original path might lead to a network computer, including external resources, such as an Internet server.
+
+If you enable this policy setting, Windows only searches the current target path. It does not search for the original path even when it cannot find the target file in the current target path.
+
+If you disable or do not configure this policy setting, Windows searches for the original path when it cannot find the target file in the current target path.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not track Shell shortcuts during roaming*
+- GP name: *LinkResolveIgnoreLinkInfo*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/MaxRecentDocs**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to set the maximum number of shortcuts the system can display in the Recent Items menu on the Start menu. The Recent Items menu contains shortcuts to the nonprogram files the user has most recently opened.
+
+If you enable this policy setting, the system displays the number of shortcuts specified by the policy setting.
+
+If you disable or do not configure this policy setting, by default, the system displays shortcuts to the 10 most recently opened documents.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Maximum number of recent documents*
+- GP name: *MaxRecentDocs*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/NoBackButton**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Hide the Back button in the Open dialog box. This policy setting lets you remove new features added in Microsoft Windows 2000 Professional, so the Open dialog box appears as it did in Windows NT 4.0 and earlier. This policy setting affects only programs that use the standard Open dialog box provided to developers of Windows programs.
+
+If you enable this policy setting, the Back button is removed from the standard Open dialog box.
+
+If you disable or do not configure this policy setting, the Back button is displayed for any standard Open dialog box. To see an example of the standard Open dialog box, start Notepad and, on the File menu, click Open.
+
+> [!NOTE]
+> In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. Also, third-party applications with Windows 2000 or later certification to are required to adhere to this policy setting.
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hide the common dialog back button*
+- GP name: *NoBackButton*
+- GP path: *Windows Components\File Explorer\Common Open File Dialog*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/NoCDBurning**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove CD Burning features. File Explorer allows you to create and modify re-writable CDs if you have a CD writer connected to your PC.
+
+If you enable this policy setting, all features in the File Explorer that allow you to use your CD writer are removed.
+
+If you disable or do not configure this policy setting, users are able to use the File Explorer CD burning features.
+
+> [!NOTE]
+> This policy setting does not prevent users from using third-party applications to create or modify CDs using a CD writer.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove CD Burning features*
+- GP name: *NoCDBurning*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/NoCacheThumbNailPictures**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off caching of thumbnail pictures.
+
+If you enable this policy setting, thumbnail views are not cached.
+
+If you disable or do not configure this policy setting, thumbnail views are cached.
+
+> [!NOTE]
+> For shared corporate workstations or computers where security is a top concern, you should enable this policy setting to turn off the thumbnail view cache, because the thumbnail cache can be read by everyone.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off caching of thumbnail pictures*
+- GP name: *NoCacheThumbNailPictures*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/NoChangeAnimation**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent users from enabling or disabling minor animations in the operating system for the movement of windows, menus, and lists.
+
+If you enable this policy setting, the "Use transition effects for menus and tooltips" option in Display in Control Panel is disabled, and cannot be toggled by users.
+
+Effects, such as animation, are designed to enhance the user's experience but might be confusing or distracting to some users.
+
+If you disable or do not configure this policy setting, users are allowed to turn on or off these minor system animations using the "Use transition effects for menus and tooltips" option in Display in Control Panel.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove UI to change menu animation setting*
+- GP name: *NoChangeAnimation*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/NoChangeKeyboardNavigationIndicators**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Disables the "Hide keyboard navigation indicators until I use the ALT key" option in Display in Control Panel. When this Display Properties option is selected, the underlining that indicates a keyboard shortcut character (hot key) does not appear on menus until you press ALT.
+
+Effects, such as transitory underlines, are designed to enhance the user's experience but might be confusing or distracting to some users.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove UI to change keyboard navigation indicator setting*
+- GP name: *NoChangeKeyboardNavigationIndicators*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/NoDFSTab**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the DFS tab from File Explorer.
+
+If you enable this policy setting, the DFS (Distributed File System) tab is removed from File Explorer and from other programs that use the File Explorer browser, such as My Computer. As a result, users cannot use this tab to view or change the properties of the DFS shares available from their computer. This policy setting does not prevent users from using other methods to configure DFS.
+
+If you disable or do not configure this policy setting, the DFS tab is available.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove DFS tab*
+- GP name: *NoDFSTab*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/NoDrives**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to hide these specified drives in My Computer.
+
+This policy setting allows you to remove the icons representing selected hard drives from My Computer and File Explorer. Also, the drive letters representing the selected drives do not appear in the standard Open dialog box.
+
+If you enable this policy setting, select a drive or combination of drives in the drop-down list.
+
+> [!NOTE]
+> This policy setting removes the drive icons. Users can still gain access to drive contents by using other methods, such as by typing the path to a directory on the drive in the Map Network Drive dialog box, in the Run dialog box, or in a command window. Also, this policy setting does not prevent users from using programs to access these drives or their contents. And, it does not prevent users from using the Disk Management snap-in to view and change drive characteristics.
+
+If you disable or do not configure this policy setting, all drives are displayed, or select the "Do not restrict drives" option in the drop-down list. Also, see the "Prevent access to drives from My Computer" policy setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hide these specified drives in My Computer*
+- GP name: *NoDrives*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/NoEntireNetwork**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Removes all computers outside of the user's workgroup or local domain from lists of network resources in File Explorer and Network Locations.
+
+If you enable this setting, the system removes the Entire Network option and the icons representing networked computers from Network Locations and from the browser associated with the Map Network Drive option.
+
+This setting does not prevent users from viewing or connecting to computers in their workgroup or domain. It also does not prevent users from connecting to remote computers by other commonly used methods, such as by typing the share name in the Run dialog box or the Map Network Drive dialog box.
+
+To remove computers in the user's workgroup or domain from lists of network resources, use the "No Computers Near Me in Network Locations" setting.
+
+> [!NOTE]
+> It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *No Entire Network in Network Locations*
+- GP name: *NoEntireNetwork*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/NoFileMRU**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Removes the list of most recently used files from the Open dialog box.
+
+If you disable this setting or do not configure it, the "File name" field includes a drop-down list of recently used files. If you enable this setting, the "File name" field is a simple text box. Users must browse directories to find a file or type a file name in the text box.
+
+This setting, and others in this folder, lets you remove new features added in Windows 2000 Professional, so that the Open dialog box looks like it did in Windows NT 4.0 and earlier. These policies only affect programs that use the standard Open dialog box provided to developers of Windows programs.
+
+To see an example of the standard Open dialog box, start WordPad and, on the File menu, click Open.
+
+> [!NOTE]
+> In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hide the dropdown list of recent files*
+- GP name: *NoFileMRU*
+- GP path: *Windows Components\File Explorer\Common Open File Dialog*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/NoFileMenu**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Removes the File menu from My Computer and File Explorer.
+
+This setting does not prevent users from using other methods to perform tasks available on the File menu.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove File menu from File Explorer*
+- GP name: *NoFileMenu*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/NoFolderOptions**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent users from accessing Folder Options through the View tab on the ribbon in File Explorer.
+
+Folder Options allows users to change the way files and folders open, what appears in the navigation pane, and other advanced view settings.
+
+If you enable this policy setting, users will receive an error message if they tap or click the Options button or choose the Change folder and search options command, and they will not be able to open Folder Options.
+
+If you disable or do not configure this policy setting, users can open Folder Options from the View tab on the ribbon.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon*
+- GP name: *NoFolderOptions*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/NoHardwareTab**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Removes the Hardware tab. This setting removes the Hardware tab from Mouse, Keyboard, and Sounds and Audio Devices in Control Panel. It also removes the Hardware tab from the Properties dialog box for all local drives, including hard drives, floppy disk drives, and CD-ROM drives. As a result, users cannot use the Hardware tab to view or change the device list or device properties, or use the Troubleshoot button to resolve problems with the device.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Hardware tab*
+- GP name: *NoHardwareTab*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/NoManageMyComputerVerb**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Removes the Manage item from the File Explorer context menu. This context menu appears when you right-click File Explorer or My Computer.
+
+The Manage item opens Computer Management (Compmgmt.msc), a console tool that includes many of the primary Windows 2000 administrative tools, such as Event Viewer, Device Manager, and Disk Management. You must be an administrator to use many of the features of these tools.
+
+This setting does not remove the Computer Management item from the Start menu (Start, Programs, Administrative Tools, Computer Management), nor does it prevent users from using other methods to start Computer Management.
+
+> [!TIP]
+> To hide all context menus, use the "Remove File Explorer's default context menu" setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hides the Manage item on the File Explorer context menu*
+- GP name: *NoManageMyComputerVerb*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/NoMyComputerSharedDocuments**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Shared Documents folder from My Computer. When a Windows client is in a workgroup, a Shared Documents icon appears in the File Explorer Web view under "Other Places" and also under "Files Stored on This Computer" in My Computer. Using this policy setting, you can choose not to have these items displayed.
+
+If you enable this policy setting, the Shared Documents folder is not displayed in the Web view or in My Computer.
+
+If you disable or do not configure this policy setting, the Shared Documents folder is displayed in Web view and also in My Computer when the client is part of a workgroup.
+
+> [!NOTE]
+> The ability to remove the Shared Documents folder via Group Policy is only available on Windows XP Professional.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Shared Documents from My Computer*
+- GP name: *NoMyComputerSharedDocuments*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/NoNetConnectDisconnect**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Prevents users from using File Explorer or Network Locations to map or disconnect network drives.
+
+If you enable this setting, the system removes the Map Network Drive and Disconnect Network Drive commands from the toolbar and Tools menus in File Explorer and Network Locations and from menus that appear when you right-click the File Explorer or Network Locations icons.
+
+This setting does not prevent users from connecting to another computer by typing the name of a shared folder in the Run dialog box.
+
+> [!NOTE]
+> This setting was documented incorrectly on the Explain tab in Group Policy for Windows 2000. The Explain tab states incorrectly that this setting prevents users from connecting and disconnecting drives.
+>
+> It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove "Map Network Drive" and "Disconnect Network Drive"*
+- GP name: *NoNetConnectDisconnect*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/NoNewAppAlert**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy removes the end-user notification for new application associations. These associations are based on file types (e.g. *.txt) or protocols (e.g. http:).
+
+If this group policy is enabled, no notifications will be shown. If the group policy is not configured or disabled, notifications will be shown to the end user if a new application has been installed that can handle the file type or protocol association that was invoked.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not show the 'new application installed' notification*
+- GP name: *NoNewAppAlert*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/NoPlacesBar**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Removes the shortcut bar from the Open dialog box. This setting, and others in this folder, lets you remove new features added in Windows 2000 Professional, so that the Open dialog box looks like it did in Windows NT 4.0 and earlier. These policies only affect programs that use the standard Open dialog box provided to developers of Windows programs.
+
+To see an example of the standard Open dialog box, start WordPad and, on the File menu, click Open.
+
+> [!NOTE]
+> In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hide the common dialog places bar*
+- GP name: *NoPlacesBar*
+- GP path: *Windows Components\File Explorer\Common Open File Dialog*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/NoRecycleFiles**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. When a file or folder is deleted in File Explorer, a copy of the file or folder is placed in the Recycle Bin. Using this setting, you can change this behavior.
+
+If you enable this setting, files and folders that are deleted using File Explorer will not be placed in the Recycle Bin and will therefore be permanently deleted.
+
+If you disable or do not configure this setting, files and folders deleted using File Explorer will be placed in the Recycle Bin.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not move deleted files to the Recycle Bin*
+- GP name: *NoRecycleFiles*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/NoRunAsInstallPrompt**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Prevents users from submitting alternate logon credentials to install a program.
+
+This setting suppresses the "Install Program As Other User" dialog box for local and network installations. This dialog box, which prompts the current user for the user name and password of an administrator, appears when users who are not administrators try to install programs locally on their computers. This setting allows administrators who have logged on as regular users to install programs without logging off and logging on again using their administrator credentials.
+
+Many programs can be installed only by an administrator. If you enable this setting and a user does not have sufficient permissions to install a program, the installation continues with the current user's logon credentials. As a result, the installation might fail, or it might complete but not include all features. Or, it might appear to complete successfully, but the installed program might not operate correctly.
+
+If you disable this setting or do not configure it, the "Install Program As Other User" dialog box appears whenever users install programs locally on the computer.
+
+By default, users are not prompted for alternate logon credentials when installing programs from a network share. If enabled, this setting overrides the "Request credentials for network installations" setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Do not request alternate credentials*
+- GP name: *NoRunAsInstallPrompt*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/NoSearchInternetTryHarderButton**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. If you enable this policy, the "Internet" "Search again" link will not be shown when the user performs a search in the Explorer window.
+
+If you disable this policy, there will be an "Internet" "Search again" link when the user performs a search in the Explorer window. This button launches a search in the default browser with the search terms.
+
+If you do not configure this policy (default), there will be an "Internet" link when the user performs a search in the Explorer window.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove the Search the Internet "Search again" link*
+- GP name: *NoSearchInternetTryHarderButton*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/NoSecurityTab**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Removes the Security tab from File Explorer.
+
+If you enable this setting, users opening the Properties dialog box for all file system objects, including folders, files, shortcuts, and drives, will not be able to access the Security tab. As a result, users will be able to neither change the security settings nor view a list of all users that have access to the resource in question.
+
+If you disable or do not configure this setting, users will be able to access the security tab.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Security tab*
+- GP name: *NoSecurityTab*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/NoShellSearchButton**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove the Search button from the File Explorer toolbar. If you enable this policy setting, the Search button is removed from the Standard Buttons toolbar that appears in File Explorer and other programs that use the File Explorer window, such as My Computer and Network Locations. Enabling this policy setting does not remove the Search button or affect any search features of Internet browser windows, such as the Internet Explorer window.
+
+If you disable or do not configure this policy setting, the Search button is available from the File Explorer toolbar.
+
+This policy setting does not affect the Search items on the File Explorer context menu or on the Start menu. To remove Search from the Start menu, use the "Remove Search menu from Start menu" policy setting (in User Configuration\Administrative Templates\Start Menu and Taskbar). To hide all context menus, use the "Remove File Explorer's default context menu" policy setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove Search button from File Explorer*
+- GP name: *NoShellSearchButton*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/NoStrCmpLogical**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to have file names sorted literally (as in Windows 2000 and earlier) rather than in numerical order.
+
+If you enable this policy setting, File Explorer will sort file names by each digit in a file name (for example, 111 < 22 < 3).
+
+If you disable or do not configure this policy setting, File Explorer will sort file names by increasing number value (for example, 3 < 22 < 111).
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off numerical sorting in File Explorer*
+- GP name: *NoStrCmpLogical*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/NoViewContextMenu**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Removes shortcut menus from the desktop and File Explorer. Shortcut menus appear when you right-click an item.
+
+If you enable this setting, menus do not appear when you right-click the desktop or when you right-click the items in File Explorer. This setting does not prevent users from using other methods to issue commands available on the shortcut menus.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove File Explorer's default context menu*
+- GP name: *NoViewContextMenu*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/NoViewOnDrive**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Prevents users from using My Computer to gain access to the content of selected drives.
+
+If you enable this setting, users can browse the directory structure of the selected drives in My Computer or File Explorer, but they cannot open folders and access the contents. Also, they cannot use the Run dialog box or the Map Network Drive dialog box to view the directories on these drives.
+
+To use this setting, select a drive or combination of drives from the drop-down list. To allow access to all drive directories, disable this setting or select the "Do not restrict drives" option from the drop-down list.
+
+> [!NOTE]
+> The icons representing the specified drives still appear in My Computer, but if users double-click the icons, a message appears explaining that a setting prevents the action.
+>
+> Also, this setting does not prevent users from using programs to access local and network drives. And, it does not prevent them from using the Disk Management snap-in to view and change drive characteristics. Also, see the "Hide these specified drives in My Computer" setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prevent access to drives from My Computer*
+- GP name: *NoViewOnDrive*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/NoWindowsHotKeys**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Turn off Windows Key hotkeys. Keyboards with a Windows key provide users with shortcuts to common shell features. For example, pressing the keyboard sequence Windows+R opens the Run dialog box; pressing Windows+E starts File Explorer.
+
+By using this setting, you can disable these Windows Key hotkeys.
+
+If you enable this setting, the Windows Key hotkeys are unavailable.
+
+If you disable or do not configure this setting, the Windows Key hotkeys are available.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Windows Key hotkeys*
+- GP name: *NoWindowsHotKeys*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/NoWorkgroupContents**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to remove computers in the user's workgroup and domain from lists of network resources in File Explorer and Network Locations.
+
+If you enable this policy setting, the system removes the "Computers Near Me" option and the icons representing nearby computers from Network Locations. This policy setting also removes these icons from the Map Network Drive browser.
+
+If you disable or do not configure this policy setting, computers in the user's workgroup and domain appear in lists of network resources in File Explorer and Network Locations.
+
+This policy setting does not prevent users from connecting to computers in their workgroup or domain by other commonly used methods, such as typing the share name in the Run dialog box or the Map Network Drive dialog box.
+
+To remove network computers from lists of network resources, use the "No Entire Network in Network Locations" policy setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *No Computers Near Me in Network Locations*
+- GP name: *NoWorkgroupContents*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/PlacesBar**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Configures the list of items displayed in the Places Bar in the Windows File/Open dialog. If enable this setting you can specify from 1 to 5 items to be displayed in the Places Bar.
+
+The valid items you may display in the Places Bar are:
+
+1. Shortcuts to a local folders -- (example: `C:\Windows`)
+2. Shortcuts to remote folders -- (`\\server\share`)
+3. FTP folders
+4. web folders
+5. Common Shell folders.
+
+The list of Common Shell Folders that may be specified:
+
+Desktop, Recent Places, Documents, Pictures, Music, Recently Changed, Attachments and Saved Searches.
+
+If you disable or do not configure this setting the default list of items will be displayed in the Places Bar.
+
+> [!NOTE]
+> In Windows Vista, this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Items displayed in Places Bar*
+- GP name: *PlacesBar*
+- GP path: *Windows Components\File Explorer\Common Open File Dialog*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/PromptRunasInstallNetPath**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Prompts users for alternate logon credentials during network-based installations.
+
+This setting displays the "Install Program As Other User" dialog box even when a program is being installed from files on a network computer across a local area network connection.
+
+If you disable this setting or do not configure it, this dialog box appears only when users are installing programs from local media.
+
+The "Install Program as Other User" dialog box prompts the current user for the user name and password of an administrator. This setting allows administrators who have logged on as regular users to install programs without logging off and logging on again using their administrator credentials.
+
+If the dialog box does not appear, the installation proceeds with the current user's permissions. If these permissions are not sufficient, the installation might fail, or it might complete but not include all features. Or, it might appear to complete successfully, but the installed program might not operate correctly.
+
+> [!NOTE]
+> If it is enabled, the "Do not request alternate credentials" setting takes precedence over this setting. When that setting is enabled, users are not prompted for alternate logon credentials on any installation.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Request credentials for network installations*
+- GP name: *PromptRunasInstallNetPath*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/RecycleBinSize**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Limits the percentage of a volume's disk space that can be used to store deleted files.
+
+If you enable this setting, the user has a maximum amount of disk space that may be used for the Recycle Bin on their workstation.
+
+If you disable or do not configure this setting, users can change the total amount of disk space used by the Recycle Bin.
+
+> [!NOTE]
+> This setting is applied to all volumes.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Maximum allowed Recycle Bin size*
+- GP name: *RecycleBinSize*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows.
+
+If you enable this policy setting the protocol is fully enabled, allowing the opening of folders and files.
+
+If you disable this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders.
+
+If you do not configure this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off shell protocol protected mode*
+- GP name: *ShellProtocolProtectedModeTitle_1*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/ShellProtocolProtectedModeTitle_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows.
+
+If you enable this policy setting the protocol is fully enabled, allowing the opening of folders and files.
+
+If you disable this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders.
+
+If you do not configure this policy setting the protocol is in the protected mode, allowing applications to only open a limited set of folders.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off shell protocol protected mode*
+- GP name: *ShellProtocolProtectedModeTitle_2*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/ShowHibernateOption**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Shows or hides hibernate from the power options menu.
+
+If you enable this policy setting, the hibernate option will be shown in the Power Options menu (as long as it is supported by the machine's hardware).
+
+If you disable this policy setting, the hibernate option will never be shown in the Power Options menu.
+
+If you do not configure this policy setting, users will be able to choose whether they want hibernate to show through the Power Options Control Panel.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Show hibernate in the power options menu*
+- GP name: *ShowHibernateOption*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/ShowSleepOption**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Shows or hides sleep from the power options menu.
+
+If you enable this policy setting, the sleep option will be shown in the Power Options menu (as long as it is supported by the machine's hardware).
+
+If you disable this policy setting, the sleep option will never be shown in the Power Options menu.
+
+If you do not configure this policy setting, users will be able to choose whether they want sleep to show through the Power Options Control Panel.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Show sleep in the power options menu*
+- GP name: *ShowSleepOption*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/TryHarderPinnedLibrary**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows up to five Libraries or Search Connectors to be pinned to the "Search again" links and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. To add a Library or Search Connector link, specify the path of the .Library-ms or .searchConnector-ms file in the "Location" text box (for example, "C:\sampleLibrary.Library-ms" for the Documents library, or "C:\sampleSearchConnector.searchConnector-ms" for a Search Connector). The pinned link will only work if this path is valid and the location contains the specified .Library-ms or .searchConnector-ms file.
+
+You can add up to five additional links to the "Search again" links at the bottom of results returned in File Explorer after a search is executed. These links will be shared between Internet search sites and Search Connectors/Libraries. Search Connector/Library links take precedence over Internet search links.
+
+The first several links will also be pinned to the Start menu. A total of four links can be included on the Start menu. The "See more results" link will be pinned first by default, unless it is disabled via Group Policy. The "Search the Internet" link is pinned second, if it is pinned via Group Policy (though this link is disabled by default). If a custom Internet search link is pinned using the "Custom Internet search provider" Group Policy, this link will be pinned third on the Start menu. The remaining link(s) will be shared between pinned Search Connectors/Libraries and pinned Internet/intranet search links. Search Connector/Library links take precedence over Internet/intranet search links.
+
+If you enable this policy setting, the specified Libraries or Search Connectors will appear in the "Search again" links and the Start menu links.
+
+If you disable or do not configure this policy setting, no Libraries or Search Connectors will appear in the "Search again" links or the Start menu links.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Pin Libraries or Search Connectors to the "Search again" links and the Start menu*
+- GP name: *TryHarderPinnedLibrary*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+
+**ADMX_WindowsExplorer/TryHarderPinnedOpenSearch**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to add Internet or intranet sites to the "Search again" links located at the bottom of search results in File Explorer and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. The Internet search site will be searched with the text in the search box. To add an Internet search site, specify the URL of the search site in OpenSearch format with {searchTerms} for the query string (for example, http://www.example.com/results.aspx?q={searchTerms}).
+
+You can add up to five additional links to the "Search again" links at the bottom of results returned in File Explorer after a search is executed. These links will be shared between Internet search sites and Search Connectors/Libraries. Search Connector/Library links take precedence over Internet search links.
+
+The first several links will also be pinned to the Start menu. A total of four links can be pinned on the Start menu. The "See more results" link will be pinned first by default, unless it is disabled via Group Policy. The "Search the Internet" link is pinned second, if it is pinned via Group Policy (though this link is disabled by default). If a custom Internet search link is pinned using the "Custom Internet search provider" Group Policy, this link will be pinned third on the Start menu. The remaining link(s) will be shared between pinned Internet/intranet links and pinned Search Connectors/Libraries. Search Connector/Library links take precedence over Internet/intranet search links.
+
+If you enable this policy setting, the specified Internet sites will appear in the "Search again" links and the Start menu links.
+
+If you disable or do not configure this policy setting, no custom Internet search sites will be added to the "Search again" links or the Start menu links.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Pin Internet search sites to the "Search again" links and the Start menu*
+- GP name: *TryHarderPinnedOpenSearch*
+- GP path: *Windows Components\File Explorer*
+- GP ADMX file name: *WindowsExplorer.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsfileprotection.md b/windows/client-management/mdm/policy-csp-admx-windowsfileprotection.md
new file mode 100644
index 0000000000..610f1840b9
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-windowsfileprotection.md
@@ -0,0 +1,357 @@
+---
+title: Policy CSP - ADMX_WindowsFileProtection
+description: Policy CSP - ADMX_WindowsFileProtection
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 01/03/2021
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_WindowsFileProtection
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_WindowsFileProtection policies
+
+
+
+
+
+
+
+
+**ADMX_WindowsFileProtection/WFPShowProgress**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Machine
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting hides the file scan progress window. This window provides status information to sophisticated users, but it might confuse the users.
+
+- If you enable this policy setting, the file scan window does not appear during file scanning.
+- If you disable or do not configure this policy setting, the file scan progress window appears.
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Hide the file scan progress window*
+- GP name: *WFPShowProgress*
+- GP path: *Windows File Protection!SfcShowProgress*
+- GP ADMX file name: *WindowsFileProtection.admx*
+
+
+
+
+
+
+**ADMX_WindowsFileProtection/WFPQuota**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Machine
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the maximum amount of disk space that can be used for the Windows File Protection file cache.
+Windows File Protection adds protected files to the cache until the cache content reaches the quota.
+If the quota is greater than 50 MB, Windows File Protection adds other important Windows XP files to the cache until the cache size reaches the quota.
+
+- If you enable this policy setting, enter the maximum amount of disk space to be used (in MB).
+To indicate that the cache size is unlimited, select "4294967295" as the maximum amount of disk space.
+
+- If you disable this policy setting or do not configure it, the default value is set to 50 MB on Windows XP Professional and is unlimited (4294967295 MB) on Windows Server 2003.
+> [!NOTE]
+> Icon size is dependent upon what the user has set it to in the previous session.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Limit Windows File Protection cache size*
+- GP name: *WFPQuota*
+- GP path: *System\Windows File Protection*
+- GP ADMX file name: *WindowsFileProtection.admx*
+
+
+
+
+
+
+**ADMX_WindowsFileProtection/WFPScan**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Machine
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to set when Windows File Protection scans protected files.
+This policy setting directs Windows File Protection to enumerate and scan all system files for changes.
+
+- If you enable this policy setting, select a rate from the "Scanning Frequency" box.
+You can use this setting to direct Windows File Protection to scan files more often.
+-- "Do not scan during startup," the default, scans files only during setup.
+-- "Scan during startup" also scans files each time you start Windows XP.
+This setting delays each startup.
+
+- If you disable or do not configure this policy setting, by default, files are scanned only during setup.
+
+> [!NOTE]
+> This policy setting affects file scanning only. It does not affect the standard background file change detection that Windows File Protection provides.
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Set Windows File Protection scanning*
+- GP name: *WFPScan*
+- GP path: *System\Windows File Protection*
+- GP ADMX file name: *WindowsFileProtection.admx*
+
+
+
+
+
+
+**ADMX_WindowsFileProtection/WFPDllCacheDir**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Machine
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies an alternate location for the Windows File Protection cache.
+
+- If you enable this policy setting, enter the fully qualified local path to the new location in the "Cache file path" box.
+- If you disable this setting or do not configure it, the Windows File Protection cache is located in the "%Systemroot%\System32\Dllcache directory".
+
+> [!NOTE]
+> Do not add the cache on a network shared directory.
+
+
+> [!NOTE]
+> For Windows Vista, Windows Server 2008, and earlier versions of Windows, the module name, for example timedate.cpl or inetcpl.cpl, should be entered. If a Control Panel item does not have a CPL file, or the CPL file contains multiple applets, then its module name and string resource identification number should be entered. For example, enter @systemcpl.dll,-1 for System or @themecpl.dll,-1 for Personalization. A complete list of canonical and module names of Control Panel items can be found in MSDN by searching "Control Panel items".
+
+If both the "Hide specified Control Panel items" setting and the "Show only specified Control Panel items" setting are enabled, the "Show only specified Control Panel items" setting is ignored.
+
+> [!NOTE]
+> The Display Control Panel item cannot be hidden in the Desktop context menu by using this setting. To hide the Display Control Panel item and prevent users from modifying the computer's display settings use the "Disable Display Control Panel" setting instead.
+>
+> To hide pages in the System Settings app, use the "Settings Page Visibility" setting under Computer Configuration.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Specify Windows File Protection cache location*
+- GP name: *WFPDllCacheDir*
+- GP path: *System\Windows File Protection*
+- GP ADMX file name: *WindowsFileProtection.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md
index d9845c8533..66570c3061 100644
--- a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md
@@ -74,7 +74,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting prevents Windows Media Digital Rights Management (DRM) from accessing the Internet (or intranet).
+Available in the latest Windows 10 Insider Preview Build. This policy setting prevents Windows Media Digital Rights Management (DRM) from accessing the Internet (or intranet).
When enabled, Windows Media DRM is prevented from accessing the Internet (or intranet) for license acquisition and security upgrades.
@@ -103,14 +103,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md
index 69a27c1fef..f0273482cf 100644
--- a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md
+++ b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md
@@ -134,7 +134,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify the HTTP proxy settings for Windows Media Player.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the HTTP proxy settings for Windows Media Player.
If you enable this policy setting, select one of the following proxy types:
@@ -215,7 +215,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify the MMS proxy settings for Windows Media Player.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the MMS proxy settings for Windows Media Player.
If you enable this policy setting, select one of the following proxy types:
@@ -295,7 +295,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify the RTSP proxy settings for Windows Media Player.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the RTSP proxy settings for Windows Media Player.
If you enable this policy setting, select one of the following proxy types:
@@ -373,7 +373,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to turn off do not show first use dialog boxes.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off do not show first use dialog boxes.
If you enable this policy setting, the Privacy Options and Installation Options dialog boxes are prevented from being displayed the first time a user starts Windows Media Player.
@@ -444,7 +444,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to hide the Network tab.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to hide the Network tab.
If you enable this policy setting, the Network tab in Windows Media Player is hidden. The default network settings are used unless the user has previously defined network settings for the Player.
@@ -513,7 +513,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent the anchor window from being displayed when Windows Media Player is in skin mode.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent the anchor window from being displayed when Windows Media Player is in skin mode.
If you enable this policy setting, the anchor window is hidden when the Player is in skin mode. In addition, the option on the Player tab in the Player that enables users to choose whether the anchor window displays is not available.
@@ -584,7 +584,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting prevents the anchor window from being displayed when Windows Media Player is in skin mode.
+Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the anchor window from being displayed when Windows Media Player is in skin mode.
This policy hides the anchor window when the Player is in skin mode. In addition, the option on the Player tab in the Player that enables users to choose whether the anchor window displays is not available.
@@ -655,7 +655,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent video smoothing from occurring.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent video smoothing from occurring.
If you enable this policy setting, video smoothing is prevented, which can improve video playback on computers with limited resources. In addition, the Use Video Smoothing check box in the Video Acceleration Settings dialog box in the Player is cleared and is not available.
@@ -728,7 +728,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows a screen saver to interrupt playback.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows a screen saver to interrupt playback.
If you enable this policy setting, a screen saver is displayed during playback of digital media according to the options selected on the Screen Saver tab in the Display Properties dialog box in Control Panel. The Allow screen saver during playback check box on the Player tab in the Player is selected and is not available.
@@ -799,7 +799,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to hide the Privacy tab in Windows Media Player.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to hide the Privacy tab in Windows Media Player.
If you enable this policy setting, the "Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet" check box on the Media Library tab is available, even though the Privacy tab is hidden, unless the "Prevent music file media information retrieval" policy setting is enabled.
@@ -870,7 +870,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to hide the Security tab in Windows Media Player.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to hide the Security tab in Windows Media Player.
If you enable this policy setting, the default security settings for the options on the Security tab are used unless the user changed the settings previously. Users can still change security and zone settings by using Internet Explorer unless these settings have been hidden or disabled by Internet Explorer policies.
@@ -939,7 +939,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify whether network buffering uses the default or a specified number of seconds.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether network buffering uses the default or a specified number of seconds.
If you enable this policy setting, select one of the following options to specify the number of seconds streaming media is buffered before it is played.
@@ -1013,7 +1013,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent Windows Media Player from downloading codecs.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent Windows Media Player from downloading codecs.
If you enable this policy setting, the Player is prevented from automatically downloading codecs to your computer. In addition, the Download codecs automatically check box on the Player tab in the Player is not available.
@@ -1084,7 +1084,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent media information for CDs and DVDs from being retrieved from the Internet.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent media information for CDs and DVDs from being retrieved from the Internet.
If you enable this policy setting, the Player is prevented from automatically obtaining media information from the Internet for CDs and DVDs played by users. In addition, the Retrieve media information for CDs and DVDs from the Internet check box on the Privacy Options tab in the first use dialog box and on the Privacy tab in the Player are not selected and are not available.
@@ -1153,7 +1153,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent media sharing from Windows Media Player.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent media sharing from Windows Media Player.
If you enable this policy setting, any user on this computer is prevented from sharing digital media content from Windows Media Player with other computers and devices that are on the same network. Media sharing is disabled from Windows Media Player or from programs that depend on the Player's media sharing feature.
@@ -1222,7 +1222,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent media information for music files from being retrieved from the Internet.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent media information for music files from being retrieved from the Internet.
If you enable this policy setting, the Player is prevented from automatically obtaining media information for music files such as Windows Media Audio (WMA) and MP3 files from the Internet. In addition, the Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet check box in the first use dialog box and on the Privacy and Media Library tabs in the Player are not selected and are not available.
@@ -1291,7 +1291,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent a shortcut for the Player from being added to the Quick Launch bar.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent a shortcut for the Player from being added to the Quick Launch bar.
If you enable this policy setting, the user cannot add the shortcut for the Player to the Quick Launch bar.
@@ -1359,7 +1359,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent radio station presets from being retrieved from the Internet.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent radio station presets from being retrieved from the Internet.
If you enable this policy setting, the Player is prevented from automatically retrieving radio station presets from the Internet and displaying them in Media Library. In addition, presets that exist before the policy is configured are not be updated, and presets a user adds are not be displayed.
@@ -1428,7 +1428,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent a shortcut icon for the Player from being added to the user's desktop.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent a shortcut icon for the Player from being added to the user's desktop.
If you enable this policy setting, users cannot add the Player shortcut icon to their desktops.
@@ -1497,7 +1497,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to set and lock Windows Media Player in skin mode, using a specified skin.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to set and lock Windows Media Player in skin mode, using a specified skin.
If you enable this policy setting, the Player displays only in skin mode using the skin specified in the Skin box on the Setting tab.
@@ -1570,7 +1570,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify that Windows Media Player can attempt to use selected protocols when receiving streaming media from a server running Windows Media Services.
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify that Windows Media Player can attempt to use selected protocols when receiving streaming media from a server running Windows Media Services.
If you enable this policy setting, the protocols that are selected on the Network tab of the Player are used to receive a stream initiated through an MMS or RTSP URL from a Windows Media server. If the RSTP/UDP check box is selected, a user can specify UDP ports in the Use ports check box. If the user does not specify UDP ports, the Player uses default ports when using the UDP protocol. This policy setting also specifies that multicast streams can be received if the "Allow the Player to receive multicast streams" check box on the Network tab is selected.
@@ -1601,14 +1601,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md b/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md
new file mode 100644
index 0000000000..dc7bcf1f15
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md
@@ -0,0 +1,185 @@
+---
+title: Policy CSP - ADMX_WindowsRemoteManagement
+description: Policy CSP - ADMX_WindowsRemoteManagement
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 12/16/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_WindowsRemoteManagement
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_WindowsRemoteManagement policies
+
+
+
+
+
+
+
+
+**ADMX_WindowsRemoteManagement/DisallowKerberos_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Kerberos credentials over the network.
+
+If you enable this policy setting, the WinRM service does not accept Kerberos credentials over the network. If you disable or do not configure this policy setting, the WinRM service accepts Kerberos authentication from a remote client.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Disallow Kerberos authentication*
+- GP name: *DisallowKerberos_1*
+- GP path: *Windows Components\Windows Remote Management (WinRM)\WinRM Service*
+- GP ADMX file name: *WindowsRemoteManagement.admx*
+
+
+
+
+
+
+
+**ADMX_WindowsRemoteManagement/DisallowKerberos_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Kerberos authentication directly.
+
+If you enable this policy setting, the Windows Remote Management (WinRM) client does not use Kerberos authentication directly. Kerberos can still be used if the WinRM client is using the Negotiate authentication and Kerberos is selected.
+
+If you disable or do not configure this policy setting, the WinRM client uses the Kerberos authentication directly.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Disallow Kerberos authentication*
+- GP name: *DisallowKerberos_2*
+- GP path: *Windows Components\Windows Remote Management (WinRM)\WinRM Client*
+- GP ADMX file name: *WindowsRemoteManagement.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsstore.md b/windows/client-management/mdm/policy-csp-admx-windowsstore.md
new file mode 100644
index 0000000000..cec2e2bd4f
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-windowsstore.md
@@ -0,0 +1,409 @@
+---
+title: Policy CSP - ADMX_WindowsStore
+description: Policy CSP - ADMX_WindowsStore
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 10/26/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_WindowsStore
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_WindowsStore policies
+
+
+
+
+
+
+
+
+**ADMX_WindowsStore/DisableAutoDownloadWin8**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting enables or disables the automatic download of app updates on PCs running Windows 8.
+
+If you enable this setting, the automatic download of app updates is turned off. If you disable this setting, the automatic download of app updates is turned on.
+
+If you don't configure this setting, the automatic download of app updates is determined by a registry setting that the user can change using Settings in the Windows Store.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Automatic Download of updates on Win8 machines*
+- GP name: *DisableAutoDownloadWin8*
+- GP path: *Windows Components\Store*
+- GP ADMX file name: *WindowsStore.admx*
+
+
+
+
+
+
+
+
+**ADMX_WindowsStore/DisableOSUpgrade_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting enables or disables the Store offer to update to the latest version of Windows.
+
+If you enable this setting, the Store application will not offer updates to the latest version of Windows.
+
+If you disable or do not configure this setting the Store application will offer updates to the latest version of Windows.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off the offer to update to the latest version of Windows*
+- GP name: *DisableOSUpgrade_1*
+- GP path: *Windows Components\Store*
+- GP ADMX file name: *WindowsStore.admx*
+
+
+
+
+
+
+
+
+**ADMX_WindowsStore/DisableOSUpgrade_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting enables or disables the Store offer to update to the latest version of Windows.
+
+If you enable this setting, the Store application will not offer updates to the latest version of Windows.
+
+If you disable or do not configure this setting the Store application will offer updates to the latest version of Windows.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off the offer to update to the latest version of Windows*
+- GP name: *DisableOSUpgrade_2*
+- GP path: *Windows Components\Store*
+- GP ADMX file name: *WindowsStore.admx*
+
+
+
+
+
+
+
+
+**ADMX_WindowsStore/RemoveWindowsStore_1**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting denies or allows access to the Store application.
+
+If you enable this setting, access to the Store application is denied. Access to the Store is required for installing app updates.
+
+If you disable or don't configure this setting, access to the Store application is allowed.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off the Store application*
+- GP name: *RemoveWindowsStore_1*
+- GP path: *Windows Components\Store*
+- GP ADMX file name: *WindowsStore.admx*
+
+
+
+
+
+
+
+
+**ADMX_WindowsStore/RemoveWindowsStore_2**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting denies or allows access to the Store application.
+
+If you enable this setting, access to the Store application is denied. Access to the Store is required for installing app updates.
+
+If you disable or don't configure this setting, access to the Store application is allowed.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off the Store application*
+- GP name: *RemoveWindowsStore_2*
+- GP path: *Windows Components\Store*
+- GP ADMX file name: *WindowsStore.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-wininit.md b/windows/client-management/mdm/policy-csp-admx-wininit.md
index dbbecca9d5..93d25c2f1e 100644
--- a/windows/client-management/mdm/policy-csp-admx-wininit.md
+++ b/windows/client-management/mdm/policy-csp-admx-wininit.md
@@ -80,7 +80,7 @@ manager: dansimp
-Available in Windows 10 Insider Preview Build 20185. This policy setting controls the legacy remote shutdown interface (named pipe). The named pipe remote shutdown interface is needed in order to shutdown this system from a remote Windows XP or Windows Server 2003 system.
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the legacy remote shutdown interface (named pipe). The named pipe remote shutdown interface is needed in order to shutdown this system from a remote Windows XP or Windows Server 2003 system.
If you enable this policy setting, the system does not create the named pipe remote shutdown interface.
@@ -149,7 +149,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting controls the use of fast startup.
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls the use of fast startup.
If you enable this policy setting, the system requires hibernate to be enabled.
@@ -218,7 +218,7 @@ ADMX Info:
-Available in Windows 10 Insider Preview Build 20185. This policy setting configures the number of minutes the system waits for the hung logon sessions before proceeding with the system shutdown.
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the number of minutes the system waits for the hung logon sessions before proceeding with the system shutdown.
If you enable this policy setting, the system waits for the hung logon sessions for the number of minutes specified.
@@ -245,14 +245,15 @@ ADMX Info:
Footnotes:
-- 1 - Available in Windows 10, version 1607.
-- 2 - Available in Windows 10, version 1703.
-- 3 - Available in Windows 10, version 1709.
-- 4 - Available in Windows 10, version 1803.
-- 5 - Available in Windows 10, version 1809.
-- 6 - Available in Windows 10, version 1903.
-- 7 - Available in Windows 10, version 1909.
-- 8 - Available in Windows 10, version 2004.
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
diff --git a/windows/client-management/mdm/policy-csp-admx-winlogon.md b/windows/client-management/mdm/policy-csp-admx-winlogon.md
new file mode 100644
index 0000000000..f1998bb579
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-winlogon.md
@@ -0,0 +1,494 @@
+---
+title: Policy CSP - ADMX_WinLogon
+description: Policy CSP - ADMX_WinLogon
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 11/09/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_WinLogon
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_WinLogon policies
+
+
+
+
+
+
+
+
+**ADMX_WinLogon/CustomShell**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. Specifies an alternate user interface. The Explorer program (%windir%\explorer.exe) creates the familiar Windows interface, but you can use this setting to specify an alternate interface.
+
+If you enable this setting, the system starts the interface you specify instead of Explorer.exe. To use this setting, copy your interface program to a network share or to your system drive. Then, enable this setting, and type the name of the interface program, including the file name extension, in the Shell name text box. If the interface program file is not located in a folder specified in the Path environment variable for your system, enter the fully qualified path to the file.
+
+If you disable this setting or do not configure it, the setting is ignored and the system displays the Explorer interface.
+
+> [!TIP]
+> To find the folders indicated by the Path environment variable, click System Properties in Control Panel, click the Advanced tab, click the Environment Variables button, and then, in the System variables box, click Path.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Custom User Interface*
+- GP name: *CustomShell*
+- GP path: *System*
+- GP ADMX file name: *WinLogon.admx*
+
+
+
+
+
+
+**ADMX_WinLogon/DisplayLastLogonInfoDescription**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not the system displays information about previous logons and logon failures to the user.
+
+For local user accounts and domain user accounts in domains of at least a Windows Server 2008 functional level, if you enable this setting, a message appears after the user logs on that displays the date and time of the last successful logon by that user, the date and time of the last unsuccessful logon attempted with that user name, and the number of unsuccessful logons since the last successful logon by that user. This message must be acknowledged by the user before the user is presented with the Microsoft Windows desktop.
+
+For domain user accounts in Windows Server 2003, Windows 2000 native, or Windows 2000 mixed functional level domains, if you enable this setting, a warning message will appear that Windows could not retrieve the information and the user will not be able to log on. Therefore, you should not enable this policy setting if the domain is not at the Windows Server 2008 domain functional level.
+
+If you disable or do not configure this setting, messages about the previous logon or logon failures are not displayed.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Display information about previous logons during user logon*
+- GP name: *DisplayLastLogonInfoDescription*
+- GP path: *Windows Components\Windows Logon Options*
+- GP ADMX file name: *WinLogon.admx*
+
+
+
+
+
+
+
+**ADMX_WinLogon/LogonHoursNotificationPolicyDescription**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy controls whether the logged on user should be notified when his logon hours are about to expire. By default, a user is notified before logon hours expire, if actions have been set to occur when the logon hours expire.
+
+If you enable this setting, warnings are not displayed to the user before the logon hours expire.
+
+If you disable or do not configure this setting, users receive warnings before the logon hours expire, if actions have been set to occur when the logon hours expire.
+
+> [!NOTE]
+> If you configure this setting, you might want to examine and appropriately configure the “Set action to take when logon hours expire” setting. If “Set action to take when logon hours expire” is disabled or not configured, the “Remove logon hours expiration warnings” setting will have no effect, and users receive no warnings about logon hour expiration
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Remove logon hours expiration warnings*
+- GP name: *LogonHoursNotificationPolicyDescription*
+- GP path: *Windows Components\Windows Logon Options*
+- GP ADMX file name: *WinLogon.admx*
+
+
+
+
+
+
+**ADMX_WinLogon/LogonHoursPolicyDescription**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy controls which action will be taken when the logon hours expire for the logged on user. The actions include lock the workstation, disconnect the user, or log the user off completely.
+
+If you choose to lock or disconnect a session, the user cannot unlock the session or reconnect except during permitted logon hours.
+
+If you choose to log off a user, the user cannot log on again except during permitted logon hours. If you choose to log off a user, the user might lose unsaved data. If you enable this setting, the system will perform the action you specify when the user’s logon hours expire.
+
+If you disable or do not configure this setting, the system takes no action when the user’s logon hours expire. The user can continue the existing session, but cannot log on to a new session.
+
+> [!NOTE]
+> If you configure this setting, you might want to examine and appropriately configure the “Remove logon hours expiration warnings” setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Set action to take when logon hours expire*
+- GP name: *LogonHoursPolicyDescription*
+- GP path: *Windows Components\Windows Logon Options*
+- GP ADMX file name: *WinLogon.admx*
+
+
+
+
+
+
+**ADMX_WinLogon/ReportCachedLogonPolicyDescription**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy controls whether the logged on user should be notified if the logon server could not be contacted during logon and he has been logged on using previously stored account information.
+
+If enabled, a notification popup will be displayed to the user when the user logs on with cached credentials.
+
+If disabled or not configured, no popup will be displayed to the user.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Report when logon server was not available during user logon*
+- GP name: *ReportCachedLogonPolicyDescription*
+- GP path: *Windows Components\Windows Logon Options*
+- GP ADMX file name: *WinLogon.admx*
+
+
+
+
+
+
+**ADMX_WinLogon/SoftwareSASGeneration**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not software can simulate the Secure Attention Sequence (SAS).
+
+If you enable this policy setting, you have one of four options:
+
+- If you set this policy setting to "None," user mode software cannot simulate the SAS.
+- If you set this policy setting to "Services," services can simulate the SAS.
+- If you set this policy setting to "Ease of Access applications," Ease of Access applications can simulate the SAS.
+- If you set this policy setting to "Services and Ease of Access applications," both services and Ease of Access applications can simulate the SAS.
+
+If you disable or do not configure this setting, only Ease of Access applications running on the secure desktop can simulate the SAS.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Disable or enable software Secure Attention Sequence*
+- GP name: *SoftwareSASGeneration*
+- GP path: *Windows Components\Windows Logon Options*
+- GP ADMX file name: *WinLogon.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-admx-wlansvc.md b/windows/client-management/mdm/policy-csp-admx-wlansvc.md
new file mode 100644
index 0000000000..c66f4a6598
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-wlansvc.md
@@ -0,0 +1,261 @@
+---
+title: Policy CSP - ADMX_wlansvc
+description: Policy CSP - ADMX_wlansvc
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 10/27/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_wlansvc
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_wlansvc policies
+
+
+
+
+
+
+
+
+**ADMX_wlansvc/SetCost**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting configures the cost of Wireless LAN (WLAN) connections on the local machine.
+
+If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all WLAN connections on the local machine:
+
+- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints.
+- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit.
+- Variable: This connection is costed on a per byte basis. If this policy setting is disabled or is not configured, the cost of Wireless LAN connections is Unrestricted by default.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Set Cost*
+- GP name: *IncludeCmdLine*
+- GP path: *Network\WLAN Service\WLAN Media Cost*
+- GP ADMX file name: *wlansvc.admx*
+
+
+
+
+
+
+**ADMX_wlansvc/SetPINEnforced**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy applies to Wireless Display connections. This policy means that the use of a PIN for pairing to Wireless Display devices is required rather than optional.
+
+Conversely it means that Push Button is NOT allowed.
+
+If this policy setting is disabled or is not configured, by default Push Button pairing is allowed (but not necessarily preferred).
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Require PIN pairing*
+- GP name: *SetPINEnforced*
+- GP path: *Network\Wireless Display*
+- GP ADMX file name: *wlansvc.admx*
+
+
+
+
+
+
+**ADMX_wlansvc/SetPINPreferred**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy applies to Wireless Display connections. This policy changes the preference order of the pairing methods.
+
+When enabled, it makes the connections to prefer a PIN for pairing to Wireless Display devices over the Push Button pairing method.
+
+If this policy setting is disabled or is not configured, by default Push Button pairing is preferred (if allowed by other policies).
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Prefer PIN pairing*
+- GP name: *SetPINPreferred*
+- GP path: *Network\Wireless Display*
+- GP ADMX file name: *wlansvc.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-admx-wpn.md b/windows/client-management/mdm/policy-csp-admx-wpn.md
new file mode 100644
index 0000000000..7e7e4ee561
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-admx-wpn.md
@@ -0,0 +1,490 @@
+---
+title: Policy CSP - ADMX_WPN
+description: Policy CSP - ADMX_WPN
+ms.author: dansimp
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.date: 11/13/2020
+ms.reviewer:
+manager: dansimp
+---
+
+# Policy CSP - ADMX_WPN
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+## ADMX_WPN policies
+
+
+
+
+
+
+
+
+**ADMX_WPN/NoCallsDuringQuietHours**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting blocks voice and video calls during Quiet Hours.
+
+If you enable this policy setting, voice and video calls will be blocked during the designated Quiet Hours time window each day, and users will not be able to customize any other Quiet Hours settings.
+
+If you disable this policy setting, voice and video calls will be allowed during Quiet Hours, and users will not be able to customize this or any other Quiet Hours settings.
+
+If you do not configure this policy setting, voice and video calls will be allowed during Quiet Hours by default. Administrators and users will be able to modify this setting.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off calls during Quiet Hours*
+- GP name: *NoCallsDuringQuietHours*
+- GP path: *Start Menu and Taskbar\Notifications*
+- GP ADMX file name: *WPN.admx*
+
+
+
+
+
+
+**ADMX_WPN/NoLockScreenToastNotification**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting turns off toast notifications on the lock screen.
+
+If you enable this policy setting, applications will not be able to raise toast notifications on the lock screen.
+
+If you disable or do not configure this policy setting, toast notifications on the lock screen are enabled and can be turned off by the administrator or user.
+
+No reboots or service restarts are required for this policy setting to take effect.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off toast notifications on the lock screen*
+- GP name: *NoLockScreenToastNotification*
+- GP path: *Start Menu and Taskbar\Notifications*
+- GP ADMX file name: *WPN.admx*
+
+
+
+
+
+
+**ADMX_WPN/NoQuietHours**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting turns off Quiet Hours functionality.
+
+If you enable this policy setting, toast notifications will not be suppressed and some background tasks will not be deferred during the designated Quiet Hours time window each day.
+
+If you disable this policy setting, toast notifications will be suppressed and some background task deferred during the designated Quiet Hours time window. Users will not be able to change this or any other Quiet Hours settings.
+
+If you do not configure this policy setting, Quiet Hours are enabled by default but can be turned off or by the administrator or user.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off Quiet Hours*
+- GP name: *NoQuietHours*
+- GP path: *Start Menu and Taskbar\Notifications*
+- GP ADMX file name: *WPN.admx*
+
+
+
+
+
+
+**ADMX_WPN/NoToastNotification**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting turns off toast notifications for applications.
+
+If you enable this policy setting, applications will not be able to raise toast notifications.
+
+Note that this policy does not affect taskbar notification balloons.
+
+Note that Windows system features are not affected by this policy. You must enable/disable system features individually to stop their ability to raise toast notifications.
+
+If you disable or do not configure this policy setting, toast notifications are enabled and can be turned off by the administrator or user.
+
+No reboots or service restarts are required for this policy setting to take effect.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Turn off toast notifications*
+- GP name: *NoToastNotification*
+- GP path: *Start Menu and Taskbar\Notifications*
+- GP ADMX file name: *WPN.admx*
+
+
+
+
+
+
+**ADMX_WPN/QuietHoursDailyBeginMinute**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to begin each day.
+
+If you enable this policy setting, the specified time will be used, and users will not be able to customize any Quiet Hours settings.
+
+If you disable this policy setting, a default value will be used, and users will not be able to change it or any other Quiet Hours setting.
+
+If you do not configure this policy setting, a default value will be used, which administrators and users will be able to modify.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Set the time Quiet Hours begins each day*
+- GP name: *QuietHoursDailyBeginMinute*
+- GP path: *Start Menu and Taskbar\Notifications*
+- GP ADMX file name: *WPN.admx*
+
+
+
+
+
+
+**ADMX_WPN/QuietHoursDailyEndMinute**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to end each day.
+
+If you enable this policy setting, the specified time will be used, and users will not be able to customize any Quiet Hours settings.
+
+If you disable this policy setting, a default value will be used, and users will not be able to change it or any other Quiet Hours setting.
+
+If you do not configure this policy setting, a default value will be used, which administrators and users will be able to modify.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Set the time Quiet Hours ends each day*
+- GP name: *QuietHoursDailyEndMinute*
+- GP path: *Start Menu and Taskbar\Notifications*
+- GP ADMX file name: *WPN.admx*
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607
+- 2 - Available in Windows 10, version 1703
+- 3 - Available in Windows 10, version 1709
+- 4 - Available in Windows 10, version 1803
+- 5 - Available in Windows 10, version 1809
+- 6 - Available in Windows 10, version 1903
+- 7 - Available in Windows 10, version 1909
+- 8 - Available in Windows 10, version 2004
+- 9 - Available in Windows 10, version 20H2
+
+
\ No newline at end of file
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md
index d2c9190e0b..e65609226d 100644
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@@ -177,6 +177,10 @@ ms.localizationpriority: medium
+
+**Browser/SuppressEdgeDeprecationNotification**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+This policy allows Enterprise Admins to turn off the notification for company devices that the Edge Legacy browser is no longer supported after 3/9/2021 to avoid confusion for their enterprise users and reduce help desk calls.
+By default, a notification will be presented to the user informing them of this upon application startup.
+With this policy, you can either allow (default) or suppress this notification.
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
+
+
+
+ADMX Info:
+- GP English name: *Suppress Edge Deprecation Notification*
+- GP name: *SuppressEdgeDeprecationNotification*
+- GP path: *Windows Components/Microsoft Edge*
+- GP ADMX file name: *MicrosoftEdge.admx*
+
+
+
+Supported values:
+
+- 0 (default) – Allowed. Notification will be shown at application startup.
+- 1 – Prevented/not allowed.
+
+
**Browser/SyncFavoritesBetweenIEAndMicrosoftEdge**
diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md
index 503ee130bc..9e0b691757 100644
--- a/windows/client-management/mdm/policy-csp-connectivity.md
+++ b/windows/client-management/mdm/policy-csp-connectivity.md
@@ -8,18 +8,16 @@ ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: dansimp
---
# Policy CSP - Connectivity
-
-
-## Connectivity policies
+## Connectivity policies
-**Connectivity/AllowBluetooth**
+**Connectivity/AllowBluetooth**
@@ -136,7 +134,7 @@ The following list shows the supported values:
-**Connectivity/AllowCellularData**
+**Connectivity/AllowCellularData**
@@ -195,7 +193,7 @@ The following list shows the supported values:
-**Connectivity/AllowCellularDataRoaming**
+**Connectivity/AllowCellularDataRoaming**
@@ -244,7 +242,7 @@ Most restricted value is 0.
-ADMX Info:
+ADMX Info:
- GP English name: *Prohibit connection to roaming Mobile Broadband networks*
- GP name: *WCM_DisableRoaming*
- GP path: *Network/Windows Connection Manager*
@@ -274,7 +272,7 @@ To validate on mobile devices, do the following:
-**Connectivity/AllowConnectedDevices**
+**Connectivity/AllowConnectedDevices**
@@ -335,7 +333,7 @@ The following list shows the supported values:
-**Connectivity/AllowPhonePCLinking**
+**Connectivity/AllowPhonePCLinking**
@@ -385,20 +383,20 @@ If you do not configure this policy setting, the default behavior depends on the
-ADMX Info:
+ADMX Info:
- GP name: *enableMMX*
- GP ADMX file name: *grouppolicy.admx*
-This setting supports a range of values between 0 and 1.
+This setting supports a range of values between 0 and 1.
- 0 - Do not link
- 1 (default) - Allow phone-PC linking
-Validation:
+Validation:
If the Connectivity/AllowPhonePCLinking policy is configured to value 0, the add a phone button in the Phones section in settings will be grayed out and clicking it will not launch the window for a user to enter their phone number.
@@ -410,7 +408,7 @@ Device that has previously opt-in to MMX will also stop showing on the device li
-**Connectivity/AllowUSBConnection**
+**Connectivity/AllowUSBConnection**
@@ -475,7 +473,7 @@ The following list shows the supported values:
-**Connectivity/AllowVPNOverCellular**
+**Connectivity/AllowVPNOverCellular**
@@ -535,7 +533,7 @@ The following list shows the supported values:
-**Connectivity/AllowVPNRoamingOverCellular**
+**Connectivity/AllowVPNRoamingOverCellular**
@@ -595,7 +593,7 @@ The following list shows the supported values:
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md
index 58edb0059e..65ade4ae02 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md
@@ -4,7 +4,7 @@ description: This topic for IT professionals describes how each AppLocker Window
ms.assetid: 374e029c-5c0a-44ab-a57a-2a9dd17dc57d
ms.reviewer:
ms.author: macapara
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Use the AppLocker Windows PowerShell cmdlets
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
index 78c04357c6..7895373d6e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
@@ -4,7 +4,7 @@ description: This topic lists AppLocker events and describes how to use Event Vi
ms.assetid: 109abb10-78b1-4c29-a576-e5a17dfeb916
ms.reviewer:
ms.author: macapara
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Using Event Viewer with AppLocker
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md
index 1dd5197ddd..5e34495965 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md
@@ -4,7 +4,7 @@ description: This topic for the IT professional describes how to use Software Re
ms.assetid: c3366be7-e632-4add-bd10-9df088f74c6d
ms.reviewer:
ms.author: macapara
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Use Software Restriction Policies and AppLocker policies
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md
index eab62e36b7..5e8f5b2efb 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md
@@ -4,7 +4,7 @@ description: This topic for the IT professional describes what AppLocker is and
ms.assetid: 44a8a2bb-0f83-4f95-828e-1f364fb65869
ms.reviewer:
ms.author: macapara
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# What Is AppLocker?
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md
index 50fff5a7b2..77b78c5a84 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md
@@ -4,7 +4,7 @@ description: This topic describes the file formats and available default rules f
ms.assetid: 3fecde5b-88b3-4040-81fa-a2d36d052ec9
ms.reviewer:
ms.author: macapara
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Windows Installer rules in AppLocker
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md
index 2bde016bc2..276960c4b0 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md
@@ -4,7 +4,7 @@ description: This topic for IT professionals provides links to procedural topics
ms.assetid: 7062d2e0-9cbb-4cb8-aa8c-b24945c3771d
ms.reviewer:
ms.author: macapara
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Working with AppLocker policies
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md
index 1b92efcccf..67910704f3 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md
@@ -5,14 +5,15 @@ ms.assetid: 3966b35b-f2da-4371-8b5f-aec031db6bc9
ms.reviewer:
manager: dansimp
ms.author: macapara
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-author: mjcaparas
+author: dansimp
ms.localizationpriority: medium
msauthor: v-anbic
ms.date: 08/27/2018
+ms.technology: mde
---
# Working with AppLocker rules
diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
index c5f703e0aa..c35dfc5108 100644
--- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
@@ -1,9 +1,9 @@
---
title: Audit Windows Defender Application Control policies (Windows 10)
description: Audits allow admins to discover apps that were missed during an initial policy scan and to identify new apps that were installed since the policy was created.
-keywords: security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 05/03/2018
+ms.technology: mde
---
# Audit Windows Defender Application Control policies
diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
index b7f98f9949..91186d9798 100644
--- a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
@@ -1,9 +1,9 @@
---
title: Configure a WDAC managed installer (Windows 10)
description: Explains how to configure a custom Manged Installer.
-keywords: security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 08/14/2020
+ms.technology: mde
---
# Configuring a managed installer with AppLocker and Windows Defender Application Control
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
index da15b10af4..f3b993cbc0 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
@@ -1,9 +1,9 @@
---
title: Create a code signing cert for Windows Defender Application Control (Windows 10)
description: Learn how to set up a publicly-issued code signing certificate, so you can sign catalog files or WDAC policies internally.
-keywords: security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 02/28/2018
+ms.technology: mde
---
# Optional: Create a code signing cert for Windows Defender Application Control
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
index d755422a84..37cb5bd513 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
@@ -1,9 +1,9 @@
---
title: Create a WDAC policy for fixed-workload devices using a reference computer (Windows 10)
description: To create a Windows Defender Application Control (WDAC) policy for fixed-workload devices within your organization, follow this guide.
-keywords: security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 05/03/2018
+ms.technology: mde
---
# Create a WDAC policy for fixed-workload devices using a reference computer
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
index 8b4a0fa4ff..bec0d684e1 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
@@ -1,10 +1,10 @@
---
title: Create a WDAC policy for fully-managed devices (Windows 10)
description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
-keywords: security, malware
+keywords: security, malware
ms.topic: conceptual
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -16,6 +16,7 @@ ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 11/20/2019
+ms.technology: mde
---
# Create a WDAC policy for fully-managed devices
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
index 89cecfc78b..85a6d9cfdc 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
@@ -1,10 +1,10 @@
---
title: Create a WDAC policy for lightly-managed devices (Windows 10)
description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
-keywords: security, malware
+keywords: security, malware
ms.topic: conceptual
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -16,6 +16,7 @@ ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 11/15/2019
+ms.technology: mde
---
# Create a WDAC policy for lightly-managed devices
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
index 3abf426167..9dd3b2efa3 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
@@ -1,9 +1,9 @@
---
title: Deploy catalog files to support Windows Defender Application Control (Windows 10)
description: Catalog files simplify running unsigned applications in the presence of a Windows Defender Application Control (WDAC) policy.
-keywords: security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 02/28/2018
+ms.technology: mde
---
# Deploy catalog files to support Windows Defender Application Control
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
index bf44f8cd81..d52c5a2d88 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
@@ -1,9 +1,9 @@
---
title: Use multiple Windows Defender Application Control Policies (Windows 10)
description: Windows Defender Application Control supports multiple code integrity policies for one device.
-keywords: security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -14,7 +14,8 @@ author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
-ms.date: 09/16/2020
+ms.date: 11/13/2020
+ms.technology: mde
---
# Use multiple Windows Defender Application Control Policies
@@ -27,7 +28,7 @@ ms.date: 09/16/2020
The restriction of only having a single code integrity policy active on a system at any given time has felt limiting for customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports up to 32 active policies on a device at once in order to enable the following scenarios:
1. Enforce and Audit Side-by-Side
- - To validate policy changes before deploying in enforcement mode, users can now deploy an audit-mode base policy side-by-side with an existing enforcement-mode base policy
+ - To validate policy changes before deploying in enforcement mode, users can now deploy an audit-mode base policy side by side with an existing enforcement-mode base policy
2. Multiple Base Policies
- Users can enforce two or more base policies simultaneously in order to allow simpler policy targeting for policies with different scope/intent
- If two base policies exist on a device, an application has to be allowed by both to run
@@ -48,19 +49,19 @@ The restriction of only having a single code integrity policy active on a system
## Creating WDAC policies in Multiple Policy Format
-In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) results in 1) random GUIDs being generated for the policy ID and 2) the policy type being specified as base. The below is an example of creating a new policy in the multiple policy format.
+In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps&preserve-view=true) results in 1) random GUIDs being generated for the policy ID and 2) the policy type being specified as base. The below is an example of creating a new policy in the multiple policy format.
```powershell
New-CIPolicy -MultiplePolicyFormat -ScanPath "
-**Connectivity/DiablePrintingOverHTTP**
+**Connectivity/DisablePrintingOverHTTP**
@@ -652,14 +650,14 @@ Also, see the "Web-based printing" policy setting in Computer Configuration/Admi
> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there is a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-ADMX Info:
+ADMX Info:
- GP English name: *Turn off printing over HTTP*
- GP name: *DisableHTTPPrinting_2*
- GP path: *Internet Communication settings*
@@ -671,7 +669,7 @@ ADMX Info:
-#### SP 800-132 Password Based Key Derivation Function (PBKDF)
+#### SP 800-132 Password-Based Key Derivation Function (PBKDF)
-**Connectivity/DisableDownloadingOfPrintDriversOverHTTP**
+**Connectivity/DisableDownloadingOfPrintDriversOverHTTP**
@@ -726,14 +724,14 @@ If you disable or do not configure this policy setting, users can download print
> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there is a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-ADMX Info:
+ADMX Info:
- GP English name: *Turn off downloading of print drivers over HTTP*
- GP name: *DisableWebPnPDownload_2*
- GP path: *Internet Communication settings*
@@ -745,7 +743,7 @@ ADMX Info:
@@ -2065,7 +2212,7 @@ Validated Editions: Server, Storage Server
-**Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards**
+**Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards**
@@ -800,14 +798,14 @@ See the documentation for the web publishing and online ordering wizards for mor
> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there is a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-ADMX Info:
+ADMX Info:
- GP English name: *Turn off Internet download for Web publishing and online ordering wizards*
- GP name: *ShellPreventWPWDownload_2*
- GP path: *Internet Communication settings*
@@ -819,7 +817,7 @@ ADMX Info:
@@ -1934,7 +2081,7 @@ Validated Editions: Server, Storage Server
-**Connectivity/DisallowNetworkConnectivityActiveTests**
+**Connectivity/DisallowNetworkConnectivityActiveTests**
@@ -868,7 +866,7 @@ Value type is integer.
-ADMX Info:
+ADMX Info:
- GP English name: *Turn off Windows Network Connectivity Status Indicator active tests*
- GP name: *NoActiveProbe*
- GP path: *Internet Communication settings*
@@ -880,7 +878,7 @@ ADMX Info:
@@ -1893,22 +2040,22 @@ Validated Editions: Server, Storage Server
-**Connectivity/HardenedUNCPaths**
+**Connectivity/HardenedUNCPaths**
@@ -929,14 +927,14 @@ If you enable this policy, Windows only allows access to the specified UNC paths
> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there is a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-ADMX Info:
+ADMX Info:
- GP English name: *Hardened UNC Paths*
- GP name: *Pol_HardenedPaths*
- GP path: *Network/Network Provider*
@@ -948,7 +946,7 @@ ADMX Info:
@@ -1735,65 +1882,65 @@ Validated Editions: Server, Storage Server
-**Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge**
+**Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge**
@@ -1001,14 +999,14 @@ If you disable this setting or do not configure it, the user will be able to cre
> [!TIP]
-> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
->
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
->
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there is a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-ADMX Info:
+ADMX Info:
- GP English name: *Prohibit installation and configuration of Network Bridge on your DNS domain network*
- GP name: *NC_AllowNetBridge_NLA*
- GP path: *Network/Network Connections*
@@ -1016,6 +1014,7 @@ ADMX Info:
+
-\[16\] Does not apply to **Azure StorSimple Virtual Array Windows Server 2012 R2**
+\[16\] Doesn't apply to **Azure StorSimple Virtual Array Windows Server 2012 R2**
-\[17\] Does not apply to **Azure StorSimple Virtual Array Windows Server 2012 R2**
+\[17\] Doesn't apply to **Azure StorSimple Virtual Array Windows Server 2012 R2**
**Windows Server 2012**
@@ -1647,27 +1794,27 @@ Validated Editions: Server, Storage Server
Footnotes:
@@ -1028,6 +1027,6 @@ Footnotes:
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
+- 9 - Available in Windows 10, version 2009.
-
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index dcea40a888..6387efccc5 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -2317,6 +2317,15 @@ Added in Windows 10, version 1607. Specifies the level of detection for potenti
> Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which might be unexpected or unwanted. By default in Windows 10 (version 2004 and later), Microsoft Defender Antivirus blocks apps that are considered PUA, for Enterprise (E5) devices. For more information about PUA, see [Detect and block potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus).
+
+ADMX Info:
+- GP English name: *Configure detection for potentially unwanted applications*
+- GP name: *Root_PUAProtection*
+- GP element: *Root_PUAProtection*
+- GP path: *Windows Components/Microsoft Defender Antivirus*
+- GP ADMX file name: *WindowsDefender.admx*
+
+
The following list shows the supported values:
@@ -3112,6 +3121,7 @@ Footnotes:
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
+- 9 - Available in Windows 10, version 20H2.
diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
index 4061074c76..1031aada9c 100644
--- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md
+++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
@@ -371,7 +371,7 @@ ADMX Info:
-This policy allows you to to configure one or more Delivery Optimization in Network Cache servers through a custom DHCP Option. One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas.
+This policy allows you to configure one or more Delivery Optimization in Network Cache servers through a custom DHCP Option. One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas.
@@ -754,8 +754,7 @@ The following list shows the supported values:
- 2 – HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if it exists) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2.
- 3 – HTTP blended with Internet peering.
- 99 - Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607.
-- 100 - Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607.
-
+- 100 - Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607. Note that this value is deprecated and will be removed in a future release.
@@ -882,7 +881,7 @@ The options set in this policy only apply to Group (2) download mode. If Group (
For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID.
-Starting with Windows 10, version 1903, you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5.
+Starting with Windows 10, version 1903, you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5.
diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md
index 24c7b04cbf..ba86d69fad 100644
--- a/windows/client-management/mdm/policy-csp-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md
@@ -22,28 +22,28 @@ ms.localizationpriority: medium
@@ -51,7 +51,7 @@ ms.localizationpriority: medium
-**DeviceInstallation/AllowInstallationOfMatchingDeviceIDs**
+## DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
@@ -165,7 +165,7 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and
@@ -1083,14 +1160,14 @@ Validated Editions: Ultimate Edition
-**DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs**
+## DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs
@@ -272,7 +272,7 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i
@@ -1042,22 +1119,22 @@ Validated Editions: Ultimate Edition
-**DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses**
+## DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
@@ -395,7 +395,7 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and
@@ -990,23 +1067,23 @@ Validated Editions: Ultimate Edition
-**DeviceInstallation/PreventDeviceMetadataFromNetwork**
+## DeviceInstallation/PreventDeviceMetadataFromNetwork
@@ -474,7 +474,7 @@ ADMX Info:
@@ -924,13 +1001,13 @@ Validated Editions: Ultimate Edition
-**DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings**
+## DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
@@ -586,7 +586,7 @@ You can also block installation by using a custom profile in Intune.
@@ -801,11 +878,11 @@ Validated Editions: Windows 7, Windows 7 SP1
-**DeviceInstallation/PreventInstallationOfMatchingDeviceIDs**
+## DeviceInstallation/PreventInstallationOfMatchingDeviceIDs
@@ -703,7 +703,7 @@ For example, this custom profile blocks installation and usage of USB devices wi
-\[9\] Applies only to Home, Pro, Enterprise and Enterprise LTSB
+\[9\] Applies only to Home, Pro, Enterprise, and Enterprise LTSB
-\[10\] Applies only to Home, Pro, Enterprise and Enterprise LTSB
+\[10\] Applies only to Home, Pro, Enterprise, and Enterprise LTSB
-\[11\] Applies only to Home, Pro, Enterprise and Enterprise LTSB
+\[11\] Applies only to Home, Pro, Enterprise, and Enterprise LTSB
-\[12\] Applies only to Pro, Enterprise and Enterprise LTSB
+\[12\] Applies only to Pro, Enterprise, and Enterprise LTSB
\[13\] Applies only to Enterprise and Enterprise LTSB
@@ -621,25 +698,25 @@ Validated Editions: RT, Pro, Enterprise, Phone, Embedded
-**DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs**
+## DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs
@@ -830,7 +830,7 @@ with
-\[4\] Applies only to Home, Pro, Enterprise, Mobile and Surface Hub
+\[4\] Applies only to Home, Pro, Enterprise, Mobile, and Surface Hub
-\[5\] Applies only to Home, Pro, Enterprise, Mobile and Surface Hub
+\[5\] Applies only to Home, Pro, Enterprise, Mobile, and Surface Hub
-\[6\] Applies only to Home, Pro and Enterprise
+\[6\] Applies only to Home, Pro, and Enterprise
-\[7\] Applies only to Pro, Enterprise, Mobile and Surface Hub
+\[7\] Applies only to Pro, Enterprise, Mobile, and Surface Hub
\[8\] Applies only to Enterprise and Enterprise LTSB
@@ -523,7 +600,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface
-**DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses**
+## DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses
diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md
index f68a71f820..b106637736 100644
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@@ -677,7 +677,7 @@ The following list shows the supported values:
-Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app.
+Specifies the maximum amount of time (in seconds) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app.
* On Mobile, the Lumia 950 and 950XL have a maximum timeout value of 5 minutes, regardless of the value set by this policy.
* On HoloLens, this timeout is controlled by the device's system sleep timeout, regardless of the value set by this policy.
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md
index d9e072c7c3..8550d25403 100644
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
-ms.date: 09/27/2019
+ms.date: 11/02/2020
ms.reviewer:
manager: dansimp
---
@@ -73,6 +73,9 @@ manager: dansimp
-\[1\] Applies only to Home, Pro, Enterprise and Enterprise LTSB
+\[1\] Applies only to Home, Pro, Enterprise, and Enterprise LTSB
-\[2\] Applies only to Pro, Enterprise, Enterprise LTSB and Mobile
+\[2\] Applies only to Pro, Enterprise, Enterprise LTSB, and Mobile
-\[3\] Applies only to Pro, Enterprise and Enterprise LTSB
+\[3\] Applies only to Pro, Enterprise, and Enterprise LTSB
##### Windows 10 November 2015 Update (Version 1511)
@@ -425,7 +502,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting lets you turn off cloud optimized content in all Windows experiences.
+
+If you enable this policy setting, Windows experiences that use the cloud optimized content client component will present the default fallback content.
+
+If you disable or do not configure this policy setting, Windows experiences will be able to use cloud optimized content.
+
+
+
+ADMX Info:
+- GP English name: *Turn off cloud optimized content*
+- GP name: *DisableCloudOptimizedContent*
+- GP path: *Windows Components/Cloud Content*
+- GP ADMX file name: *CloudContent.admx*
+
+
+
+The following list shows the supported values:
+
+- 0 (default) – Disabled.
+- 1 – Enabled.
+
+
+
+
@@ -1286,7 +1358,7 @@ ADMX Info:
Supported values:
-- 0 (default) - Allowed/turned on. The "browser" group syncs automatically between user’s devices and lets users to make changes.
+- 0 (default) - Allowed/turned on. The "browser" group synchronizes automatically between users' devices and lets users make changes.
- 2 - Prevented/turned off. The "browser" group does not use the _Sync your Settings_ option.
@@ -1500,6 +1572,7 @@ Footnotes:
- 6 - Available in Windows 10, version 1903.
- 7 - Available in Windows 10, version 1909.
- 8 - Available in Windows 10, version 2004.
+- 9 - Available in Windows 10, version 20H2.
diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md
index c63c654abe..73e6d3c865 100644
--- a/windows/client-management/mdm/policy-csp-internetexplorer.md
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md
@@ -5,9 +5,8 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
-author: manikadhiman
+author: dansimp
ms.localizationpriority: medium
-ms.date: 09/27/2019
ms.reviewer:
manager: dansimp
---
@@ -85,6 +84,9 @@ manager: dansimp
+
+**InternetExplorer/AllowSaveTargetAsInIEMode**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+This policy setting allows the administrator to enable "Save Target As" context menu in Internet Explorer mode.
+
+- If you enable this policy, "Save Target As" will show up in the Internet Explorer mode context menu and work the same as Internet Explorer.
+- If you disable or do not configure this policy setting, "Save Target As" will not show up in the Internet Explorer mode context menu.
+
+For more information, see [https://go.microsoft.com/fwlink/?linkid=2102115](https://go.microsoft.com/fwlink/?linkid=2102115)
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Allow "Save Target As" in Internet Explorer mode*
+- GP name: *AllowSaveTargetAsInIEMode*
+- GP path: *Windows Components/Internet Explorer*
+- GP ADMX file name: *inetres.admx*
+
+
+
+```xml
+
+**InternetExplorer/ConfigureEdgeRedirectChannel**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+Enables you to configure up to three versions of Microsoft Edge to open a redirected site (in order of preference). Use this policy, if your environment is configured to redirect sites from Internet Explorer 11 to Microsoft Edge. If any of the chosen versions are not installed on the device, that preference will be bypassed.
+
+If both the Windows Update for the next version of Microsoft Edge* and Microsoft Edge Stable channel are installed, the following behaviors occur:
+
+- If you enable this policy, you can configure redirected sites to open in up to three of the following channels where:
+ 1 = Microsoft Edge Stable
+ 2 = Microsoft Edge Beta version 77 or later
+ 3 = Microsoft Edge Dev version 77 or later
+ 4 = Microsoft Edge Canary version 77 or later
+
+- If you disable or do not configure this policy, Microsoft Edge Stable channel is used. This is the default behavior.
+
+If the Windows Update for the next version of Microsoft Edge* or Microsoft Edge Stable channel are not installed, the following behaviors occur:
+
+- If you enable this policy, you can configure redirected sites to open in up to three of the following channels where:
+ 0 = Microsoft Edge version 45 or earlier
+ 1 = Microsoft Edge Stable
+ 2 = Microsoft Edge Beta version 77 or later
+ 3 = Microsoft Edge Dev version 77 or later
+ 4 = Microsoft Edge Canary version 77 or later
+
+- If you disable or do not configure this policy, Microsoft Edge version 45 or earlier is automatically used. This is the default behavior.
+
+> [!NOTE]
+> For more information about the Windows update for the next version of Microsoft Edge including how to disable it, see [https://go.microsoft.com/fwlink/?linkid=2102115](https://go.microsoft.com/fwlink/?linkid=2102115). This update applies only to Windows 10 version 1709 and higher.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure which channel of Microsoft Edge to use for opening redirected sites*
+- GP name: *NeedEdgeBrowser*
+- GP path: *Windows Components/Internet Explorer*
+- GP ADMX file name: *inetres.admx*
+
+
+
+```xml
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+This policy lets you restrict launching of Internet Explorer as a standalone browser.
+
+If you enable this policy, it:
+- Prevents Internet Explorer 11 from launching as a standalone browser.
+- Restricts Internet Explorer's usage to Microsoft Edge's native 'Internet Explorer mode'.
+- Redirects all attempts at launching Internet Explorer 11 to Microsoft Edge Stable Channel browser.
+- Overrides any other policies that redirect to Internet Explorer 11.
+
+If you disable, or do not configure this policy, all sites are opened using the current active browser settings.
+
+> [!NOTE]
+> Microsoft Edge Stable Channel must be installed for this policy to take effect.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Disable Internet Explorer 11 as a standalone browser*
+- GP name: *DisableInternetExplorerApp*
+- GP path: *Windows Components/Internet Explorer*
+- GP ADMX file name: *inetres.admx*
+
+
+
+```xml
+
+
+**InternetExplorer/KeepIntranetSitesInInternetExplorer**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+This policy setting prevents intranet sites from being opened in any browser except Internet Explorer.
+
+> [!NOTE]
+> If the [InternetExplorer/SendSitesNotInEnterpriseSiteListToEdg](#internetexplorer-policies)e policy is not enabled, then this policy has no effect.
+
+If you enable this policy, all intranet sites are opened in Internet Explorer 11. The only exceptions are sites listed in your Enterprise Mode Site List.
+If you disable or do not configure this policy, all intranet sites are automatically opened in Microsoft Edge.
+
+We strongly recommend keeping this policy in sync with the [Browser/SendIntranetTraffictoInternetExplorer](#internetexplorer-policies) policy. Additionally, it is best to enable this policy only if your intranet sites have known compatibility problems with Microsoft Edge.
+
+Related policies:
+- [Browser/SendIntranetTraffictoInternetExplorer](#internetexplorer-policies)
+- [InternetExplorer/SendSitesNotInEnterpriseSiteListToEdge](#internetexplorer-policies)
+
+For more information on how to use this policy together with other related policies to create the optimal configuration for your organization, see [https://go.microsoft.com/fwlink/?linkid=2094210.](https://go.microsoft.com/fwlink/?linkid=2094210)
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Keep all Intranet Sites in Internet Explorer*
+- GP name: *KeepIntranetSitesInInternetExplorer*
+- GP path: *Windows Components/Internet Explorer*
+- GP ADMX file name: *inetres.admx*
+
+
+
+```xml
+
+
+**InternetExplorer/SendSitesNotInEnterpriseSiteListToEdge**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+> * Device
+
+
+
+
+
+This setting lets you decide whether to open all sites not included in the Enterprise Mode Site List in Microsoft Edge. If you use this setting, you must also turn on the [InternetExplorer/AllowEnterpriseModeSiteList ](#internetexplorer-policies) policy setting and you must include at least one site in the Enterprise Mode Site List.
+
+If you enable this setting, it automatically opens all sites not included in the Enterprise Mode Site List in Microsoft Edge.
+
+If you disable, or not configure this setting, then it opens all sites based on the currently active browser.
+
+> [!NOTE]
+> If you have also enabled the [InternetExplorer/SendIntranetTraffictoInternetExplorer](#internetexplorer-policies) policy setting, then all intranet sites will continue to open in Internet Explorer 11.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Send all sites not included in the Enterprise Mode Site List to Microsoft Edge*
+- GP name: *RestrictInternetExplorer*
+- GP path: *Windows Components/Internet Explorer*
+- GP ADMX file name: *inetres.admx*
+
+> [!NOTE]
+> This MDM policy is still outstanding.
+
+
+```xml
+
+
+
+## LocalUsersAndGroups policies
+
+
+
+
+
+
+
+
+**LocalUsersAndGroups/Configure**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows 10, version 20H2. This policy setting allows IT admins to add, remove, or replace members of local groups on a managed device.
+
+> [!NOTE]
+> The [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership) policy setting also allows you to configure members (users or AAD groups) to a Windows 10 local group. However, it allows only for a full replace of the existing groups with the new members and does not allow selective add or remove.
+>
+> Starting from Windows 10, version 20H2, it is recommended to use the LocalUsersandGroups policy instead of the RestrictedGroups policy. Applying both the policies to the same device is unsupported and may yield unpredictable results.
+
+Here is an example of the policy definition XML for group configuration:
+
+```xml
+
+
+> [!NOTE]
+>
+> When AAD group SID’s are added to local groups, during AAD account logon privileges are evaluated only for the following well-known groups on a Windows 10 device:
+>
+> - Administrators
+> - Users
+> - Guests
+> - Power Users
+> - Remote Desktop Users
+> - Remote Management Users
+
+## FAQs
+
+This section provides answers to some common questions you might have about the LocalUsersAndGroups policy CSP.
+
+### What happens if I accidentally remove the built-in Administrator SID from the Administrators group?
+
+Removing the built-in Administrator account from the built-in Administrators group is blocked at SAM/OS level for security reasons. Attempting to do so will result in failure with the following error:
+
+| Error Code | Symbolic Name | Error Description | Header |
+|----------|----------|----------|----------|
+| 0x55b (Hex)
1371 (Dec) |ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.| winerror.h |
+
+When configuring the built-in Administrators group with the R (Restrict) action, specify the built-in Administrator account SID/Name in `
+
+
+## Multitasking policies
+
+
+
+
+
+
+
+**Multitasking/BrowserAltTabBlowout**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * User
+
+
+
+
+
+
+> [!Warning]
+> This policy is currently in preview mode only and will be supported in future releases. It may be used for testing purposes, but should not be used in a production environment at this time.
+
+This policy controls the inclusion of Edge tabs into Alt+Tab.
+
+Enabling this policy restricts the number of Edge tabs that are allowed to appear in the Alt+Tab switcher. Alt+Tab can be configured to show all open Edge tabs, only the 5 most recent tabs, only the 3 most recent tabs, or no tabs. Setting the policy to no tabs configures the Alt+Tab switcher to show app windows only, which is the classic Alt+Tab behavior.
+
+This policy only applies to the Alt+Tab switcher. When the policy is not enabled, the feature respects the user's setting in the Settings app.
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+ADMX Info:
+- GP English name: *Configure the inclusion of Edge tabs into Alt-Tab*
+- GP name: *BrowserAltTabBlowout*
+- GP path: *Windows Components/Multitasking*
+- GP ADMX file name: *Multitasking.admx*
+
+
+
+
+The following list shows the supported values:
+
+- 1 - Open windows and all tabs in Edge.
+- 2 - Open windows and 5 most recent tabs in Edge.
+- 3 - Open windows and 3 most recent tabs in Edge.
+- 4 - Open windows only.
+
+
+
+
+
+
+Footnotes:
+
+- 1 - Available in Windows 10, version 1607.
+- 2 - Available in Windows 10, version 1703.
+- 3 - Available in Windows 10, version 1709.
+- 4 - Available in Windows 10, version 1803.
+- 5 - Available in Windows 10, version 1809.
+- 6 - Available in Windows 10, version 1903.
+- 7 - Available in Windows 10, version 1909.
+- 8 - Available in Windows 10, version 2004.
+- 9 - Available in Windows 10, version 20H2.
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md
index 67cb225555..4b9506c5c9 100644
--- a/windows/client-management/mdm/policy-csp-restrictedgroups.md
+++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md
@@ -14,6 +14,9 @@ manager: dansimp
# Policy CSP - RestrictedGroups
+> [!IMPORTANT]
+> Starting from Windows 10, version 20H2, it is recommended to use the [LocalUsersandGroups](policy-csp-localusersandgroups.md) policy instead of the RestrictedGroups policy to configure members (users or AAD groups) to a Windows 10 local group. Applying both the policies to the same device is unsupported and may yield unpredictable results.
+
diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md
index 5fe588c782..b3290f82dc 100644
--- a/windows/client-management/mdm/policy-csp-search.md
+++ b/windows/client-management/mdm/policy-csp-search.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
-ms.date: 09/27/2019
+ms.date: 02/12/2021
ms.reviewer:
manager: dansimp
---
@@ -25,9 +25,6 @@ manager: dansimp
-**Search/AllowCortanaInAAD**
@@ -178,30 +174,6 @@ The following list shows the supported values:
-
-
-### Read-Only Domain Controllers
-
-This group is comprised of the Read-only domain controllers in the domain. A Read-only domain controller makes it possible for organizations to easily deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an extranet or in an application-facing role.
-
-Because administration of a Read-only domain controller can be delegated to a domain user or security group, an Read-only domain controller is well suited for a site that should not have a user who is a member of the Domain Admins group. A Read-only domain controller encompasses the following functionality:
-
-- Read-only AD DS database
-
-- Unidirectional replication
-
-- Credential caching
-
-- Administrator role separation
-
-- Read-only Domain Name System (DNS)
-
-For information about deploying a Read-only domain controller, see [Understanding Planning and Deployment for Read-Only Domain Controllers](https://technet.microsoft.com/library/cc754719(v=ws.10).aspx).
-
-This security group was introduced in Windows Server 2008, and it has not changed in subsequent versions.
-
-
-
-
-Added in Windows 10, version 1803. This specifies whether the Cortana consent page can appear in the Azure Active Directory (AAD) device out-of-box-experience (OOBE) flow. If this policy is left in its default state, Cortana will not be shown in the AAD OOBE flow. If you opt-in to this policy, then the Cortana consent page will appear in the AAD OOBE flow..
-
-
-
-ADMX Info:
-- GP English name: *Allow Cortana Page in OOBE on an AAD account*
-- GP name: *AllowCortanaInAAD*
-- GP path: *Windows Components/Search*
-- GP ADMX file name: *Search.admx*
-
-
-
-The following list shows the supported values:
-
-- 0 (default) - Not allowed. The Cortana consent page will not appear in AAD OOBE during setup.
-- 1 - Allowed. The Cortana consent page will appear in Azure AAD OOBE during setup.
-
-
-
-
-
-
**Search/AllowFindMyFiles**
diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md
index 762c801e6c..8f43acb2ab 100644
--- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md
+++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md
@@ -78,6 +78,9 @@ If you enable this policy setting, built-in system services hosted in svchost.ex
This includes a policy requiring all binaries loaded in these processes to be signed by Microsoft, as well as a policy disallowing dynamically-generated code.
+> [!IMPORTANT]
+> Enabling this policy could cause compatibility issues with third-party software that uses svchost.exe processes (for example, third-party antivirus software).
+
If you disable or do not configure this policy setting, the stricter security settings will not be applied.
@@ -122,4 +125,3 @@ Footnotes:
- 8 - Available in Windows 10, version 2004.
-
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index 05c983440b..6012a60ed9 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -1,13 +1,13 @@
---
title: Policy CSP - System
-description: Learn policy settings that determines whether users can access the Insider build controls in the advanced options for Windows Update.
+description: Learn policy settings that determine whether users can access the Insider build controls in the advanced options for Windows Update.
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
-ms.date: 08/12/2020
+ms.date: 10/14/2020
ms.reviewer:
manager: dansimp
---
@@ -212,14 +212,13 @@ The following list shows the supported values:
-This policy setting controls whether Microsoft is a processor or controller for Windows diagnostic data collected from devices.
+This policy setting opts the device into the Windows enterprise data pipeline.
-If you enable this policy and enroll your devices in your Azure AD tenant, your organization becomes the controller and Microsoft is the processor of this data.
+If you enable this setting, data collected from the device will be opted into the Windows enterprise data pipeline.
-If you disable or don't configure this policy setting, Microsoft will be the controller for Windows diagnostic data collected from the device.
+If you disable or don't configure this setting, all data from the device will be collected and processed in accordance with our policies for the Windows standard data pipeline.
->[!Note]
-> This policy setting only controls if Microsoft is a processor for Windows diagnostic data from this device. Use the [System/AllowTelemetry](#system-allowtelemetry) policy setting to limit the diagnostic data that can be collected from the device.
+Configuring this setting does not change the telemetry collection level or the ability of the user to change the level. This setting only applies to the Windows operating system and apps included with Windows, not third-party apps or services running on Windows 10.
@@ -234,8 +233,8 @@ ADMX Info:
The following list shows the supported values:
-- 0 (default) - Do not use the Windows Commercial Data Pipeline
-- 1 - Use the Windows Commercial Data Pipeline
+- 0 (default) - Disabled.
+- 1 - Enabled.
@@ -245,7 +244,9 @@ The following list shows the supported values:
+
+
**System/AllowDeviceNameInDiagnosticData**
@@ -488,7 +489,7 @@ The following list shows the supported values:
-Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts.
+Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally installed fonts.
This MDM setting corresponds to the EnableFontProviders Group Policy setting. If both the Group Policy and the MDM settings are configured, the group policy setting takes precedence. If neither is configured, the behavior depends on a DisableFontProviders registry value. In server editions, this registry value is set to 1 by default, so the default behavior is false (disabled). In all other editions, the registry value is not set by default, so the default behavior is true (enabled).
@@ -509,7 +510,7 @@ ADMX Info:
The following list shows the supported values:
-- 0 - false - No traffic to fs.microsoft.com and only locally-installed fonts are available.
+- 0 - false - No traffic to fs.microsoft.com and only locally installed fonts are available.
- 1 - true (default) - There may be network traffic to fs.microsoft.com and downloadable fonts are available to apps that support them.
@@ -1605,7 +1606,7 @@ The following list shows the supported values:
This policy setting, in combination with the System/AllowTelemetry
policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services.
-To enable this behavior you must complete two steps:
+To enable this behavior, you must complete two steps:
+
+**Update/DisableWUfBSafeguards**
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Available in Windows Update for Business (WUfB) devices running Windows 10, version 1809 and above and installed with October 2020 security update. This policy setting specifies that a WUfB device should skip safeguards.
+
+Safeguard holds prevent a device with a known compatibility issue from being offered a new OS version. The offering will proceed once a fix is issued and is verified on a held device. The aim of safeguards is to protect the device and user from a failed or poor upgrade experience.
+
+The safeguard holds protection is provided by default to all the devices trying to update to a new Windows 10 Feature Update version via Windows Update.
+
+IT admins can, if necessary, opt devices out of safeguard protections using this policy setting or via the “Disable safeguards for Feature Updates” Group Policy.
+
+> [!NOTE]
+> Opting out of the safeguards can put devices at risk from known performance issues. We recommend opting out only in an IT environment for validation purposes. Further, you can leverage the Windows Insider Program for Business Release Preview Channel in order to validate the upcoming Windows 10 Feature Update version without the safeguards being applied.
+>
+> The disable safeguards policy will revert to “Not Configured” on a device after moving to a new Windows 10 version, even if previously enabled. This ensures the admin is consciously disabling Microsoft’s default protection from known issues for each new feature update.
+>
+> Disabling safeguards does not guarantee your device will be able to successfully update. The update may still fail on the device and will likely result in a bad experience post upgrade as you are bypassing the protection given by Microsoft pertaining to known issues.
+
+
+
+ADMX Info:
+- GP English name: *Disable safeguards for Feature Updates*
+- GP name: *DisableWUfBSafeguards*
+- GP path: *Windows Components/Windows Update/Windows Update for Business*
+- GP ADMX file name: *WindowsUpdate.admx*
+
+
+
+The following list shows the supported values:
+
+- 0 (default) - Safeguards are enabled and devices may be blocked for upgrades until the safeguard is cleared.
+- 1 - Safeguards are not enabled and upgrades will be deployed without blocking on safeguards.
+
+
+
+
+
+
**Update/EngagedRestartDeadline**
@@ -4250,7 +4333,7 @@ The following list shows the supported values:
-Available in Windows 10, version 1803 and later. Enables IT administrators to specify which version they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see [Windows 10 release information](https://docs.microsoft.com/windows/release-information/).
+Available in Windows 10, version 1803 and later. Enables IT administrators to specify which version they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information/).
ADMX Info:
@@ -4525,4 +4608,3 @@ Footnotes:
- 8 - Available in Windows 10, version 2004.
-
diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md
index df12efd32b..b1a0a67245 100644
--- a/windows/client-management/mdm/policy-csp-userrights.md
+++ b/windows/client-management/mdm/policy-csp-userrights.md
@@ -84,6 +84,18 @@ For example, the following syntax grants user rights to Authenticated Users and
```
+For example, the following syntax grants user rights to two specific Azure Active Directory (AAD) users from Contoso, user1 and user2:
+
+```xml
+
+```
+
+For example, the following syntax grants user rights to a specific user or group, by using the Security Identifier (SID) of the account or group:
+
+```xml
+
+```
+
diff --git a/windows/client-management/mdm/policy-csp-windowssandbox.md b/windows/client-management/mdm/policy-csp-windowssandbox.md
new file mode 100644
index 0000000000..77c69597e9
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-windowssandbox.md
@@ -0,0 +1,561 @@
+---
+title: Policy CSP - WindowsSandbox
+description: Policy CSP - WindowsSandbox
+ms.author: dansimp
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: manikadhiman
+ms.localizationpriority: medium
+ms.date: 10/14/2020
+---
+
+# Policy CSP - WindowsSandbox
+
+> [!WARNING]
+> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
+
+
+
+
+
+## WindowsSandbox policies
+
+
+
+
+
+
+
+
+**WindowsSandbox/AllowAudioInput**
+
+Available in the latest Windows 10 insider preview build.
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting allows the IT admin to enable or disable audio input to the Sandbox.
+
+> [!NOTE]
+> There may be security implications of exposing host audio input to the container.
+
+If this policy is not configured, end-users get the default behavior (audio input enabled).
+
+If audio input is disabled, a user will not be able to enable audio input from their own configuration file.
+
+If audio input is enabled, a user will be able to disable audio input from their own configuration file to make the device more secure.
+
+> [!NOTE]
+> You must restart Windows Sandbox for any changes to this policy setting to take effect.
+
+
+
+ADMX Info:
+
+- GP English Name: *Allow audio input in Windows Sandbox*
+- GP name: *AllowAudioInput*
+- GP path: *Windows Components/Windows Sandbox*
+- GP ADMX file name: *WindowsSandbox.admx*
+
+
+
+The following are the supported values:
+
+- 0 - Disabled
+- 1 (default) - Enabled
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**WindowsSandbox/AllowClipboardRedirection**
+
+Available in the latest Windows 10 insider preview build.
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting allows the IT admin to enable or disable sharing of the host clipboard with the sandbox.
+
+If this policy is not configured, end-users get the default behavior (clipboard redirection enabled.
+
+If clipboard sharing is disabled, a user will not be able to enable clipboard sharing from their own configuration file.
+
+If clipboard sharing is enabled, a user will be able to disable clipboard sharing from their own configuration file to make the device more secure.
+
+> [!NOTE]
+> You must restart Windows Sandbox for any changes to this policy setting to take effect.
+
+
+
+ADMX Info:
+
+- GP English Name: *Allow clipboard sharing with Windows Sandbox*
+- GP name: *AllowClipboardRedirection*
+- GP path: *Windows Components/Windows Sandbox*
+- GP ADMX file name: *WindowsSandbox.admx*
+
+
+
+The following are the supported values:
+
+- 0 - Disabled
+- 1 (default) - Enabled
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+**WindowsSandbox/AllowNetworking**
+
+Available in the latest Windows 10 insider preview build.
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting allows the IT admin to enable or disable networking in Windows Sandbox. Disabling network access can decrease the attack surface exposed by the Sandbox. Enabling networking can expose untrusted applications to the internal network.
+
+If this policy is not configured, end-users get the default behavior (networking enabled).
+
+If networking is disabled, a user will not be able to enable networking from their own configuration file.
+
+If networking is enabled, a user will be able to disable networking from their own configuration file to make the device more secure.
+
+> [!NOTE]
+> You must restart Windows Sandbox for any changes to this policy setting to take effect.
+
+
+
+ADMX Info:
+
+- GP English Name: *Allow networking in Windows Sandbox*
+- GP name: *AllowNetworking*
+- GP path: *Windows Components/Windows Sandbox*
+- GP ADMX file name: *WindowsSandbox.admx*
+
+
+
+The following are the supported values:
+- 0 - Disabled
+- 1 (default) - Enabled
+
+
+
+
+
+
+
+
+
+
+
+
+
+**WindowsSandbox/AllowPrinterRedirection**
+
+Available in the latest Windows 10 insider preview build.
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting allows the IT admin to enable or disable printer sharing from the host into the Sandbox.
+
+If this policy is not configured, end-users get the default behavior (printer sharing disabled).
+
+If printer sharing is disabled, a user will not be able to enable printer sharing from their own configuration file.
+
+If printer sharing is enabled, a user will be able to disable printer sharing from their own configuration file to make the device more secure.
+
+> [!NOTE]
+> You must restart Windows Sandbox for any changes to this policy setting to take effect.
+
+
+
+ADMX Info:
+
+- GP English Name: *Allow printer sharing with Windows Sandbox*
+- GP name: *AllowPrinterRedirection*
+- GP path: *Windows Components/Windows Sandbox*
+- GP ADMX file name: *WindowsSandbox.admx*
+
+
+
+The following are the supported values:
+
+- 0 - Disabled
+- 1 (default) - Enabled
+
+
+
+
+
+
+
+
+
+
+
+
+
+**WindowsSandbox/AllowVGPU**
+
+Available in the latest Windows 10 insider preview build.
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting allows the IT admin to enable or disable virtualized GPU for Windows Sandbox.
+
+> [!NOTE]
+> Enabling virtualized GPU can potentially increase the attack surface of Windows Sandbox.
+
+If this policy is not configured, end-users get the default behavior (vGPU is disabled).
+
+If vGPU is disabled, a user will not be able to enable vGPU support from their own configuration file.
+
+If vGPU is enabled, a user will be able to disable vGPU support from their own configuration file to make the device more secure.
+
+> [!NOTE]
+> You must restart Windows Sandbox for any changes to this policy setting to take effect.
+
+
+
+ADMX Info:
+
+- GP English Name: *Allow vGPU sharing for Windows Sandbox*
+- GP name: *AllowVGPU*
+- GP path: *Windows Components/Windows Sandbox*
+- GP ADMX file name: *WindowsSandbox.admx*
+
+
+
+The following are the supported values:
+
+- 0 (default) - Disabled
+- 1 - Enabled
+
+
+
+
+
+
+
+
+
+
+
+
+
+**WindowsSandbox/AllowVideoInput**
+
+Available in the latest Windows 10 insider preview build.
+
+
+
+
+
+
+
+
+Windows Edition
+ Supported?
+
+
+Home
+
+
+Pro
+
+
+Business
+
+
+Enterprise
+
+
+Education
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy setting allows the IT admin to enable or disable video input to the Sandbox.
+
+> [!NOTE]
+> There may be security implications of exposing host video input to the container.
+
+If this policy is not configured, users get the default behavior (video input disabled).
+
+If video input is disabled, users will not be able to enable video input from their own configuration file.
+
+If video input is enabled, users will be able to disable video input from their own configuration file to make the device more secure.
+
+> [!NOTE]
+> You must restart Windows Sandbox for any changes to this policy setting to take effect.
+
+
+
+ADMX Info:
+- GP English Name: *Allow video input in Windows Sandbox*
+- GP name: *AllowVideoInput*
+- GP path: *Windows Components/Windows Sandbox*
+- GP ADMX file name: *WindowsSandbox.admx*
+
+
+
+The following are the supported values:
+
+- 0 (default) - Disabled
+- 1 - Enabled
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md
index 27c1aceaf0..0ed48a5776 100644
--- a/windows/client-management/mdm/policy-ddf-file.md
+++ b/windows/client-management/mdm/policy-ddf-file.md
@@ -10,7 +10,7 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
-ms.date: 06/03/2020
+ms.date: 10/28/2020
---
# Policy DDF file
@@ -20,6 +20,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Policy*
You can view various Policy DDF files by clicking the following links:
+- [View the Policy DDF file for Windows 10, version 20H2](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/PolicyDDF_all_20H2.xml)
- [View the Policy DDF file for Windows 10, version 2004](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/PolicyDDF_all_2004.xml)
- [View the Policy DDF file for Windows 10, version 1903](https://download.microsoft.com/download/0/C/D/0CD61812-8B9C-4846-AC4A-1545BFD201EE/PolicyDDF_all_1903.xml)
- [View the Policy DDF file for Windows 10, version 1809](https://download.microsoft.com/download/7/3/5/735B8537-82F4-4CD1-B059-93984F9FAAC5/Policy_DDF_all_1809.xml)
@@ -32,7 +33,7 @@ You can view various Policy DDF files by clicking the following links:
You can download DDF files for various CSPs from [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
-The XML below is the DDF for Windows 10, version 2004.
+The XML below is the DDF for Windows 10, version 20H2.
```xml
@@ -8713,6 +8714,52 @@ Related policy:
+
@@ -161,7 +166,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
@@ -4227,27 +4225,27 @@ The following functions are for internal USMT use only. Do not use them in an .x
You can use the following version tags with various helper functions:
-- “CompanyName”
+- "CompanyName"
-- “FileDescription”
+- "FileDescription"
-- “FileVersion”
+- "FileVersion"
-- “InternalName”
+- "InternalName"
-- “LegalCopyright”
+- "LegalCopyright"
-- “OriginalFilename”
+- "OriginalFilename"
-- “ProductName”
+- "ProductName"
-- “ProductVersion”
+- "ProductVersion"
The following version tags contain values that can be compared:
-- “FileVersion”
+- "FileVersion"
-- “ProductVersion”
+- "ProductVersion"
## Related topics
diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md
index 5b4f53e98a..e7ec8ac329 100644
--- a/windows/deployment/vda-subscription-activation.md
+++ b/windows/deployment/vda-subscription-activation.md
@@ -7,6 +7,7 @@ ms.author: greglin
author: greg-lindsay
description: Learn how to configure virtual machines (VMs) to enable Windows 10 Subscription Activation in a Windows Virtual Desktop Access (VDA) scenario.
keywords: upgrade, update, task sequence, deploy
+ms.custom: seo-marvel-apr2020
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
@@ -31,25 +32,28 @@ Deployment instructions are provided for the following scenarios:
- VMs must be running Windows 10 Pro, version 1703 (also known as the Creator's Update) or later.
- VMs must be Active Directory-joined or Azure Active Directory (AAD)-joined.
- VMs must be generation 1.
-- VMs must hosted by a [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH).
+- VMs must be hosted by a [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH).
## Activation
### Scenario 1
+
- The VM is running Windows 10, version 1803 or later.
- The VM is hosted in Azure or another [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH).
When a user with VDA rights signs in to the VM using their AAD credentials, the VM is automatically stepped-up to Enterprise and activated. There is no need to perform Windows 10 Pro activation. This eliminates the need to maintain KMS or MAK in the qualifying cloud infrastructure.
### Scenario 2
+
- The Hyper-V host and the VM are both running Windows 10, version 1803 or later.
[Inherited Activation](https://docs.microsoft.com/windows/deployment/windows-10-subscription-activation#inherited-activation) is enabled. All VMs created by a user with a Windows 10 E3 or E5 license are automatically activated independent of whether a user signs in with a local account or using an Azure Active Directory account.
### Scenario 3
+
- The VM is running Windows 10, version 1703 or 1709, or the hoster is not an authorized [QMTH](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) partner.
- In this scenario, the underlying Windows 10 Pro license must be activated prior to Subscription Activation of Windows 10 Enterprise. Activation is accomplished using a Windows 10 Pro Generic Volume License Key (GVLK) and a Volume License KMS activation server provided by the hoster. Alternatively, a KMS activation server on your corporate network can be used if you have configured a private connection, such as [ExpressRoute](https://azure.microsoft.com/services/expressroute/) or [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/).
+ In this scenario, the underlying Windows 10 Pro license must be activated prior to Subscription Activation of Windows 10 Enterprise. Activation is accomplished using a Windows 10 Pro Generic Volume License Key (GVLK) and a Volume License KMS activation server provided by the hoster. Alternatively, a KMS activation server can be used. KMS activation is provided for Azure VMs. For more information, see [Troubleshoot Azure Windows virtual machine activation problems](https://docs.microsoft.com/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems).
For examples of activation issues, see [Troubleshoot the user experience](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses#troubleshoot-the-user-experience).
@@ -68,7 +72,7 @@ For examples of activation issues, see [Troubleshoot the user experience](https:
6. Follow the instructions to use sysprep at [Steps to generalize a VHD](https://docs.microsoft.com/azure/virtual-machines/windows/prepare-for-upload-vhd-image#steps-to-generalize-a-vhd) and then start the VM again.
7. If you must activate Windows 10 Pro as described for [scenario 3](#scenario-3), complete the following steps to use Windows Configuration Designer and inject an activation key. Otherwise, skip to step 20.
8. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd).
-9. Open Windows Configuration Designer and click **Provison desktop services**.
+9. Open Windows Configuration Designer and click **Provision desktop services**.
10. Under **Name**, type **Desktop AD Enrollment Pro GVLK**, click **Finish**, and then on the **Set up device** page enter a device name.
- Note: You can use a different project name, but this name is also used with dism.exe in a subsequent step.
11. Under **Enter product key** type the Pro GVLK key: **W269N-WFGWX-YVC9B-4J6C9-T83GX**.
@@ -110,7 +114,7 @@ For Azure AD-joined VMs, follow the same instructions (above) as for [Active Dir
3. On the Remote tab, choose **Allow remote connections to this computer** and then click **Select Users**.
4. Click **Add**, type **Authenticated users**, and then click **OK** three times.
5. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd).
-6. Open Windows Configuration Designer and click **Provison desktop services**.
+6. Open Windows Configuration Designer and click **Provision desktop services**.
7. If you must activate Windows 10 Pro as described for [scenario 3](#scenario-3), complete the following steps. Otherwise, skip to step 8.
1. Under **Name**, type **Desktop Bulk Enrollment Token Pro GVLK**, click **Finish**, and then on the **Set up device** page enter a device name.
2. Under **Enter product key** type the Pro GVLK key: **W269N-WFGWX-YVC9B-4J6C9-T83GX**.
diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
index 893b4f6f7c..79c1279f78 100644
--- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
+++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
@@ -1,6 +1,7 @@
---
title: Activate using Active Directory-based activation (Windows 10)
-description: Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects.
+description: Learn how active directory-based activation is implemented as a role service that relies on AD DS to store activation objects.
+ms.custom: seo-marvel-apr2020
ms.assetid: 08cce6b7-7b5b-42cf-b100-66c363a846af
ms.reviewer:
manager: laurawi
@@ -28,6 +29,9 @@ ms.topic: article
>- Windows Server 2012
>- Windows Server 2016
>- Windows Server 2019
+>- Office 2013*
+>- Office 2016*
+>- Office 2019*
**Looking for retail activation?**
@@ -45,10 +49,13 @@ The process proceeds as follows:
1. Perform one of the following tasks:
- Install the Volume Activation Services server role on a domain controller and add a KMS host key by using the Volume Activation Tools Wizard.
- Extend the domain to the Windows Server 2012 R2 or higher schema level, and add a KMS host key by using the VAMT.
-1. Microsoft verifies the KMS host key, and an activation object is created.
-1. Client computers are activated by receiving the activation object from a domain controller during startup.
- 
+2. Microsoft verifies the KMS host key, and an activation object is created.
+
+3. Client computers are activated by receiving the activation object from a domain controller during startup.
+
+ > [!div class="mx-imgBorder"]
+ > 
**Figure 10**. The Active Directory-based activation flow
@@ -68,52 +75,67 @@ When a reactivation event occurs, the client queries AD DS for the activation o
**To configure Active Directory-based activation on Windows Server 2012 R2 or higher, complete the following steps:**
1. Use an account with Domain Administrator and Enterprise Administrator credentials to sign in to a domain controller.
-1. Launch Server Manager.
-1. Add the Volume Activation Services role, as shown in Figure 11.
+
+2. Launch Server Manager.
+
+3. Add the Volume Activation Services role, as shown in Figure 11.
**Figure 11**. Adding the Volume Activation Services role
-1. Click the link to launch the Volume Activation Tools (Figure 12).
+4. Click the link to launch the Volume Activation Tools (Figure 12).
**Figure 12**. Launching the Volume Activation Tools
-1. Select the **Active Directory-Based Activation** option (Figure 13).
+5. Select the **Active Directory-Based Activation** option (Figure 13).
**Figure 13**. Selecting Active Directory-Based Activation
-1. Enter your KMS host key and (optionally) a display name (Figure 14).
+6. Enter your KMS host key and (optionally) a display name (Figure 14).
**Figure 14**. Entering your KMS host key
-1. Activate your KMS host key by phone or online (Figure 15).
+7. Activate your KMS host key by phone or online (Figure 15).
-
+
**Figure 15**. Choosing how to activate your product
-1. After activating the key, click **Commit**, and then click **Close**.
+ > [!NOTE]
+ > To activate a KMS Host Key (CSVLK) for Microsoft Office, you need to install the version-specific Office Volume License Pack on the server where the Volume Activation Server Role is installed.
+ >
+ >
+ > - [Office 2013 VL pack](https://www.microsoft.com/download/details.aspx?id=35584)
+ >
+ > - [Office 2016 VL pack](https://www.microsoft.com/download/details.aspx?id=49164)
+ >
+ > - [Office 2019 VL pack](https://www.microsoft.com/download/details.aspx?id=57342)
+
+8. After activating the key, click **Commit**, and then click **Close**.
## Verifying the configuration of Active Directory-based activation
To verify your Active Directory-based activation configuration, complete the following steps:
1. After you configure Active Directory-based activation, start a computer that is running an edition of Windows that is configured by volume licensing.
-1. If the computer has been previously configured with a MAK key, replace the MAK key with the GVLK by running the **slmgr.vbs /ipk** command and specifying the GLVK as the new product key.
-1. If the computer is not joined to your domain, join it to the domain.
-1. Sign in to the computer.
-1. Open Windows Explorer, right-click **Computer**, and then click **Properties**.
-1. Scroll down to the **Windows activation** section, and verify that this client has been activated.
+2. If the computer has been previously configured with a MAK key, replace the MAK key with the GVLK by running the **slmgr.vbs /ipk** command and specifying the GLVK as the new product key.
+3. If the computer is not joined to your domain, join it to the domain.
+4. Sign in to the computer.
+5. Open Windows Explorer, right-click **Computer**, and then click **Properties**.
+6. Scroll down to the **Windows activation** section, and verify that this client has been activated.
> [!NOTE]
> If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmgr.vbs /dlv** command also indicates whether KMS has been used.
+ >
+ > To manage individual activations or apply multiple (mass) activations, please consider using the [VAMT](https://docs.microsoft.com/windows/deployment/volume-activation/volume-activation-management-tool).
+
## See also
diff --git a/windows/deployment/volume-activation/configure-client-computers-vamt.md b/windows/deployment/volume-activation/configure-client-computers-vamt.md
index f4e102124a..952db8ab4a 100644
--- a/windows/deployment/volume-activation/configure-client-computers-vamt.md
+++ b/windows/deployment/volume-activation/configure-client-computers-vamt.md
@@ -24,8 +24,8 @@ To enable the Volume Activation Management Tool (VAMT) to function correctly, ce
Organizations where the VAMT will be widely used may benefit from making these changes inside the master image for Windows.
-> [IMPORTANT]
-> This procedure only applies to clients running Windows Vista or later. For clients running Windows XP Service Pack 1, see [Connecting Through Windows Firewall](https://docs.microsoft.com/windows/win32/wmisdk/connecting-to-wmi-remotely-with-vbscript).
+> [IMPORTANT]
+> This procedure only applies to clients running Windows Vista or later. For clients running Windows XP Service Pack 1, see [Connecting Through Windows Firewall](https://docs.microsoft.com/windows/win32/wmisdk/connecting-to-wmi-remotely-with-vbscript).
## Configuring the Windows Firewall to allow VAMT access
diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md
index 6b18acd8ae..a525cff518 100644
--- a/windows/deployment/volume-activation/install-vamt.md
+++ b/windows/deployment/volume-activation/install-vamt.md
@@ -25,7 +25,7 @@ This topic describes how to install the Volume Activation Management Tool (VAMT)
You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10.
>[!IMPORTANT]
->VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products’ license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you do not have administrator privileges, start VAMT with elevated privileges. For Active Directory-Based Activation use, for best results we recommend running VAMT while logged on as a domain administrator.
+>VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products’ license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you do not have administrator privileges, start VAMT with elevated privileges. For best results when using Active Directory-based activation, we recommend running VAMT while logged on as a domain administrator.
>[!NOTE]
>The VAMT Microsoft Management Console snap-in ships as an x86 package.
@@ -33,46 +33,58 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for
### Requirements
- [Windows Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience), with internet access (for the main VAMT console) and all updates applied
-- [Windows 10, version 1903 ADK](https://go.microsoft.com/fwlink/?linkid=2086042)
+- Latest version of the [Windows 10 ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install)
- Any supported [SQL Server Express](https://www.microsoft.com/sql-server/sql-server-editions-express) version, the latest is recommended
- Alternatively, any supported **full** SQL instance
### Install SQL Server Express / alternatively use any full SQL instance
1. Download and open the [SQL Server Express](https://www.microsoft.com/sql-server/sql-server-editions-express) package.
+
2. Select **Basic**.
+
3. Accept the license terms.
+
4. Enter an install location or use the default path, and then select **Install**.
+
5. On the completion page, note the instance name for your installation, select **Close**, and then select **Yes**.
### Install VAMT using the ADK
-1. Download and open the [Windows 10, version 1903 ADK](https://go.microsoft.com/fwlink/?linkid=2086042) package.
-Reminder: There won't be new ADK release for 1909.
+1. Download the latest version of [Windows 10 ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install).
+
+ If an older version is already installed, it is recommended to uninstall the older ADK and install the latest version. Existing VAMT data is maintained in the VAMT database.
+
2. Enter an install location or use the default path, and then select **Next**.
+
3. Select a privacy setting, and then select **Next**.
+
4. Accept the license terms.
+
5. On the **Select the features you want to install** page, select **Volume Activation Management Tool (VAMT)**, and then select **Install**. (You can select additional features to install as well.)
+
6. On the completion page, select **Close**.
### Configure VAMT to connect to SQL Server Express or full SQL Server
1. Open **Volume Active Management Tool 3.1** from the Start menu.
+
2. Enter the server instance name (for a remote SQL use the FQDN) and a name for the database, select **Connect**, and then select **Yes** to create the database. See the following image for an example for SQL.
- 
+ 
-for remote SQL Server use
-servername.yourdomain.com
+ For remote SQL Server, use `servername.yourdomain.com`.
## Uninstall VAMT
To uninstall VAMT using the **Programs and Features** Control Panel:
+
1. Open **Control Panel** and select **Programs and Features**.
+
2. Select **Assessment and Deployment Kit** from the list of installed programs and click **Change**. Follow the instructions in the Windows ADK installer to remove VAMT.
diff --git a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md
index 7389bcd273..0fcb1ad99c 100644
--- a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md
+++ b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md
@@ -57,7 +57,7 @@ get-help get-VamtProduct -all
```
**Warning**
-The update-help cmdlet is not supported for VAMT PowerShell cmdlets. To view online help for VAMT cmdlets, you can use the -online option with the get-help cmdlet. For more information, see [Volume Activation Management Tool (VAMT) Cmdlets in Windows PowerShell](https://go.microsoft.com/fwlink/p/?LinkId=242278).
+The update-help cmdlet is not supported for VAMT PowerShell cmdlets. To view online help for VAMT cmdlets, you can use the -online option with the get-help cmdlet. For more information, see [Volume Activation Management Tool (VAMT) Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/vamt).
**To view VAMT PowerShell Help sections**
diff --git a/windows/deployment/volume-activation/volume-activation-management-tool.md b/windows/deployment/volume-activation/volume-activation-management-tool.md
index c73cbc4546..23c0a83614 100644
--- a/windows/deployment/volume-activation/volume-activation-management-tool.md
+++ b/windows/deployment/volume-activation/volume-activation-management-tool.md
@@ -13,13 +13,14 @@ audience: itpro
author: greg-lindsay
ms.date: 04/25/2017
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# Volume Activation Management Tool (VAMT) Technical Reference
-The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process.
+The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process.
VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in that requires the Microsoft Management Console (MMC) 3.0. VAMT can be installed on any computer that has one of the following Windows operating systems:
-- Windows® 7 or above
+- Windows® 7 or above
- Windows Server 2008 R2 or above
@@ -28,7 +29,7 @@ VAMT is designed to manage volume activation for: Windows 7, Windows 8, Window
VAMT is only available in an EN-US (x86) package.
-## In this Section
+## In this section
|Topic |Description |
|------|------------|
diff --git a/windows/deployment/windows-10-deployment-posters.md b/windows/deployment/windows-10-deployment-posters.md
index 99b5479318..1a47bd0cf9 100644
--- a/windows/deployment/windows-10-deployment-posters.md
+++ b/windows/deployment/windows-10-deployment-posters.md
@@ -1,6 +1,6 @@
---
title: Windows 10 deployment process posters
-description: View and download Windows 10 deployment process flows for Microsoft Endpoint Configuration Manager and Windows Autopilot.
+description: View and download Windows 10 deployment process flows for Microsoft Endpoint Manager and Windows Autopilot.
ms.reviewer:
manager: laurawi
ms.audience: itpro
diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md
index 61d5af710d..2146d2fb9f 100644
--- a/windows/deployment/windows-10-deployment-scenarios.md
+++ b/windows/deployment/windows-10-deployment-scenarios.md
@@ -159,7 +159,7 @@ For more information about Windows Autopilot, see [Overview of Windows Autopilot
For existing computers running Windows 7, Windows 8, or Windows 8.1, the recommended path for organizations deploying Windows 10 leverages the Windows installation program (Setup.exe) to perform an in-place upgrade, which automatically preserves all data, settings, applications, and drivers from the existing operating system version. This requires the least IT effort, because there is no need for any complex deployment infrastructure.
-Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. This is accomplished by leveraging tools like Microsoft Endpoint Configuration Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences.
+Although consumer PCs will be upgraded using Windows Update, organizations want more control over the process. This is accomplished by leveraging tools like Microsoft Endpoint Manager or the Microsoft Deployment Toolkit to completely automate the upgrade process through simple task sequences.
The in-place upgrade process is designed to be extremely reliable, with the ability to automatically roll back to the previous operating system if any issues are encountered during the deployment process, without any IT staff involvement. Rolling back manually can also be done by leveraging the automatically-created recovery information (stored in the Windows.old folder), in case any issues are encountered after the upgrade is finished. The upgrade process is also typically faster than traditional deployments, because applications do not need to be reinstalled as part of the process.
diff --git a/windows/deployment/windows-10-deployment-tools-reference.md b/windows/deployment/windows-10-deployment-tools-reference.md
index 2321163bd1..9bb72ea7bb 100644
--- a/windows/deployment/windows-10-deployment-tools-reference.md
+++ b/windows/deployment/windows-10-deployment-tools-reference.md
@@ -26,5 +26,5 @@ Learn about the tools available to deploy Windows 10.
|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |
|[Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) |The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. |
|[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. |
-|[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. |
+|[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. |
|[User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) |The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals |
diff --git a/windows/deployment/windows-10-deployment-tools.md b/windows/deployment/windows-10-deployment-tools.md
index 33f7b49f5e..6a20248ebe 100644
--- a/windows/deployment/windows-10-deployment-tools.md
+++ b/windows/deployment/windows-10-deployment-tools.md
@@ -26,5 +26,5 @@ Learn about the tools available to deploy Windows 10.
|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |
|[Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) |The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. |
|[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. |
-|[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. |
+|[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. |
|[User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) |The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals |
diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md
index c10e477cff..8e1f84c95e 100644
--- a/windows/deployment/windows-10-poc-mdt.md
+++ b/windows/deployment/windows-10-poc-mdt.md
@@ -1,6 +1,7 @@
---
title: Step by step - Deploy Windows 10 in a test lab using MDT
-description: Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit (MDT)
+description: In this article, you'll learn how to deploy Windows 10 in a test lab using Microsoft Deployment Toolkit (MDT).
+ms.custom: seo-marvel-apr2020
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md
index 1db27c1143..180f2dd30b 100644
--- a/windows/deployment/windows-10-poc-sc-config-mgr.md
+++ b/windows/deployment/windows-10-poc-sc-config-mgr.md
@@ -1,6 +1,6 @@
---
-title: Step by step - Deploy Windows 10 using Microsoft Endpoint Configuration Manager
-description: Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager
+title: Steps to deploy Windows 10 with Microsoft Endpoint Configuration Manager
+description: In this article, you'll learn how to deploy Windows 10 in a test lab using Microsoft endpoint configuration manager.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -14,6 +14,7 @@ ms.author: greglin
author: greg-lindsay
audience: itpro
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager
@@ -127,7 +128,7 @@ Topics and procedures in this guide are summarized in the following table. An es
Stop-Process -Name Explorer
```
-2. Download [Microsoft Endpoint Configuration Manager and Endpoint Protection](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) on SRV1 (download the executable file anywhere on SRV1), double-click the file, enter **C:\configmgr** for **Unzip to folder**, and click **Unzip**. The C:\configmgr directory will be automatically created. Click **OK** and then close the **WinZip Self-Extractor** dialog box when finished.
+2. Download [Microsoft Endpoint Manager and Endpoint Protection](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) on SRV1 (download the executable file anywhere on SRV1), double-click the file, enter **C:\configmgr** for **Unzip to folder**, and click **Unzip**. The C:\configmgr directory will be automatically created. Click **OK** and then close the **WinZip Self-Extractor** dialog box when finished.
3. Before starting the installation, verify that WMI is working on SRV1. See the following examples. Verify that **Running** is displayed under **Status** and **True** is displayed next to **TcpTestSucceeded**:
@@ -187,7 +188,7 @@ Topics and procedures in this guide are summarized in the following table. An es
cmd /c C:\configmgr\SMSSETUP\BIN\X64\Setup.exe
```
-18. Provide the following in the Microsoft Endpoint Configuration Manager Setup Wizard:
+18. Provide the following in the Microsoft Endpoint Manager Setup Wizard:
- **Before You Begin**: Read the text and click *Next*.
- **Getting Started**: Choose **Install a Configuration Manager primary site** and select the **Use typical installation options for a stand-alone primary site** checkbox.
- Click **Yes** in response to the popup window.
@@ -282,7 +283,7 @@ This section contains several procedures to support Zero Touch installation with
3. On the **Network Access Account** tab, choose **Specify the account that accesses network locations**.
4. Click the yellow starburst and then click **New Account**.
5. Click **Browse** and then under **Enter the object name to select**, type **CM_NAA** and click **OK**.
-6. Next to **Password** and **Confirm Password**, type **pass@word1**, and then click **OK** twice.
+6. Next to **Password** and **Confirm Password**, type **pass\@word1**, and then click **OK** twice.
### Configure a boundary group
@@ -319,7 +320,7 @@ WDSUTIL /Set-Server /AnswerClients:None
> If the internal network adapter, assigned an IP address of 192.168.0.2, is not named "Ethernet" then replace the name "Ethernet" in the previous command with the name of this network adapter. You can review the names of network adapters and the IP addresses assigned to them by typing **ipconfig**.
-2. In the Microsoft Endpoint Configuration Manager console, in the **Administration** workspace, click **Distribution Points**.
+2. In the Microsoft Endpoint Manager console, in the **Administration** workspace, click **Distribution Points**.
3. In the display pane, right-click **SRV1.CONTOSO.COM** and then click **Properties**.
4. On the PXE tab, select the following settings:
- **Enable PXE support for clients**. Click **Yes** in the popup that appears.
@@ -769,8 +770,8 @@ In this first deployment scenario, we will deploy Windows 10 using PXE. This sce
6. The smsts.log file is critical for troubleshooting any installation problems that might be encountered. Depending on the deployment phase, the smsts.log file is created in different locations:
- X:\Windows\temp\SMSTSLog\smsts.log before disks are formatted.
- X:\smstslog\smsts.log after disks are formatted.
- - C:\\_SMSTaskSequence\Logs\Smstslog\smsts.log before the Microsoft Endpoint Configuration Manager client is installed.
- - C:\Windows\ccm\logs\Smstslog\smsts.log after the Microsoft Endpoint Configuration Manager client is installed.
+ - C:\\_SMSTaskSequence\Logs\Smstslog\smsts.log before the Microsoft Endpoint Manager client is installed.
+ - C:\Windows\ccm\logs\Smstslog\smsts.log after the Microsoft Endpoint Manager client is installed.
- C:\Windows\ccm\logs\smsts.log when the task sequence is complete.
Note: If a reboot is pending on the client, the reboot will be blocked as long as the command window is open.
diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index 6b3110a329..86d6e33e83 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -1,11 +1,12 @@
---
title: Configure a test lab to deploy Windows 10
+description: In this article, you will learn about concepts and procedures for deploying Windows 10 in a proof of concept lab environment.
+ms.custom: seo-marvel-apr2020
ms.reviewer:
manager: laurawi
ms.audience: itpro
ms.author: greglin
author: greg-lindsay
-description: Concepts and procedures for deploying Windows 10 in a proof of concept lab environment.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -213,7 +214,7 @@ Starting with Windows 8, the host computer’s microprocessor must support secon
2. The Hyper-V feature is not installed by default. To install it, open an elevated Windows PowerShell window and type the following command:
-
@@ -206,67 +211,67 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
ErrorContext value
-Stage where error occured
+Stage where error occurred
Description and suggestions
@@ -290,36 +295,36 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
-
+
+0
-Never timeout Never time out
1
1 minute
@@ -370,8 +375,8 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
+0
-Never timeout Never time out
1
1 minute (default)
@@ -422,8 +427,8 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
+0
-Never timeout Never time out
1
1 minute
@@ -474,53 +479,54 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
Here is an example:
diff --git a/windows/client-management/mdm/uefi-csp.md b/windows/client-management/mdm/uefi-csp.md
index c26f13353d..c6d416f858 100644
--- a/windows/client-management/mdm/uefi-csp.md
+++ b/windows/client-management/mdm/uefi-csp.md
@@ -22,10 +22,33 @@ The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmwa
> [!NOTE]
> The production UEFI CSP is present in 1809, but it depends upon the [Device Firmware Configuration Interface (DFCI) and UEFI firmware](https://microsoft.github.io/mu/dyn/mu_plus/DfciPkg/Docs/Dfci_Feature/) to comply with this interface.
-The following diagram shows the UEFI CSP in tree format.
-
-
-
+The following shows the UEFI CSP in tree format.
+```
+./Vendor/MSFT
+Uefi
+----DeviceIdentifier
+----Identity
+--------Current
+--------Apply
+--------Result
+----Permissions
+--------Current
+--------Apply
+--------Result
+----Settings
+--------Current
+--------Apply
+--------Result
+----Identity2
+--------Apply
+--------Result
+----Permissions2
+--------Apply
+--------Result
+----Settings2
+--------Apply
+--------Result
+```
The following list describes the characteristics and parameters.
**./Vendor/MSFT/Uefi**
diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md
index 183c89df6d..875bce0570 100644
--- a/windows/client-management/mdm/update-csp.md
+++ b/windows/client-management/mdm/update-csp.md
@@ -19,10 +19,37 @@ The Update configuration service provider enables IT administrators to manage an
> [!Note]
> The Update CSP functionality of 'AprrovedUpdates' is not recommended for managing desktop devices. To manage updates to desktop devices from Windows Update, see the [Policy CSP - Updates](policy-csp-update.md) documentation for the recommended policies.
-The following diagram shows the Update configuration service provider in tree format.
-
-
+The following shows the Update configuration service provider in tree format.
+```./Vendor/MSFT
+Update
+----ApprovedUpdates
+--------Approved Update Guid
+------------ApprovedTime
+----FailedUpdates
+--------Failed Update Guid
+------------HResult
+------------Status
+------------RevisionNumber
+----InstalledUpdates
+--------Installed Update Guid
+------------RevisionNumber
+----InstallableUpdates
+--------Installable Update Guid
+------------Type
+------------RevisionNumber
+----PendingRebootUpdates
+--------Pending Reboot Update Guid
+------------InstalledTime
+------------RevisionNumber
+----LastSuccessfulScanTime
+----DeferUpgrade
+----Rollback
+--------QualityUpdate
+--------FeatureUpdate
+--------QualityUpdateStatus
+--------FeatureUpdateStatus
+```
**Update**
bcdedit /set *{identifier}* option value
-For example, if the device under {default} is wrong or missing, run the following command to set it: `bcdedit /set {default} device partition=C:`
+For example, if the device under {default} is wrong or missing, run this command to set it: `bcdedit /set {default} device partition=C:`
- If you want to re-create the BCD completely, or if you get a message that states that "**The boot configuration data store could not be opened. The system could not find the file specified,** " run `bootrec /rebuildbcd`.
+ If you want to completely re-create the BCD, or if you get a message that states that "**The boot configuration data store could not be opened. The system could not find the file specified,** " run `bootrec /rebuildbcd`.
-If the BCD has the correct entries, check whether the **winload** and **bootmgr** entries exist in the correct location per the path that is specified in the **bcdedit** command. By default, **bootmgr** in the BIOS partition will be in the root of the **SYSTEM** partition. To see the file, run `Attrib -s -h -r`.
+If the BCD has the correct entries, check whether the **winload** and **bootmgr** entries exist in the correct location, which is in the specified path in the **bcdedit** command. By default, **bootmgr** in the BIOS partition is in the root of the **SYSTEM** partition. To see the file, run `Attrib -s -h -r`.
If the files are missing, and you want to rebuild the boot files, follow these steps:
-1. Copy all the contents under the **SYSTEM** partition to another location. Alternatively, you can use the command prompt to navigate to the OS drive, create a new folder, and then copy all the files and folders from the **SYSTEM** volume, as follows:
+1. Copy all the contents under the **SYSTEM** partition to another location. Alternatively, you can use the command prompt to navigate to the OS drive, create a new folder, and then copy all the files and folders from the **SYSTEM** volume, like shown here:
-```
-D:\> Mkdir BootBackup
-R:\> Copy *.* D:\BootBackup
-```
+ ```cmd
+ D:\> Mkdir BootBackup
+ R:\> Copy *.* D:\BootBackup
+ ```
-2. If you are using Windows 10, or if you are troubleshooting by using a Windows 10 ISO at the Windows Pre-Installation Environment command prompt, you can use the **bcdboot** command to re-create the boot files, as follows:
+2. If you're using Windows 10, or if you're troubleshooting by using a Windows 10 ISO at the Windows Pre-Installation Environment command prompt, you can use the **bcdboot** command to re-create the boot files, like shown here:
```cmd
Bcdboot <**OSDrive* >:\windows /s <**SYSTEMdrive* >: /f ALL
```
- For example: if we assign the `
- ```
+ * An account can be marked exempt from deletion by adding the account SID to the registry key: `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\`.
+ * To add the account SID to the registry key using PowerShell:
+
+ ```powershell
$adminName = "LocalAdmin"
$adminPass = 'Pa$$word123'
iex "net user /add $adminName $adminPass"
@@ -228,8 +242,6 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Work ac
```
-
-
## Policies set by shared PC mode
Shared PC mode sets local group policies to configure the device. Some of these are configurable using the shared pc mode options.
diff --git a/windows/configuration/start-layout-troubleshoot.md b/windows/configuration/start-layout-troubleshoot.md
index 37c8bc44ec..f373bc8c78 100644
--- a/windows/configuration/start-layout-troubleshoot.md
+++ b/windows/configuration/start-layout-troubleshoot.md
@@ -12,41 +12,41 @@ manager: dansimp
ms.topic: troubleshooting
---
-# Troubleshoot Start Menu errors
+# Troubleshoot Start menu errors
Start failures can be organized into these categories:
- **Deployment/Install issues** - Easiest to identify but difficult to recover. This failure is consistent and usually permanent. Reset, restore from backup, or rollback to recover.
- **Performance issues** - More common with older hardware, low-powered machines. Symptoms include: High CPU utilization, disk contention, memory resources. This makes Start very slow to respond. Behavior is intermittent depending on available resources.
- **Crashes** - Also easy to identify. Crashes in Shell Experience Host or related can be found in System or Application event logs. This can be a code defect or related to missing or altered permissions to files or registry keys by a program or incorrect security tightening configurations. Determining permissions issues can be time consuming but a [SysInternals tool called Procmon](https://docs.microsoft.com/sysinternals/downloads/procmon) will show **Access Denied**. The other option is to get a dump of the process when it crashes and depending on comfort level, review the dump in the debugger, or have support review the data.
-- **Hangs** in Shell Experience host or related. These are the hardest issues to identify as there are few events logged, but behavior is typically intermittent or recovers with a reboot. If a background application or service hangs, Start will not have resources to respond in time. Clean boot may help identify if the issue is related to additional software. Procmon is also useful in this scenario.
+- **Hangs** - in Shell Experience host or related. These are the hardest issues to identify as there are few events logged, but behavior is typically intermittent or recovers with a reboot. If a background application or service hangs, Start will not have resources to respond in time. Clean boot may help identify if the issue is related to additional software. Procmon is also useful in this scenario.
- **Other issues** - Customization, domain policies, deployment issues.
## Basic troubleshooting
-When troubleshooting basic Start issues (and for the most part, all other Windows apps), there are a few things to check if they are not working as expected. When experiencing issues where the Start Menu or sub-component are not working, there are some quick tests to narrow down where the issue may reside.
+When troubleshooting basic Start issues (and for the most part, all other Windows apps), there are a few things to check if they are not working as expected. For issues where the Start menu or subcomponent isn't working, you can do some quick tests to narrow down where the issue may reside.
### Check the OS and update version
- Is the system running the latest Feature and Cumulative Monthly update?
- Did the issue start immediately after an update? Ways to check:
- - Powershell:[System.Environment]::OSVersion.Version
+ - PowerShell:[System.Environment]::OSVersion.Version
- WinVer from CMD.exe
### Check if Start is installed
- If Start fails immediately after a feature update, on thing to check is if the App package failed to install successfully.
-- If Start was working and just fails intermittently, it's likely that Start is installed correctly, but the issue occurs downstream. The way to check for this is to look for output from these two PS commands:
+- If Start was working and just fails intermittently, it's likely that Start is installed correctly, but the issue occurs downstream. The way to check for this problem is to look for output from these two PS commands:
- `get-AppXPackage -Name Microsoft.Windows.ShellExperienceHost`
- `get-AppXPackage -Name Microsoft.Windows.Cortana`
- Failure messages will appear if they are not installed
+ Failure messages will appear if they aren't installed
-- If Start is not installed the fastest resolution is to revert to a known good configuration. This can be rolling back the update, resetting the PC to defaults (where there is a choice to save to delete user data), or restoring from backup. There is no supported method to install Start Appx files. The results are often problematic and unreliable.
+- If Start is not installed, then the fastest resolution is to revert to a known good configuration. This can be rolling back the update, resetting the PC to defaults (where there is a choice to save to delete user data), or restoring from backup. No method is supported to install Start Appx files. The results are often problematic and unreliable.
### Check if Start is running
@@ -54,7 +54,7 @@ If either component is failing to start on boot, reviewing the event logs for er
- `get-process -name shellexperiencehost`
- `get-process -name searchui`
-If it is installed but not running, test booting into safe mode or use MSCONFIG to eliminate 3rd party or additional drivers and applications.
+If it is installed but not running, test booting into safe mode or use MSCONFIG to eliminate third-party or additional drivers and applications.
### Check whether the system a clean install or upgrade
@@ -76,9 +76,9 @@ If these events are found, Start is not activated correctly. Each event will hav
### Other things to consider
-When did this start?
+When did the problem start?
-- Top issues for Start Menu failure are triggered
+- Top issues for Start menu failure are triggered
- After an update
- After installation of an application
- After joining a domain or applying a domain policy
@@ -87,7 +87,7 @@ When did this start?
- Start or related component crashes or hangs
- Customization failure
-To narrow this down further, it's good to note:
+To narrow down the problem further, it's good to note:
- What is the install background?
- Was this a deployment, install from media, other
@@ -103,7 +103,7 @@ To narrow this down further, it's good to note:
- Some Group Policies intended for Windows 7 or older have been known to cause issues with Start
- Untested Start Menu customizations can cause unexpected behavior by typically not complete Start failures.
-- Is this a virtualized environment?
+- Is the environment virtualized?
- VMware
- Citrix
- Other
@@ -123,13 +123,13 @@ To narrow this down further, it's good to note:
- Microsoft-Windows-CloudStore*
-- Check for crashes that may be related to Start (explorer.exe, taskbar, etc)
+- Check for crashes that may be related to Start (explorer.exe, taskbar, and so on)
- Application log event 1000, 1001
- Check WER reports
- C:\ProgramData\Microsoft\Windows\WER\ReportArchive\
- C:\ProgramData\Micrt\Windowsosof\WER\ReportQueue\
-If there is a component of Start that is consistently crashing, capture a dump which can be reviewed by Microsoft Support.
+If there is a component of Start that is consistently crashing, capture a dump that can be reviewed by Microsoft Support.
## Common errors and mitigation
@@ -169,7 +169,8 @@ The PDC registry key is:
**Type**=dword:00000001
In addition to the listed dependencies for the service, Background Tasks Infrastructure Service requires the Power Dependency Coordinator Driver to be loaded. If the PDC does not load at boot, Background Tasks Infrastructure Service will fail and affect Start Menu.
-Events for both PDC and Background Tasks Infrastructure Service will be recorded in the event logs. PDC should not be disabled or deleted. BrokerInfrastructure is an automatic service. This Service is required for all these operating Systems as running to have a stable Start Menu.
+
+Events for both PDC and Background Tasks Infrastructure Service will be recorded in the event logs. PDC shouldn't be disabled or deleted. BrokerInfrastructure is an automatic service. This Service is required for all these operating Systems as running to have a stable Start Menu.
>[!NOTE]
>You cannot stop this automatic service when machine is running (C:\windows\system32\svchost.exe -k DcomLaunch -p).
@@ -179,17 +180,17 @@ Events for both PDC and Background Tasks Infrastructure Service will be recorded
**Cause**: There was a change in the All Apps list between Windows 10, versions 1511 and 1607. These changes mean the original Group Policy and corresponding registry key no longer apply.
-**Resolution**: This issue was resolved in the June 2017 updates. Please update Windows 10, version 1607 to the latest cumulative or feature updates.
+**Resolution**: This issue was resolved in the June 2017 updates. Update Windows 10, version 1607, to the latest cumulative or feature updates.
>[!NOTE]
>When the Group Policy is enabled, the desired behavior also needs to be selected. By default, it is set to **None**.
-### Symptom: Application tiles like Alarm, Calculator, and Edge are missing from Start Menu and the Settings app fails to open on Windows 10, version 1709 when a local user profile is deleted
+### Symptom: Application tiles like Alarm, Calculator, and Edge are missing from Start menu and the Settings app fails to open on Windows 10, version 1709 when a local user profile is deleted
-**Cause**: This is a known issue where the first-time logon experience is not detected and does not trigger the install of some Apps.
+**Cause**: This issue is known. The first-time sign-in experience is not detected and does not trigger the install of some apps.
**Resolution**: This issue has been fixed for Windows 10, version 1709 in [KB 4089848](https://support.microsoft.com/help/4089848) March 22, 2018—KB4089848 (OS Build 16299.334)
@@ -202,17 +203,17 @@ Events for both PDC and Background Tasks Infrastructure Service will be recorded
- Event ID 22 is logged when the xml is malformed, meaning the specified file simply isn’t valid xml.
- When editing the xml file, it should be saved in UTF-8 format.
-- Unexpected information: This occurs when possibly trying to add a tile via unexpected or undocumented method.
+- Unexpected information: This occurs when possibly trying to add a tile via an unexpected or undocumented method.
- **Event ID: 64** is logged when the xml is valid but has unexpected values.
- For example: The following error occurred while parsing a layout xml file: The attribute 'LayoutCustomizationRestrictiontype' on the element '{http://schemas.microsoft.com/Start/2014/LayoutModification}DefaultLayoutOverride' is not defined in the DTD/Schema.
XML files can and should be tested locally on a Hyper-V or other virtual machine before deployment or application by Group Policy
-### Symptom: Start menu no longer works after a PC is refreshed using F12 during start up
+### Symptom: Start menu no longer works after a PC is refreshed using F12 during startup
-**Description**: If a user is having problems with a PC, is can be refreshed, reset, or restored. Refreshing the PC is a beneficial option because it maintains personal files and settings. When users have trouble starting the PC, "Change PC settings" in Settings is not accessible. So, to access the System Refresh, users may use the F12 key at start up. Refreshing the PC finishes, but Start Menu is not accessible.
+**Description**: If a user is having problems with a PC, it can be refreshed, reset, or restored. Refreshing the PC is a beneficial option because it maintains personal files and settings. When users have trouble starting the PC, "Change PC settings" in Settings is not accessible. So, to access the System Refresh, users may use the F12 key at startup. Refreshing the PC finishes, but Start Menu is not accessible.
-**Cause**: This is a known issue and has been resolved in a cumulative update released August 30th 2018.
+**Cause**: This issue is known and was resolved in a cumulative update released August 30, 2018.
**Resolution**: Install corrective updates; a fix is included in the [September 11, 2018-KB4457142 release](https://support.microsoft.com/help/4457142).
@@ -232,7 +233,7 @@ Specifically, behaviors include
- Applications (apps or icons) pinned to the start menu are missing.
- Entire tile window disappears.
- The start button fails to respond.
-- If a new roaming user is created, the first logon appears normal, but on subsequent logons, tiles are missing.
+- If a new roaming user is created, the first sign-in appears normal, but on subsequent sign-ins, tiles are missing.
@@ -261,12 +262,12 @@ After the upgrade the user pinned tiles are missing:
-Additionally, users may see blank tiles if logon was attempted without network connectivity.
+Additionally, users may see blank tiles if sign-in was attempted without network connectivity.
-**Resolution**: This is fixed in [October 2017 update](https://support.microsoft.com/en-us/help/4041676).
+**Resolution**: This issue was fixed in the [October 2017 update](https://support.microsoft.com/en-us/help/4041676).
### Symptom: Tiles are missing after upgrade from Windows 10, version 1607 to version 1709 for users with Roaming User Profiles (RUP) enabled and managed Start Menu layout with partial lockdown
@@ -278,13 +279,13 @@ Additionally, users may see blank tiles if logon was attempted without network c
### Symptom: Start Menu issues with Tile Data Layer corruption
-**Cause**: Windows 10, version 1507 through the release of version 1607 uses a database for the Tile image information. This is called the Tile Data Layer database (The feature was deprecated in [Windows 10 1703](https://support.microsoft.com/help/4014193/features-that-are-removed-or-deprecated-in-windows-10-creators-update)).
+**Cause**: Windows 10, version 1507 through the release of version 1607 uses a database for the Tile image information. This is called the Tile Data Layer database. (The feature was deprecated in [Windows 10 1703](https://support.microsoft.com/help/4014193/features-that-are-removed-or-deprecated-in-windows-10-creators-update).)
**Resolution** There are steps you can take to fix the icons, first is to confirm that is the issue that needs to be addressed.
-1. The App or Apps work fine when you click on the tiles.
+1. The App or Apps work fine when you select the tiles.
2. The tiles are blank, have a generic placeholder icon, have the wrong or strange title information.
-3. The app is missing, but listed as installed via Powershell and works if you launch via URI.
+3. The app is missing, but listed as installed via PowerShell and works if you launch via URI.
- Example: `windows-feedback://`
4. In some cases, Start can be blank, and Action Center and Cortana do not launch.
@@ -301,9 +302,9 @@ Although a reboot is not required, it may help clear up any residual issues afte
### Symptoms: Start Menu and Apps cannot start after upgrade to Windows 10 version 1809 when Symantec Endpoint Protection is installed
-**Description** Start Menu, Search and Apps do not start after you upgrade a Windows 7-based computer that has Symantec Endpoint Protection installed to Windows 10 version 1809.
+**Description**: Start menu, Search, and Apps do not start after you upgrade a computer running Windows 7 that has Symantec Endpoint Protection installed to Windows 10 version 1809.
-**Cause** This occurs because of a failure to load sysfer.dll. During upgrade, the setup process does not set the privilege group "All Application Packages" on sysfer.dll and other Symantec modules.
+**Cause**: This problem occurs because of a failure to load sysfer.dll. During upgrade, the setup process does not set the privilege group "All Application Packages" on sysfer.dll and other Symantec modules.
**Resolution** This issue was fixed by the Windows Cumulative Update that were released on December 5, 2018—KB4469342 (OS Build 17763.168).
@@ -321,7 +322,7 @@ If you have already encountered this issue, use one of the following two options
4. Confirm that **All Application Packages** group is missing.
-5. Click **Edit**, and then click **Add** to add the group.
+5. Select **Edit**, and then select **Add** to add the group.
6. Test Start and other Apps.
diff --git a/windows/configuration/stop-employees-from-using-microsoft-store.md b/windows/configuration/stop-employees-from-using-microsoft-store.md
index e665d37ba5..a6c45ca8c1 100644
--- a/windows/configuration/stop-employees-from-using-microsoft-store.md
+++ b/windows/configuration/stop-employees-from-using-microsoft-store.md
@@ -32,7 +32,6 @@ IT pros can configure access to Microsoft Store for client computers in their or
## Options to configure access to Microsoft Store
-
You can use these tools to configure access to Microsoft Store: AppLocker or Group Policy. For Windows 10, this is only supported on Windows 10 Enterprise edition.
## Block Microsoft Store using AppLocker
@@ -64,6 +63,20 @@ For more information on AppLocker, see [What is AppLocker?](/windows/device-secu
8. Optional: On **Exceptions**, specify conditions by which to exclude files from being affected by the rule. This allows you to add exceptions based on the same rule reference and rule scope as you set before. Click **Next**.
+## Block Microsoft Store using configuration service provider
+
+Applies to: Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education
+
+If you have Windows 10 devices in your organization that are managed using a mobile device management (MDM) system, such as Microsoft Intune, you can block access to Microsoft Store app using the following configuration service providers (CSPs):
+
+- [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider)
+- [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp)
+
+For more information, see [Configure an MDM provider](https://docs.microsoft.com/microsoft-store/configure-mdm-provider-microsoft-store-for-business).
+
+For more information on the rules available via AppLocker on the different supported operating systems, see [Operating system requirements](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker#operating-system-requirements).
+
+
## Block Microsoft Store using Group Policy
@@ -87,12 +100,12 @@ You can also use Group Policy to manage access to Microsoft Store.
> [!Important]
> Enabling **Turn off the Store application** policy turns off app updates from Microsoft Store.
-## Block Microsoft Store using management tool
+## Block Microsoft Store on Windows 10 Mobile
Applies to: Windows 10 Mobile
-If you have mobile devices in your organization that you upgraded from earlier versions of Windows Phone 8 to Windows 10 Mobile, existing policies created using the Windows Phone 8.1 configuration service providers (CSP) with your MDM tool will continue to work on Windows 10 Mobile. If you are starting with Windows 10 Mobile, we recommend using [AppLocker](#block-store-applocker) to manage access to Microsoft Store app.
+If you have mobile devices in your organization that you upgraded from earlier versions of Windows Phone 8 to Windows 10 Mobile, existing policies created using the Windows Phone 8.1 CSPs with your MDM tool will continue to work on Windows 10 Mobile. If you are starting with Windows 10 Mobile, we recommend using [AppLocker](#block-store-applocker) to manage access to Microsoft Store app.
When your MDM tool supports Microsoft Store for Business, the MDM can use these CSPs to block Microsoft Store app:
diff --git a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
index 110c062f57..159d0b1376 100644
--- a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
+++ b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md
@@ -1,7 +1,7 @@
---
title: Administering UE-V with Windows PowerShell and WMI
description: Learn how User Experience Virtualization (UE-V) provides Windows PowerShell cmdlets to help administrators perform various UE-V tasks.
-author: trudyha
+author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/configuration/ue-v/uev-administering-uev.md b/windows/configuration/ue-v/uev-administering-uev.md
index 1b5004453a..ae0c0dc0e4 100644
--- a/windows/configuration/ue-v/uev-administering-uev.md
+++ b/windows/configuration/ue-v/uev-administering-uev.md
@@ -1,7 +1,7 @@
---
title: Administering UE-V
description: Learn how to perform administrative tasks for User Experience Virtualization (UE-V). These tasks include configuring the UE-V service and recovering lost settings.
-author: trudyha
+author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/configuration/ue-v/uev-application-template-schema-reference.md b/windows/configuration/ue-v/uev-application-template-schema-reference.md
index 6ca0f295e0..9fb9d1704d 100644
--- a/windows/configuration/ue-v/uev-application-template-schema-reference.md
+++ b/windows/configuration/ue-v/uev-application-template-schema-reference.md
@@ -1,7 +1,7 @@
---
title: Application Template Schema Reference for UE-V
description: Learn details about the XML structure of the UE-V settings location templates and learn how to edit these files.
-author: trudyha
+author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
index 508ec913ff..a4d2addc34 100644
--- a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
+++ b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
@@ -1,7 +1,7 @@
---
title: Changing the Frequency of UE-V Scheduled Tasks
description: Learn how to create a script that uses the Schtasks.exe command-line options so you can change the frequency of UE-V scheduled tasks.
-author: trudyha
+author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
index 169e31075f..2a85dc79f2 100644
--- a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
+++ b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md
@@ -1,7 +1,7 @@
---
title: Configuring UE-V with Group Policy Objects
description: In this article, learn how to configure User Experience Virtualization (UE-V) with Group Policy objects.
-author: trudyha
+author: dansimp
ms.pagetype: mdop, virtualization
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
index f4ea6d2a5f..2ced4afd25 100644
--- a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
+++ b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md
@@ -14,12 +14,12 @@ ms.topic: article
---
-# Configuring UE-V with Microsoft Endpoint Configuration Manager
+# Configuring UE-V with Microsoft Endpoint Manager
**Applies to**
- Windows 10, version 1607
-After you deploy User Experience Virtualization (UE-V) and its required features, you can start to configure it to meet your organization's need. The UE-V Configuration Pack provides a way for administrators to use the Compliance Settings feature of Microsoft Endpoint Configuration Manager to apply consistent configurations across sites where UE-V and Configuration Manager are installed.
+After you deploy User Experience Virtualization (UE-V) and its required features, you can start to configure it to meet your organization's need. The UE-V Configuration Pack provides a way for administrators to use the Compliance Settings feature of Microsoft Endpoint Manager to apply consistent configurations across sites where UE-V and Configuration Manager are installed.
## UE-V Configuration Pack supported features
diff --git a/windows/configuration/ue-v/uev-deploy-required-features.md b/windows/configuration/ue-v/uev-deploy-required-features.md
index 04cf9543e9..dd861cea0f 100644
--- a/windows/configuration/ue-v/uev-deploy-required-features.md
+++ b/windows/configuration/ue-v/uev-deploy-required-features.md
@@ -117,7 +117,7 @@ You can configure UE-V before, during, or after you enable the UE-V service on u
Windows Server 2012 and Windows Server 2012 R2
-- [**Configuration Manager**](uev-configuring-uev-with-system-center-configuration-manager.md) The UE-V Configuration Pack lets you use the Compliance Settings feature of Microsoft Endpoint Configuration Manager to apply consistent configurations across sites where UE-V and Configuration Manager are installed.
+- [**Configuration Manager**](uev-configuring-uev-with-system-center-configuration-manager.md) The UE-V Configuration Pack lets you use the Compliance Settings feature of Microsoft Endpoint Manager to apply consistent configurations across sites where UE-V and Configuration Manager are installed.
- [**Windows PowerShell and WMI**](uev-administering-uev-with-windows-powershell-and-wmi.md) You can use scripted commands for Windows PowerShell and Windows Management Instrumentation (WMI) to modify the configuration of the UE-V service.
diff --git a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
index 375f826703..f953320ab4 100644
--- a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
+++ b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
@@ -24,7 +24,7 @@ As an administrator of User Experience Virtualization (UE-V), you can restore ap
## Restore Settings in UE-V when a User Adopts a New Device
-To restore settings when a user adopts a new device, you can put a settings location template in **backup** or **roam (default)** profile using the Set-UevTemplateProfile PowerShell cmdlet. This lets computer settings sync to the new computer, in addition to user settings. Templates assigned to the backup profile are backed up for that device and configured on a per-device basis. To backup settings for a template, use the following cmdlet in Windows PowerShell:
+To restore settings when a user adopts a new device, you can put a settings location template in a **backup** or **roam (default)** profile using the Set-UevTemplateProfile PowerShell cmdlet. This setup lets computer settings sync to the new computer, in addition to user settings. Templates assigned to the backup profile are backed up for that device and configured on a per-device basis. To back up settings for a template, use the following cmdlet in Windows PowerShell:
```powershell
Set-UevTemplateProfile -ID
+>An issue has been identified where devices can lose activation status or be blocked from upgrading to Windows Enterprise if the device is not able to connect to Windows Update. A workaround is to ensure that devices do not have the REG_DWORD present HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations and set to 1. If this REG_DWORD is present, it must be set to 0.
+>
>Also ensure that the Group Policy setting: Computer Configuration > Administrative Templates > Windows Components > Windows Update > "Do not connect to any Windows Update Internet locations" is set to "Disabled".
## Firmware-embedded activation key
-To determine if the computer has a firmware-embedded activation key, type the following command at an elevated Windows PowerShell prompt
+To determine if the computer has a firmware-embedded activation key, type the following command at an elevated Windows PowerShell prompt:
-```
-(Get-WmiObject -query ‘select * from SoftwareLicensingService’).OA3xOriginalProductKey
+```PowerShell
+(Get-CimInstance -query ‘select * from SoftwareLicensingService’).OA3xOriginalProductKey
```
If the device has a firmware-embedded activation key, it will be displayed in the output. If the output is blank, the device does not have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later will have a firmware-embedded key.
@@ -44,19 +46,28 @@ If the device has a firmware-embedded activation key, it will be displayed in th
If you are an EA customer with an existing Office 365 tenant, use the following steps to enable Windows 10 Subscription licenses on your existing tenant:
1. Work with your reseller to place an order for one $0 SKU per user. There are two SKUs available, depending on their current Windows Enterprise SA license:
-2. **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3
-3. **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5
-4. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant.
-5. The admin can now assign subscription licenses to users.
->Use the following process if you need to update contact information and retrigger activation in order to resend the activation email:
+ - **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3
+ - **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5
+
+1. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant.
+
+1. The admin can now assign subscription licenses to users.
+
+Use the following process if you need to update contact information and retrigger activation in order to resend the activation email:
1. Sign in to the [Microsoft Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
-2. Click on **Subscriptions**.
-3. Click on **Online Services Agreement List**.
+
+2. Click **Subscriptions**.
+
+3. Click **Online Services Agreement List**.
+
4. Enter your agreement number, and then click **Search**.
+
5. Click the **Service Name**.
+
6. In the **Subscription Contact** section, click the name listed under **Last Name**.
+
7. Update the contact information, then click **Update Contact Details**. This will trigger a new email.
Also in this article:
@@ -91,17 +102,21 @@ Devices must be running Windows 10 Pro, version 1703, and be Azure Active Direct
Upon acquisition of Windows 10 subscription has been completed (Windows 10 Business, E3 or E5), customers will receive an email that will provide guidance on how to use Windows as an online service:
-
+> [!div class="mx-imgBorder"]
+> 
The following methods are available to assign licenses:
1. When you have the required Azure AD subscription, [group-based licensing](https://docs.microsoft.com/azure/active-directory/active-directory-licensing-whatis-azure-portal) is the preferred method to assign Enterprise E3 or E5 licenses to users.
+
2. You can sign in to portal.office.com and manually assign licenses:
3. You can assign licenses by uploading a spreadsheet.
+
4. A per-user [PowerShell scripted method](https://social.technet.microsoft.com/wiki/contents/articles/15905.how-to-use-powershell-to-automatically-assign-licenses-to-your-office-365-users.aspx) of assigning licenses is available.
+
5. Organizations can use synchronized [AD groups](https://ronnydejong.com/2015/03/04/assign-ems-licenses-based-on-local-active-directory-group-membership/) to automatically assign licenses.
## Explore the upgrade experience
@@ -114,50 +129,50 @@ Users can join a Windows 10 Pro device to Azure AD the first time they start the
**To join a device to Azure AD the first time the device is started**
-1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then click **Next**, as illustrated in **Figure 2**.
+1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then click **Next**, as illustrated in **Figure 2**.
**Figure 2. The “Who owns this PC?” page in initial Windows 10 setup**
-2. On the **Choose how you’ll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 3**.
+2. On the **Choose how you’ll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 3**.
**Figure 3. The “Choose how you’ll connect” page in initial Windows 10 setup**
-3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 4**.
+3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 4**.
**Figure 4. The “Let’s get you signed in” page in initial Windows 10 setup**
-Now the device is Azure AD joined to the company’s subscription.
+Now the device is Azure AD–joined to the company’s subscription.
**To join a device to Azure AD when the device already has Windows 10 Pro, version 1703 installed and set up**
>[!IMPORTANT]
>Make sure that the user you're signing in with is **not** a BUILTIN/Administrator. That user cannot use the `+ Connect` button to join a work or school account.
-1. Go to **Settings > Accounts > Access work or school**, as illustrated in **Figure 5**.
+1. Go to **Settings > Accounts > Access work or school**, as illustrated in **Figure 5**.
**Figure 5. Connect to work or school configuration in Settings**
-2. In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 6**.
+2. In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 6**.
**Figure 6. Set up a work or school account**
-3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 7**.
+3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 7**.
**Figure 7. The “Let’s get you signed in” dialog box**
-Now the device is Azure AD joined to the company’s subscription.
+Now the device is Azure AD–joined to the company's subscription.
### Step 2: Pro edition activation
@@ -165,7 +180,7 @@ Now the device is Azure AD joined to the company’s subscription.
>If your device is running Windows 10, version 1803 or later, this step is not needed. From Windows 10, version 1803, the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key.
>If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in **Settings > Update & Security > Activation**, as illustrated in **Figure 7a**.
-
+
Figure 7a - Windows 10 Pro activation in Settings
@@ -176,7 +191,7 @@ Windows 10 Pro activation is required before Enterprise E3 or E5 can be enabled
Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device.
-
+
**Figure 8. Sign in by using Azure AD account**
@@ -184,7 +199,7 @@ Once the device is joined to your Azure AD subscription, the user will sign in b
You can verify the Windows 10 Enterprise E3 or E5 subscription in **Settings > Update & Security > Activation**, as illustrated in **Figure 9**.
-
+
**Figure 9 - Windows 10 Enterprise subscription in Settings**
@@ -218,19 +233,19 @@ Use the following figures to help you troubleshoot when users experience these c
- [Figure 10](#win-10-not-activated) (below) illustrates a device on which Windows 10 Pro is not activated, but the Windows 10 Enterprise subscription is active.
-
+
Figure 10 - Windows 10 Pro, version 1703 edition not activated in Settings
- [Figure 11](#subscription-not-active) (below) illustrates a device on which Windows 10 Pro is activated, but the Windows 10 Enterprise subscription is lapsed or removed.
-
+
Figure 11 - Windows 10 Enterprise subscription lapsed or removed in Settings
- [Figure 12](#win-10-not-activated-subscription-not-active) (below) illustrates a device on which Windows 10 Pro license is not activated and the Windows 10 Enterprise subscription is lapsed or removed.
-
+
Figure 12 - Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings
diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md
index c28a60db3e..b541debb81 100644
--- a/windows/deployment/deploy-m365.md
+++ b/windows/deployment/deploy-m365.md
@@ -14,6 +14,7 @@ audience: itpro
author: greg-lindsay
ms.topic: article
ms.collection: M365-modern-desktop
+ms.custom: seo-marvel-apr2020
---
# Deploy Windows 10 with Microsoft 365
diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md
index 519ec80cf3..0cea204292 100644
--- a/windows/deployment/deploy-whats-new.md
+++ b/windows/deployment/deploy-whats-new.md
@@ -13,12 +13,13 @@ ms.pagetype: deploy
audience: itpro
author: greg-lindsay
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# What's new in Windows 10 deployment
-**Applies to**
-- Windows 10
+**Applies to:**
+- Windows 10
## In this topic
@@ -42,10 +43,10 @@ The [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/
## Microsoft 365
-Microsoft 365 is a new offering from Microsoft that combines
+Microsoft 365 is a new offering from Microsoft that combines
- Windows 10
- Office 365
-- Enterprise Mobility and Security (EMS).
+- Enterprise Mobility and Security (EMS).
See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, which now includes a link to download a nifty [M365 Enterprise poster](deploy-m365.md#m365-enterprise-poster).
@@ -60,16 +61,16 @@ Windows PowerShell cmdlets for Delivery Optimization have been improved:
- **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to assist in troubleshooting.
Additional improvements in [Delivery Optimization](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization) include:
-- Enterprise network [throttling is enhanced](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling.
+- Enterprise network [throttling is enhanced](https://docs.microsoft.com/windows-insider/archive/new-for-business#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling.
- Automatic cloud-based congestion detection is available for PCs with cloud service support.
-- Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates, and Intune content, with Microsoft Endpoint Configuration Manager content coming soon!
+- Improved peer efficiency for enterprises and educational institutions with complex networks is enabled with [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates and Intune content, with Microsoft Endpoint Manager content coming soon!
The following Delivery Optimization policies are removed in the Windows 10, version 2004 release:
- Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth)
- Reason: Replaced with separate policies for foreground and background
- Max Upload Bandwidth (DOMaxUploadBandwidth)
- - Reason: impacts uploads to internet peers only, which isn't used in Enterprises.
+ - Reason: impacts uploads to internet peers only, which isn't used in enterprises.
- Absolute max throttle (DOMaxDownloadBandwidth)
- Reason: separated to foreground and background
@@ -79,11 +80,11 @@ The following Delivery Optimization policies are removed in the Windows 10, vers
- Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy.
- Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds.
-- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
-- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
+- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
+- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally.
-- **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again.
-- **Improved update notifications**: When there’s an update requiring you to restart your device, you’ll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar.
+- **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again.
+- **Improved update notifications**: When there's an update requiring you to restart your device, you'll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar.
- **Intelligent active hours**: To further enhance active hours, users will now have the option to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns.
- **Improved update orchestration to improve system responsiveness**: This feature will improve system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions.
@@ -103,7 +104,7 @@ For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterpris
### Windows Autopilot
-[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose and recover devices.
+[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose, and recover devices.
With the release of Windows 10, version 2004 you can configure [Windows Autopilot user-driven](https://docs.microsoft.com/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903.
@@ -115,7 +116,7 @@ The following Windows Autopilot features are available in Windows 10, version 19
- The Intune [enrollment status page](https://docs.microsoft.com/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions.
- [Cortana voiceover](https://docs.microsoft.com/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs.
- Windows Autopilot is self-updating during OOBE. Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE.
-- Windows Autopilot will set the [diagnostics data](https://docs.microsoft.com/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
+- Windows Autopilot will set the [diagnostics data](https://docs.microsoft.com/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
### Microsoft Endpoint Configuration Manager
@@ -137,11 +138,11 @@ During the upgrade process, Windows Setup will extract all its sources files to
### Upgrade Readiness
-The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017.
+The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017.
-Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details.
+Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details.
-The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.
+The development of Upgrade Readiness has been heavily influenced by input from the community; the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.
For more information about Upgrade Readiness, see the following topics:
@@ -163,7 +164,7 @@ Device Health is the newest Windows Analytics solution that complements the exis
### MBR2GPT
-MBR2GPT.EXE converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. Previously, it was necessary to image, then wipe and reload a disk to change from MBR format to GPT.
+MBR2GPT.EXE converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. Previously, it was necessary to image, then wipe and reload a disk to change from MBR format to GPT.
There are many benefits to converting the partition style of a disk to GPT, including the use of larger disk partitions, added data reliability, and faster boot and shutdown speeds. The GPT format also enables you to use the Unified Extensible Firmware Interface (UEFI) which replaces the Basic Input/Output System (BIOS) firmware interface. Security features of Windows 10 that require UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock.
@@ -182,14 +183,14 @@ The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can
Download the Windows ADK and Windows PE add-on for Windows 10, version 2004 [here](https://docs.microsoft.com/windows-hardware/get-started/adk-install).
For information about what's new in the ADK, see [What's new in the Windows ADK for Windows 10, version 2004](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-2004).
-
+
Also see [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md).
## Testing and validation guidance
### Windows 10 deployment proof of concept (PoC)
-The Windows 10 PoC guide enables you to test Windows 10 deployment in a virtual environment and become familiar with deployment tools such as MDT and Configuration Manager. The PoC guide provides step-by-step instructions for installing and using Hyper-V to create a virtual lab environment. The guide makes extensive use of Windows PowerShell to streamline each phase of the installation and setup.
+The Windows 10 PoC guide enables you to test Windows 10 deployment in a virtual environment and become familiar with deployment tools such as MDT and Configuration Manager. The PoC guide provides step-by-step instructions for installing and using Hyper-V to create a virtual lab environment. The guide makes extensive use of Windows PowerShell to streamline each phase of the installation and setup.
For more information, see the following guides:
diff --git a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
index 1fd47c5505..5d44f0af26 100644
--- a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
@@ -1,5 +1,5 @@
---
-title: Add a Windows 10 operating system image using Configuration Manager (Windows 10)
+title: Add a Windows 10 operating system image using Configuration Manager
description: Operating system images are typically the production image used for deployment throughout the organization.
ms.assetid: 77f769cc-1a47-4f36-8082-201cd77b8d3b
ms.reviewer:
@@ -13,6 +13,7 @@ ms.sitesec: library
audience: itpro
author: greg-lindsay
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# Add a Windows 10 operating system image using Configuration Manager
diff --git a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
index e8896d30de..85dcbc3828 100644
--- a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
@@ -1,5 +1,5 @@
---
-title: Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager (Windows 10)
+title: Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager
description: Learn how to configure the Windows Preinstallation Environment (Windows PE) to include required network and storage drivers.
ms.assetid: 97b3ea46-28d9-407e-8c42-ded2e45e8d5c
ms.reviewer:
@@ -13,6 +13,7 @@ ms.sitesec: library
audience: itpro
author: greg-lindsay
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager
@@ -51,10 +52,10 @@ On **CM01**:
6. In the popup window that appears, click **Yes** to automatically update the distribution point.
7. Click **Next**, wait for the image to be updated, and then click **Close**.
- 
- 
- 
- 
+ 
+ 
+ 
+ 
Add drivers to Windows PE
@@ -64,7 +65,7 @@ This section illustrates how to add drivers for Windows 10 using the HP EliteBoo
For the purposes of this section, we assume that you have downloaded the Windows 10 drivers for the HP EliteBook 8560w model and copied them to the **D:\Sources$\OSD\DriverSources\Windows 10 x64\Hewlett-Packard\HP EliteBook 8560w** folder on CM01.
-
+
Driver folder structure on CM01
diff --git a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
index 5ff94676d8..e4d235f852 100644
--- a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
@@ -1,6 +1,6 @@
---
title: Create a custom Windows PE boot image with Configuration Manager (Windows 10)
-description: In Microsoft Endpoint Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features.
+description: Learn how to create custom Windows Preinstallation Environment (Windows PE) boot images in Microsoft Endpoint Configuration Manager.
ms.assetid: b9e96974-324d-4fa4-b0ce-33cfc49c4809
ms.reviewer:
manager: laurawi
@@ -13,6 +13,7 @@ ms.sitesec: library
audience: itpro
author: greg-lindsay
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# Create a custom Windows PE boot image with Configuration Manager
@@ -71,8 +72,8 @@ On **CM01**:
8. In the Distribute Content Wizard, add the CM01 distribution point, and complete the wizard.
9. Using Configuration Manager Trace, review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Do not continue until you can see that the boot image is distributed. Look for the line that reads **STATMSG: ID=2301**. You also can monitor Content Status in the Configuration Manager Console at **\Monitoring\Overview\Distribution Status\Content Status\Zero Touch WinPE x64**. See the following examples:
- 
- 
+ 
+ 
Content status for the Zero Touch WinPE x64 boot image
@@ -81,8 +82,8 @@ On **CM01**:
12. Using Configuration Manager Trace, review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for this text: **Expanding PS100009 to D:\\RemoteInstall\\SMSImages**.
13. Review the **D:\\RemoteInstall\\SMSImages** folder. You should see three folders containing boot images. Two are from the default boot images, and the third folder (PS100009) is from your new boot image with DaRT. See the examples below:
- 
- 
+ 
+ 
>Note: Depending on your infrastructure and the number of packages and boot images present, the Image ID might be a different number than PS100009.
diff --git a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
index 7e1c6b9819..4b0eb20dcf 100644
--- a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
@@ -1,6 +1,6 @@
---
title: Create an app to deploy with Windows 10 using Configuration Manager
-description: Microsoft Microsoft Endpoint Configuration Manager supports deploying applications as part of the Windows 10 deployment process.
+description: Microsoft Microsoft Endpoint Manager supports deploying applications as part of the Windows 10 deployment process.
ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c
ms.reviewer:
manager: laurawi
@@ -22,7 +22,7 @@ ms.topic: article
- Windows 10
-Microsoft Endpoint Configuration Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in Microsoft Endpoint Configuration Manager that you later configure the task sequence to use.
+Microsoft Endpoint Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in Microsoft Endpoint Manager that you later configure the task sequence to use.
For the purposes of this guide, we will use one server computer: CM01.
- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
diff --git a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
index a5ea3f78c2..ccb8ed6bb5 100644
--- a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
@@ -1,6 +1,6 @@
---
title: Deploy Windows 10 using PXE and Configuration Manager (Windows 10)
-description: In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Configuration Manager deployment packages and task sequences.
+description: In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Manager deployment packages and task sequences.
ms.assetid: fb93f514-5b30-4f4b-99dc-58e6860009fa
ms.reviewer:
manager: laurawi
@@ -21,7 +21,7 @@ ms.topic: article
- Windows 10
-In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Configuration Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) computer named PC0001. An existing Configuration Manager infrastructure that is integrated with MDT is used for the procedures in this topic.
+In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) computer named PC0001. An existing Configuration Manager infrastructure that is integrated with MDT is used for the procedures in this topic.
This topic assumes that you have completed the following prerequisite procedures:
- [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
@@ -51,7 +51,7 @@ All server and client computers referenced in this guide are on the same subnet.
## Procedures
1. Start the PC0001 computer. At the Pre-Boot Execution Environment (PXE) boot menu, press **Enter** to allow it to PXE boot.
-2. On the **Welcome to the Task Sequence Wizard** page, type in the password **pass@word1** and click **Next**.
+2. On the **Welcome to the Task Sequence Wizard** page, type in the password **pass\@word1** and click **Next**.
3. On the **Select a task sequence to run** page, select **Windows 10 Enterprise x64 RTM** and click **Next**.
4. On the **Edit Task Sequence Variables** page, double-click the **OSDComputerName** variable, and in the **Value** field, type **PC0001** and click **OK**. Then click **Next**.
5. The operating system deployment will take several minutes to complete.
@@ -99,4 +99,4 @@ Next, see [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Ma
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
\ No newline at end of file
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
diff --git a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
index b3c301d048..87bed1dd16 100644
--- a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
@@ -1,6 +1,6 @@
---
title: Finalize operating system configuration for Windows 10 deployment
-description: Follow this walk-through to finalize the configuration of your Windows 10 operating deployment.
+description: This article provides a walk-through to finalize the configuration of your Windows 10 operating deployment.
ms.assetid: 38b55fa8-e717-4689-bd43-8348751d493e
ms.reviewer:
manager: laurawi
@@ -13,6 +13,7 @@ ms.sitesec: library
audience: itpro
author: greg-lindsay
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# Finalize the operating system configuration for Windows 10 deployment with Configuration Manager
diff --git a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
index ca87d2d6b3..66c81b0a5b 100644
--- a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
@@ -1,5 +1,5 @@
---
-title: Prepare for Zero Touch Installation of Windows 10 with Configuration Manager (Windows 10)
+title: Prepare for Zero Touch Installation of Windows 10 with Configuration Manager
description: Learn how to prepare a Zero Touch Installation of Windows 10 with Configuration Manager, by integrating Configuration Manager with Microsoft Deployment Toolkit.
ms.assetid: 06e3a221-31ef-47a5-b4da-3b927cb50d08
ms.reviewer:
@@ -13,6 +13,7 @@ ms.sitesec: library
audience: itpro
author: greg-lindsay
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# Prepare for Zero Touch Installation of Windows 10 with Configuration Manager
@@ -21,7 +22,7 @@ ms.topic: article
- Windows 10
-This topic will walk you through the Zero Touch Installation process of Windows 10 operating system deployment (OSD) using Microsoft Endpoint Configuration Manager (ConfigMgr) [integrated](#why-integrate-mdt-with-configuration-manager) with Microsoft Deployment Toolkit (MDT).
+This topic will walk you through the Zero Touch Installation process of Windows 10 operating system deployment (OSD) using Microsoft Endpoint Manager (ConfigMgr) [integrated](#why-integrate-mdt-with-configuration-manager) with Microsoft Deployment Toolkit (MDT).
## Prerequisites
@@ -76,7 +77,7 @@ ForEach($entry in $oulist){
}
```
-Next, copy the following list of OU names and paths into a text file and save it as C:\Setup\Scripts\oulist.txt
+Next, copy the following list of OU names and paths into a text file and save it as **C:\Setup\Scripts\oulist.txt**
```text
OUName,OUPath
@@ -128,7 +129,7 @@ In order for the Configuration Manager Join Domain Account (CM\_JD) to join mach
On **DC01**:
-1. Sign in as contoso\administrtor and enter the following at an elevated Windows PowerShell prompt:
+1. Sign in as contoso\administrator and enter the following at an elevated Windows PowerShell prompt:
```
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
@@ -240,7 +241,7 @@ On **CM01**:
2. Right-click **PS1 - Primary Site 1**, point to **Configure Site Components**, and then select **Software Distribution**.
3. On the **Network Access Account** tab, select **Specify the account that accesses network locations** and add the *New Account* **CONTOSO\\CM\_NAA** as the Network Access account (password: pass@word1). Use the new **Verify** option to verify that the account can connect to the **\\\\DC01\\sysvol** network share.
-
+
Test the connection for the Network Access account.
@@ -388,4 +389,4 @@ You can create reference images for Configuration Manager in Configuration Manag
[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
-[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
\ No newline at end of file
+[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
diff --git a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
index 24ea36579b..7ff3078c04 100644
--- a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -1,5 +1,5 @@
---
-title: Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10)
+title: Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager
description: Learn how to use Configuration Manager and Microsoft Deployment Toolkit (MDT) to refresh a Windows 7 SP1 client with Windows 10.
ms.assetid: 57c81667-1019-4711-b3de-15ae9c5387c7
ms.reviewer:
@@ -13,6 +13,7 @@ ms.sitesec: library
audience: itpro
author: greg-lindsay
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager
@@ -57,9 +58,9 @@ On **PC0003**:
1. Open the Configuration Manager control panel (control smscfgrc).
2. On the **Site** tab, click **Configure Settings**, then click **Find Site**.
-3. Verify that Configuration Manager has successfullyl found a site to manage this client is displayed. See the following example.
+3. Verify that Configuration Manager has successfully found a site to manage this client is displayed. See the following example.
-
+
## Create a device collection and add the PC0003 computer
@@ -123,16 +124,16 @@ On **PC0003**:
2. In the **Software Center** warning dialog box, click **Install Operating System**.
3. The client computer will run the Configuration Manager task sequence, boot into Windows PE, and install the new OS and applications. See the following examples:
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
Next, see [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md).
diff --git a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
index b2ef8ff138..4c98f861cf 100644
--- a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -1,5 +1,5 @@
---
-title: Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10)
+title: Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager
description: In this topic, you will learn how to replacing a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager.
ms.assetid: 3c8a2d53-8f08-475f-923a-bca79ca8ac36
ms.reviewer:
@@ -13,6 +13,7 @@ ms.sitesec: library
audience: itpro
author: greg-lindsay
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager
@@ -159,7 +160,7 @@ On **PC0004**:
4. Confirm you want to upgrade the operating system on this computer by clicking **Install** again.
5. Allow the Replace Task Sequence to complete. The PC0004 computer will gather user data, boot into Windows PE and gather more data, then boot back to the full OS. The entire process should only take a few minutes.
-
+
Capturing the user state
@@ -190,15 +191,15 @@ On **PC0006**:
When the process is complete, you will have a new Windows 10 computer in your domain with user data and settings restored. See the following examples:
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
Next, see [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade-to-windows-10-with-configuraton-manager.md).
diff --git a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md
index 553be3b239..1c8551218d 100644
--- a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md
+++ b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md
@@ -1,6 +1,6 @@
---
title: Perform in-place upgrade to Windows 10 via Configuration Manager
-description: In-place upgrades make upgrading Windows 7, Windows 8, and Windows 8.1 to Windows 10 easy -- you can even automate the whole process with a Microsoft Endpoint Configuration Manager task sequence.
+description: Learn how to perform an in-place upgrade to Windows 10 by automating the process with a Microsoft Endpoint Manager task sequence.
ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878
ms.reviewer:
manager: laurawi
@@ -12,6 +12,7 @@ ms.mktglfcycl: deploy
audience: itpro
author: greg-lindsay
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# Perform an in-place upgrade to Windows 10 using Configuration Manager
@@ -21,7 +22,7 @@ ms.topic: article
- Windows 10
-The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Endpoint Configuration Manager task sequence to completely automate the process.
+The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Endpoint Manager task sequence to completely automate the process.
>[!IMPORTANT]
>Beginning with Windows 10 and Windows Server 2016, Windows Defender is already installed. A management client for Windows Defender is also installed automatically if the Configuration Manager client is installed. However, previous Windows operating systems installed the System Center Endpoint Protection (SCEP) client with the Configuration Manager client. The SCEP client can block in-place upgrade to Windows 10 due to incompatibility, and must be removed from a device before performing an in-place upgrade to Windows 10.
@@ -126,13 +127,13 @@ On **PC0004**:
4. Confirm you want to upgrade the operating system on this computer by clicking **Install** again.
5. Allow the Upgrade Task Sequence to complete. The PC0004 computer will download the install.wim file, perform an in-place upgrade, and install your added applications. See the following examples:
-
-
-
-
-
-
-
+
+
+
+
+
+
+
In-place upgrade with Configuration Manager
diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
index c55b476746..f60f34e592 100644
--- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
@@ -388,12 +388,12 @@ On **MDT01**:
1. Using the Deployment Workbench, under **Deployment Shares > MDT Build Lab > Task Sequences** right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence and select **Properties**.
2. In the **OS Info** tab, click **Edit Unattend.xml**. MDT now generates a catalog file. This will take a few minutes, and then Windows System Image Manager (Windows SIM) will start.
- >[!IMPORTANT]
- >The current version of MDT (8456) has a known issue generating a catalog file for Windows 10, version 1903 or 1909 X64 install.wim. You might see the error "Could not load file or assembly" in in the console output. As a temporary workaround:
- >- Close the Deployment Workbench and install the [WSIM 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334). This will update imagecat.exe and imgmgr.exe to version 10.0.18362.144.
- >- Manually run imgmgr.exe (C:\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM\\imgmgr.exe).
- >- Generate a catalog (Tools/Create Catalog) for the selected install.wim (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install.wim).
- >- After manually creating the catalog file (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install_Windows 10 Enterprise.clg), open the Deployment Workbench and proceed to edit unattend.xml.
+ > [!IMPORTANT]
+ > The ADK version 1903 has a [known issue](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-1903) generating a catalog file for Windows 10, version 1903 or 1909 X64 install.wim. You might see the error "Could not load file or assembly" in in the console output. To avoid this issue, [install the ADK, version 2004 or a later version](https://docs.microsoft.com/windows-hardware/get-started/adk-install). A workaround is also available for the ADK version 1903:
+ > - Close the Deployment Workbench and install the [WSIM 1903 update](https://go.microsoft.com/fwlink/?linkid=2095334). This will update imagecat.exe and imgmgr.exe to version 10.0.18362.144.
+ > - Manually run imgmgr.exe (C:\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Deployment Tools\\WSIM\\imgmgr.exe).
+ > - Generate a catalog (Tools/Create Catalog) for the selected install.wim (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install.wim).
+ > - After manually creating the catalog file (ex: D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM\\sources\\install_Windows 10 Enterprise.clg), open the Deployment Workbench and proceed to edit unattend.xml.
3. In Windows SIM, expand the **4 specialize** node in the **Answer File** pane and select the amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral entry.
4. In the **amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral properties** window (right-hand window), set the following values:
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
index 5c8972471b..5d5ff0215e 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@@ -45,8 +45,9 @@ These steps will show you how to configure an Active Directory account with the
On **DC01**:
-1. Download the [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copy it to the **C:\\Setup\\Scripts** directory on DC01. This script configures permissions to allow the MDT_JD account to manage computer accounts in the contoso > Computers organizational unit.
-2. Create the MDT_JD service account by running the following command from an elevated Windows PowerShell prompt:
+1. Download the [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copy it to the **C:\\Setup\\Scripts** directory on **DC01**. This script configures permissions to allow the **MDT_JD** account to manage computer accounts in the contoso > Computers organizational unit.
+
+2. Create the **MDT_JD** service account by running the following command from an elevated **Windows PowerShell prompt**:
```powershell
New-ADUser -Name MDT_JD -UserPrincipalName MDT_JD -path "OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Description "MDT join domain account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true
@@ -60,19 +61,20 @@ On **DC01**:
.\Set-OUPermissions.ps1 -Account MDT_JD -TargetOU "OU=Workstations,OU=Computers,OU=Contoso"
```
-The following is a list of the permissions being granted:
- a. Scope: This object and all descendant objects
- b. Create Computer objects
- c. Delete Computer objects
- d. Scope: Descendant Computer objects
- e. Read All Properties
- f. Write All Properties
- g. Read Permissions
- h. Modify Permissions
- i. Change Password
- j. Reset Password
- k. Validated write to DNS host name
- l. Validated write to service principal name
+ The following is a list of the permissions being granted:
+
+ - Scope: This object and all descendant objects
+ - Create Computer objects
+ - Delete Computer objects
+ - Scope: Descendant Computer objects
+ - Read All Properties
+ - Write All Properties
+ - Read Permissions
+ - Modify Permissions
+ - Change Password
+ - Reset Password
+ - Validated write to DNS host name
+ - Validated write to service principal name
## Step 2: Set up the MDT production deployment share
@@ -87,8 +89,11 @@ The steps for creating the deployment share for production are the same as when
1. Ensure you are signed on as: contoso\administrator.
2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and click **Next**.
+
4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and click **Next**.
+
5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and click **Next**.
+
6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**.
7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share.
@@ -116,9 +121,13 @@ In these steps, we assume that you have completed the steps in the [Create a Win
1. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**; select the **Operating Systems** node, and create a folder named **Windows 10**.
2. Right-click the **Windows 10** folder and select **Import Operating System**.
+
3. On the **OS Type** page, select **Custom image file** and click **Next**.
+
4. On the **Image** page, in the **Source file** text box, browse to **D:\\MDTBuildLab\\Captures\\REFW10X64-001.wim** and click **Next**.
+
5. On the **Setup** page, select the **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path** option; in the **Setup source directory** text box, browse to **D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM** and click **Next**.
+
6. On the **Destination** page, in the **Destination directory name** text box, type **W10EX64RTM**, click **Next** twice, and then click **Finish**.
7. After adding the operating system, double-click the added operating system name in the **Operating Systems / Windows 10** node and change the name to **Windows 10 Enterprise x64 RTM Custom Image**.
@@ -140,16 +149,22 @@ On **MDT01**:
2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC1902120058_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne).
3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node.
4. Right-click the **Applications** node, and create a new folder named **Adobe**.
+
5. In the **Applications** node, right-click the **Adobe** folder and select **New Application**.
+
6. On the **Application Type** page, select the **Application with source files** option and click **Next**.
+
7. On the **Details** page, in the **Application Name** text box, type **Install - Adobe Reader** and click *Next**.
+
8. On the **Source** page, in the **Source Directory** text box, browse to **D:\\setup\\adobe\\install** and click **Next**.
+
9. On the **Destination** page, in the **Specify the name of the directory that should be created** text box, type **Install - Adobe Reader** and click **Next**.
+
10. On the **Command Details** page, in the **Command Line** text box, type **msiexec /i AcroRead.msi /q**, click **Next** twice, and then click **Finish**.
-
+ 
-The Adobe Reader application added to the Deployment Workbench.
+ The Adobe Reader application added to the Deployment Workbench.
## Step 5: Prepare the drivers repository
@@ -211,16 +226,17 @@ When you import drivers to the MDT driver repository, MDT creates a single insta
The preceding folder names should match the actual make and model values that MDT reads from devices during deployment. You can find out the model values for your machines by using the following command in Windows PowerShell:
-``` powershell
+```powershell
Get-WmiObject -Class:Win32_ComputerSystem
```
+
Or, you can use this command in a normal command prompt:
-```
+```console
wmic csproduct get name
```
-If you want a more standardized naming convention, try the ModelAliasExit.vbs script from the Deployment Guys blog post entitled [Using and Extending Model Aliases for Hardware Specific Application Installation](https://go.microsoft.com/fwlink/p/?LinkId=619536).
+If you want a more standardized naming convention, try the **ModelAliasExit.vbs script** from the Deployment Guys blog post, entitled [Using and Extending Model Aliases for Hardware Specific Application Installation](https://go.microsoft.com/fwlink/p/?LinkId=619536).
@@ -244,9 +260,9 @@ On **MDT01**:
2. Folders: Select the WinPE x64 folder in Out-of-Box Drivers.
3. Click **Next**, **Next** and **Finish**.
-
+ 
-Creating the WinPE x64 selection profile.
+ Creating the WinPE x64 selection profile.
### Extract and import drivers for the x64 boot image
@@ -267,7 +283,8 @@ On **MDT01**:
For the ThinkStation P500 model, you use the Lenovo ThinkVantage Update Retriever software to download the drivers. With Update Retriever, you need to specify the correct Lenovo Machine Type for the actual hardware (the first four characters of the model name). As an example, the Lenovo ThinkStation P500 model has the 30A6003TUS model name, meaning the Machine Type is 30A6.
-
+> [!div class="mx-imgBorder"]
+> 
To get the updates, download the drivers from the Lenovo ThinkVantage Update Retriever using its export function. You can also download the drivers by searching PC Support on the [Lenovo website](https://go.microsoft.com/fwlink/p/?LinkId=619543).
@@ -276,9 +293,12 @@ In this example, we assume you have downloaded and extracted the drivers using T
On **MDT01**:
1. In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Lenovo** node.
-2. Right-click the **30A6003TUS** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Lenovo\\ThinkStation P500 (30A6003TUS)**
-The folder you select and all sub-folders will be checked for drivers, expanding any .cab files that are present and searching for drivers.
+2. Right-click the **30A6003TUS** folder and select **Import Drivers** and use the following Driver source directory to import drivers:
+
+ **D:\\Drivers\\Windows 10 x64\\Lenovo\\ThinkStation P500 (30A6003TUS)**
+
+ The folder you select and all sub-folders will be checked for drivers, expanding any .cab files that are present and searching for drivers.
### For the Latitude E7450
@@ -289,7 +309,10 @@ In these steps, we assume you have downloaded and extracted the CAB file for the
On **MDT01**:
1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Dell Inc** node.
-2. Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Dell Inc\\Latitude E7450**
+
+2. Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers:
+
+ **D:\\Drivers\\Windows 10 x64\\Dell Inc\\Latitude E7450**
### For the HP EliteBook 8560w
@@ -300,7 +323,10 @@ In these steps, we assume you have downloaded and extracted the drivers for the
On **MDT01**:
1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Hewlett-Packard** node.
-2. Right-click the **HP EliteBook 8560w** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w**
+
+2. Right-click the **HP EliteBook 8560w** folder and select **Import Drivers** and use the following Driver source directory to import drivers:
+
+ **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w**
### For the Microsoft Surface Laptop
@@ -309,7 +335,10 @@ For the Microsoft Surface Laptop model, you find the drivers on the Microsoft we
On **MDT01**:
1. In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Microsoft** node.
-2. Right-click the **Surface Laptop** folder and select **Import Drivers**; and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop**
+
+2. Right-click the **Surface Laptop** folder and select **Import Drivers**; and use the following Driver source directory to import drivers:
+
+ **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop**
## Step 6: Create the deployment task sequence
@@ -320,40 +349,46 @@ This section will show you how to create the task sequence used to deploy your p
On **MDT01**:
1. In the Deployment Workbench, under the **MDT Production** node, right-click **Task Sequences**, and create a folder named **Windows 10**.
+
2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
- 1. Task sequence ID: W10-X64-001
- 2. Task sequence name: Windows 10 Enterprise x64 RTM Custom Image
- 3. Task sequence comments: Production Image
- 4. Template: Standard Client Task Sequence
- 5. Select OS: Windows 10 Enterprise x64 RTM Custom Image
- 6. Specify Product Key: Do not specify a product key at this time
- 7. Full Name: Contoso
- 8. Organization: Contoso
- 9. Internet Explorer home page: https://www.contoso.com
- 10. Admin Password: Do not specify an Administrator Password at this time
+ - Task sequence ID: W10-X64-001
+ - Task sequence name: Windows 10 Enterprise x64 RTM Custom Image
+ - Task sequence comments: Production Image
+ - Template: Standard Client Task Sequence
+ - Select OS: Windows 10 Enterprise x64 RTM Custom Image
+ - Specify Product Key: Do not specify a product key at this time
+ - Full Name: Contoso
+ - Organization: Contoso
+ - Internet Explorer home page: https://www.contoso.com
+ - Admin Password: Do not specify an Administrator Password at this time
### Edit the Windows 10 task sequence
1. Continuing from the previous procedure, right-click the **Windows 10 Enterprise x64 RTM Custom Image** task sequence, and select **Properties**.
-2. On the **Task Sequence** tab, configure the **Windows 10 Enterprise x64 RTM Custom Image** task sequence with the following settings:
- 1. Preinstall: After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings:
- 1. Name: Set DriverGroup001
- 2. Task Sequence Variable: DriverGroup001
- 3. Value: Windows 10 x64\\%Make%\\%Model%
- 2. Configure the **Inject Drivers** action with the following settings:
- 1. Choose a selection profile: Nothing
- 2. Install all drivers from the selection profile
- >[!NOTE]
- >The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT should not use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting.
+2. On the **Task Sequence** tab, configure the **Windows 10 Enterprise x64 RTM Custom Image** task sequence with the following settings:
+
+ 1. Preinstall: After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings:
+ - Name: Set DriverGroup001
+ - Task Sequence Variable: DriverGroup001
+ - Value: Windows 10 x64\\%Make%\\%Model%
+
+ 2. Configure the **Inject Drivers** action with the following settings:
+ - Choose a selection profile: Nothing
+ - Install all drivers from the selection profile
+
+ > [!NOTE]
+ > The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT should not use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting.
3. State Restore. Enable the **Windows Update (Pre-Application Installation)** action.
+
4. State Restore. Enable the **Windows Update (Post-Application Installation)** action.
+
3. Click **OK**.
-
+ 
-The task sequence for production deployment.
+ The task sequence for production deployment.
## Step 7: Configure the MDT production deployment share
@@ -361,100 +396,112 @@ In this section, you will learn how to configure the MDT Build Lab deployment sh
### Configure the rules
+> [!NOTE]
+> The following instructions assume the device is online. If you're offline you can remove SLShare variable.
+
On **MDT01**:
1. Right-click the **MDT Production** deployment share and select **Properties**.
2. Select the **Rules** tab and replace the existing rules with the following information (modify the domain name, WSUS server, and administrative credentials to match your environment):
- ```
- [Settings]
- Priority=Default
-
- [Default]
- _SMSTSORGNAME=Contoso
- OSInstall=YES
- UserDataLocation=AUTO
- TimeZoneName=Pacific Standard Time
- AdminPassword=pass@word1
- JoinDomain=contoso.com
- DomainAdmin=CONTOSO\MDT_JD
- DomainAdminPassword=pass@word1
- MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com
- SLShare=\\MDT01\Logs$
- ScanStateArgs=/ue:*\* /ui:CONTOSO\*
- USMTMigFiles001=MigApp.xml
- USMTMigFiles002=MigUser.xml
- HideShell=YES
- ApplyGPOPack=NO
- WSUSServer=mdt01.contoso.com:8530
- SkipAppsOnUpgrade=NO
- SkipAdminPassword=YES
- SkipProductKey=YES
- SkipComputerName=NO
- SkipDomainMembership=YES
- SkipUserData=YES
- SkipLocaleSelection=YES
- SkipTaskSequence=NO
- SkipTimeZone=YES
- SkipApplications=NO
- SkipBitLocker=YES
- SkipSummary=YES
- SkipCapture=YES
- SkipFinalSummary=NO
- ```
+ ```
+ [Settings]
+ Priority=Default
+
+ [Default]
+ _SMSTSORGNAME=Contoso
+ OSInstall=YES
+ UserDataLocation=AUTO
+ TimeZoneName=Pacific Standard Time
+ AdminPassword=pass@word1
+ JoinDomain=contoso.com
+ DomainAdmin=CONTOSO\MDT_JD
+ DomainAdminPassword=pass@word1
+ MachineObjectOU=OU=Workstations,OU=Computers,OU=Contoso,DC=contoso,DC=com
+ SLShare=\\MDT01\Logs$
+ ScanStateArgs=/ue:*\* /ui:CONTOSO\*
+ USMTMigFiles001=MigApp.xml
+ USMTMigFiles002=MigUser.xml
+ HideShell=YES
+ ApplyGPOPack=NO
+ WSUSServer=mdt01.contoso.com:8530
+ SkipAppsOnUpgrade=NO
+ SkipAdminPassword=YES
+ SkipProductKey=YES
+ SkipComputerName=NO
+ SkipDomainMembership=YES
+ SkipUserData=YES
+ SkipLocaleSelection=YES
+ SkipTaskSequence=NO
+ SkipTimeZone=YES
+ SkipApplications=NO
+ SkipBitLocker=YES
+ SkipSummary=YES
+ SkipCapture=YES
+ SkipFinalSummary=NO
+ ```
3. Click **Edit Bootstrap.ini** and modify using the following information:
-```
-[Settings]
-Priority=Default
+ ```
+ [Settings]
+ Priority=Default
-[Default]
-DeployRoot=\\MDT01\MDTProduction$
-UserDomain=CONTOSO
-UserID=MDT_BA
-UserPassword=pass@word1
-SkipBDDWelcome=YES
-```
+ [Default]
+ DeployRoot=\\MDT01\MDTProduction$
+ UserDomain=CONTOSO
+ UserID=MDT_BA
+ UserPassword=pass@word1
+ SkipBDDWelcome=YES
+ ```
4. On the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected.
+
5. On the **General** sub tab (still under the main Windows PE tab), configure the following settings:
- - In the **Lite Touch Boot Image Settings** area:
- 1. Image description: MDT Production x86
- 2. ISO file name: MDT Production x86.iso
+
+ In the **Lite Touch Boot Image Settings** area:
+
+ - Image description: MDT Production x86
+ - ISO file name: MDT Production x86.iso
- > [!NOTE]
- >
- >Because you are going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you do not need the ISO file; however, we recommend creating ISO files because they are useful when troubleshooting deployments and for quick tests.
+ > [!NOTE]
+ >
+ > Because you are going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you do not need the ISO file; however, we recommend creating ISO files because they are useful when troubleshooting deployments and for quick tests.
6. On the **Drivers and Patches** sub tab, select the **WinPE x86** selection profile and select the **Include all drivers from the selection profile** option.
+
7. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
+
8. On the **General** sub tab, configure the following settings:
- - In the **Lite Touch Boot Image Settings** area:
- 1. Image description: MDT Production x64
- 2. ISO file name: MDT Production x64.iso
+
+ In the **Lite Touch Boot Image Settings** area:
+
+ - Image description: MDT Production x64
+ - ISO file name: MDT Production x64.iso
+
9. In the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option.
+
10. In the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box.
+
11. Click **OK**.
->[!NOTE]
->It will take a while for the Deployment Workbench to create the monitoring database and web service.
+ >[!NOTE]
+ >It will take a while for the Deployment Workbench to create the monitoring database and web service.
+ 
-
-
-The Windows PE tab for the x64 boot image.
+ The Windows PE tab for the x64 boot image.
### The rules explained
The rules for the MDT Production deployment share are somewhat different from those for the MDT Build Lab deployment share. The biggest differences are that you deploy the machines into a domain instead of a workgroup.
->
->You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address. In this example we are skipping the welcome screen and providing credentials.
+You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address. In this example we are skipping the welcome screen and providing credentials.
### The Bootstrap.ini file
This is the MDT Production Bootstrap.ini:
+
```
[Settings]
Priority=Default
@@ -470,6 +517,7 @@ SkipBDDWelcome=YES
### The CustomSettings.ini file
This is the CustomSettings.ini file with the new join domain information:
+
```
[Settings]
Priority=Default
@@ -526,32 +574,44 @@ If your organization has a Microsoft Software Assurance agreement, you also can
If you have licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you do not have DaRT licensing, or don't want to use it, simply skip to the next section, [Update the Deployment Share](#update-the-deployment-share). To enable the remote connection feature in MDT, you need to do the following:
->DaRT 10 is part of [MDOP 2015](https://docs.microsoft.com/microsoft-desktop-optimization-pack/#how-to-get-mdop). Note: MDOP might be available as a download from your [Visual Studio subscription](https://my.visualstudio.com/Downloads). When searching, be sure to look for **Desktop Optimization Pack**.
+
+> [!NOTE]
+> DaRT 10 is part of [MDOP 2015](https://docs.microsoft.com/microsoft-desktop-optimization-pack/#how-to-get-mdop).
+>
+> MDOP might be available as a download from your [Visual Studio subscription](https://my.visualstudio.com/Downloads). When searching, be sure to look for **Desktop Optimization Pack**.
On **MDT01**:
1. Download MDOP 2015 and copy the DaRT 10 installer file to the D:\\Setup\\DaRT 10 folder on MDT01 (DaRT\\DaRT 10\\Installers\\\
Dism /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800.
Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm.
To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (\
Dism /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800.
Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm.
To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (`
@@ -92,7 +93,7 @@ The following table lists the known compatibility fixes for all Windows operatin
@@ -219,7 +219,7 @@ Syntax: < winDir > </ winDir >
### <path>
-This element is a required child of **<winDir>** and contains a file path pointing to a valid Windows directory. Relative paths are interpreted from the ScanState tool’s working directory.
+This element is a required child of **<winDir>** and contains a file path pointing to a valid Windows directory. Relative paths are interpreted from the ScanState tool's working directory.
Syntax: <path> c:\\windows </path>
@@ -235,7 +235,7 @@ Syntax: <mappings> </mappings>
### <failOnMultipleWinDir>
-This element is an optional child of **<offline>**. The **<failOnMultipleWinDir>** element allows the user to specify that the migration should fail when USMT detects that there are multiple instances of Windows installed on the source machine. When the **<failOnMultipleWinDir>** element isn’t present, the default behavior is that the migration does not fail.
+This element is an optional child of **<offline>**. The **<failOnMultipleWinDir>** element allows the user to specify that the migration should fail when USMT detects that there are multiple instances of Windows installed on the source machine. When the **<failOnMultipleWinDir>** element isn't present, the default behavior is that the migration does not fail.
Syntax: <failOnMultipleWinDir>1</failOnMultipleWinDir> or Syntax: <failOnMultipleWinDir>0</failOnMultipleWinDir>
diff --git a/windows/deployment/usmt/understanding-migration-xml-files.md b/windows/deployment/usmt/understanding-migration-xml-files.md
index eebb4c23d3..1a5ba3389e 100644
--- a/windows/deployment/usmt/understanding-migration-xml-files.md
+++ b/windows/deployment/usmt/understanding-migration-xml-files.md
@@ -21,7 +21,7 @@ You can modify the behavior of a basic User State Migration Tool (USMT)10.0 migr
This topic provides an overview of the default and custom migration XML files and includes guidelines for creating and editing a customized version of the MigDocs.xml file. The MigDocs.xml file uses the new **GenerateDocPatterns** function available in USMT to automatically find user documents on a source computer.
-## In This Topic
+## In This topic
[Overview of the Config.xml file](#bkmk-config)
@@ -435,7 +435,7 @@ In the examples below, the source computer has a .txt file called "new text docu
-To exclude the new text document.txt file as well as any .txt files in “new folder”, you can do the following:
+To exclude the new text document.txt file as well as any .txt files in "new folder", you can do the following:
**Example 1: Exclude all .txt files in a folder**
diff --git a/windows/deployment/usmt/usmt-best-practices.md b/windows/deployment/usmt/usmt-best-practices.md
index 81f3d94585..acf803b701 100644
--- a/windows/deployment/usmt/usmt-best-practices.md
+++ b/windows/deployment/usmt/usmt-best-practices.md
@@ -1,6 +1,7 @@
---
title: USMT Best Practices (Windows 10)
-description: Learn about general and security-related best practices when using User State Migration Tool (USMT) 10.0.
+description: This article discusses general and security-related best practices when using User State Migration Tool (USMT) 10.0.
+ms.custom: seo-marvel-apr2020
ms.assetid: e3cb1e78-4230-4eae-b179-e6e9160542d2
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/usmt/usmt-common-migration-scenarios.md b/windows/deployment/usmt/usmt-common-migration-scenarios.md
index ce5b144011..30930ac481 100644
--- a/windows/deployment/usmt/usmt-common-migration-scenarios.md
+++ b/windows/deployment/usmt/usmt-common-migration-scenarios.md
@@ -21,7 +21,7 @@ You use the User State Migration Tool (USMT) 10.0 when hardware and/or operatin
One common scenario when only the operating system, and not the hardware, is being upgraded is referred to as *PC refresh*. A second common scenario is known as *PC replacement*, where one piece of hardware is being replaced, typically by newer hardware and a newer operating system.
-## In This Topic
+## In this topic
[PC Refresh](#bkmk-pcrefresh)
@@ -59,7 +59,7 @@ A company has just received funds to update the operating system on all of its c
1. On each computer, the administrator boots the machine into WinPE and runs the ScanState command-line tool, specifying the **/hardlink /nocompress** command-line options. ScanState saves the user state to a hard-link migration store on each computer, improving performance by minimizing network traffic as well as minimizing migration failures on computers with very limited space available on the hard drive.
-2. On each computer, the administrator installs the company’s standard operating environment (SOE) which includes Windows 10 and other company applications.
+2. On each computer, the administrator installs the company's standard operating environment (SOE) which includes Windows 10 and other company applications.
3. The administrator runs the LoadState command-line tool on each computer. LoadState restores each user state back to each computer.
@@ -89,7 +89,7 @@ A company has decided to update the operating system on all of its computers to
1. The administrator clean installs Windows 10 on each computer, making sure that the Windows.old directory is created by installing Windows 10 without formatting or repartitioning and by selecting a partition that contains the previous version of Windows.
-2. On each computer, the administrator installs the company’s SOE which includes company applications.
+2. On each computer, the administrator installs the company's SOE which includes company applications.
3. The administrator runs the ScanState and LoadState command-line tools successively on each computer while specifying the **/hardlink /nocompress** command-line options.
@@ -118,13 +118,13 @@ A company is allocating 20 new computers to users in the accounting department.
A company receives 50 new laptops for their managers and needs to reallocate 50 older laptops to new employees. In this scenario, an administrator runs the ScanState tool from the cmd prompt on each computer to collect the user states and save them to a server in a compressed migration store.
-1. The administrator runs the ScanState tool on each of the manager’s old laptops, and saves each user state to a server.
+1. The administrator runs the ScanState tool on each of the manager's old laptops, and saves each user state to a server.
2. On the new laptops, the administrator installs the company's SOE, which includes Windows 10 and other company applications.
-3. The administrator runs the LoadState tool on the new laptops to migrate the managers’ user states to the appropriate computer. The new laptops are now ready for the managers to use.
+3. The administrator runs the LoadState tool on the new laptops to migrate the managers' user states to the appropriate computer. The new laptops are now ready for the managers to use.
-4. On the old computers, the administrator installs the company’s SOE, which includes Windows 10, Microsoft Office, and other company applications. The old computers are now ready for the new employees to use.
+4. On the old computers, the administrator installs the company's SOE, which includes Windows 10, Microsoft Office, and other company applications. The old computers are now ready for the new employees to use.
### Scenario Three: Managed network migration
diff --git a/windows/deployment/usmt/usmt-configxml-file.md b/windows/deployment/usmt/usmt-configxml-file.md
index 6a280b171a..084c869c9a 100644
--- a/windows/deployment/usmt/usmt-configxml-file.md
+++ b/windows/deployment/usmt/usmt-configxml-file.md
@@ -33,7 +33,7 @@ To exclude a component from the Config.xml file, set the **migrate** value to **
-## In This Topic
+## In this topic
In USMT there are new migration policies that can be configured in the Config.xml file. For example, you can configure additional **<ErrorControl>**, **<ProfileControl>**, and **<HardLinkStoreControl>** options. The following elements and parameters are for use in the Config.xml file only.
diff --git a/windows/deployment/usmt/usmt-conflicts-and-precedence.md b/windows/deployment/usmt/usmt-conflicts-and-precedence.md
index 660d157cfc..fdb0e895c5 100644
--- a/windows/deployment/usmt/usmt-conflicts-and-precedence.md
+++ b/windows/deployment/usmt/usmt-conflicts-and-precedence.md
@@ -31,7 +31,7 @@ When you include, exclude, and reroute files and settings, it is important to kn
- **You can use the <unconditionalExclude> element to globally exclude data.** This element excludes objects, regardless of any other <include> rules that are in the .xml files. For example, you can use the <unconditionalExclude> element to exclude all MP3 files on the computer or to exclude all files from C:\\UserData.
-## In This Topic
+## In this topic
**General**
diff --git a/windows/deployment/usmt/usmt-hard-link-migration-store.md b/windows/deployment/usmt/usmt-hard-link-migration-store.md
index c444a1894a..8c39400821 100644
--- a/windows/deployment/usmt/usmt-hard-link-migration-store.md
+++ b/windows/deployment/usmt/usmt-hard-link-migration-store.md
@@ -19,7 +19,7 @@ ms.topic: article
A *hard-link migration store* enables you to perform an in-place migration where all user state is maintained on the computer while the old operating system is removed and the new operating system is installed; this is why it is best suited for the computer-refresh scenario. Use of a hard-link migration store for a computer-refresh scenario drastically improves migration performance and significantly reduces hard-disk utilization, reduces deployment costs and enables entirely new migration scenarios.
-## In This Topic
+## In this topic
[When to Use a Hard-Link Migration](#bkmk-when)
@@ -75,7 +75,7 @@ A hard link can only be created for a file on the same volume. If you copy a har
For more information about hard links, please see [Hard Links and Junctions](https://go.microsoft.com/fwlink/p/?LinkId=132934)
-In most aspects, a hard-link migration store is identical to an uncompressed migration store. It is located where specified by the Scanstate command-line tool and you can view the contents of the store by using Windows® Explorer. Once created, it can be deleted or copied to another location without changing user state. Restoring a hard-link migration store is similar to restoring any other migration store; however, as with creating the store, the same hard-link functionality is used to keep files in-place.
+In most aspects, a hard-link migration store is identical to an uncompressed migration store. It is located where specified by the Scanstate command-line tool and you can view the contents of the store by using Windows® Explorer. Once created, it can be deleted or copied to another location without changing user state. Restoring a hard-link migration store is similar to restoring any other migration store; however, as with creating the store, the same hard-link functionality is used to keep files in-place.
As a best practice, we recommend that you delete the hard-link migration store after you confirm that the Loadstate tool has successfully migrated the files. Since Loadstate has created new paths to the files on your new installation of a Windows operating system, deleting the hard links in the migration store will only delete one path to the files and will not delete the actual files or the paths to them from your new operating system.
diff --git a/windows/deployment/usmt/usmt-identify-users.md b/windows/deployment/usmt/usmt-identify-users.md
index f592773c30..d86d82ae25 100644
--- a/windows/deployment/usmt/usmt-identify-users.md
+++ b/windows/deployment/usmt/usmt-identify-users.md
@@ -18,7 +18,7 @@ ms.localizationpriority: medium
It is important to carefully consider how you plan to migrate users. By default, all users are migrated by User State Migration Tool (USMT) 5.0. You must specify which users to include by using the command line. You cannot specify users in the .xml files. For instructions on how to migrate users, see [Migrate User Accounts](usmt-migrate-user-accounts.md).
-## In This Topic
+## In this topic
- [Migrating Local Accounts](#bkmk-8)
- [Migrating Domain Accounts](#bkmk-9)
diff --git a/windows/deployment/usmt/usmt-loadstate-syntax.md b/windows/deployment/usmt/usmt-loadstate-syntax.md
index 2a52999416..f421c5d9ee 100644
--- a/windows/deployment/usmt/usmt-loadstate-syntax.md
+++ b/windows/deployment/usmt/usmt-loadstate-syntax.md
@@ -17,9 +17,9 @@ ms.topic: article
# LoadState Syntax
-This topic discusses the **LoadState** command syntax and options.
+This topic discusses the **LoadState** command syntax and options available with it.
-## In This Topic
+## In this topic
[Before You Begin](#before)
@@ -462,7 +462,7 @@ You can use the **/uel**, **/ue** and **/ui** options together to migrate only t
**The /ui option has precedence over the /ue and /uel options.** If a user is specified to be included using the **/ui** option, and also specified to be excluded using either the **/ue** or **/uel** options, the user will be included in the migration. For example, if you specify `/ui:contoso\* /ue:contoso\user1`, then User1 will be migrated, because the **/ui** option takes precedence over the **/ue** option.
-**The /uel option takes precedence over the /ue option.** If a user has logged on within the specified time period set by the **/uel** option, that user’s profile will be migrated even if they are excluded by using the **/ue** option. For example, if you specify `/ue:contoso\user1 /uel:14`, the User1 will be migrated if they have logged on to the computer within the last 14 days.
+**The /uel option takes precedence over the /ue option.** If a user has logged on within the specified time period set by the **/uel** option, that user's profile will be migrated even if they are excluded by using the **/ue** option. For example, if you specify `/ue:contoso\user1 /uel:14`, the User1 will be migrated if they have logged on to the computer within the last 14 days.
The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.| 1903 |
| Print 3D app | Going forward, 3D Builder is the recommended 3D printing app. To 3D print objects on new Windows devices, customers must first install 3D Builder from the Store.| 1903 |
-|Companion device dynamic lock APIS|The companion device framework (CDF) APIs enable wearables and other devices to unlock a PC. In Windows 10, version 1709, we introduced [Dynamic Lock](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features#dynamic-lock), including an inbox method using Bluetooth to detect whether a user is present and lock or unlock the PC. Because of this, and because third party partners didn't adopt the CDF method, we're no longer developing CDF Dynamic Lock APIs.| 1809 |
+|Companion device dynamic lock APIS|The companion device framework (CDF) APIs enable wearables and other devices to unlock a PC. In Windows 10, version 1709, we introduced [Dynamic Lock](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features#dynamic-lock), including an inbox method using Bluetooth to detect whether a user is present and lock or unlock the PC. Because of this, and because non-Microsoft partners didn't adopt the CDF method, we're no longer developing CDF Dynamic Lock APIs.| 1809 |
|OneSync service|The OneSync service synchronizes data for the Mail, Calendar, and People apps. We've added a sync engine to the Outlook app that provides the same synchronization.| 1809 |
|Snipping Tool|The Snipping Tool is an application included in Windows 10 that is used to capture screenshots, either the full screen or a smaller, custom "snip" of the screen. In Windows 10, version 1809, we're [introducing a new universal app, Snip & Sketch](https://blogs.windows.com/windowsexperience/2018/05/03/announcing-windows-10-insider-preview-build-17661/#8xbvP8vMO0lF20AM.97), that provides the same screen snipping abilities, as well as additional features. You can launch Snip & Sketch directly and start a snip from there, or just press WIN + Shift + S. Snip & Sketch can also be launched from the “Screen snip” button in the Action Center. We're no longer developing the Snipping Tool as a separate app but are instead consolidating its functionality into Snip & Sketch.| 1809 |
|[Software Restriction Policies](https://docs.microsoft.com/windows-server/identity/software-restriction-policies/software-restriction-policies) in Group Policy|Instead of using the Software Restriction Policies through Group Policy, you can use [AppLocker](https://docs.microsoft.com/windows/security/threat-protection/applocker/applocker-overview) or [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control) to control which apps users can access and what code can run in the kernel.| 1803 |
|[Offline symbol packages](https://docs.microsoft.com/windows-hardware/drivers/debugger/debugger-download-symbols) (Debug symbol MSIs)|We're no longer making the symbol packages available as a downloadable MSI. Instead, the [Microsoft Symbol Server is moving to be an Azure-based symbol store](https://blogs.msdn.microsoft.com/windbg/2017/10/18/update-on-microsofts-symbol-server/). If you need the Windows symbols, connect to the Microsoft Symbol Server to cache your symbols locally or use a manifest file with SymChk.exe on a computer with internet access.| 1803 |
|Windows Help Viewer (WinHlp32.exe)|All Windows help information is [available online](https://support.microsoft.com/products/windows?os=windows-10). The Windows Help Viewer is no longer supported in Windows 10. If for any reason you see an error message about "help not supported," possibly when using a non-Microsoft application, read [this support article](https://support.microsoft.com/help/917607/error-opening-help-in-windows-based-programs-feature-not-included-or-h) for additional information and any next steps.| 1803 |
+|MBAE service metadata|The MBAE app experience is replaced by an MO UWP app. For more information, see [Developer guide for creating service metadata](https://docs.microsoft.com/windows-hardware/drivers/mobilebroadband/developer-guide-for-creating-service-metadata) | 1803 |
|Contacts feature in File Explorer|We're no longer developing the Contacts feature or the corresponding [Windows Contacts API](https://msdn.microsoft.com/library/ff800913.aspx). Instead, you can use the People app in Windows 10 to maintain your contacts.| 1803 |
|Phone Companion|Use the **Phone** page in the Settings app. In Windows 10, version 1709, we added the new **Phone** page to help you sync your mobile phone with your PC. It includes all the Phone Companion features.| 1803 |
|IPv4/6 Transition Technologies (6to4, ISATAP, Teredo, and Direct Tunnels)|6to4 has been disabled by default since Windows 10, version 1607 (the Anniversary Update), ISATAP has been disabled by default since Windows 10, version 1703 (the Creators Update), Teredo has been disabled since Windows 10, version 1803, and Direct Tunnels has always been disabled by default. Please use native IPv6 support instead.| 1803 |
@@ -58,7 +59,7 @@ The features described below are no longer being actively developed, and might b
|Trusted Platform Module (TPM) Owner Password Management |This functionality within TPM.msc will be migrated to a new user interface.| 1709 |
|Trusted Platform Module (TPM): TPM.msc and TPM Remote Management | To be replaced by a new user interface in a future release. | 1709 |
|Trusted Platform Module (TPM) Remote Management |This functionality within TPM.msc will be migrated to a new user interface. | 1709 |
-|Windows Hello for Business deployment that uses Microsoft Endpoint Configuration Manager |Windows Server 2016 Active Directory Federation Services – Registration Authority (ADFS RA) deployment is simpler and provides a better user experience and a more deterministic certificate enrollment experience. | 1709 |
+|Windows Hello for Business deployment that uses Microsoft Endpoint Manager |Windows Server 2016 Active Directory Federation Services – Registration Authority (ADFS RA) deployment is simpler and provides a better user experience and a more deterministic certificate enrollment experience. | 1709 |
|Windows PowerShell 2.0 | Applications and components should be migrated to PowerShell 5.0+. | 1709 |
|Apndatabase.xml | Apndatabase.xml is being replaced by the COSA database. Therefore, some constructs will no longer function. This includes Hardware ID, incoming SMS messaging rules in mobile apps, a list of privileged apps in mobile apps, autoconnect order, APN parser, and CDMAProvider ID. | 1703 |
|Tile Data Layer | The [Tile Data Layer](https://docs.microsoft.com/windows/configuration/start-layout-troubleshoot#symptom-start-menu-issues-with-tile-data-layer-corruption) database stopped development in Windows 10, version 1703. | 1703 |
diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
index 546b8de3af..b48649cf32 100644
--- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
+++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
@@ -64,7 +64,7 @@ Many existing Win32 and Win64 applications already run reliably on Windows 10 wi
Updated versions of Microsoft deployment tools, including MDT, Configuration Manager, and the Windows Assessment and Deployment Kit (Windows ADK) have been released to support Windows 10.
- [MDT](https://www.microsoft.com/mdt) is Microsoft’s recommended collection of tools, processes, and guidance for automating desktop and server deployment.
-- Configuration Manager simplifies the deployment and management of Windows 10. If you are not currently using Configuration Manager, you can download a free 180-day trial of [Microsoft Endpoint Configuration Manager and Endpoint Protection (current branch)](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) from the TechNet Evaluation Center.
+- Configuration Manager simplifies the deployment and management of Windows 10. If you are not currently using Configuration Manager, you can download a free 180-day trial of [Microsoft Endpoint Manager and Endpoint Protection (current branch)](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) from the TechNet Evaluation Center.
- The [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit#winADK) has tools that allow you to customize Windows images for large-scale deployment, and test system quality and performance. You can download the latest version of the Windows ADK for Windows 10 from the Hardware Dev Center.
### Can I upgrade computers from Windows 7 or Windows 8.1 without deploying a new image?
diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md
index 7ca82acf70..ccc6b27193 100644
--- a/windows/deployment/planning/windows-10-infrastructure-requirements.md
+++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md
@@ -40,7 +40,7 @@ The latest version of the Microsoft Deployment Toolkit (MDT) is available for do
For Configuration Manager, Windows 10 version specific support is offered with [various releases](https://docs.microsoft.com/mem/configmgr/core/plan-design/configs/support-for-windows-10).
-For more details about Microsoft Endpoint Configuration Manager support for Windows 10, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
+For more details about Microsoft Endpoint Manager support for Windows 10, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md).
## Management tools
diff --git a/windows/deployment/planning/windows-10-removed-features.md b/windows/deployment/planning/windows-10-removed-features.md
index 7085ba9fb5..22163f17a9 100644
--- a/windows/deployment/planning/windows-10-removed-features.md
+++ b/windows/deployment/planning/windows-10-removed-features.md
@@ -10,6 +10,7 @@ author: greg-lindsay
ms.author: greglin
manager: laurawi
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# Features and functionality removed in Windows 10
@@ -27,6 +28,8 @@ The following features and functionalities have been removed from the installed
|Feature | Details and mitigation | Removed in version |
| ----------- | --------------------- | ------ |
+|Microsoft Edge|The legacy version of Microsoft Edge is no longer supported after March 9th, 2021. For more information, see [End of support reminder for Microsoft Edge Legacy](https://docs.microsoft.com/lifecycle/announcements/edge-legacy-eos-details). | 21H1 |
+|MBAE service metadata|The MBAE app experience is replaced by an MO UWP app. Metadata for the MBAE service is removed. | 20H2 |
| Connect app | The **Connect** app for wireless projection using Miracast is no longer installed by default, but is available as an optional feature. To install the app, click on **Settings** > **Apps** > **Optional features** > **Add a feature** and then install the **Wireless Display** app. | 2004 |
| Rinna and Japanese Address suggestion | The Rinna and Japanese Address suggestion service for Microsoft Japanese Input Method Editor (IME) ended on August 13th, 2020. For more information, see [Rinna and Japanese Address suggestion will no longer be offered](https://support.microsoft.com/help/4576767/windows-10-rinna-and-japanese-address-suggestion) | 2004 |
| Cortana | Cortana has been updated and enhanced in the Windows 10 May 2020 Update. With [these changes](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-2004#cortana), some previously available consumer skills such as music, connected home, and other non-Microsoft skills are no longer available. | 2004 |
@@ -43,7 +46,7 @@ The following features and functionalities have been removed from the installed
|Future updates through [Windows Embedded Developer Update](https://docs.microsoft.com/previous-versions/windows/embedded/ff770079\(v=winembedded.60\)) for Windows Embedded Standard 7-SP1 (WES7-SP1) and Windows Embedded Standard 8 (WES8)|We’re no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx). [Learn how](https://techcommunity.microsoft.com/t5/Windows-Embedded/Change-to-the-Windows-Embedded-Developer-Update/ba-p/285704) to get updates from the catalog.| 1809 |
|Groove Music Pass|[We ended the Groove streaming music service and music track sales through the Microsoft Store in 2017](https://support.microsoft.com/help/4046109/groove-music-and-spotify-faq). The Groove app is being updated to reflect this change. You can still use Groove Music to play the music on your PC. You can use Spotify or other music services to stream music on Windows 10, or to buy music to own.| 1803 |
|People - Suggestions will no longer include unsaved contacts for non-Microsoft accounts|Manually save the contact details for people you send mail to or get mail from.| 1803 |
-|Language control in the Control Panel| Use the Settings app to change your language settings.| 1803 |
+|Language control in the Control Panel| Use the Settings app to change your language settings.| 1803 |
|HomeGroup|We are removing [HomeGroup](https://support.microsoft.com/help/17145) but not your ability to share printers, files, and folders.
When you update to Windows 10, version 1803, you won't see HomeGroup in File Explorer, the Control Panel, or Troubleshoot (**Settings > Update & Security > Troubleshoot**). Any printers, files, and folders that you shared using HomeGroup **will continue to be shared**.
Instead of using HomeGroup, you can now share printers, files and folders by using features that are built into Windows 10:
- [Share your network printer](https://www.bing.com/search?q=share+printer+windows+10)
- [Share files in File Explorer](https://support.microsoft.com/help/4027674/windows-10-share-files-in-file-explorer) | 1803 |
|**Connect to suggested open hotspots** option in Wi-Fi settings |We previously [disabled the **Connect to suggested open hotspots** option](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) and are now removing it from the Wi-Fi settings page. You can manually connect to free wireless hotspots with **Network & Internet** settings, from the taskbar or Control Panel, or by using Wi-Fi Settings (for mobile devices).| 1803 |
|XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. If you have XPS Viewer and you update to Windows 10, version 1803, there's no action required. You'll still have XPS Viewer.
However, if you install Windows 10, version 1803, on a new device (or as a clean installation), you may need to [install XPS Viewer from **Apps and Features** in the Settings app](https://docs.microsoft.com/windows/application-management/add-apps-and-features) or through [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.| 1803 |
diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.md b/windows/deployment/planning/windows-to-go-frequently-asked-questions.md
index 2a8889f1ab..f0c41844f7 100644
--- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.md
+++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.md
@@ -49,13 +49,13 @@ The following list identifies some commonly asked questions about Windows To Go.
- [How do I make my computer boot from USB?](#wtf-faq-startup)
-- [Why isn’t my computer booting from USB?](#wtg-faq-noboot)
+- [Why isn't my computer booting from USB?](#wtg-faq-noboot)
- [What happens if I remove my Windows To Go drive while it is running?](#wtg-faq-surprise)
- [Can I use BitLocker to protect my Windows To Go drive?](#wtg-faq-bitlocker)
-- [Why can’t I enable BitLocker from Windows To Go Creator?](#wtg-faq-blfail)
+- [Why can't I enable BitLocker from Windows To Go Creator?](#wtg-faq-blfail)
- [What power states does Windows To Go support?](#wtg-faq-power)
@@ -63,11 +63,11 @@ The following list identifies some commonly asked questions about Windows To Go.
- [Does Windows To Go support crash dump analysis?](#wtg-faq-crashdump)
-- [Do “Windows To Go Startup Options” work with dual boot computers?](#wtg-faq-dualboot)
+- [Do "Windows To Go Startup Options" work with dual boot computers?](#wtg-faq-dualboot)
-- [I plugged my Windows To Go drive into a running computer and I can’t see the partitions on the drive. Why not?](#wtg-faq-diskpart)
+- [I plugged my Windows To Go drive into a running computer and I can't see the partitions on the drive. Why not?](#wtg-faq-diskpart)
-- [I’m booted into Windows To Go, but I can’t browse to the internal hard drive of the host computer. Why not?](#wtg-faq-san4)
+- [I'm booted into Windows To Go, but I can't browse to the internal hard drive of the host computer. Why not?](#wtg-faq-san4)
- [Why does my Windows To Go drive have an MBR disk format with a FAT32 system partition?](#wtg-faq-fatmbr)
@@ -95,17 +95,17 @@ The following list identifies some commonly asked questions about Windows To Go.
- [How is Windows To Go licensed?](#wtg-faq-lic)
-- [Does Windows Recovery Environment work with Windows To Go? What’s the guidance for recovering a Windows To Go drive?](#wtg-faq-recovery)
+- [Does Windows Recovery Environment work with Windows To Go? What's the guidance for recovering a Windows To Go drive?](#wtg-faq-recovery)
-- [Why won’t Windows To Go work on a computer running Windows XP or Windows Vista?](#wtg-faq-oldos)
+- [Why won't Windows To Go work on a computer running Windows XP or Windows Vista?](#wtg-faq-oldos)
- [Why does the operating system on the host computer matter?](#wtg-faq-oldos2)
- [My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go?](#wtg-faq-blreckey)
-- [I decided to stop using a drive for Windows To Go and reformatted it – why doesn’t it have a drive letter assigned and how can I fix it?](#wtg-faq-reformat)
+- [I decided to stop using a drive for Windows To Go and reformatted it – why doesn't it have a drive letter assigned and how can I fix it?](#wtg-faq-reformat)
-- [Why do I keep on getting the message “Installing devices…” when I boot Windows To Go?](#bkmk-roamconflict)
+- [Why do I keep on getting the message "Installing devices…" when I boot Windows To Go?](#bkmk-roamconflict)
- [How do I upgrade the operating system on my Windows To Go drive?](#bkmk-upgradewtg)
@@ -188,7 +188,7 @@ In the **Windows To Go Startup Options** dialog box select **Yes** and then clic
If the host computer is running an earlier version of the Windows operating system need to configure the computer to boot from USB manually.
-To do this, early during boot time (usually when you see the manufacturer’s logo), enter your firmware/BIOS setup. (This method to enter firmware/BIOS setup differs with different computer manufacturers, but is usually entered by pressing one of the function keys, such as F12, F2, F1, Esc, and so forth. You should check the manufacturer’s site to be sure if you do not know which key to use to enter firmware setup.)
+To do this, early during boot time (usually when you see the manufacturer's logo), enter your firmware/BIOS setup. (This method to enter firmware/BIOS setup differs with different computer manufacturers, but is usually entered by pressing one of the function keys, such as F12, F2, F1, Esc, and so forth. You should check the manufacturer's site to be sure if you do not know which key to use to enter firmware setup.)
After you have entered firmware setup, make sure that boot from USB is enabled. Then change the boot order to boot from USB drives first.
@@ -201,14 +201,14 @@ Configuring a computer to boot from USB will cause your computer to attempt to b
-## Why isn’t my computer booting from USB?
+## Why isn't my computer booting from USB?
Computers certified for Windows 7 and later are required to have support for USB boot. Check to see if any of the following items apply to your situation:
1. Ensure that your computer has the latest BIOS installed and the BIOS is configured to boot from a USB device.
-2. Ensure that the Windows To Go drive is connected directly to a USB port on the computer. Many computers don’t support booting from a device connected to a USB 3 PCI add-on card or external USB hubs.
+2. Ensure that the Windows To Go drive is connected directly to a USB port on the computer. Many computers don't support booting from a device connected to a USB 3 PCI add-on card or external USB hubs.
3. If the computer is not booting from a USB 3.0 port, try to boot from a USB 2.0 port.
@@ -229,7 +229,7 @@ You should never remove your Windows To Go drive when your workspace is running.
Yes. In Windows 8 and later, BitLocker has added support for using a password to protect operating system drives. This means that you can use a password to secure your Windows To Go workspace and you will be prompted to enter this password every time you use the Windows To Go workspace.
-## Why can’t I enable BitLocker from Windows To Go Creator?
+## Why can't I enable BitLocker from Windows To Go Creator?
Several different Group Policies control the use of BitLocker on your organizations computers. These policies are located in the **Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** folder of the local Group Policy editor. The folder contains three sub-folders for fixed, operating system and removable data drive types.
@@ -265,27 +265,27 @@ When a Windows To Go workspace is hibernated, it will only successfully resume o
Yes. Windows 8 and later support crash dump stack analysis for both USB 2.0 and 3.0.
-## Do “Windows To Go Startup Options” work with dual boot computers?
+## Do "Windows To Go Startup Options" work with dual boot computers?
-Yes, if both operating systems are running the Windows 8 operating system. Enabling “Windows To Go Startup Options” should cause the computer to boot from the Windows To Go workspace when the drive is plugged in before the computer is turned on.
+Yes, if both operating systems are running the Windows 8 operating system. Enabling "Windows To Go Startup Options" should cause the computer to boot from the Windows To Go workspace when the drive is plugged in before the computer is turned on.
If you have configured a dual boot computer with a Windows operating system and another operating system it might work occasionally and fail occasionally. Using this configuration is unsupported.
-## I plugged my Windows To Go drive into a running computer and I can’t see the partitions on the drive. Why not?
+## I plugged my Windows To Go drive into a running computer and I can't see the partitions on the drive. Why not?
-Windows To Go Creator and the recommended deployment steps for Windows To Go set the NO\_DEFAULT\_DRIVE\_LETTER flag on the Windows To Go drive. This flag prevents Windows from automatically assigning drive letters to the partitions on the Windows To Go drive. That’s why you can’t see the partitions on the drive when you plug your Windows To Go drive into a running computer. This helps prevent accidental data leakage between the Windows To Go drive and the host computer. If you really need to access the files on the Windows To Go drive from a running computer, you can use diskmgmt.msc or diskpart to assign a drive letter.
+Windows To Go Creator and the recommended deployment steps for Windows To Go set the NO\_DEFAULT\_DRIVE\_LETTER flag on the Windows To Go drive. This flag prevents Windows from automatically assigning drive letters to the partitions on the Windows To Go drive. That's why you can't see the partitions on the drive when you plug your Windows To Go drive into a running computer. This helps prevent accidental data leakage between the Windows To Go drive and the host computer. If you really need to access the files on the Windows To Go drive from a running computer, you can use diskmgmt.msc or diskpart to assign a drive letter.
**Warning**
It is strongly recommended that you do not plug your Windows To Go drive into a running computer. If the computer is compromised, your Windows To Go workspace can also be compromised.
-## I’m booted into Windows To Go, but I can’t browse to the internal hard drive of the host computer. Why not?
+## I'm booted into Windows To Go, but I can't browse to the internal hard drive of the host computer. Why not?
-Windows To Go Creator and the recommended deployment steps for Windows To Go set SAN Policy 4 on Windows To Go drive. This policy prevents Windows from automatically mounting internal disk drives. That’s why you can’t see the internal hard drives of the host computer when you are booted into Windows To Go. This is done to prevent accidental data leakage between Windows To Go and the host system. This policy also prevents potential corruption on the host drives or data loss if the host operating system is in a hibernation state. If you really need to access the files on the internal hard drive, you can use diskmgmt.msc to mount the internal drive.
+Windows To Go Creator and the recommended deployment steps for Windows To Go set SAN Policy 4 on Windows To Go drive. This policy prevents Windows from automatically mounting internal disk drives. That's why you can't see the internal hard drives of the host computer when you are booted into Windows To Go. This is done to prevent accidental data leakage between Windows To Go and the host system. This policy also prevents potential corruption on the host drives or data loss if the host operating system is in a hibernation state. If you really need to access the files on the internal hard drive, you can use diskmgmt.msc to mount the internal drive.
**Warning**
It is strongly recommended that you do not mount internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 or later operating system, mounting the drive will lead to loss of hibernation state and therefor user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted.
@@ -340,7 +340,7 @@ If you are using a USB 3.0 port and a Windows To Go certified device, there shou
## If I lose my Windows To Go drive, will my data be safe?
-Yes! If you enable BitLocker on your Windows To Go drive, all your data will be encrypted and protected and a malicious user will not be able to access your data without your password. If you don’t enable BitLocker, your data will be vulnerable if you lose your Windows To Go drive.
+Yes! If you enable BitLocker on your Windows To Go drive, all your data will be encrypted and protected and a malicious user will not be able to access your data without your password. If you don't enable BitLocker, your data will be vulnerable if you lose your Windows To Go drive.
## Can I boot Windows To Go on a Mac?
@@ -361,12 +361,12 @@ For more information, see the MSDN article on the [Win32\_OperatingSystem class]
Windows To Go allows organization to support the use of privately owned PCs at the home or office with more secure access to their organizational resources. With Windows To Go use rights under [Software Assurance](https://go.microsoft.com/fwlink/p/?LinkId=619062), an employee will be able to use Windows To Go on any company PC licensed with Software Assurance as well as from their home PC.
-## Does Windows Recovery Environment work with Windows To Go? What’s the guidance for recovering a Windows To Go drive?
+## Does Windows Recovery Environment work with Windows To Go? What's the guidance for recovering a Windows To Go drive?
No, use of Windows Recovery Environment is not supported on Windows To Go. It is recommended that you implement user state virtualization technologies like Folder Redirection to centralize and back up user data in the data center. If any corruption occurs on a Windows To Go drive, you should re-provision the workspace.
-## Why won’t Windows To Go work on a computer running Windows XP or Windows Vista?
+## Why won't Windows To Go work on a computer running Windows XP or Windows Vista?
Actually it might. If you have purchased a computer certified for Windows 7 or later and then installed an older operating system, Windows To Go will boot and run as expected as long as you have configured the firmware to boot from USB. However, if the computer was certified for Windows XP or Windows Vista, it might not meet the hardware requirements for Windows To Go to run. Typically computers certified for Windows Vista and earlier operating systems have less memory, less processing power, reduced video rendering, and slower USB ports.
@@ -374,7 +374,7 @@ Actually it might. If you have purchased a computer certified for Windows 7 or
## Why does the operating system on the host computer matter?
-It doesn’t other than to help visually identify if the PC has compatible hardware. For a PC to be certified for Windows 7 or later it had to support booting from USB. If a computer cannot boot from USB there is no way that it can be used with Windows To Go. The Windows To Go workspace is a full Windows 10 environment, so all of the hardware requirements of Windows 10 with respect to processing speed, memory usage, and graphics rendering need to be supported to be assured that it will work as expected.
+It doesn't other than to help visually identify if the PC has compatible hardware. For a PC to be certified for Windows 7 or later it had to support booting from USB. If a computer cannot boot from USB there is no way that it can be used with Windows To Go. The Windows To Go workspace is a full Windows 10 environment, so all of the hardware requirements of Windows 10 with respect to processing speed, memory usage, and graphics rendering need to be supported to be assured that it will work as expected.
## My host computer running Windows 7 is protected by BitLocker Drive Encryption. Why did I need to use the recovery key to unlock and reboot my host computer after using Windows To Go?
@@ -406,10 +406,10 @@ The host computer will now be able to be booted from a USB drive without trigger
-## I decided to stop using a drive for Windows To Go and reformatted it – why doesn’t it have a drive letter assigned and how can I fix it?
+## I decided to stop using a drive for Windows To Go and reformatted it – why doesn't it have a drive letter assigned and how can I fix it?
-Reformatting the drive erases the data on the drive, but doesn’t reconfigure the volume attributes. When a drive is provisioned for use as a Windows To Go drive the NODEFAULTDRIVELETTER attribute is set on the volume. To remove this attribute, use the following steps:
+Reformatting the drive erases the data on the drive, but doesn't reconfigure the volume attributes. When a drive is provisioned for use as a Windows To Go drive the NODEFAULTDRIVELETTER attribute is set on the volume. To remove this attribute, use the following steps:
1. Open a command prompt with full administrator permissions.
@@ -424,14 +424,14 @@ Reformatting the drive erases the data on the drive, but doesn’t reconfigure t
4. After selecting the disk, run the `clean` command to remove all data, formatting, and initialization information from the drive.
-## Why do I keep on getting the message “Installing devices…” when I boot Windows To Go?
+## Why do I keep on getting the message "Installing devices…" when I boot Windows To Go?
One of the challenges involved in moving the Windows To Go drive between PCs while seamlessly booting Windows with access to all of their applications and data is that for Windows to be fully functional, specific drivers need to be installed for the hardware in each machine that runs Windows. Windows 8 or later has a process called respecialize which will identify new drivers that need to be loaded for the new PC and disable drivers which are not present on the new configuration. In general this feature is reliable and efficient when roaming between PCs of widely varying hardware configurations.
-In certain cases, third party drivers for different hardware models or versions can reuse device ID’s, driver file names, registry keys (or any other operating system constructs which do not support side-by-side storage) for similar hardware. For example, Touchpad drivers on different laptops often reuse the same device ID’s, and video cards from the same manufacturer may often reuse service names. Windows handles these situations by marking the non-present device node with a flag that indicates the existing driver needs to be reinstalled before continuing to install the new driver.
+In certain cases, third party drivers for different hardware models or versions can reuse device ID's, driver file names, registry keys (or any other operating system constructs which do not support side-by-side storage) for similar hardware. For example, Touchpad drivers on different laptops often reuse the same device ID's, and video cards from the same manufacturer may often reuse service names. Windows handles these situations by marking the non-present device node with a flag that indicates the existing driver needs to be reinstalled before continuing to install the new driver.
-This process will occur on any boot that a new driver is found and a driver conflict is detected. In some cases that will result in a respecialize progress message “Installing devices…” displaying every time that a Windows to Go drive is roamed between two PCs which require conflicting drivers.
+This process will occur on any boot that a new driver is found and a driver conflict is detected. In some cases that will result in a respecialize progress message "Installing devices…" displaying every time that a Windows to Go drive is roamed between two PCs which require conflicting drivers.
## How do I upgrade the operating system on my Windows To Go drive?
diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md
index 37b3315a1d..ea76222dde 100644
--- a/windows/deployment/s-mode.md
+++ b/windows/deployment/s-mode.md
@@ -14,6 +14,7 @@ author: greg-lindsay
ms.author: greglin
audience: itpro
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# Windows 10 in S mode - What is it?
@@ -57,4 +58,4 @@ The [MSIX Packaging Tool](https://docs.microsoft.com/windows/application-managem
- [Consumer applications for S mode](https://www.microsoft.com/windows/s-mode)
- [S mode devices](https://www.microsoft.com/en-us/windows/view-all-devices)
- [Windows Defender Application Control deployment guide](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide)
-- [Windows Defender Advanced Threat Protection](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)
+- [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)
diff --git a/windows/deployment/update/PSFxWhitepaper.md b/windows/deployment/update/PSFxWhitepaper.md
index 8f73fcdfd0..4a6d9ab0f1 100644
--- a/windows/deployment/update/PSFxWhitepaper.md
+++ b/windows/deployment/update/PSFxWhitepaper.md
@@ -12,6 +12,7 @@ ms.author: jaimeo
ms.reviewer:
manager: laurawi
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# Windows Updates using forward and reverse differentials
@@ -37,8 +38,6 @@ The following general terms apply throughout this document:
- *Revision*: Minor releases in between the major version releases, such as KB4464330 (Windows 10 Build 17763.55)
- *Baseless Patch Storage Files (Baseless PSF)*: Patch storage files that contain full binaries or files
-## Introduction
-
In this paper, we introduce a new technique that can produce compact software
updates optimized for any origin/destination revision pair. It does this by
calculating forward the differential of a changed file from the base version and
diff --git a/windows/deployment/update/WIP4Biz-intro.md b/windows/deployment/update/WIP4Biz-intro.md
index 97f6eb21e1..4a1087d274 100644
--- a/windows/deployment/update/WIP4Biz-intro.md
+++ b/windows/deployment/update/WIP4Biz-intro.md
@@ -1,7 +1,8 @@
---
title: Introduction to the Windows Insider Program for Business
-description: Introduction to the Windows Insider Program for Business and why IT Pros should join
+description: In this article, you'll learn about the Windows Insider Program for Business and why IT Pros should join.
keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, WiP4Biz, enterprise, rings, flight
+ms.custom: seo-marvel-apr2020
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
diff --git a/windows/deployment/update/create-deployment-plan.md b/windows/deployment/update/create-deployment-plan.md
index da1db27ff2..a1ce6bbe19 100644
--- a/windows/deployment/update/create-deployment-plan.md
+++ b/windows/deployment/update/create-deployment-plan.md
@@ -6,20 +6,20 @@ ms.mktglfcycl: manage
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
-ms.reviewer:
+ms.collection: m365initiative-coredeploy
manager: laurawi
ms.topic: article
---
# Create a deployment plan
-A service management mindset means that the devices in your organization fall into a continuum, with the software update process being constantly planned, deployed, monitored, and optimized. And once this process is used for feature updates, quality updates become a lightweight procedure that is simple and fast to execute, ultimately increasing velocity.
+A "service management" mindset means that the devices in your organization fall into a continuum, with the software update process being constantly planned, deployed, monitored, and optimized. And once you use this process for feature updates, quality updates become a lightweight procedure that is simple and fast to execute, ultimately increasing velocity.
-When you move to a service management model, you need effective ways of rolling out updates to representative groups of devices, and we’ve found that ring-based deployment is a methodology that works well for us at Microsoft and many other organizations across the globe. Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades--they are simply a method by which to separate devices into a deployment timeline.
+When you move to a service management model, you need effective ways of rolling out updates to representative groups of devices. We’ve found that a ring-based deployment works well for us at Microsoft and many other organizations across the globe. Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades. They are simply a method to separate devices into a deployment timeline.
-At the highest level, each “ring” comprise a group of users or devices that receive a particular update concurrently. For each ring, IT administrators set criteria to control deferral time or adoption (completion) that should be met before deployment to the next broader ring of devices or users can occur.
+At the highest level, each “ring” comprises a group of users or devices that receive a particular update concurrently. For each ring, IT administrators set criteria to control deferral time or adoption (completion) that should be met before deployment to the next broader ring of devices or users can occur.
-A common ring structure comprises three deployment groups:
+A common ring structure uses three deployment groups:
- Preview: Planning and development
- Limited: Pilot and validation
@@ -34,22 +34,20 @@ A common ring structure comprises three deployment groups:
## How many rings should I have?
-There are no definite rules for exactly how many rings to have for your deployments. As mentioned previously, you might want to ensure zero downtime for mission-critical devices by putting them in their own ring. If you have a large
-organization, you might want to consider assigning devices to rings based on geographic location or the size of rings so that helpdesk resources are more available. Consider the needs of your business and introduce rings that make sense for your organization.
+There are no definite rules for exactly how many rings to have for your deployments. As mentioned previously, you might want to ensure zero downtime for mission-critical devices by putting them in their own ring. If you have a large organization, you might want to consider assigning devices to rings based on geographic location or the size of rings so that helpdesk resources are more available. Consider the needs of your business and introduce rings that make sense for your organization.
## Advancing between rings
-There are basically two strategies for moving deployments from one ring to the next. One is service based, the other project based.
+There are basically two strategies for moving deployments from one ring to the next. One is service-based, the other project based.
- "Red button" (service based): Assumes that content is good until proven bad. Content flows until an issue is discovered, at which point the IT administrator presses the “red button” to stop further distribution.
- Green button (project based): Assumes that content is bad until proven good. Once all validation has passed, the IT administrator presses the “green button” to push the content to the next ring.
-When it comes to deployments, having manual steps in the process usually impedes update velocity, so a "red button" strategy is better when that is your goal.
+When it comes to deployments, having manual steps in the process usually impedes update velocity. A "red button" strategy is better when that is your goal.
## Preview ring
-The purpose of the Preview ring is to evaluate the new features of the update. This is specifically *not* for broad parts of the organization but is limited to the people who are responsible for knowing what is coming next,
-generally IT administrators. Ultimately, this is the time the design and planning work happens so that when the public update is actually shipped, you can have greater confidence in the update.
+The purpose of the Preview ring is to evaluate the new features of the update. It's *not* for broad parts of the organization but is limited to the people who are responsible for knowing what is coming next, generally IT administrators. Ultimately, this phase is the time the design and planning work happens so that when the public update is shipped, you can have greater confidence in the update.
> [!NOTE]
> Being part of the [Windows Insider Program](https://insider.windows.com/for-business/) gives you early access to Windows releases so that you can use Insider Preview builds in your Preview ring to validate your apps and infrastructure, preparing you for public Windows releases.
@@ -57,14 +55,14 @@ generally IT administrators. Ultimately, this is the time the design and plannin
### Who goes in the Preview ring?
-The Preview ring users are the most tech savvy and resilient people, who will not lose productivity if something goes wrong. In general, these are IT pros, and perhaps a few people in the business organization.
+The Preview ring users are the most tech savvy and resilient people, who will not lose productivity if something goes wrong. In general, these users are IT pros, and perhaps a few people in the business organization.
-During your plan and prepare phases, these are the activities you should focus on:
+During your plan and prepare phases, you should focus on the following activities:
- Work with Windows Insider Preview builds.
- Identify the features and functionality your organization can or wants to use.
- Establish who will use the features and how they will benefit.
-- Understand why you are putting the update out.
+- Understand why you are putting out the update.
- Plan for usage feedback.
Remember, you are working with pre-release software in the Preview ring and you will be evaluating features and testing the update for a targeted release.
@@ -76,7 +74,7 @@ Remember, you are working with pre-release software in the Preview ring and you
## Limited ring
-The purpose of the Limited ring is to validate the update on representative devices across the network. During this period, data, and feedback is generated to enable the decision to move forward to broader deployment. Desktop
+The purpose of the Limited ring is to validate the update on representative devices across the network. During this period, data, and feedback are generated to enable the decision to move forward to broader deployment. Desktop
Analytics can help with defining a good Limited ring of representative devices and assist in monitoring the deployment.
### Who goes in the Limited ring?
@@ -84,7 +82,7 @@ Analytics can help with defining a good Limited ring of representative devices a
The most important part of this phase is finding a representative sample of devices and applications across your network. If possible, all hardware and all applications should be represented, and it's important that the people selected for this ring are using their devices regularly in order to generate the data you will need to make a decision for broader deployment across your organization. The IT department, lab devices, and users with the most cutting-edge hardware usually don’t have the applications or device drivers that are truly a representative sample of your network.
-During your pilot and validate phases, these are the activities you should focus on:
+During your pilot and validate phases, you should focus on the following activities:
- Deploy new innovations.
- Assess and act if issues are encountered.
@@ -104,7 +102,7 @@ In most businesses, the Broad ring includes the rest of your organization. Becau
> In some instances, you might hold back on mission critical devices (such as medical devices) until deployment in the Broad ring is complete. Get best practices and recommendations for deploying Windows 10 feature
> updates to mission critical devices.
-During the broad deployment phase, these are the activities you should focus on:
+During the broad deployment phase, you should focus on the following activities:
- Deploy to all devices in the organization.
- Work through any final unusual issues that were not detected in your Limited ring.
@@ -112,7 +110,7 @@ During the broad deployment phase, these are the activities you should focus on:
## Ring deployment planning
-Previously, we have provided methods for analyzing your deployments, but these have generally been standalone tools to assess, manage and execute deployments. In other words, you would generate an analysis, make a deployment strategy, and then move to your console for implementation, repeating these steps for each deployment. We have combined many of these tasks, and more, into a single interface with Desktop Analytics.
+Previously, we have provided methods for analyzing your deployments, but these have been standalone tools to assess, manage and execute deployments. In other words, you would generate an analysis, make a deployment strategy, and then move to your console for implementation, repeating these steps for each deployment. We have combined many of these tasks, and more, into a single interface with Desktop Analytics.
[Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/overview) is a cloud-based service and a key tool in [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/configmgr/core/understand/microsoft-endpoint-manager-faq). Using artificial intelligence and machine learning, Desktop Analytics is a powerful tool to give you insights and intelligence to
diff --git a/windows/deployment/update/deploy-updates-configmgr.md b/windows/deployment/update/deploy-updates-configmgr.md
index 202b4531b9..1706180e52 100644
--- a/windows/deployment/update/deploy-updates-configmgr.md
+++ b/windows/deployment/update/deploy-updates-configmgr.md
@@ -17,4 +17,4 @@ ms.topic: article
- Windows 10
-See the Microsoft Endpoint Configuration Manager [documentation](https://docs.microsoft.com/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) for details about using Configuration Manager to deploy and manage Windows 10 updates.
\ No newline at end of file
+See the Microsoft Endpoint Manager [documentation](https://docs.microsoft.com/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) for details about using Configuration Manager to deploy and manage Windows 10 updates.
\ No newline at end of file
diff --git a/windows/deployment/update/eval-infra-tools.md b/windows/deployment/update/eval-infra-tools.md
index 77795ce1c4..ce3c85e030 100644
--- a/windows/deployment/update/eval-infra-tools.md
+++ b/windows/deployment/update/eval-infra-tools.md
@@ -1,8 +1,7 @@
---
title: Evaluate infrastructure and tools
-ms.reviewer:
manager: laurawi
-description:
+description: Steps to make sure your infrastructure is ready to deploy updates
keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
ms.prod: w10
ms.mktglfcycl: manage
@@ -11,18 +10,18 @@ author: jaimeo
ms.localizationpriority: medium
ms.audience: itpro
ms.topic: article
-ms.collection: M365-modern-desktop
+ms.collection: m365initiative-coredeploy
---
# Evaluate infrastructure and tools
-Before you deploy an update, it's best to assess your deployment infrastucture (that is, tools such as Configuration Manager, Microsoft Intune, or similar) and current configurations (such as security baselines, administrative templates, and policies that affect updates). Then, set some criteria to define your operational readiness.
+Before you deploy an update, it's best to assess your deployment infrastructure (that is, tools such as Configuration Manager, Microsoft Intune, or similar) and current configurations (such as security baselines, administrative templates, and policies that affect updates). Then, set some criteria to define your operational readiness.
## Infrastructure
Do your deployment tools need updates?
-- If you use Configuration Manager, is it on the Current Branch with the latest release installed. This ensures that it supports the next Windows 10 feature update. Configuration Manager releases are supported for 18 months.
+- If you use Configuration Manager, is it on the Current Branch with the latest release installed. Being on this branch ensures that it supports the next Windows 10 feature update. Configuration Manager releases are supported for 18 months.
- Using a cloud-based management tool like Microsoft Intune reduces support challenges, since no related products need to be updated.
- If you use a non-Microsoft tool, check with its product support to make sure you're using the current version and that it supports the next Windows 10 feature update.
@@ -30,11 +29,11 @@ Rely on your experiences and data from previous deployments to help you judge ho
## Device settings
-Make sure your security basline, administrative templates, and policies have the right settings to support your devices once the new Windows 10 update is installed.
+Make sure your security baseline, administrative templates, and policies have the right settings to support your devices once the new Windows 10 update is installed.
### Security baseline
-Keep security baslines current to help ensure that your environment is secure and that new security feature in the coming Windows 10 update are set properly.
+Keep security baselines current to help ensure that your environment is secure and that new security feature in the coming Windows 10 update are set properly.
- **Microsoft security baselines**: You should implement security baselines from Microsoft. They are included in the [Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319), along with tools for managing them.
- **Industry- or region-specific baselines**: Your specific industry or region might have particular baselines that you must follow per regulations. Ensure that any new baselines support the version of Windows 10 you are about to deploy.
@@ -49,14 +48,14 @@ There are a number of Windows policies (set by Group Policy, Intune, or other me
## Define operational readiness criteria
-When you’ve deployed an update, you’ll need to make sure the update isn’t introducing new operational issues. And you’ll also ensure that if incidents arise, the needed documentation and processes are available. To achieve this, work with your operations and support team to define acceptable trends and what documents or processes require updating:
+When you’ve deployed an update, you’ll need to make sure the update isn’t introducing new operational issues. And you’ll also ensure that if incidents arise, the needed documentation and processes are available. Work with your operations and support team to define acceptable trends and what documents or processes require updating:
- **Call trend**: Define what percentage increase in calls relating to Windows 10 feature updates are acceptable or can be supported.
- **Incident trend**: Define what percentage of increase in calls asking for support relating to Windows 10 feature updates are acceptable or can be supported.
- **Support documentation**: Review supporting documentation that requires an update to support new infrastructure tooling or configuration as part of the Windows 10 feature update.
- **Process changes:** Define and update any processes that will change as a result of the Windows 10 feature update.
-Your operations and support staff can help you determine if the appropriate information is being tracked at the moment. If it isn't, work out how to get get this information so you can gain the right insight.
+Your operations and support staff can help you determine if the appropriate information is being tracked at the moment. If it isn't, work out how to get this information so you can gain the right insight.
## Tasks
diff --git a/windows/deployment/update/feature-update-conclusion.md b/windows/deployment/update/feature-update-conclusion.md
index a23c157317..d8206d5491 100644
--- a/windows/deployment/update/feature-update-conclusion.md
+++ b/windows/deployment/update/feature-update-conclusion.md
@@ -12,6 +12,7 @@ ms.reviewer:
manager: laurawi
ms.collection: M365-modern-desktop
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# Conclusion
diff --git a/windows/deployment/update/feature-update-maintenance-window.md b/windows/deployment/update/feature-update-maintenance-window.md
index 2df56fa684..c586284056 100644
--- a/windows/deployment/update/feature-update-maintenance-window.md
+++ b/windows/deployment/update/feature-update-maintenance-window.md
@@ -11,6 +11,7 @@ ms.reviewer:
manager: laurawi
ms.collection: M365-modern-desktop
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# Deploy feature updates during maintenance windows
@@ -33,7 +34,7 @@ Use the following information to deploy feature updates during a maintenance win
### Step 2: Review computer restart device settings
-If you’re not suppressing computer restarts and the feature update will be installed when no users are present, consider deploying a custom client settings policy to your feature update target collection to shorten the settings below or consider the total duration of these settings when defining your maintenance window duration.
+If you're not suppressing computer restarts and the feature update will be installed when no users are present, consider deploying a custom client settings policy to your feature update target collection to shorten the settings below or consider the total duration of these settings when defining your maintenance window duration.
For example, by default, 90 minutes will be honored before the system is rebooted after the feature update install. If users will not be impacted by the user logoff or restart, there is no need to wait a full 90 minutes before rebooting the computer. If a delay and notification is needed, ensure that the maintenance window takes this into account along with the total time needed to install the feature update.
@@ -50,7 +51,7 @@ Use **Peer Cache** to help manage deployment of content to clients in remote loc
### Step 4: Override the default Windows setup priority (Windows 10, version 1709 and later)
-If you’re deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted.
+If you're deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted.
%systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini
diff --git a/windows/deployment/update/feature-update-mission-critical.md b/windows/deployment/update/feature-update-mission-critical.md
index 69b91b9184..5c4c8987f1 100644
--- a/windows/deployment/update/feature-update-mission-critical.md
+++ b/windows/deployment/update/feature-update-mission-critical.md
@@ -1,6 +1,6 @@
---
title: Best practices and recommendations for deploying Windows 10 Feature updates to mission-critical devices
-description: Learn how to use the Microsoft Endpoint Configuration Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates.
+description: Learn how to use the Microsoft Endpoint Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates.
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
@@ -12,13 +12,14 @@ ms.reviewer:
manager: laurawi
ms.collection: M365-modern-desktop
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# Best practices and recommendations for deploying Windows 10 Feature updates to mission critical devices
**Applies to**: Windows 10
-Managing an environment with devices that provide mission critical services 24 hours a day, 7 days a week, can present challenges in keeping these devices current with Windows 10 feature updates. The processes that you use to keep regular devices current with Windows 10 feature updates, often aren’t the most effective to service mission critical devices. This whitepaper will focus on the recommended approach of using the Microsoft Endpoint Configuration Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates.
+Managing an environment with devices that provide mission critical services 24 hours a day, 7 days a week, can present challenges in keeping these devices current with Windows 10 feature updates. The processes that you use to keep regular devices current with Windows 10 feature updates, often aren't the most effective to service mission critical devices. This whitepaper will focus on the recommended approach of using the Microsoft Endpoint Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates.
For simplicity, we will outline the steps to deploy a feature update manually. If you prefer an automated approach, see [Manage Windows as a service using Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/manage-windows-as-a-service).
@@ -30,10 +31,10 @@ Devices and shared workstations that are online and available 24 hours a day, 7
You can use Configuration Manager to deploy feature updates to Windows 10 devices in two ways. The first option is to use the software updates feature. The second option is to use a task sequence to deploy feature updates. There are times when deploying a Windows 10 feature update requires the use of a task sequence—for example:
- **Upgrade to the next LTSC release.** With the LTSC servicing branch, feature updates are never provided to the Windows clients themselves. Instead, feature updates must be installed like a traditional in-place upgrade.
-- **Additional required tasks.** When deploying a feature update requires additional steps (e.g., suspending disk encryption, updating applications), you can use task sequences to orchestrate the additional steps. Software updates do not have the ability to add steps to their deployments.
+- **Additional required tasks.** When deploying a feature update requires additional steps (for example, suspending disk encryption, updating applications), you can use task sequences to orchestrate the additional steps. Software updates do not have the ability to add steps to their deployments.
- **Language pack installations.** When deploying a feature update requires the installation of additional language packs, you can use task sequences to orchestrate the installation. Software updates do not have the ability to natively install language packs.
-If you need to use a task sequence to deploy feature updates, see [Manage Windows as a service using Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/manage-windows-as-a-service) for more information. If you find that your requirement for a task sequence is based solely on the need to run additional tasks preformed pre-install or pre-commit, see the new [run custom actions](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) functionality first introduced with Windows 10, version 1803. You might find this useful in deploying software updates.
+If you need to use a task sequence to deploy feature updates, see [Manage Windows as a service using Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/manage-windows-as-a-service) for more information. If you find that your requirement for a task sequence is based solely on the need to run additional tasks performed pre-install or pre-commit, see the new [run custom actions](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) functionality first introduced with Windows 10, version 1803. You might find this option useful in deploying software updates.
Use the following information:
diff --git a/windows/deployment/update/feature-update-user-install.md b/windows/deployment/update/feature-update-user-install.md
index 254703b4dc..70dcc6a516 100644
--- a/windows/deployment/update/feature-update-user-install.md
+++ b/windows/deployment/update/feature-update-user-install.md
@@ -12,6 +12,7 @@ ms.reviewer:
manager: laurawi
ms.collection: M365-modern-desktop
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# Deploy feature updates for user-initiated installations (during a fixed service window)
@@ -29,7 +30,7 @@ Use **Peer Cache** to help manage deployment of content to clients in remote loc
### Step 2: Override the default Windows setup priority (Windows 10, version 1709 and later)
-If you’re deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted.
+If you're deploying **Feature update to Windows 10, version 1709** or later, by default, portions of setup are configured to run at a lower priority. This can result in a longer total install time for the feature update. When deploying within a maintenance window, we recommend that you override this default behavior to benefit from faster total install times. To override the default priority, create a file called SetupConfig.ini on each machine to be upgraded in the below location containing the single section noted.
%systemdrive%\Users\Default\AppData\Local\Microsoft\Windows\WSUS\SetupConfig.ini
diff --git a/windows/deployment/update/fod-and-lang-packs.md b/windows/deployment/update/fod-and-lang-packs.md
index d125672d4a..98579c7905 100644
--- a/windows/deployment/update/fod-and-lang-packs.md
+++ b/windows/deployment/update/fod-and-lang-packs.md
@@ -1,9 +1,8 @@
---
-title: Windows 10 - How to make FoD and language packs available when you're using WSUS or Configuration Manager
-description: Learn how to make FoD and language packs available when you're using WSUS or Configuration Manager
+title: Make FoD and language packs available for WSUS/Configuration Manager
+description: Learn how to make FoD and language packs available when you're using WSUS/Configuration Manager.
ms.prod: w10
ms.mktglfcycl: manage
-
ms.pagetype: article
ms.author: jaimeo
audience: itpro
@@ -13,6 +12,7 @@ ms.date: 03/13/2019
ms.reviewer:
manager: laurawi
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager
@@ -20,11 +20,11 @@ ms.topic: article
As of Windows 10 version 1709, you can't use Windows Server Update Services (WSUS) to host [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (FODs) locally. Starting with Windows 10 version 1803, language packs can no longer be hosted on WSUS.
-The **Specify settings for optional component installation and component repair** policy, located under `Computer Configuration\Administrative Templates\System` in the Group Policy Editor, can be used to specify alternate ways to acquire FOD packages, language packages, and content for corruption repair. However, it’s important to note this policy only allows specifying one alternate location and behaves differently across OS versions.
+The **Specify settings for optional component installation and component repair** policy, located under `Computer Configuration\Administrative Templates\System` in the Group Policy Editor, can be used to specify alternate ways to acquire FOD packages, language packages, and content for corruption repair. However, it's important to note this policy only allows specifying one alternate location and behaves differently across OS versions.
In Windows 10 version 1709 and 1803, changing the **Specify settings for optional component installation and component repair** policy to download content from Windows Update enables acquisition of FOD packages while also enabling corruption repair. Specifying a network location works for either, depending on the content is found at that location. Changing this policy on these OS versions does not influence how language packs are acquired.
-In Windows 10 version 1809 and beyond, changing the **Specify settings for optional component installation and component repair** policy also influences how language packs are acquired, however language packs can only be acquired directly from Windows Update. It’s currently not possible to acquire them from a network share. Specifying a network location works for FOD packages or corruption repair, depending on the content at that location.
+In Windows 10 version 1809 and beyond, changing the **Specify settings for optional component installation and component repair** policy also influences how language packs are acquired, however language packs can only be acquired directly from Windows Update. It's currently not possible to acquire them from a network share. Specifying a network location works for FOD packages or corruption repair, depending on the content at that location.
For all OS versions, changing the **Specify settings for optional component installation and component repair** policy does not affect how OS updates are distributed. They continue to come from WSUS, Configuration Manager, or other sources as you have scheduled them, even while optional content is sourced from Windows Update or a network location.
diff --git a/windows/deployment/update/get-started-updates-channels-tools.md b/windows/deployment/update/get-started-updates-channels-tools.md
index 93b16449ff..4816c7e26e 100644
--- a/windows/deployment/update/get-started-updates-channels-tools.md
+++ b/windows/deployment/update/get-started-updates-channels-tools.md
@@ -28,19 +28,19 @@ version of the software.
## Types of updates
-We include information here about a number of different update types you'll hear about, but the two overarching types which you have the most direct control over are *feature updates* and *quality updates*.
+We include information here about many different update types you'll hear about, but the two overarching types that you have the most direct control over are *feature updates* and *quality updates*.
- **Feature updates:** Released twice per year, during the first half and second half of each calendar year. Feature updates add new features and functionality to Windows 10. Because they are delivered frequently (rather than every 3-5 years), they are easier to manage.
- **Quality updates:** Quality updates deliver both security and non-security fixes to Windows 10. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. They are typically released on the second Tuesday of each month, though they can be released at any time. The second-Tuesday releases are the ones that focus on security updates. Quality updates are *cumulative*, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update, including any out-of-band security fixes and any *servicing stack updates* that might have been released previously.
- **Servicing stack updates:** The "servicing stack" is the code component that actually installs Windows updates. From time to time, the servicing stack itself needs to be updated in order to function smoothly. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. Servicing stack updates are not necessarily included in *every* monthly quality update, and occasionally are released out of band to address a late-breaking issue. Always install the latest available quality update to catch any servicing stack updates that might have been released. The servicing stack also contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/security-guidance/advisory/ADV990001). For more detail about servicing stack updates, see [Servicing stack updates](servicing-stack-updates.md).
-- **Driver updates**: These are updates to drivers applicable to your devices. Driver updates are turned off by default in Windows Server Update Services (WSUS), but for cloud-based update methods, you can control whether they are installed or not.
-- **Microsoft product updates:** These are updates for other Microsoft products, such as Office. You can enable or disable Microsoft updates by using policies controlled by various servicing tools.
+- **Driver updates**: These update drivers applicable to your devices. Driver updates are turned off by default in Windows Server Update Services (WSUS), but for cloud-based update methods, you can control whether they are installed or not.
+- **Microsoft product updates:** These update other Microsoft products, such as Office. You can enable or disable Microsoft updates by using policies controlled by various servicing tools.
## Servicing channels
-Windows 10 offers three servicing channels, each of which offers you a different level of flexibility with how and when updates are delivered to devices. Using the different servicing channels allows you to deploy Windows 10 "as a service" which conceives of deployment as a continual process of updates which roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process.
+Windows 10 offers three servicing channels, each of which offers you a different level of flexibility with how and when updates are delivered to devices. Using the different servicing channels allows you to deploy Windows 10 "as a service," which conceives of deployment as a continual process of updates that roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process.
The first step of controlling when and how devices install updates is assigning them to the appropriate servicing channel. You can assign devices to a particular channel with any of several tools, including Microsoft Endpoint Configuration Manager, Windows Server Update Services (WSUS), and Group Policy settings applied by any of several means. By dividing devices into different populations ("deployment groups" or "rings") you can use servicing channel assignment, followed by other management features such as update deferral policies, to create a phased deployment of any update that allows you to start with a limited pilot deployment for testing before moving to a broad deployment throughout your organization.
@@ -54,7 +54,7 @@ In the Semi-annual Channel, feature updates are available as soon as Microsoft r
### Windows Insider Program for Business
-Insider preview releases are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features as well as compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered. There are actually three options within the Windows Insider Program for Business channel:
+Insider preview releases are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features and compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered. There are actually three options within the Windows Insider Program for Business channel:
- Windows Insider Fast
- Windows Insider Slow
@@ -65,7 +65,7 @@ We recommend that you use the Windows Insider Release Preview channel for valida
### Long-term Servicing Channel
-The **Long Term Servicing Channel** is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATMs. Devices on this channel receive new feature releases every two to three years. LTSB releases service a special LTSB edition of Windows 10 and are only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
+The **Long-Term Servicing Channel** is designed to be used only for specialized devices (which typically don't run Office) such as ones that control medical equipment or ATMs. Devices on this channel receive new feature releases every two to three years. LTSB releases service a special LTSB edition of Windows 10 and are only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
The Semi-Annual Channel is the default servicing channel for all Windows 10 devices except those with the LTSB edition installed. The following table shows the servicing channels available to each Windows 10 edition.
@@ -85,7 +85,7 @@ The Semi-Annual Channel is the default servicing channel for all Windows 10 devi
Windows Server Update Services (WSUS): you set up a WSUS server, which downloads updates in bulk from Microsoft. Your individual devices then connect to your server to install their updates from there.
-You can set up, control, and manage the server and update process with a number of tools:
+You can set up, control, and manage the server and update process with several tools:
- A standalone Windows Server Update Services server operated directly
- [Configuration Manager](deploy-updates-configmgr.md)
@@ -95,7 +95,7 @@ For more information, see [Windows Server Update Services (WSUS)](https://docs.m
### Tools for cloud-based update delivery
-Your individual devices connect to Microsoft endpoints directly to get the updates. The details of this process (how often devices download updates of various kinds, from which channels, deferrals, and details of the users' experience of installation) are set on devices either with Group Policy or MDM policies, which you can control with any of a number of tools:
+Your individual devices connect to Microsoft endpoints directly to get the updates. The details of this process (how often devices download updates of various kinds, from which channels, deferrals, and details of the users' experience of installation) are set on devices either with Group Policy or MDM policies, which you can control with any of several tools:
- [Group Policy Management Console](waas-wufb-group-policy.md) (Gpmc.msc)
- [Microsoft Intune](waas-wufb-intune.md)
diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md
index e427a2f861..44bbae9ebf 100644
--- a/windows/deployment/update/how-windows-update-works.md
+++ b/windows/deployment/update/how-windows-update-works.md
@@ -1,6 +1,6 @@
---
title: How Windows Update works
-description: Learn how Windows Update works, including architecture and troubleshooting.
+description: In this article, learn about the process Windows Update uses to download and install updates on a Windows 10 devices.
ms.prod: w10
ms.mktglfcycl:
audience: itpro
@@ -12,6 +12,7 @@ ms.reviewer:
manager: laurawi
ms.collection: M365-modern-desktop
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# How does Windows Update work?
@@ -27,7 +28,7 @@ The Windows Update workflow has four core areas of functionality:
### Download
-1. Orchestrator initiates downloads.
+1. Orchestrator starts downloads.
2. Windows Update downloads manifest files and provides them to the arbiter.
3. The arbiter evaluates the manifest and tells the Windows Update client to download files.
4. Windows Update client downloads files in a temporary folder.
@@ -35,54 +36,54 @@ The Windows Update workflow has four core areas of functionality:
### Install
-1. Orchestrator initiates the installation.
+1. Orchestrator starts the installation.
2. The arbiter calls the installer to install the package.
### Commit
-1. Orchestrator initiates a restart.
+1. Orchestrator starts a restart.
2. The arbiter finalizes before the restart.
## How updating works
-During the updating process, the Windows Update Orchestrator operates in the background to scan, download, and install updates. It does this automatically, according to your settings, and in a silent manner that doesn’t disrupt your computer usage.
+During the updating process, the Windows Update Orchestrator operates in the background to scan, download, and install updates. It does these actions automatically, according to your settings, and silently so that doesn't disrupt your computer usage.
## Scanning updates
The Windows Update Orchestrator on your PC checks the Microsoft Update server or your WSUS endpoint for new updates at random intervals. The randomization ensures that the Windows Update server isn't overloaded with requests all at the same time. The Update Orchestrator searches only for updates that have been added since the last time updates were searched, allowing it to find updates quickly and efficiently.
-When checking for updates, the Windows Update Orchestrator evaluates whether the update is appropriate for your computer using guidelines defined by the publisher of the update, for example, Microsoft Office including enterprise group policies.
+When checking for updates, the Windows Update Orchestrator evaluates whether the update is appropriate for your device. It uses guidelines defined by the publisher of the update, for example, Microsoft Office including enterprise group policies.
Make sure you're familiar with the following terminology related to Windows Update scan:
|Term|Definition|
|----|----------|
-|Update|We use this term to mean a lot of different things, but in this context it's the actual patch or change.|
+|Update|We use this term to mean several different things, but in this context it's the actual updated code or change.|
|Bundle update|An update that contains 1-N child updates; doesn't contain payload itself.|
|Child update|Leaf update that's bundled by another update; contains payload.|
-|Detectoid update|A special 'update' that contains "IsInstalled" applicability rule only and no payload. Used for prereq evaluation.|
-|Category update|A special 'detectoid' that has always true IsInstalled rule. Used for grouping updates and for client to filter updates. |
+|Detector update|A special "update" that contains "IsInstalled" applicability rule only and no payload. Used for prereq evaluation.|
+|Category update|A special "detectoid" that has an **IsInstalled** rule that is always true. Used for grouping updates and to allow the device to filter updates. |
|Full scan|Scan with empty datastore.|
|Delta scan|Scan with updates from previous scan already cached in datastore.|
-|Online scan|Scan that hits network and goes against server on cloud. |
-|Offline scan|Scan that doesn't hit network and goes against local datastore. Only useful if online scan has been performed before. |
-|CatScan|Category scan where caller can specify a categoryId to get updates published under the categoryId.|
-|AppCatScan|Category scan where caller can specify an AppCategoryId to get apps published under the appCategoryId.|
-|Software sync|Part of the scan that looks at software updates only (OS and apps).|
-|Driver sync|Part of the scan that looks at Driver updates only. This is run after Software sync and is optional.|
-|ProductSync|Attributes based sync, where client provides a list of device, product and caller attributes ahead of time to allow service to evaluate applicability in the cloud. |
+|Online scan|Scan that uses the network and to check an update server. |
+|Offline scan|Scan that doesn't use the network and instead checks the local datastore. Only useful if online scan has been performed before. |
+|CatScan|Category scan where caller can specify a **categoryId** to get updates published under that **categoryId**.|
+|AppCatScan|Category scan where caller can specify an **AppCategoryId** to get apps published under that **appCategoryId**.|
+|Software sync|Part of the scan that only checks for software updates (both the apps and the operating system).|
+|Driver sync|Part of the scan that checks driver updates only. This sync is optional and runs after the software sync.|
+|ProductSync|A sync based on attributes, in which the client provides a list of device, product, and caller attributes ahead of time to allow service to check applicability in the cloud. |
### How Windows Update scanning works
-Windows Update takes the following sets of actions when it runs a scan.
+Windows Update does the following actions when it runs a scan.
#### Starts the scan for updates
When users start scanning in Windows Update through the Settings panel, the following occurs:
-- The scan first generates a “ComApi” message. The caller (Microsoft Defender Antivirus) tells the WU engine to scan for updates.
+- The scan first generates a “ComApi” message. The caller (Microsoft Defender Antivirus) tells the Windows Update engine to scan for updates.
- "Agent" messages: queueing the scan, then actually starting the work:
- - Updates are identified by the different IDs ("Id = 10", "Id = 11") and from the different thread ID numbers.
+ - Updates are identified by the different IDs ("ID = 10", "ID = 11") and from the different thread ID numbers.
- Windows Update uses the thread ID filtering to concentrate on one particular task.
@@ -90,20 +91,19 @@ When users start scanning in Windows Update through the Settings panel, the foll
#### Identifies service IDs
- Service IDs indicate which update source is being scanned.
- Note The next screen shot shows Microsoft Update and the Flighting service.
- The Windows Update engine treats every service as a separate entity, even though multiple services may contain the same updates.
- Common service IDs
> [!IMPORTANT]
- > ServiceId here identifies a client abstraction, not any specific service in the cloud. No assumption should be made of which server a serviceId is pointing to, it's totally controlled by the SLS responses.
+ > ServiceId here identifies a client abstraction, not any specific service in the cloud. No assumption should be made of which server a serviceId is pointing to. It's totally controlled by responses from the Service Locator Service.
|Service|ServiceId|
|-------|---------|
-|Unspecified / Default|WU, MU or WSUS
00000000-0000-0000-0000-000000000000 |
-|WU|9482F4B4-E343-43B6-B170-9A65BC822C77|
-|MU|7971f918-a847-4430-9279-4a52d1efe18d|
+|Unspecified / Default|WU, MU, or WSUS
00000000-0000-0000-0000-000000000000 |
+|Windows Update|9482F4B4-E343-43B6-B170-9A65BC822C77|
+|Microsoft Update|7971f918-a847-4430-9279-4a52d1efe18d|
|Store|855E8A7C-ECB4-4CA3-B045-1DFA50104289|
|OS Flighting|8B24B027-1DEE-BABB-9A95-3517DFB9C552|
|WSUS or Configuration Manager|Via ServerSelection::ssManagedServer
3DA21691-E39D-4da6-8A4B-B43877BCB1B7 |
@@ -114,33 +114,33 @@ Common update failure is caused due to network issues. To find the root of the i
- Look for "ProtocolTalker" messages to see client-server sync network traffic.
- "SOAP faults" can be either client- or server-side issues; read the message.
-- The WU client uses SLS (Service Locator Service) to discover the configurations and endpoints of Microsoft network update sources – WU, MU, Flighting.
+- The Windows Update client uses the Service Locator Service to discover the configurations and endpoints of Microsoft network update sources: Windows update, Microsoft Update, or Flighting.
> [!NOTE]
- > Warning messages for SLS can be ignored if the search is against WSUS or Configuration Manager.
+ > If the search is against WSUS or Configuration Manager, you can ignore warning messages for the Service Locator Service.
-- On sites that only use WSUS or Configuration Manager, the SLS may be blocked at the firewall. In this case the SLS request will fail, and can’t scan against Windows Update or Microsoft Update but can still scan against WSUS or Configuration Manager, since it’s locally configured.
+- On sites that only use WSUS or Configuration Manager, the Service Locator Service might be blocked at the firewall. In this case the request will fail, and though the service can’t scan against Windows Update or Microsoft Update, it can still scan against WSUS or Configuration Manager, since it’s locally configured.
## Downloading updates
-Once the Windows Update Orchestrator determines which updates apply to your computer, it will begin downloading the updates, if you have selected the option to automatically download updates. It does this in the background without interrupting your normal use of the computer.
+Once the Windows Update Orchestrator determines which updates apply to your computer, it will begin downloading the updates, if you have selected the option to automatically download updates. It does operation in the background without interrupting your normal use of the device.
-To ensure that your other downloads aren’t affected or slowed down because updates are downloading, Windows Update uses the Delivery Optimization (DO) technology which downloads updates and reduces bandwidth consumption.
+To ensure that your other downloads aren't affected or slowed down because updates are downloading, Windows Update uses Delivery Optimization, which downloads updates and reduces bandwidth consumption.
-For more information see [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md).
+For more information, see [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md).
## Installing updates
When an update is applicable, the "Arbiter" and metadata are downloaded. Depending on your Windows Update settings, when downloading is complete, the Arbiter will gather details from the device, and compare that with the downloaded metadata to create an "action list".
-The action list describes all the files needed from WU, and what the install agent (such as CBS or Setup) should do with them. The action list is provided to the install agent along with the payload to begin the installation.
+The action list describes all the files needed from Windows Update, and what the installation agent (such as CBS or Setup) should do with them. The action list is provided to the installation agent along with the payload to begin the installation.
## Committing Updates
-When the option to automatically install updates is configured, the Windows Update Orchestrator, in most cases, automatically restarts the PC for you after installing the updates. This is necessary because your PC may be insecure, or not fully updated, until a restart is completed. You can use Group Policy settings, mobile device management (MDM), or the registry (not recommended) to configure when devices will restart after a Windows 10 update is installed.
+When the option to automatically install updates is configured, the Windows Update Orchestrator, in most cases, automatically restarts the device for you after installing the updates. It has to restart the device because it might be insecure, or not fully updated, until it restarts. You can use Group Policy settings, mobile device management (MDM), or the registry (not recommended) to configure when devices will restart after a Windows 10 update is installed.
-For more information see [Manage device restarts after updates](waas-restart.md).
+For more information, see [Manage device restarts after updates](waas-restart.md).
diff --git a/windows/deployment/update/images/safeguard-hold-notification.png b/windows/deployment/update/images/safeguard-hold-notification.png
new file mode 100644
index 0000000000..68714d08dc
Binary files /dev/null and b/windows/deployment/update/images/safeguard-hold-notification.png differ
diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md
index 6c8417f572..8a080c9bcd 100644
--- a/windows/deployment/update/index.md
+++ b/windows/deployment/update/index.md
@@ -38,7 +38,6 @@ Windows as a service provides a new way to think about building, deploying, and
| [Assign devices to servicing branches for Windows 10 updates](https://docs.microsoft.com/windows/deployment/update/waas-servicing-channels-windows-10-updates) | Explains how to assign devices to the Semi-Annual Channel for feature and quality updates, and how to enroll devices in Windows Insider. |
| [Monitor Windows Updates with Update Compliance](update-compliance-monitor.md) | Explains how to use Update Compliance to monitor and manage Windows Updates on devices in your organization. |
| [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) | Explains the benefits of using Delivery Optimization or BranchCache for update distribution. |
-| [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) | Explains updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile. |
| [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) | Explains how to use Windows Update for Business to manage when devices receive updates directly from Windows Update. Includes walkthroughs for configuring Windows Update for Business using Group Policy and Microsoft Intune. |
| [Deploy Windows 10 updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows 10 updates. |
| [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) | Explains how to use Configuration Manager to manage Windows 10 updates. |
@@ -47,6 +46,6 @@ Windows as a service provides a new way to think about building, deploying, and
| [Windows Insider Program for Business](waas-windows-insider-for-business.md) | Explains how the Windows Insider Program for Business works and how to become an insider. |
>[!TIP]
->Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as Microsoft Endpoint Configuration Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows.
+>Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as Microsoft Endpoint Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows.
>With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so it’s important that images stay up to date with the latest build. For detailed information about how to deploy Windows 10 to bare-metal machines or to upgrade to Windows 10 from previous builds of Windows, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). Additionally, Windows 10 clients can move from any supported version of Windows 10 (i.e. Version 1511) to the latest version directly (i.e 1709).
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index 53779f741d..1f7465c2ff 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -18,13 +18,13 @@ ms.topic: article
**Applies to**: Windows 10
-This topic explains how to acquire and apply Dynamic Update packages to existing Windows 10 images prior to deployment and includes Windows PowerShell scripts you can use to automate this process.
+This topic explains how to acquire and apply Dynamic Update packages to existing Windows 10 images *prior to deployment* and includes Windows PowerShell scripts you can use to automate this process.
Volume-licensed media is available for each release of Windows 10 in the Volume Licensing Service Center (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. You can use Dynamic Update to ensure that Windows 10 devices have the latest feature update packages as part of an in-place upgrade while preserving language pack and Features on Demand (FODs) that might have been previously installed. Dynamic Update also eliminates the need to install a separate quality update as part of the in-place upgrade process.
## Dynamic Update
-Whenever installation of a feature update starts (whether from media or an environment connected to Windows Update), *Dynamic Update* is one of the first steps. Windows 10 Setup contacts a Microsoft endpoint to fetch Dynamic Update packages, and then applies those updates to your operating system installation media. The update packages includes the following kinds of updates:
+Whenever installation of a feature update starts (whether from media or an environment connected to Windows Update), *Dynamic Update* is one of the first steps. Windows 10 Setup contacts a Microsoft endpoint to fetch Dynamic Update packages, and then applies those updates to your operating system installation media. The update packages include the following kinds of updates:
- Updates to Setup.exe binaries or other files that Setup uses for feature updates
- Updates for the "safe operating system" (SafeOS) that is used for the Windows recovery environment
@@ -42,12 +42,11 @@ You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https
-The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the updates. And you'll need to check various parts of the results to be sure you've identified the needed files. This table shows in bold the key items to search for or look for in the results. For example, to find the relevant "Setup Dynamic Update," you'll have to check the detailed description for the download by selecting the link in the **Title** column of the search results.
+The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the updates. And you'll need to check various parts of the results to be sure you've identified the needed files. This table shows in **bold** the key items to search for or look for in the results. For example, to find the relevant "Setup Dynamic Update," you'll have to check the detailed description for the download by selecting the link in the **Title** column of the search results.
-
-|To find this Dynamic Update packages, search for or check the results here--> |Title |Product |Description (select the **Title** link to see **Details**) |
+|To find this Dynamic Update packages, search for or check the results here |Title |Product |Description (select the **Title** link to see **Details**) |
|---------|---------|---------|---------|
-|Safe OS Dynamic Update | 2019-08 Dynamic Update... | Windows 10 Dynamic Update,Windows **Safe OS Dynamic Update** | ComponentUpdate: |
+|Safe OS Dynamic Update | 2019-08 Dynamic Update... | Windows 10 Dynamic Update, Windows **Safe OS Dynamic Update** | ComponentUpdate: |
|Setup Dynamic Update | 2019-08 Dynamic Update... | Windows 10 Dynamic Update | **SetupUpdate** |
|Latest cumulative update | 2019-08 **Cumulative Update for Windows 10** | Windows 10 | Install this update to resolve issues in Windows... |
|Servicing stack Dynamic Update | 2019-09 **Servicing Stack Update for Windows 10** | Windows 10... | Install this update to resolve issues in Windows... |
@@ -82,6 +81,9 @@ This table shows the correct sequence for applying the various tasks to the file
|Add .NET and .NET cumulative updates | | | 24 |
|Export image | 8 | 17 | 25 |
+> [!NOTE]
+> Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates).
+
### Multiple Windows editions
The main operating system file (install.wim) contains multiple editions of Windows 10. It’s possible that only an update for a given edition is required to deploy it, based on the index. Or, it might be that all editions need an update. Further, ensure that languages are installed before Features on Demand, and the latest cumulative update is always applied last.
@@ -94,8 +96,7 @@ Optional Components, along with the .NET feature, can be installed offline, howe
## Windows PowerShell scripts to apply Dynamic Updates to an existing image
-These examples are for illustration only, and therefore lack error handling. The script assumes that the following packages is stored locally in this folder structure:
-
+These examples are for illustration only, and therefore lack error handling. The script assumes that the following packages are stored locally in this folder structure:
|Folder |Description |
|---------|---------|
@@ -108,49 +109,51 @@ These examples are for illustration only, and therefore lack error handling. The
The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there is a script error and it's necessary to start over from a known state. Also, it will provide a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they are not read-only.
```powershell
-function Get-TS { return "{0:HH:mm:ss}" -f (Get-Date) }
+#Requires -RunAsAdministrator
-Write-Host "$(Get-TS): Starting media refresh"
+function Get-TS { return "{0:HH:mm:ss}" -f [DateTime]::Now }
-# Declare media for FOD and LPs
-$FOD_ISO_PATH = "C:\mediaRefresh\packages\FOD-PACKAGES_OEM_PT1_amd64fre_MULTI.iso"
-$LP_ISO_PATH = "C:\mediaRefresh\packages\CLIENTLANGPACKDVD_OEM_MULTI.iso"
+Write-Output "$(Get-TS): Starting media refresh"
# Declare language for showcasing adding optional localized components
-$LANG = "ja-jp"
+$LANG = "ja-jp"
$LANG_FONT_CAPABILITY = "jpan"
+# Declare media for FOD and LPs
+$FOD_ISO_PATH = "C:\mediaRefresh\packages\FOD-PACKAGES_OEM_PT1_amd64fre_MULTI.iso"
+$LP_ISO_PATH = "C:\mediaRefresh\packages\CLIENTLANGPACKDVD_OEM_MULTI.iso"
+
# Declare Dynamic Update packages
-$LCU_PATH = "C:\mediaRefresh\packages\LCU.msu"
-$SSU_PATH = "C:\mediaRefresh\packages\SSU_DU.msu"
-$SETUP_DU_PATH = "C:\mediaRefresh\packages\Setup_DU.cab"
+$LCU_PATH = "C:\mediaRefresh\packages\LCU.msu"
+$SSU_PATH = "C:\mediaRefresh\packages\SSU_DU.msu"
+$SETUP_DU_PATH = "C:\mediaRefresh\packages\Setup_DU.cab"
$SAFE_OS_DU_PATH = "C:\mediaRefresh\packages\SafeOS_DU.cab"
-$DOTNET_CU_PATH = "C:\mediaRefresh\packages\DotNet_CU.msu"
+$DOTNET_CU_PATH = "C:\mediaRefresh\packages\DotNet_CU.msu"
# Declare folders for mounted images and temp files
-$WORKING_PATH = "C:\mediaRefresh\temp"
-$MEDIA_OLD_PATH = "C:\mediaRefresh\oldMedia"
-$MEDIA_NEW_PATH = "C:\mediaRefresh\newMedia"
-$MAIN_OS_MOUNT = $WORKING_PATH + "\MainOSMount"
-$WINRE_MOUNT = $WORKING_PATH + "\WinREMount"
-$WINPE_MOUNT = $WORKING_PATH + "\WinPEMount"
+$MEDIA_OLD_PATH = "C:\mediaRefresh\oldMedia"
+$MEDIA_NEW_PATH = "C:\mediaRefresh\newMedia"
+$WORKING_PATH = "C:\mediaRefresh\temp"
+$MAIN_OS_MOUNT = "C:\mediaRefresh\temp\MainOSMount"
+$WINRE_MOUNT = "C:\mediaRefresh\temp\WinREMount"
+$WINPE_MOUNT = "C:\mediaRefresh\temp\WinPEMount"
# Mount the language pack ISO
-Write-Host "$(Get-TS): Mounting LP ISO"
+Write-Output "$(Get-TS): Mounting LP ISO"
$LP_ISO_DRIVE_LETTER = (Mount-DiskImage -ImagePath $LP_ISO_PATH -ErrorAction stop | Get-Volume).DriveLetter
# Declare language related cabs
-$WINPE_OC_PATH = Join-Path $LP_ISO_DRIVE_LETTER":" -ChildPath "Windows Preinstallation Environment" | Join-Path -ChildPath "x64" | Join-Path -ChildPath "WinPE_OCs"
-$WINPE_OC_LANG_PATH = Join-Path $WINPE_OC_PATH $LANG
-$WINPE_OC_LANG_CABS = Get-ChildItem $WINPE_OC_LANG_PATH -name
-$WINPE_OC_LP_PATH = Join-Path $WINPE_OC_LANG_PATH "lp.cab"
-$WINPE_FONT_SUPPORT_PATH = Join-Path $WINPE_OC_PATH "WinPE-FontSupport-$LANG.cab"
-$WINPE_SPEECH_TTS_PATH = Join-Path $WINPE_OC_PATH "WinPE-Speech-TTS.cab"
-$WINPE_SPEECH_TTS_LANG_PATH = Join-Path $WINPE_OC_PATH "WinPE-Speech-TTS-$LANG.cab"
-$OS_LP_PATH = $LP_ISO_DRIVE_LETTER + ":\x64\langpacks\" + "Microsoft-Windows-Client-Language-Pack_x64_" + $LANG + ".cab"
+$WINPE_OC_PATH = "$LP_ISO_DRIVE_LETTER`:\Windows Preinstallation Environment\x64\WinPE_OCs"
+$WINPE_OC_LANG_PATH = "$WINPE_OC_PATH\$LANG"
+$WINPE_OC_LANG_CABS = Get-ChildItem $WINPE_OC_LANG_PATH -Name
+$WINPE_OC_LP_PATH = "$WINPE_OC_LANG_PATH\lp.cab"
+$WINPE_FONT_SUPPORT_PATH = "$WINPE_OC_PATH\WinPE-FontSupport-$LANG.cab"
+$WINPE_SPEECH_TTS_PATH = "$WINPE_OC_PATH\WinPE-Speech-TTS.cab"
+$WINPE_SPEECH_TTS_LANG_PATH = "$WINPE_OC_PATH\WinPE-Speech-TTS-$LANG.cab"
+$OS_LP_PATH = "$LP_ISO_DRIVE_LETTER`:\x64\langpacks\Microsoft-Windows-Client-Language-Pack_x64_$LANG.cab"
# Mount the Features on Demand ISO
-Write-Host "$(Get-TS): Mounting FOD ISO"
+Write-Output "$(Get-TS): Mounting FOD ISO"
$FOD_ISO_DRIVE_LETTER = (Mount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Get-Volume).DriveLetter
$FOD_PATH = $FOD_ISO_DRIVE_LETTER + ":\"
@@ -161,10 +164,11 @@ New-Item -ItemType directory -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
New-Item -ItemType directory -Path $WINPE_MOUNT -ErrorAction stop | Out-Null
# Keep the original media, make a copy of it for the new, updated media.
-Write-Host "$(Get-TS): Copying original media to new media path"
+Write-Output "$(Get-TS): Copying original media to new media path"
Copy-Item -Path $MEDIA_OLD_PATH"\*" -Destination $MEDIA_NEW_PATH -Force -Recurse -ErrorAction stop | Out-Null
Get-ChildItem -Path $MEDIA_NEW_PATH -Recurse | Where-Object { -not $_.PSIsContainer -and $_.IsReadOnly } | ForEach-Object { $_.IsReadOnly = $false }
```
+
### Update WinRE
The script assumes that only a single edition is being updated, indicated by Index = 1 (Windows 10 Education Edition). Then the script mounts the image, saves Winre.wim to the working folder, and mounts it. It then applies servicing stack Dynamic Update, since its components are used for updating other components. Since the script is optionally adding Japanese, it adds the language pack to the image, and installs the Japanese versions of all optional packages already installed in Winre.wim. Then, it applies the Safe OS Dynamic Update package.
@@ -176,25 +180,25 @@ It finishes by cleaning and exporting the image to reduce the image size.
```powershell
# Mount the main operating system, used throughout the script
-Write-Host "$(Get-TS): Mounting main OS"
+Write-Output "$(Get-TS): Mounting main OS"
Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim" -Index 1 -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null
#
# update Windows Recovery Environment (WinRE)
#
Copy-Item -Path $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Destination $WORKING_PATH"\winre.wim" -Force -Recurse -ErrorAction stop | Out-Null
-Write-Host "$(Get-TS): Mounting WinRE"
+Write-Output "$(Get-TS): Mounting WinRE"
Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
# Add servicing stack update
-Write-Host "$(Get-TS): Adding package $SSU_PATH"
+Write-Output "$(Get-TS): Adding package $SSU_PATH"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null
#
# Optional: Add the language to recovery environment
#
# Install lp.cab cab
-Write-Host "$(Get-TS): Adding package $WINPE_OC_LP_PATH"
+Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null
# Install language cabs for each optional package installed
@@ -210,7 +214,7 @@ Foreach ($PACKAGE in $WINRE_INSTALLED_OC) {
$OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab"
if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) {
$OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB
- Write-Host "$(Get-TS): Adding package $OC_CAB_PATH"
+ Write-Output "$(Get-TS): Adding package $OC_CAB_PATH"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null
}
}
@@ -219,7 +223,7 @@ Foreach ($PACKAGE in $WINRE_INSTALLED_OC) {
# Add font support for the new language
if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) {
- Write-Host "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH"
+ Write-Output "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_FONT_SUPPORT_PATH -ErrorAction stop | Out-Null
}
@@ -227,30 +231,31 @@ if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) {
if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) {
if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) {
- Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH"
+ Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null
- Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH"
+ Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_LANG_PATH -ErrorAction stop | Out-Null
}
}
# Add Safe OS
-Write-Host "$(Get-TS): Adding package $SAFE_OS_DU_PATH"
-Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SAFE_OS_DU_PATH -ErrorAction stop | Out-Null
+Write-Output "$(Get-TS): Adding package $SAFE_OS_DU_PATH"
+Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SAFE_OS_DU_PATH -ErrorAction stop | Out-Null
# Perform image cleanup
-Write-Host "$(Get-TS): Performing image cleanup on WinRE"
+Write-Output "$(Get-TS): Performing image cleanup on WinRE"
DISM /image:$WINRE_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
# Dismount
Dismount-WindowsImage -Path $WINRE_MOUNT -Save -ErrorAction stop | Out-Null
# Export
-Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\winre2.wim"
+Write-Output "$(Get-TS): Exporting image to $WORKING_PATH\winre2.wim"
Export-WindowsImage -SourceImagePath $WORKING_PATH"\winre.wim" -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\winre2.wim" -ErrorAction stop | Out-Null
Move-Item -Path $WORKING_PATH"\winre2.wim" -Destination $WORKING_PATH"\winre.wim" -Force -ErrorAction stop | Out-Null
```
+
### Update WinPE
This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, add font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. Finally, it cleans and exports Boot.wim, and copies it back to the new media.
@@ -266,15 +271,15 @@ $WINPE_IMAGES = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim"
Foreach ($IMAGE in $WINPE_IMAGES) {
# update WinPE
- Write-Host "$(Get-TS): Mounting WinPE"
+ Write-Output "$(Get-TS): Mounting WinPE"
Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null
# Add SSU
- Write-Host "$(Get-TS): Adding package $SSU_PATH"
+ Write-Output "$(Get-TS): Adding package $SSU_PATH"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null
# Install lp.cab cab
- Write-Host "$(Get-TS): Adding package $WINPE_OC_LP_PATH"
+ Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null
# Install language cabs for each optional package installed
@@ -291,7 +296,7 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
$OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab"
if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) {
$OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB
- Write-Host "$(Get-TS): Adding package $OC_CAB_PATH"
+ Write-Output "$(Get-TS): Adding package $OC_CAB_PATH"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null
}
}
@@ -300,7 +305,7 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
# Add font support for the new language
if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) {
- Write-Host "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH"
+ Write-Output "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_FONT_SUPPORT_PATH -ErrorAction stop | Out-Null
}
@@ -308,39 +313,40 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) {
if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) {
- Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH"
+ Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null
- Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH"
+ Write-Output "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_SPEECH_TTS_LANG_PATH -ErrorAction stop | Out-Null
}
}
# Generates a new Lang.ini file which is used to define the language packs inside the image
if ( (Test-Path -Path $WINPE_MOUNT"\sources\lang.ini") ) {
- Write-Host "$(Get-TS): Updating lang.ini"
+ Write-Output "$(Get-TS): Updating lang.ini"
DISM /image:$WINPE_MOUNT /Gen-LangINI /distribution:$WINPE_MOUNT | Out-Null
- }
+ }
# Add latest cumulative update
- Write-Host "$(Get-TS): Adding package $LCU_PATH"
+ Write-Output "$(Get-TS): Adding package $LCU_PATH"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null
# Perform image cleanup
- Write-Host "$(Get-TS): Performing image cleanup on WinPE"
+ Write-Output "$(Get-TS): Performing image cleanup on WinPE"
DISM /image:$WINPE_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
# Dismount
Dismount-WindowsImage -Path $WINPE_MOUNT -Save -ErrorAction stop | Out-Null
#Export WinPE
- Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\boot2.wim"
+ Write-Output "$(Get-TS): Exporting image to $WORKING_PATH\boot2.wim"
Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -SourceIndex $IMAGE.ImageIndex -DestinationImagePath $WORKING_PATH"\boot2.wim" -ErrorAction stop | Out-Null
}
Move-Item -Path $WORKING_PATH"\boot2.wim" -Destination $MEDIA_NEW_PATH"\sources\boot.wim" -Force -ErrorAction stop | Out-Null
```
+
### Update the main operating system
For this next phase, there is no need to mount the main operating system, since it was already mounted in the previous scripts. This script starts by applying the servicing stack Dynamic Update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it leverages `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod).
@@ -355,36 +361,36 @@ You can install Optional Components, along with the .NET feature, offline, but t
#
# Add servicing stack update
-Write-Host "$(Get-TS): Adding package $SSU_PATH"
+Write-Output "$(Get-TS): Adding package $SSU_PATH"
Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null
# Optional: Add language to main OS
-Write-Host "$(Get-TS): Adding package $OS_LP_PATH"
+Write-Output "$(Get-TS): Adding package $OS_LP_PATH"
Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $OS_LP_PATH -ErrorAction stop | Out-Null
# Optional: Add a Features on Demand to the image
-Write-Host "$(Get-TS): Adding language FOD: Language.Fonts.Jpan~~~und-JPAN~0.0.1.0"
+Write-Output "$(Get-TS): Adding language FOD: Language.Fonts.Jpan~~~und-JPAN~0.0.1.0"
Add-WindowsCapability -Name "Language.Fonts.$LANG_FONT_CAPABILITY~~~und-$LANG_FONT_CAPABILITY~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
-Write-Host "$(Get-TS): Adding language FOD: Language.Basic~~~$LANG~0.0.1.0"
+Write-Output "$(Get-TS): Adding language FOD: Language.Basic~~~$LANG~0.0.1.0"
Add-WindowsCapability -Name "Language.Basic~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
-Write-Host "$(Get-TS): Adding language FOD: Language.OCR~~~$LANG~0.0.1.0"
+Write-Output "$(Get-TS): Adding language FOD: Language.OCR~~~$LANG~0.0.1.0"
Add-WindowsCapability -Name "Language.OCR~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
-Write-Host "$(Get-TS): Adding language FOD: Language.Handwriting~~~$LANG~0.0.1.0"
+Write-Output "$(Get-TS): Adding language FOD: Language.Handwriting~~~$LANG~0.0.1.0"
Add-WindowsCapability -Name "Language.Handwriting~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
-Write-Host "$(Get-TS): Adding language FOD: Language.TextToSpeech~~~$LANG~0.0.1.0"
+Write-Output "$(Get-TS): Adding language FOD: Language.TextToSpeech~~~$LANG~0.0.1.0"
Add-WindowsCapability -Name "Language.TextToSpeech~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
-Write-Host "$(Get-TS): Adding language FOD:Language.Speech~~~$LANG~0.0.1.0"
+Write-Output "$(Get-TS): Adding language FOD:Language.Speech~~~$LANG~0.0.1.0"
Add-WindowsCapability -Name "Language.Speech~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
# Note: If I wanted to enable additional Features on Demand, I'd add these here.
# Add latest cumulative update
-Write-Host "$(Get-TS): Adding package $LCU_PATH"
+Write-Output "$(Get-TS): Adding package $LCU_PATH"
Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null
# Copy our updated recovery image from earlier into the main OS
@@ -393,7 +399,7 @@ Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop
Copy-Item -Path $WORKING_PATH"\winre.wim" -Destination $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Force -Recurse -ErrorAction stop | Out-Null
# Perform image cleanup
-Write-Host "$(Get-TS): Performing image cleanup on main OS"
+Write-Output "$(Get-TS): Performing image cleanup on main OS"
DISM /image:$MAIN_OS_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
#
@@ -402,18 +408,18 @@ DISM /image:$MAIN_OS_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
# the image to be booted, and thus if we tried to cleanup after installation, it would fail.
#
-Write-Host "$(Get-TS): Adding NetFX3~~~~"
+Write-Output "$(Get-TS): Adding NetFX3~~~~"
Add-WindowsCapability -Name "NetFX3~~~~" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
# Add .NET Cumulative Update
-Write-Host "$(Get-TS): Adding package $DOTNET_CU_PATH"
+Write-Output "$(Get-TS): Adding package $DOTNET_CU_PATH"
Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $DOTNET_CU_PATH -ErrorAction stop | Out-Null
# Dismount
Dismount-WindowsImage -Path $MAIN_OS_MOUNT -Save -ErrorAction stop | Out-Null
# Export
-Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\install2.wim"
+Write-Output "$(Get-TS): Exporting image to $WORKING_PATH\install2.wim"
Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH"\sources\install.wim" -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\install2.wim" -ErrorAction stop | Out-Null
Move-Item -Path $WORKING_PATH"\install2.wim" -Destination $MEDIA_NEW_PATH"\sources\install.wim" -Force -ErrorAction stop | Out-Null
```
@@ -428,9 +434,10 @@ This part of the script updates the Setup files. It simply copies the individual
#
# Add Setup DU by copy the files from the package into the newMedia
-Write-Host "$(Get-TS): Adding package $SETUP_DU_PATH"
+Write-Output "$(Get-TS): Adding package $SETUP_DU_PATH"
cmd.exe /c $env:SystemRoot\System32\expand.exe $SETUP_DU_PATH -F:* $MEDIA_NEW_PATH"\sources" | Out-Null
```
+
### Finish up
As a last step, the script removes the working folder of temporary files, and unmounts our language pack and Features on Demand ISOs.
@@ -444,9 +451,9 @@ As a last step, the script removes the working folder of temporary files, and un
Remove-Item -Path $WORKING_PATH -Recurse -Force -ErrorAction stop | Out-Null
# Dismount ISO images
-Write-Host "$(Get-TS): Dismounting ISO images"
+Write-Output "$(Get-TS): Dismounting ISO images"
Dismount-DiskImage -ImagePath $LP_ISO_PATH -ErrorAction stop | Out-Null
Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Out-Null
-Write-Host "$(Get-TS): Media refresh completed!"
+Write-Output "$(Get-TS): Media refresh completed!"
```
diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
index 232fb2748c..8997b5e4f9 100644
--- a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
+++ b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
@@ -11,6 +11,7 @@ author: jaimeo
ms.reviewer:
manager: laurawi
keywords: insider, trial, enterprise, lab, corporation, test
+ms.custom: seo-marvel-apr2020
---
# Olympia Corp
@@ -21,7 +22,7 @@ Windows Insider Lab for Enterprise is intended for Windows Insiders who want to
As an Olympia user, you will have an opportunity to:
-- Use various enterprise features like Windows Information Protection (WIP), Advanced Threat Protection (ATP), windows Defender Application Guard (WDAG), and Application Virtualization (APP-V).
+- Use various enterprise features like Windows Information Protection (WIP), Microsoft Defender for Office 365, Windows Defender Application Guard (WDAG), and Application Virtualization (APP-V).
- Learn how Microsoft is preparing for GDPR, as well as enabling enterprise customers to prepare for their own readiness.
- Validate and test pre-release software in your environment.
- Provide feedback.
@@ -60,7 +61,7 @@ This is the Bring Your Own Device (BYOD) method--your device will receive Olympi
3. Click **Connect** and enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**.
- 
+ 
4. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password.
@@ -96,10 +97,10 @@ This is the Bring Your Own Device (BYOD) method--your device will receive Olympi
2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**.
-
+
3. Click **Connect**, then click **Join this device to Azure Active Directory**.
- 
+ ![Joining device to Azure AD]](images/2-3.png)
4. Enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**.
@@ -110,7 +111,7 @@ This is the Bring Your Own Device (BYOD) method--your device will receive Olympi
> [!NOTE]
> Passwords should contain 8-16 characters, including at least one special character or number.
- 
+ 
6. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**.
diff --git a/windows/deployment/update/plan-define-readiness.md b/windows/deployment/update/plan-define-readiness.md
index 4264b434b1..2e371a0df1 100644
--- a/windows/deployment/update/plan-define-readiness.md
+++ b/windows/deployment/update/plan-define-readiness.md
@@ -1,6 +1,5 @@
---
title: Define readiness criteria
-ms.reviewer:
manager: laurawi
description: Identify important roles and figure out how to classify apps
keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
@@ -11,14 +10,14 @@ author: jaimeo
ms.localizationpriority: medium
ms.audience: itpro
ms.topic: article
-ms.collection: M365-modern-desktop
+ms.collection: m365initiative-coredeploy
---
# Define readiness criteria
## Figure out roles and personnel
-Planning and managing a deployment involves a variety of distinct activies and roles best suited to each. As you plan, it's worth figuring out which roles you'll need to carry out the deployment and who should fill them. Different roles are active at various phases of a deployment. Depending on the size and complexity of your organization, some of the roles could be filled by the same person. However, it's best to have an established *process manager*, who will oversee all of the tasks for the deployment.
+Planning and managing a deployment involves a variety of distinct activities and roles best suited to each. As you plan, it's worth figuring out which roles you'll need to carry out the deployment and who should fill them. Different roles are active at various phases of a deployment. Depending on the size and complexity of your organization, some of the roles could be filled by the same person. However, it's best to have an established *process manager*, who will oversee all of the tasks for the deployment.
### Process manager
@@ -39,7 +38,7 @@ This table sketches out one view of the other roles, with their responsibilities
|Role |Responsibilities |Skills |Active phases |
|---------|---------|---------|---------|
-|Process manager | Manages the process end to end; ensures inputs and outputs are captures; ensures that activities progress | IT service management | Plan, prepare, pilot deployment, broad deployment |
+|Process manager | Manages the process end to end; ensures inputs and outputs are captures; ensures that activities progress | IT Service Management | Plan, prepare, pilot deployment, broad deployment |
|Application owner | Define application test plan; assign user acceptance testers; certify the application | Knowledge of critical and important applications | Plan, prepare, pilot deployment |
|Application developer | Ensure apps are developed to stay compatible with current Windows versions | Application development; application remediation | Plan, prepare |
|End-user computing | Typically a group including infrastructure engineers or deployment engineers who ensure upgrade tools are compatible with Windows | Bare-metal deployment; infrastructure management; application delivery; update management | Plan, prepare, pilot deployment, broad deployment |
@@ -54,7 +53,7 @@ This table sketches out one view of the other roles, with their responsibilities
## Set criteria for rating apps
-Some apps in your environment are fundamental to your core business activities. Other apps help workers perform their roles, but aren’t critical to your business operations. Before you start inventorying and assessing the apps in your environment, you should establish some criteria for categorizing your apps, and then determine a priority for each. This will help you understand how best to deploy updates and how to resolve any issues that could arise.
+Some apps in your environment are fundamental to your core business activities. Other apps help workers perform their roles, but aren’t critical to your business operations. Before you start inventorying and assessing the apps in your environment, you should establish some criteria for categorizing your apps, and then determine a priority for each. This process will help you understand how best to deploy updates and how to resolve any issues that could arise.
In the Prepare phase, you'll apply the criteria you define now to every app in your organization.
@@ -67,9 +66,9 @@ Here's a suggested classification scheme:
|Important | Applications that individual staff members need to support their productivity. Downtime here would affect individual users, but would only have a minimal impact on the business. |
|Not important | There is no impact on the business if these apps are not available for a while. |
-Once you have classified your applications, you should agree what each classification means to the organization in terms of priority and severity. This will help ensure that you can triage problems with the right level of urgency. You should assign each app a time-based priority.
+Once you have classified your applications, you should agree what each classification means to the organization in terms of priority and severity. This activity will help ensure that you can triage problems with the right level of urgency. You should assign each app a time-based priority.
-Here's an example priority rating system; of course the specifics could vary for your organization:
+Here's an example priority rating system; the specifics could vary for your organization:
|Priority |Definition |
@@ -101,7 +100,7 @@ Using the suggested scheme, a financial corporation might classify their apps li
|Credit processing app | Critical |
|Frontline customer service app | Critical |
|PDF viewer | Important |
-|Image processing app | Not important |
+|Image-processing app | Not important |
Further, they might combine this classification with severity and priority rankings like this:
diff --git a/windows/deployment/update/plan-define-strategy.md b/windows/deployment/update/plan-define-strategy.md
index 4f1c4edfac..bb67966504 100644
--- a/windows/deployment/update/plan-define-strategy.md
+++ b/windows/deployment/update/plan-define-strategy.md
@@ -7,43 +7,45 @@ ms.mktglfcycl: manage
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
-ms.reviewer:
manager: laurawi
ms.topic: article
+ms.collection: m365initiative-coredeploy
---
# Define update strategy with a calendar
Traditionally, organizations treated the deployment of operating system updates (especially feature updates) as a discrete project that had a beginning, a middle, and an end. A release was "built" (usually in the form of an image) and then distributed to users and their devices.
-Today, more organizations are treating deployment as a continual process of updates which roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process. Microsoft has been evolving its Windows 10 release cycles, update mechanisms, and relevant tools to support this model. Feature updates are released twice per year, around March and September. All releases of Windows 10 have 18 months of servicing for all editions. Fall releases of the Enterprise and Education editions have an additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release.
+Today, more organizations are treating deployment as a continual process of updates that roll out across the organization in waves. In this approach, an update is plugged into this process and while it runs, you monitor for anomalies, errors, or user impact and respond as issues arise--without interrupting the entire process. Microsoft has been evolving its Windows 10 release cycles, update mechanisms, and relevant tools to support this model. Feature updates are released twice per year, around March and September. All releases of Windows 10 have 18 months of servicing for all editions. Fall releases of the Enterprise and Education editions have an additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release.
-Though we encourage you to deploy every available release and maintain a fast cadence for some portion of your environment, we also recognize that you might have a large number of devices, and a need for little or no disruption, an so you might choose to update annually. The 18/30 month lifecycle cadence lets you to allow some portion of you environment to move faster while a majority can move less quickly.
+Though we encourage you to deploy every available release and maintain a fast cadence for some portion of your environment, we also recognize that you might have a large number of devices, and a need for little or no disruption, and so you might choose to update annually. The 18/30 month lifecycle cadence lets you allow some portion of your environment to move faster while a majority can move less quickly.
## Calendar approaches
You can use a calendar approach for either a faster twice-per-year cadence or an annual cadence. Depending on company size, installing Windows 10 feature updates less often than once annually risks devices going out of service and becoming vulnerable to security threats, because they will stop receiving the monthly security updates.
### Annual
-Here's a calendar showing an example schedule that applies one Windows 10 feature update per calendar year, aligned with Microsoft Endpoint Configuration Manager and Microsoft 365 Apps release cycles:
+Here's a calendar showing an example schedule that applies one Windows 10 feature update per calendar year, aligned with Microsoft Endpoint Manager and Microsoft 365 Apps release cycles:
-
+[  ](images/annual-calendar.png#lightbox)
-This approach provides approximately twelve months of use from each feature update before the next update is due to be installed. By aligning to the Windows 10, version H2 feature update, each release will be serviced for 30 months from the time of availability, giving you more flexibility when applying future feature updates.
+This approach provides approximately 12 months of use from each feature update before the next update is due to be installed. By aligning to the Windows 10, version H2 feature update, each release will be serviced for 30 months from the time of availability, giving you more flexibility when applying future feature updates.
This cadence might be most suitable for you if any of these conditions apply:
-- You are just starting your journey with the Windows 10 servicing process. If you are unfamiliar with new processes that support Windows 10 servicing, moving from a once every 3-5 year project to a twice a year feature update process can be daunting. This approach gives you time to learn new approaches and tools to reduce effort and cost.
+- You are just starting your journey with the Windows 10 servicing process. If you are unfamiliar with new processes that support Windows 10 servicing, moving from a project happening once every three to five years to a twice-a-year feature update process can be daunting. This approach gives you time to learn new approaches and tools to reduce effort and cost.
+
- You want to wait and see how successful other companies are at adopting a Windows 10 feature update.
+
- You want to go quickly with feature updates, and want the ability to skip a feature update while keeping Windows 10 serviced in case business priorities change. Aligning to the Windows 10 feature update released in the second half of each calendar year, you get additional servicing for Windows 10 (30 months of servicing compared to 18 months).
### Rapid
This calendar shows an example schedule that installs each feature update as it is released, twice per year:
-
+[  ](images/rapid-calendar.png#lightbox)
This cadence might be best for you if these conditions apply:
- You have a strong appetite for change.
- You want to continuously update supporting infrastructure and unlock new scenarios.
- Your organization has a large population of information workers that can use the latest features and functionality in Windows 10 and Office.
-- You have experience with feature updates for Windows 10.
\ No newline at end of file
+- You have experience with feature updates for Windows 10.
diff --git a/windows/deployment/update/plan-determine-app-readiness.md b/windows/deployment/update/plan-determine-app-readiness.md
index 645903d80f..82ecea00a3 100644
--- a/windows/deployment/update/plan-determine-app-readiness.md
+++ b/windows/deployment/update/plan-determine-app-readiness.md
@@ -1,6 +1,5 @@
---
title: Determine application readiness
-ms.reviewer:
manager: laurawi
description: How to test your apps to know which need attention prior to deploying an update
keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
@@ -10,7 +9,7 @@ audience: itpro
ms.localizationpriority: medium
ms.audience: itpro
ms.topic: article
-ms.collection: M365-modern-desktop
+ms.collection: m365initiative-coredeploy
ms.author: jaimeo
author: jaimeo
---
@@ -26,11 +25,11 @@ You can choose from a variety of methods to validate apps. Exactly which ones to
|Validation method |Description |
|---------|---------|
-|Full regression | A full quality assurance probing. Staff who know the application very well and can validate its core functionality should do this. |
+|Full regression | A full quality assurance probing. Staff who know the application well and can validate its core functionality should do this. |
|Smoke testing | The application goes through formal validation. That is, a user validates the application following a detailed plan, ideally with limited, or no knowledge of the application they’re validating. |
|Automated testing | Software performs tests automatically. The software will let you know whether the tests have passed or failed, and will provide detailed reporting for you automatically. |
|Test in pilot | You pre-select users to be in the pilot deployment group and carry out the same tasks they do on a day-to-day basis to validate the application. Normally you use this method in addition to one of the other validation types. |
-|Reactive response | Applications are validated in late pilot, and no specific users are selected. These are normally applications aren't installed on many devices and aren’t handled by enterprise application distribution. |
+|Reactive response | Applications are validated in late pilot, and no specific users are selected. These applications normally aren't installed on many devices and aren’t handled by enterprise application distribution. |
Combining the various validation methods with the app classifications you've previously established might look like this:
diff --git a/windows/deployment/update/prepare-deploy-windows.md b/windows/deployment/update/prepare-deploy-windows.md
index 76cbb5eea0..19c0a83aa5 100644
--- a/windows/deployment/update/prepare-deploy-windows.md
+++ b/windows/deployment/update/prepare-deploy-windows.md
@@ -1,6 +1,6 @@
---
title: Prepare to deploy Windows
-description:
+description: Final steps to get ready to deploy Windows, including preparing infrastructure, environment, applications, devices, network, capability, and users
keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
ms.prod: w10
ms.mktglfcycl: manage
@@ -10,6 +10,7 @@ ms.author: jaimeo
ms.reviewer:
manager: laurawi
ms.topic: article
+ms.collection: m365initiative-coredeploy
---
# Prepare to deploy Windows
@@ -31,19 +32,25 @@ Now you're ready to actually start making changes in your environment to get rea
Your infrastructure probably includes many different components and tools. You’ll need to ensure your environment isn’t affected by issues due to the changes you make to the various parts of the infrastructure. Follow these steps:
-1. Review all of the infrastructure changes that you’ve identified in your plan. It’s important to understand the changes that need to be made and to detail how to implement them. This prevents problems later on.
+1. Review all of the infrastructure changes that you’ve identified in your plan. It’s important to understand the changes that need to be made and to detail how to implement them. This process prevents problems later on.
+
2. Validate your changes. You’ll validate the changes for your infrastructure’s components and tools, to help you understand how your changes could affect your production environment.
+
3. Implement the changes. Once the changes have been validated, you can implement the changes across the wider infrastructure.
You should also look at your organization’s environment’s configuration and outline how you’ll implement any necessary changes previously identified in the plan phase to support the update. Consider what you’ll need to do for the various settings and policies that currently underpin the environment. For example:
-- Implement new draft security guidance. New versions of Windows can include new features that improve your environment’s security. Your security teams will want to make appropriate changes to security related configurations.
+- Implement new draft security guidance. New versions of Windows can include new features that improve your environment’s security. Your security teams will want to make appropriate changes to security-related configurations.
+
- Update security baselines. Security teams understand the relevant security baselines and will have to work to make sure all baselines fit into whatever guidance they have to adhere to.
+
However, your configuration will consist of many different settings and policies. It’s important to only apply changes where they are necessary, and where you gain a clear improvement. Otherwise, your environment might face issues that will slow down the update process. You want to ensure your environment isn’t affected adversely because of changes you make. For example:
-1. Review new security settings. Your security team will review the new security settings, to understand how they can best be set to facilitate the update, and to also investigate the potential effects they might have on your environment.
+1. Review new security settings. Your security team will review the new security settings to understand how they can best be set to facilitate the update, and to also investigate the potential effects they might have on your environment.
+
2. Review security baselines for changes. Security teams will also review all the necessary security baselines, to ensure the changes can be implemented, and ensure your environment remains compliant.
+
3. Implement and validate security settings and baseline changes. Your security teams will then implement all of the security settings and baselines, having addressed any potential outstanding issues.
@@ -91,7 +98,24 @@ You can check these services manually by using Services.msc, or by using PowerSh
### Network configuration
-Ensure that devices can reach necessary Windows Update endpoints through the firewall.
+Ensure that devices can reach necessary Windows Update endpoints through the firewall. For example, for Windows 10, version 2004, the following protocols must be able to reach these respective endpoints:
+
+
+|Protocol |Endpoint URL |
+|---------|---------|
+|TLS 1.2 | `*.prod.do.dsp.mp.microsoft.com` |
+|HTTP | `emdl.ws.microsoft.com` |
+|HTTP | `*.dl.delivery.mp.microsoft.com` |
+|HTTP | `*.windowsupdate.com` |
+|HTTPS | `*.delivery.mp.microsoft.com` |
+|TLS 1.2 | `*.update.microsoft.com` |
+|TLS 1.2 | `tsfe.trafficshaping.dsp.mp.microsoft.com` |
+
+> [!NOTE]
+> Be sure not to use HTTPS for those endpoints that specify HTTP, and vice versa. The connection will fail.
+
+The specific endpoints can vary between Windows 10 versions. See, for example, [Windows 10 2004 Enterprise connection endpoints](https://docs.microsoft.com/windows/privacy/manage-windows-2004-endpoints). Similar articles for other Windows 10 versions are available in the table of contents nearby.
+
### Optimize download bandwidth
Set up [Delivery Optimization](waas-delivery-optimization.md) for peer network sharing or Microsoft Connected Cache.
@@ -100,39 +124,42 @@ Set up [Delivery Optimization](waas-delivery-optimization.md) for peer network s
In the course of surveying your device population, either with Desktop Analytics or by some other means, you might find devices that have systemic problems that could interfere with update installation. Now is the time to fix those problems.
-- **Low disk space:** Quality updates require a minimum of two GB to successfully install. Feature updates require between 8 and 15 GB depending upon the configuration. On Windows 10, version 1903 and later you can proactively use the "reserved storage" feature (for wipe and loads, rebuilds, and new builds) to avoid running out of disk space. If you find a group of devices that don't have enough disk space, you can often resolve this by cleaning up log files and asking users to clean up data if necessary. A good place to start is to delete the following files:
-- C:\Windows\temp
-- C:\Windows\cbstemp (though this file might be necessary to investigate update failures)
-- C:\Windows\WindowsUpdate.log (though this file might be necessary to investigate update failures)
-- C:\Windows.Old (these files should automatically clean up after 10 days or might ask the device user for permission to clean up sooner when constrained for disk space)
+- **Low disk space:** Quality updates require a minimum of 2 GB to successfully install. Feature updates require between 8 GB and 15 GB depending upon the configuration. On Windows 10, version 1903 and later you can proactively use the "reserved storage" feature (for wipe and loads, rebuilds, and new builds) to avoid running out of disk space. If you find a group of devices that don't have enough disk space, you can often resolve the problem by cleaning up log files and asking users to clean up data if necessary. A good place to start is to delete the following files:
+
+ - C:\Windows\temp
+ - C:\Windows\cbstemp (though this file might be necessary to investigate update failures)
+ - C:\Windows\WindowsUpdate.log (though this file might be necessary to investigate update failures)
+ - C:\Windows.Old (these files should automatically clean up after 10 days or might ask the device user for permission to clean up sooner when constrained for disk space)
You can also create and run scripts to perform additional cleanup actions on devices, with administrative rights, or use Group Policy settings.
-- Clean up the Windows Store Cache by running C:\Windows\sytem32\wsreset.exe
-- Optimize the WinSxS folder on the client machine by using **Dism.exe /online /Cleanup-Image /StartComponentCleanup**
-- Compact the operating system by running **Compact.exe /CompactOS:always**
+- Clean up the Windows Store Cache by running C:\Windows\sytem32\wsreset.exe.
+
+- Optimize the WinSxS folder on the client machine by using **Dism.exe /online /Cleanup-Image /StartComponentCleanup**.
+
+- Compact the operating system by running **Compact.exe /CompactOS:always**.
+
- Remove Windows Features on Demand that the user doesn't need. See [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) for more guidance.
+
- Move Windows Known Folders to OneDrive. See [Use Group Policy to control OneDrive sync settings](https://docs.microsoft.com/onedrive/use-group-policy) for more information.
+
- Clean up the Software Distribution folder. Try deploying these commands as a batch file to run on devices to reset the download state of Windows Updates:
-```
-net stop wuauserv
-net stop cryptSvc
-net stop bits
-net stop msiserver
-ren C:\Windows\SoftwareDistribution C:\Windows\SoftwareDistribution.old
-net start wuauserv
-net start cryptSvc
-net start bits
-net start msiserver
-```
-
-- **Application and driver updates:** Out-of-date app or driver software can prevent devices from updating successfully. Desktop Analytics will help you identify drivers and applications that need attention. You can also
-check for known issues in order to take any appropriate action. Deploy any updates from the vendor(s) for any problematic application or driver versions to resolve issues.
-- **Corruption:** In rare circumstances, a device that has repeated installation errors might be corrupted in a way that prevents the system from applying a new update. You might have to repair the Component Based Store from another source. You can do this with the [System File Checker](https://support.microsoft.com/help/929833/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system).
-
+ ```console
+ net stop wuauserv
+ net stop cryptSvc
+ net stop bits
+ net stop msiserver
+ ren C:\Windows\SoftwareDistribution C:\Windows\SoftwareDistribution.old
+ net start wuauserv
+ net start cryptSvc
+ net start bits
+ net start msiserver
+ ```
+- **Application and driver updates:** Out-of-date app or driver software can prevent devices from updating successfully. Desktop Analytics will help you identify drivers and applications that need attention. You can also check for known issues in order to take any appropriate action. Deploy any updates from the vendor(s) for any problematic application or driver versions to resolve issues.
+- **Corruption:** In rare circumstances, a device that has repeated installation errors might be corrupted in a way that prevents the system from applying a new update. You might have to repair the Component-Based Store from another source. You can fix the problem with the [System File Checker](https://support.microsoft.com/help/929833/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system).
## Prepare capability
@@ -140,14 +167,16 @@ check for known issues in order to take any appropriate action. Deploy any updat
In the plan phase, you determined the specific infrastructure and configuration changes that needed to be implemented to add new capabilities to the environment. Now you can move on to implementing those changes defined in the plan phase. You'll need to complete these higher-level tasks to gain those new capabilities:
- Enable capabilities across the environment by implementing the changes. For example, implement updates to relevant ADMX templates in Active Directory. New Windows versions will come with new policies that you use to update ADMX templates.
+
- Validate new changes to understand how they affect the wider environment.
+
- Remediate any potential problems that have been identified through validation.
## Prepare users
Users often feel like they are forced into updating their devices randomly. They often don't fully understand why an update is needed, and they don't know when updates would be applied to their devices ahead of time. It's best to ensure that upcoming updates are communicated clearly and with adequate warning.
-You can employ a variety of measures to achieve this, for example:
+You can employ a variety of measures to achieve this goal, for example:
- Send overview email about the update and how it will be deployed to the entire organization.
- Send personalized emails to users about the update with specific details.
diff --git a/windows/deployment/update/safeguard-holds.md b/windows/deployment/update/safeguard-holds.md
new file mode 100644
index 0000000000..003834c35c
--- /dev/null
+++ b/windows/deployment/update/safeguard-holds.md
@@ -0,0 +1,44 @@
+---
+title: Safeguard holds
+description: What are safeguard holds, how can you tell if one is in effect, and what to do about it
+ms.prod: w10
+ms.mktglfcycl: manage
+author: jaimeo
+ms.localizationpriority: medium
+ms.author: jaimeo
+manager: laurawi
+ms.topic: article
+---
+
+# Safeguard holds
+
+Microsoft uses quality and compatibility data to identify issues that might cause a Windows 10 feature update to fail or roll back. When we find such an issue, we might apply holds to the updating service to prevent affected devices from installing the update in order to safeguard them from these experiences. We also use holds when a customer, a partner, or Microsoft internal validation finds an issue that would cause severe impact (for example, rollback of the update, data loss, loss of connectivity, or loss of key functionality) and when a workaround is not immediately available.
+
+Safeguard holds prevent a device with a known issue from being offered a new operating system version. We renew the offering once a fix is found and verified. We use holds to ensure customers have a successful experience as their device moves to a new version of Windows 10.
+
+The lifespan of holds varies depending on the time required to investigate and fix an issue. During this time Microsoft works diligently to procure, develop, and validate a fix and then offer it to affected devices. We monitor quality and compatibility data to confirm that a fix is complete before releasing the hold. Once we release the hold, Windows Update will resume offering new operating system versions to devices.
+
+Safeguard holds only affect devices that use the Window Update service for updates. We encourage IT admins who manage updates to devices through other channels (such as media installations or updates coming from Windows Server Update Services) to remain aware of known issues that might also be present in their environments.
+
+
+## Am I affected by a safeguard hold?
+
+IT admins can use [Update Compliance](update-compliance-feature-update-status.md#safeguard-holds) to monitor various update health metrics for devices in their organization, including ones affected by a safeguard hold that prevents them from updating to a newer operating system version.
+
+Queries identify Safeguard IDs for each affected device, giving IT admins a detailed view into the various protections extended to devices. Safeguard IDs for publicly discussed known issues are also included in the [Windows release health](https://aka.ms/windowsreleasehealth) dashboard, where you can easily find information related to publicly available safeguards.
+
+On devices that use Windows Update (but not Windows Update for Business), the **Windows Update** page in the Settings app displays a message stating that an update is on its way, but not ready for the device. Instead of the option to download and install the update, users will see this message:
+
+
+
+
+If you see this message, it means one or more holds affect your device. When the issue is fixed and the update is safe to install, we’ll release the hold and the update can resume safely.
+
+## What can I do?
+
+We recommend that you do not attempt to manually update until issues have been resolved and holds released.
+
+> [!CAUTION]
+> Opting out of a safeguard hold can put devices at risk from known performance issues. We strongly recommend that you complete robust testing to ensure the impact is acceptable before opting out.
+
+With that in mind, IT admins who stay informed with [Update Compliance](update-compliance-feature-update-status.md#safeguard-holds) and the [Windows release health](https://aka.ms/windowsreleasehealth) dashboard can choose to temporarily [opt-out of the protection of all safeguard holds](safeguard-opt-out.md) and allow an update to proceed. We recommend opting out only in an IT environment and for validation purposes. If you do opt out of a hold, this condition is temporary. Once an update is complete, the protection of safeguard holds is reinstated automatically.
diff --git a/windows/deployment/update/safeguard-opt-out.md b/windows/deployment/update/safeguard-opt-out.md
new file mode 100644
index 0000000000..a6ad9a0b05
--- /dev/null
+++ b/windows/deployment/update/safeguard-opt-out.md
@@ -0,0 +1,32 @@
+---
+title: Opt out of safeguard holds
+description: Steps to install an update even it if has a safeguard hold applied
+ms.prod: w10
+ms.mktglfcycl: manage
+author: jaimeo
+ms.localizationpriority: medium
+ms.author: jaimeo
+manager: laurawi
+ms.topic: article
+---
+
+# Opt out of safeguard holds
+
+Safeguard holds prevent a device with a known compatibility issue from being offered a new Windows 10 feature update by using Windows Update. We use safeguard holds to protect the device and user from a failed or poor update experience. We renew the offering once a fix is issued and is verified on an affected device. For more information about safeguard holds, see [Safeguard holds](safeguard-holds.md).
+
+## How can I opt out of safeguard holds?
+
+IT admins can, if necessary, opt devices out of safeguard protections by using the disable safeguards policy. In a Mobile Device Management (MDM) tool, use the **Update/DisableWUfBSafeguards** CSP. In Group Policy, use the **Disable safeguards for Feature Updates** Group Policy. This policy is available to Windows Update for Business devices running Windows 10, version 1809 or later that have installed the October 2020 security update.
+
+> [!CAUTION]
+> Opting out of a safeguard hold can put devices at risk from known performance issues.
+
+We recommend opting out only in an IT environment and for validation purposes. You can also validate an upcoming Windows 10 feature update version without the safeguards being applied by using the Release Preview channel of the Windows Insider Program for Business.
+
+Disabling safeguards does not guarantee your device will be able to successfully update. The update might still fail and will likely result in a bad experience since you are bypassing the protection against known issues.
+
+> [!NOTE]
+> After a device installs a new Windows 10 version, the **Disable safeguards for Feature Updates** Group Policy will revert to “not configured” even if it was previously enabled. We do this to ensure the admin is consciously disabling Microsoft’s default protection from known issues for each new feature update.
+
+
+
diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md
index 49d29f4d8a..b22ca9e870 100644
--- a/windows/deployment/update/servicing-stack-updates.md
+++ b/windows/deployment/update/servicing-stack-updates.md
@@ -1,6 +1,6 @@
---
title: Servicing stack updates (Windows 10)
-description: Servicing stack updates improve the code that installs the other updates.
+description: In this article, learn how servicing stack updates improve the code that installs the other updates.
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
@@ -12,6 +12,7 @@ ms.reviewer:
manager: laurawi
ms.collection: M365-modern-desktop
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# Servicing stack updates
@@ -41,7 +42,6 @@ Both Windows 10 and Windows Server use the cumulative update mechanism, in which
Servicing stack updates must ship separately from the cumulative updates because they modify the component that installs Windows updates. The servicing stack is released separately because the servicing stack itself requires an update. For example, the cumulative update [KB4284880](https://support.microsoft.com/help/4284880/windows-10-update-kb4284880) requires the [May 17, 2018 servicing stack update](https://support.microsoft.com/help/4132216), which includes updates to Windows Update.
-
## Is there any special guidance?
Microsoft recommends you install the latest servicing stack updates for your operating system before installing the latest cumulative update.
@@ -55,3 +55,7 @@ Typically, the improvements are reliability and performance improvements that do
* Servicing stack update releases are specific to the operating system version (build number), much like quality updates.
* Search to install latest available [Servicing stack update for Windows 10](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001).
* Once a servicing stack update is installed, it cannot be removed or uninstalled from the machine.
+
+## Simplifying on-premises deployment of servicing stack updates
+
+With the Windows Update experience, servicing stack updates and cumulative updates are deployed together to the device. The update stack automatically orchestrates the installation, so both are applied correctly. Starting in February 2021, the cumulative update will include the latest servicing stack updates, to provide a single cumulative update payload to both Windows Server Update Services (WSUS) and Microsoft Catalog. If you use an endpoint management tool backed by WSUS, such as Configuration Manager, you will only have to select and deploy the monthly cumulative update. The latest servicing stack updates will automatically be applied correctly. Release notes and file information for cumulative updates, including those related to the servicing stack, will be in a single KB article. The combined monthly cumulative update will be available on Windows 10, version 2004 and later starting with the 2021 2C release, KB4601382.
diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md
index 8911262e12..b96d2edfd6 100644
--- a/windows/deployment/update/update-compliance-configuration-manual.md
+++ b/windows/deployment/update/update-compliance-configuration-manual.md
@@ -22,7 +22,7 @@ There are a number of requirements to consider when manually configuring devices
The requirements are separated into different categories:
1. Ensuring the [**required policies**](#required-policies) for Update Compliance are correctly configured.
-2. Devices in every network topography needs to send data to the [**required endpoints**](#required-endpoints) for Update Compliance, for example both devices in main and satellite offices, which may have different network configurations.
+2. Devices in every network topography must send data to the [**required endpoints**](#required-endpoints) for Update Compliance. For example, devices in both main and satellite offices, which might have different network configurations must be able to reach the endpoints.
3. Ensure [**Required Windows services**](#required-services) are running or are scheduled to run. It is recommended all Microsoft and Windows services are set to their out-of-box defaults to ensure proper functionality.
4. [**Run a full Census sync**](#run-a-full-census-sync) on new devices to ensure that all necessary data points are collected.
@@ -34,7 +34,7 @@ The requirements are separated into different categories:
Update Compliance has a number of policies that must be appropriately configured in order for devices to be processed by Microsoft and visible in Update Compliance. They are enumerated below, separated by whether the policies will be configured via [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm/) (MDM) or Group Policy. For both tables:
- **Policy** corresponds to the location and name of the policy.
-- **Value** Indicates what value the policy must be set to. Update Compliance requires *at least* Basic (or Required) telemetry, but can function off Enhanced or Full (or Optional).
+- **Value** Indicates what value the policy must be set to. Update Compliance requires *at least* Basic (or Required) diagnostic data, but can function off Enhanced or Full (or Optional).
- **Function** details why the policy is required and what function it serves for Update Compliance. It will also detail a minimum version the policy is required, if any.
### Mobile Device Management policies
@@ -44,8 +44,8 @@ Each MDM Policy links to its documentation in the CSP hierarchy, providing its e
| Policy | Value | Function |
|---------------------------|-|------------------------------------------------------------|
|**Provider/*ProviderID*/**[**CommercialID**](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp#provider-providerid-commercialid) |[Your CommercialID](update-compliance-get-started.md#get-your-commercialid) |Identifies the device as belonging to your organization. |
-|**System/**[**AllowTelemetry**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | 1- Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this lower than what the policy defines, see the below policy for more information. |
-|**System/**[**ConfigureTelemetryOptInSettingsUx**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) | 1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether end-users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. |
+|**System/**[**AllowTelemetry**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | 1- Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the following policy. |
+|**System/**[**ConfigureTelemetryOptInSettingsUx**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) | 1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. |
|**System/**[**AllowDeviceNameInDiagnosticData**](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. |
> [!NOTE]
@@ -58,8 +58,8 @@ All Group Policies that need to be configured for Update Compliance are under **
| Policy | Value | Function |
|---------------------------|-|-----------------------------------------------------------|
|**Configure the Commercial ID** |[Your CommercialID](update-compliance-get-started.md#get-your-commercialid) | Identifies the device as belonging to your organization. |
-|**Allow Telemetry** | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this lower than what the policy defines. See the following policy for more information. |
-|**Configure telemetry opt-in setting user interface** | 1 - Disable telemetry opt-in Settings |(in Windows 10, version 1803 and later) Determines whether end-users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy, otherwise the effective diagnostic data level on devices might not be sufficient. |
+|**Allow Telemetry** | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. See the following policy for more information. |
+|**Configure telemetry opt-in setting user interface** | 1 - Disable diagnostic data opt-in Settings |(in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy, otherwise the effective diagnostic data level on devices might not be sufficient. |
|**Allow device name to be sent in Windows diagnostic data** | 1 - Enabled | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or Disabled, Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. |
## Required endpoints
@@ -72,9 +72,9 @@ To enable data sharing between devices, your network, and Microsoft's Diagnostic
| `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier. |
| `https://settings-win.data.microsoft.com` | Required for Windows Update functionality. |
| `http://adl.windows.com` | Required for Windows Update functionality. |
-| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER), used to provide more advanced error reporting in the event of certain Feature Update deployment failures. |
+| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER), used to provide more advanced error reporting if certain Feature Update deployment failures occur. |
| `https://oca.telemetry.microsoft.com` | Online Crash Analysis, used to provide device-specific recommendations and detailed errors in the event of certain crashes. |
-| `https://login.live.com` | This endpoint facilitates MSA access and is required to create the primary identifier we use for devices. Without this service, devices will not be visible in the solution. This also requires Microsoft Account Sign-in Assistant service to be running (wlidsvc). |
+| `https://login.live.com` | This endpoint facilitates MSA access and is required to create the primary identifier we use for devices. Without this service, devices will not be visible in the solution. The Microsoft Account Sign-in Assistant service must also be running (wlidsvc). |
## Required services
@@ -83,7 +83,7 @@ Many Windows and Microsoft services are required to ensure that not only the dev
## Run a full Census sync
-Census is a service that runs on a regular schedule on Windows devices. A number of key device attributes, like what operating system edition is installed on the device, are included in the Census payload. However, to save network load and system resources, data that tends to be more static (like edition) is sent approximately once per week rather than on every daily run. Because of this, these attributes can take longer to appear in Update Compliance unless you start a full Census sync. The Update Compliance Configuration Script does this.
+Census is a service that runs on a regular schedule on Windows devices. A number of key device attributes, like what operating system edition is installed on the device, are included in the Census payload. However, to save network load and system resources, data that tends to be more static (like edition) is sent approximately once per week rather than on every daily run. Because of this behavior, these attributes can take longer to appear in Update Compliance unless you start a full Census sync. The Update Compliance Configuration Script will do a full sync.
A full Census sync adds a new registry value to Census's path. When this registry value is added, Census's configuration is overridden to force a full sync. For Census to work normally, this registry value should be enabled, Census should be started manually, and then the registry value should be disabled. Follow these steps:
diff --git a/windows/deployment/update/update-compliance-delivery-optimization.md b/windows/deployment/update/update-compliance-delivery-optimization.md
index 1fa0437e08..b56a569d4c 100644
--- a/windows/deployment/update/update-compliance-delivery-optimization.md
+++ b/windows/deployment/update/update-compliance-delivery-optimization.md
@@ -13,6 +13,7 @@ keywords: oms, operations management suite, optimization, downloads, updates, lo
ms.localizationpriority: medium
ms.collection: M365-analytics
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# Delivery Optimization in Update Compliance
@@ -41,5 +42,5 @@ The table breaks down the number of bytes from each download source into specifi
The download sources that could be included are:
- LAN Bytes: Bytes downloaded from LAN Peers which are other devices on the same local network
-- Group Bytes: Bytes downloaded from Group Peers which are other devices that belong to the same Group (available when the “Group” download mode is used)
+- Group Bytes: Bytes downloaded from Group Peers which are other devices that belong to the same Group (available when the "Group" download mode is used)
- HTTP Bytes: Non-peer bytes. The HTTP download source can be Microsoft Servers, Windows Update Servers, a WSUS server or an SCCM Distribution Point for Express Updates.
diff --git a/windows/deployment/update/update-compliance-feature-update-status.md b/windows/deployment/update/update-compliance-feature-update-status.md
index b58012dcad..12924ab50f 100644
--- a/windows/deployment/update/update-compliance-feature-update-status.md
+++ b/windows/deployment/update/update-compliance-feature-update-status.md
@@ -12,6 +12,7 @@ author: jaimeo
ms.author: jaimeo
ms.collection: M365-analytics
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# Feature Update Status
@@ -47,16 +48,6 @@ Update Compliance reporting offers two queries to help you retrieve data relat
Update Compliance reporting will display the Safeguard IDs for known issues affecting a device in the **DeploymentErrorCode** column. Safeguard IDs for publicly discussed known issues are also included in the Windows Release Health dashboard, where you can easily find information related to publicly available safeguards.
-### Opting out of safeguard hold
-
-Microsoft will release a device from a safeguard hold when it has determined it can safely and smoothly install a feature update, but you are ultimately in control of your devices and can opt out if desired.
-To opt out, set the registry key as follows:
-
-- Registry Key Path :: **Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion**
-- Create New Key :: **502505fe-762c-4e80-911e-0c3fa4c63fb0**
-- Name :: **DataRequireGatedScanForFeatureUpdates**
-- Type :: **REG_DWORD**
-- Value :: **0**
-
-Setting this registry key to **0** will force the device to opt out from *all* safeguard holds. Any other value, or deleting the key, will resume compatibility protection on the device.
+### Opt out of safeguard hold
+You can [opt out of safeguard protections](safeguard-opt-out.md) by using the **Disable safeguards for Feature Updates** Group Policy. This policy is available to Windows Update for Business devices running Windows 10, version 1809 or later that have installed the October 2020 security update.
diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md
index 4e77a4d513..32cf41ab89 100644
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@@ -64,10 +64,10 @@ To find your CommercialID within Azure:
## Enroll devices in Update Compliance
-Once you've added Update Compliance to a workspace in your Azure subscription, you'll need to configure any devices you want to monitor. There are two ways to configure devices to use Update Compliance.
+Once you've added Update Compliance to a workspace in your Azure subscription, you'll need to configure any devices you want to monitor. There are two ways to configure devices to use Update Compliance. After you configure devices, it can take up to 72 hours before devices are visible in the solution. Until then, Update Compliance will indicate it is still assessing devices.
> [!NOTE]
-> After configuring devices via one of the two methods below, it can take up to 72 hours before devices are visible in the solution. Until then, Update Compliance will indicate it is still assessing devices.
+> If you use or plan to use [Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/overview), follow the steps in [Enroll devices in Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/enroll-devices) to also enroll devices in Update Compliance. You should be aware that the Commercial ID and Log Analytics workspace must be the same for both Desktop Analytics and Update Compliance.
### Configure devices using the Update Compliance Configuration Script
diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md
index 58bd854855..14008cd234 100644
--- a/windows/deployment/update/update-compliance-monitor.md
+++ b/windows/deployment/update/update-compliance-monitor.md
@@ -13,6 +13,7 @@ ms.author: jaimeo
ms.localizationpriority: medium
ms.collection: M365-analytics
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# Monitor Windows Updates with Update Compliance
diff --git a/windows/deployment/update/update-compliance-need-attention.md b/windows/deployment/update/update-compliance-need-attention.md
index 3032c95790..6a441b08d7 100644
--- a/windows/deployment/update/update-compliance-need-attention.md
+++ b/windows/deployment/update/update-compliance-need-attention.md
@@ -1,7 +1,7 @@
---
title: Update Compliance - Need Attention! report
manager: laurawi
-description: Learn how the Needs attention! section provides a breakdown of all Windows 10 device and update issues detected by Update Compliance.
+description: Learn how the Need attention! section provides a breakdown of all Windows 10 device and update issues detected by Update Compliance.
ms.mktglfcycl: deploy
ms.pagetype: deploy
audience: itpro
diff --git a/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md b/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md
index 2ddf505e62..52147e7fab 100644
--- a/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md
+++ b/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md
@@ -26,7 +26,7 @@ WaaSInsiderStatus records contain device-centric data and acts as the device rec
|**OSArchitecture** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`amd64` |The architecture of the Operating System. |
|**OSName** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Windows 10` |The name of the Operating System. This will always be Windows 10 for Update Compliance. |
|**OSVersion** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`1909` |The version of Windows 10. This typically is of the format of the year of the version's release, following the month. In this example, `1909` corresponds to 2019-09 (September). This maps to the `Major` portion of OSBuild. |
-|**OSBuild** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`18363.720` |The currently-installed Windows 10 Build, in the format `Major`.`Revision`. `Major` corresponds to which Feature Update the device is on, whereas `Revision` corresponds to which quality update the device is on. Mappings between Feature release and Major, as well as Revision and KBs, are available at [aka.ms/win10releaseinfo](https://docs.microsoft.com/windows/release-information/). |
+|**OSBuild** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`18363.720` |The currently-installed Windows 10 Build, in the format `Major`.`Revision`. `Major` corresponds to which Feature Update the device is on, whereas `Revision` corresponds to which quality update the device is on. Mappings between Feature release and Major, as well as Revision and KBs, are available at [aka.ms/win10releaseinfo](https://docs.microsoft.com/windows/release-health/release-information). |
|**OSRevisionNumber** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`720` |An integer value for the revision number of the currently-installed Windows 10 OSBuild on the device. |
|**OSEdition** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Enterprise` |The Windows 10 Edition or SKU. |
|**OSFamily** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Windows.Desktop` |The Device Family of the device. Only `Windows.Desktop` is currently supported. |
diff --git a/windows/deployment/update/update-compliance-schema-waasupdatestatus.md b/windows/deployment/update/update-compliance-schema-waasupdatestatus.md
index 0b5adb4096..72389ab819 100644
--- a/windows/deployment/update/update-compliance-schema-waasupdatestatus.md
+++ b/windows/deployment/update/update-compliance-schema-waasupdatestatus.md
@@ -33,7 +33,7 @@ WaaSUpdateStatus records contain device-centric data and acts as the device reco
|**OSArchitecture** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`amd64` |The architecture of the Operating System. |
|**OSName** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Windows 10` |The name of the Operating System. This will always be Windows 10 for Update Compliance. |
|**OSVersion** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`1909` |The version of Windows 10. This typically is of the format of the year of the version's release, following the month. In this example, `1909` corresponds to 2019-09 (September). This maps to the `Major` portion of OSBuild. |
-|**OSBuild** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`18363.720` |The currently-installed Windows 10 Build, in the format `Major`.`Revision`. `Major` corresponds to which Feature Update the device is on, whereas `Revision` corresponds to which quality update the device is on. Mappings between Feature release and Major, as well as Revision and KBs, are available at [aka.ms/win10releaseinfo](https://docs.microsoft.com/windows/release-information/). |
+|**OSBuild** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`18363.720` |The currently-installed Windows 10 Build, in the format `Major`.`Revision`. `Major` corresponds to which Feature Update the device is on, whereas `Revision` corresponds to which quality update the device is on. Mappings between Feature release and Major, as well as Revision and KBs, are available at [aka.ms/win10releaseinfo](https://docs.microsoft.com/windows/release-health/release-information). |
|**OSRevisionNumber** |[int](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/int) |`720` |An integer value for the revision number of the currently-installed Windows 10 OSBuild on the device. |
|**OSCurrentStatus** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Current` |*Deprecated* Whether or not the device is on the latest Windows Feature Update available, as well as the latest Quality Update for that Feature Update. |
|**OSEdition** |[string](https://docs.microsoft.com/azure/kusto/query/scalar-data-types/string) |`Enterprise` |The Windows 10 Edition or SKU. |
diff --git a/windows/deployment/update/update-compliance-security-update-status.md b/windows/deployment/update/update-compliance-security-update-status.md
index 5396a3f77c..085e47d153 100644
--- a/windows/deployment/update/update-compliance-security-update-status.md
+++ b/windows/deployment/update/update-compliance-security-update-status.md
@@ -10,6 +10,7 @@ author: jaimeo
ms.author: jaimeo
ms.collection: M365-analytics
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# Security Update Status
diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md
index d9207fdefb..92ae610fc5 100644
--- a/windows/deployment/update/update-compliance-using.md
+++ b/windows/deployment/update/update-compliance-using.md
@@ -2,7 +2,7 @@
title: Using Update Compliance (Windows 10)
ms.reviewer:
manager: laurawi
-description: Learn how to use Update Compliance to monitor your device's Windows updates and Microsoft Defender Antivirus status.
+description: Learn how to use Update Compliance to monitor your device's Windows updates.
keywords: oms, operations management suite, wdav, updates, upgrades, antivirus, antimalware, signature, log analytics
ms.prod: w10
ms.mktglfcycl: deploy
@@ -13,6 +13,7 @@ ms.author: jaimeo
ms.localizationpriority: medium
ms.collection: M365-analytics
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# Use Update Compliance
diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md
index 6bb0bf7519..076590a90f 100644
--- a/windows/deployment/update/waas-branchcache.md
+++ b/windows/deployment/update/waas-branchcache.md
@@ -1,6 +1,6 @@
---
title: Configure BranchCache for Windows 10 updates (Windows 10)
-description: Use BranchCache to optimize network bandwidth during update deployment.
+description: In this article, learn how to use BranchCache to optimize network bandwidth during update deployment.
ms.prod: w10
ms.mktglfcycl: manage
author: jaimeo
@@ -9,6 +9,7 @@ ms.author: jaimeo
ms.reviewer:
manager: laurawi
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# Configure BranchCache for Windows 10 updates
@@ -20,7 +21,7 @@ ms.topic: article
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager can use BranchCache to optimize network bandwidth during update deployment, and it’s easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode.
+BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and Microsoft Endpoint Manager can use BranchCache to optimize network bandwidth during update deployment, and it's easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode.
- Distributed Cache mode operates like the [Delivery Optimization](waas-delivery-optimization.md) feature in Windows 10: each client contains a cached version of the BranchCache-enabled files it requests and acts as a distributed cache for other clients requesting that same file.
@@ -33,7 +34,7 @@ For detailed information about how Distributed Cache mode and Hosted Cache mode
## Configure clients for BranchCache
-Whether you use BranchCache with Configuration Manager or WSUS, each client that uses BranchCache must be configured to do so. You typically make your configurations through Group Policy. For step-by-step instructions on how to use Group Policy to configure BranchCache for Windows clients, see [Client Configuration](https://technet.microsoft.com/library/dd637820%28v=ws.10%29.aspx) in the [BranchCache Early Adopter’s Guide](https://technet.microsoft.com/library/dd637762(v=ws.10).aspx).
+Whether you use BranchCache with Configuration Manager or WSUS, each client that uses BranchCache must be configured to do so. You typically make your configurations through Group Policy. For step-by-step instructions on how to use Group Policy to configure BranchCache for Windows clients, see [Client Configuration](https://technet.microsoft.com/library/dd637820%28v=ws.10%29.aspx) in the [BranchCache Early Adopter's Guide](https://technet.microsoft.com/library/dd637762(v=ws.10).aspx).
In Windows 10, version 1607, the Windows Update Agent uses Delivery Optimization by default, even when the updates are retrieved from WSUS. When using BranchCache with Windows 10, simply set the Delivery Optimization mode to Bypass to allow clients to use the Background Intelligent Transfer Service (BITS) protocol with BranchCache instead. For instructions on how to use BranchCache in Distributed Cache mode with WSUS, see the section WSUS and Configuration Manager with BranchCache in Distributed Cache mode.
@@ -58,7 +59,6 @@ In addition to these steps, there is one requirement for WSUS to be able to use
- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
-- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index 68b9bc63f3..319ff18112 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -30,7 +30,7 @@ You can use Group Policy or your mobile device management (MDM) service to confi
> [!IMPORTANT]
> Beginning with Windows 10, version 1903, organizations can use Windows Update for Business policies, regardless of the diagnostic data level chosen. If the diagnostic data level is set to **0 (Security)**, Windows Update for Business policies will still be honored. For instructions, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels).
-Some Windows Update for Business policies are not applicable or behave differently for devices running Windows 10 Mobile Enterprise. Specifically, policies pertaining to Feature Updates will not be applied to Windows 10 Mobile Enterprise. All Windows 10 Mobile updates are recognized as Quality Updates, and can only be deferred or paused using the Quality Update policy settings. Additional information is provided in this topic and in [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md).
+Some Windows Update for Business policies are not applicable or behave differently for devices running Windows 10 Mobile Enterprise. Specifically, policies pertaining to Feature Updates will not be applied to Windows 10 Mobile Enterprise. All Windows 10 Mobile updates are recognized as Quality Updates, and can only be deferred or paused using the Quality Update policy settings. Additional information is provided in this topic.
## Start by grouping devices
@@ -267,7 +267,6 @@ When a device running a newer version sees an update available on Windows Update
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md
index b101477546..d65d59a04d 100644
--- a/windows/deployment/update/waas-delivery-optimization-reference.md
+++ b/windows/deployment/update/waas-delivery-optimization-reference.md
@@ -2,17 +2,17 @@
title: Delivery Optimization reference
ms.reviewer:
manager: laurawi
-description: Reference of all Delivery Optimization settings and descriptions of same
+description: This article provides a summary of references and descriptions for all of the Delivery Optimization settings.
keywords: oms, operations management suite, wdav, updates, downloads, log analytics
ms.prod: w10
ms.mktglfcycl: deploy
-
audience: itpro
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
ms.collection: M365-modern-desktop
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# Delivery Optimization reference
@@ -111,7 +111,7 @@ Download mode dictates which download sources clients are allowed to use when do
| --- | --- |
| HTTP Only (0) | This setting disables peer-to-peer caching but still allows Delivery Optimization to download content over HTTP from the download's original source. This mode uses additional metadata provided by the Delivery Optimization cloud services for a peerless reliable and efficient download experience. |
| LAN (1 – Default) | This default operating mode for Delivery Optimization enables peer sharing on the same network. The Delivery Optimization cloud service finds other clients that connect to the Internet using the same public IP as the target client. These clients then attempts to connect to other peers on the same network by using their private subnet IP.|
-| Group (2) | When group mode is set, the group is automatically selected based on the device’s Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use GroupID option to create your own custom group independently of domains and AD DS sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other method to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. |
+| Group (2) | When group mode is set, the group is automatically selected based on the device's Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use GroupID option to create your own custom group independently of domains and AD DS sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other method to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. |
| Internet (3) | Enable Internet peer sources for Delivery Optimization. |
| Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. |
|Bypass (100) | Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You do not need to set this option if you are using Configuration Manager. If you want to disable peer-to-peer functionality, it's best to set **DownloadMode** to **0** or **99**. |
@@ -156,7 +156,7 @@ This setting specifies the required minimum disk size (capacity in GB) for the d
### Max Cache Age
-In environments configured for Delivery Optimization, you might want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client device. The default Max Cache Age value is 259,200 seconds (3 days). Alternatively, organizations might choose to set this value to “0” which means “unlimited” to avoid peers re-downloading content. When “Unlimited” value is set, Delivery Optimization will hold the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed).
+In environments configured for Delivery Optimization, you might want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client device. The default Max Cache Age value is 259,200 seconds (3 days). Alternatively, organizations might choose to set this value to "0" which means "unlimited" to avoid peers re-downloading content. When "Unlimited" value is set, Delivery Optimization will hold the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed).
### Max Cache Size
@@ -188,7 +188,7 @@ This setting specifies the maximum download bandwidth that Delivery Optimization
### Max Upload Bandwidth
-This setting allows you to limit the amount of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). The default setting is 0, or “unlimited” which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it does not cap the upload bandwidth rate at a set rate.
+This setting allows you to limit the amount of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). The default setting is 0, or "unlimited" which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it does not cap the upload bandwidth rate at a set rate.
### Set Business Hours to Limit Background Download Bandwidth
Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
@@ -247,9 +247,9 @@ This policy allows you to specify how your client(s) can discover Delivery Optim
- 1 = DHCP Option 235.
- 2 = DHCP Option 235 Force.
-with either option, the client will query DHCP Option ID 235 and use the returned value as the Cache Server Hostname. Option 2 overrides the Cache Server Hostname policy, if set.
+With either option, the client will query DHCP Option ID 235 and use the returned value as the Cache Server Hostname. Option 2 overrides the Cache Server Hostname policy, if set.
-Set this policy to designate one or more Delivery Optimization in Network Cache servers through a custom DHCP Option. You can add one or more value either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas.
+Set this policy to designate one or more Delivery Optimization in Network Cache servers through a custom DHCP Option. Specify the custom DHCP option on your server as *text* type. You can add one or more values as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address with commas.
> [!NOTE]
> If you format the DHCP Option ID incorrectly, the client will fall back to the Cache Server Hostname policy value if that value has been set.
diff --git a/windows/deployment/update/waas-delivery-optimization-setup.md b/windows/deployment/update/waas-delivery-optimization-setup.md
index 9cc82a5183..6e19c5ba6a 100644
--- a/windows/deployment/update/waas-delivery-optimization-setup.md
+++ b/windows/deployment/update/waas-delivery-optimization-setup.md
@@ -2,7 +2,7 @@
title: Set up Delivery Optimization
ms.reviewer:
manager: laurawi
-description: Delivery Optimization is a new peer-to-peer distribution method in Windows 10
+description: In this article, learn how to set up Delivery Optimization, a new peer-to-peer distribution method in Windows 10.
keywords: oms, operations management suite, wdav, updates, downloads, log analytics
ms.prod: w10
ms.mktglfcycl: deploy
@@ -12,6 +12,7 @@ ms.localizationpriority: medium
ms.author: jaimeo
ms.collection: M365-modern-desktop
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# Set up Delivery Optimization for Windows 10 updates
@@ -50,7 +51,7 @@ Quick-reference table:
### Hybrid WAN scenario
-For this scenario, grouping devices by domain allows devices to be included in peer downloads and uploads across VLANs. **Set Download Mode to 2 - Group**. The default group is the authenticated domain or Active Directory site. If your domain-based group is too wide, or your Active Directory sites aren’t aligned with your site network topology, then you should consider additional options for dynamically creating groups, for example by using the GroupIDSrc parameter.
+For this scenario, grouping devices by domain allows devices to be included in peer downloads and uploads across VLANs. **Set Download Mode to 2 - Group**. The default group is the authenticated domain or Active Directory site. If your domain-based group is too wide, or your Active Directory sites aren't aligned with your site network topology, then you should consider additional options for dynamically creating groups, for example by using the GroupIDSrc parameter.
@@ -103,7 +104,7 @@ To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**
## Monitor Delivery Optimization
-[//]: # (How to tell if it’s working? What values are reasonable; which are not? If not, which way to adjust and how? -- check PercentPeerCaching for files > minimum >= 50%)
+[//]: # (How to tell if it's working? What values are reasonable; which are not? If not, which way to adjust and how? -- check PercentPeerCaching for files > minimum >= 50%)
### Windows PowerShell cmdlets
diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md
index d6edc9cf57..a9ec6583a1 100644
--- a/windows/deployment/update/waas-delivery-optimization.md
+++ b/windows/deployment/update/waas-delivery-optimization.md
@@ -1,7 +1,7 @@
---
title: Delivery Optimization for Windows 10 updates
manager: laurawi
-description: Delivery Optimization is a peer-to-peer distribution method in Windows 10
+description: This article provides information about Delivery Optimization, a peer-to-peer distribution method in Windows 10.
keywords: oms, operations management suite, wdav, updates, downloads, log analytics
ms.prod: w10
ms.mktglfcycl: deploy
@@ -13,6 +13,7 @@ ms.collection:
- M365-modern-desktop
- m365initiative-coredeploy
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# Delivery Optimization for Windows 10 updates
@@ -24,7 +25,7 @@ ms.topic: article
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-Windows updates, upgrades, and applications can contain packages with very large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization can accomplish this because it is a self-organizing distributed cache that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based servers. You can use Delivery Optimization in conjunction with Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or Microsoft Endpoint Configuration Manager (when installation of Express Updates is enabled).
+Windows updates, upgrades, and applications can contain packages with very large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization can accomplish this because it is a self-organizing distributed cache that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based servers. You can use Delivery Optimization in conjunction with Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or Microsoft Endpoint Manager (when installation of Express Updates is enabled).
Delivery Optimization is a cloud-managed solution. Access to the Delivery Optimization cloud services is a requirement. This means that in order to use the peer-to-peer functionality of Delivery Optimization, devices must have access to the internet.
@@ -61,10 +62,11 @@ For information about setting up Delivery Optimization, including tips for the b
- DOMaxUploadBandwidth
- Support for new types of downloads:
- - Office installations and updates
+ - Office installs and updates
- Xbox game pass games
- MSIX apps (HTTP downloads only)
-
+ - Edge browser installs and updates
+ - [Dynamic updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-benefits-of-windows-10-dynamic-update/ba-p/467847)
## Requirements
@@ -89,7 +91,9 @@ The following table lists the minimum Windows 10 version that supports Delivery
| Win32 apps for Intune | 1709 |
| Xbox game pass games | 2004 |
| MSIX apps (HTTP downloads only) | 2004 |
-| Configuration Manager Express Updates | 1709 + Configuration Manager version 1711 |
+| Configuration Manager Express updates | 1709 + Configuration Manager version 1711 |
+| Edge browser installs and updates | 1809 |
+| [Dynamic updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-benefits-of-windows-10-dynamic-update/ba-p/467847) | 1903 |
> [!NOTE]
> Starting with Configuration Manager version 1910, you can use Delivery Optimization for the distribution of all Windows update content for clients running Windows 10 version 1709 or newer, not just express installation files. For more, see [Delivery Optimization starting in version 1910](https://docs.microsoft.com/mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#bkmk_DO-1910).
@@ -120,7 +124,7 @@ For complete list of every possible Delivery Optimization setting, see [Delivery
## How Microsoft uses Delivery Optimization
-At Microsoft, to help ensure that ongoing deployments weren’t affecting our network and taking away bandwidth for other services, Microsoft IT used a couple of different bandwidth management strategies. Delivery Optimization, peer-to-peer caching enabled through Group Policy, was piloted and then deployed to all managed devices using Group Policy. Based on recommendations from the Delivery Optimization team, we used the "group" configuration to limit sharing of content to only the devices that are members of the same Active Directory domain. The content is cached for 24 hours. More than 76 percent of content came from peer devices versus the Internet.
+At Microsoft, to help ensure that ongoing deployments weren't affecting our network and taking away bandwidth for other services, Microsoft IT used a couple of different bandwidth management strategies. Delivery Optimization, peer-to-peer caching enabled through Group Policy, was piloted and then deployed to all managed devices using Group Policy. Based on recommendations from the Delivery Optimization team, we used the "group" configuration to limit sharing of content to only the devices that are members of the same Active Directory domain. The content is cached for 24 hours. More than 76 percent of content came from peer devices versus the Internet.
For more details, check out the [Adopting Windows as a Service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft) technical case study.
@@ -188,7 +192,7 @@ This section summarizes common problems and some solutions to try.
### If you don't see any bytes from peers
-If you don’t see any bytes coming from peers the cause might be one of the following issues:
+If you don't see any bytes coming from peers the cause might be one of the following issues:
- Clients aren’t able to reach the Delivery Optimization cloud services.
- The cloud service doesn’t see other peers on the network.
@@ -249,7 +253,6 @@ If you suspect this is the problem, check Delivery Optimization settings that co
- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
diff --git a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md
index 5888c1f3a1..8d11c16e25 100644
--- a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md
+++ b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md
@@ -60,8 +60,7 @@ As Table 1 shows, each combination of servicing channel and deployment group is
## Related topics
-- [Update Windows 10 in the enterprise](index.md)
-- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Update Windows 10 in the enterprise](index.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md
index f473a704b2..b3fdbbb2d8 100644
--- a/windows/deployment/update/waas-integrate-wufb.md
+++ b/windows/deployment/update/waas-integrate-wufb.md
@@ -101,8 +101,7 @@ For more information, see [Integration with Windows Update for Business in Windo
- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
-- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md
index 9f7d882387..17a39a185f 100644
--- a/windows/deployment/update/waas-manage-updates-wsus.md
+++ b/windows/deployment/update/waas-manage-updates-wsus.md
@@ -24,7 +24,7 @@ ms.topic: article
>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy or the registry. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel.
-WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that Microsoft Endpoint Configuration Manager provides.
+WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that Microsoft Endpoint Manager provides.
When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows 10 client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If you’re currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 10.
@@ -350,8 +350,7 @@ Now that you have the **All Windows 10 Upgrades** view, complete the following s
- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
-- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md
index 95321b1013..5a410e9d8c 100644
--- a/windows/deployment/update/waas-manage-updates-wufb.md
+++ b/windows/deployment/update/waas-manage-updates-wufb.md
@@ -2,13 +2,14 @@
title: Windows Update for Business (Windows 10)
ms.reviewer:
manager: laurawi
-description: Windows Update for Business lets you manage when devices received updates from Windows Update.
+description: Learn how Windows Update for Business lets you manage when devices receive updates from Windows Update.
ms.prod: w10
ms.mktglfcycl: manage
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# What is Windows Update for Business?
@@ -26,7 +27,7 @@ Windows Update for Business is a free service that is available for all premium
Windows Update for Business enables IT administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or Mobile Device Management (MDM) solutions such as Microsoft Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated.
-Specifically, Windows Update for Business allows for control over update offerings and experiences to allow for reliability and performance testing on a subset of devices before deploying updates across the organization as well as a positive update experience for those in your organization.
+Specifically, Windows Update for Business lets you control update offerings and experiences to allow for reliability and performance testing on a subset of devices before deploying updates across the organization. It also provides a positive update experience for people in your organization.
## What can I do with Windows Update for Business?
@@ -46,9 +47,9 @@ Windows Update for Business enables an IT administrator to receive and manage a
Windows Update for Business provides management policies for several types of updates to Windows 10 devices:
- **Feature updates:** Previously referred to as "upgrades," feature updates contain not only security and quality revisions, but also significant feature additions and changes. Feature updates are released semi-annually in the fall and in the spring.
-- **Quality updates:** These are traditional operating system updates, typically released on the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as quality updates. These non-Windows Updates are known as "Microsoft updates" and you can set devices to receive such updates (or not) along with their Windows updates.
-- **Driver updates:** These are non-Microsoft drivers that are applicable to your devices. Driver updates are on by default, but you can use Windows Update for Business policies to turn them off if you prefer.
-- **Microsoft product updates**: These are updates for other Microsoft products, such as Office. Product updates are off by default. You can turn them on by using Windows Update for Business policies.
+- **Quality updates:** Quality updates are traditional operating system updates, typically released on the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as updates for Microsoft Office or Visual Studio) as quality updates. These non-Windows Updates are known as "Microsoft updates" and you can set devices to receive such updates (or not) along with their Windows updates.
+- **Driver updates:** Updates for non-Microsoft drivers that are relevant to your devices. Driver updates are on by default, but you can use Windows Update for Business policies to turn them off if you prefer.
+- **Microsoft product updates**: Updates for other Microsoft products, such as versions of Office that are installed by using Windows Installer (MSI). Versions of Office that are installed by using Click-to-Run can't be updated by using Windows Update for Business. Product updates are off by default. You can turn them on by using Windows Update for Business policies.
## Offering
@@ -64,13 +65,13 @@ The branch readiness level enables administrators to specify which channel of fe
- Windows Insider Fast
- Windows Insider Slow
- Windows Insider Release Preview
-- Semi-annual Channel
+- Semi-Annual Channel
-Prior to Windows 10, version 1903, there are two channels for released updates: Semi-annual Channel and Semi-annual Channel (Targeted). Deferral days are calculated against the release date of the chosen channel. Starting with Windows 10, version 1903 there is only the one release channel: Semi-annual Channel. All deferral days are calculated against a release’s Semi-annual Channel release date. For exact release dates, see [Windows Release Information](https://docs.microsoft.com/windows/release-information/). You can set the branch readiness level by using the **Select when Preview Builds and Feature Updates are Received** policy. To use this policy to manage pre-release builds, first enable preview builds by using the **Manage preview Builds** policy.
+Prior to Windows 10, version 1903, there are two channels for released updates: Semi-Annual Channel and Semi-Annual Channel (Targeted). Deferral days are calculated against the release date of the chosen channel. Starting with Windows 10, version 1903 there is only the one release channel: Semi-Annual Channel. All deferral days are calculated against a release’s Semi-Annual Channel release date. For exact release dates, see [Windows Release Information](https://docs.microsoft.com/windows/release-health/release-information). You can set the branch readiness level by using the **Select when Preview Builds and Feature Updates are Received** policy. To use this policy to manage pre-release builds, first enable preview builds by using the **Manage preview Builds** policy.
#### Defer an update
-A Windows Update for Business administrator can defer the installation of both feature and quality updates from deploying to devices within a bounded range of time from when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they are pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it is offered to a device. That is, if you set a feature update deferral period of 365 days, the device will not install a feature update that has been released for less than 365 days. To defer feature updates use the **Select when Preview Builds and Feature Updates are Received** policy.
+A Windows Update for Business administrator can defer the installation of both feature and quality updates from deploying to devices within a bounded range of time from when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they are pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it is offered to a device. That is, if you set a feature update deferral period of 365 days, the device will not install a feature update that has been released for less than 365 days. To defer feature updates, use the **Select when Preview Builds and Feature Updates are Received** policy.
|Category |Maximum deferral period |
@@ -87,10 +88,10 @@ A Windows Update for Business administrator can defer the installation of both f
If you discover a problem while deploying a feature or quality update, the IT administrator can pause the update for 35 days from a specified start date to prevent other devices from installing it until the issue is mitigated.
If you pause a feature update, quality updates are still offered to devices to ensure they stay secure. The pause period for both feature and quality updates is calculated from a start date that you set.
-To pause feature updates use the **Select when Preview Builds and Feature Updates are Received** policy and to pause quality updates use the **Select when Quality Updates are Received** policy. For more information, see [Pause feature updates](waas-configure-wufb.md#pause-feature-updates) and [Pause quality updates](waas-configure-wufb.md#pause-quality-updates).
+To pause feature updates, use the **Select when Preview Builds and Feature Updates are Received** policy and to pause quality updates use the **Select when Quality Updates are Received** policy. For more information, see [Pause feature updates](waas-configure-wufb.md#pause-feature-updates) and [Pause quality updates](waas-configure-wufb.md#pause-quality-updates).
-Built in benefits:
-When updating from Windows Update you get the added benefits of built in compatibility checks to prevent against a poor update experience for your device as well as a check to prevent repeated rollbacks.
+Built-in benefits:
+When updating from Windows Update, you get the added benefits of built-in compatibility checks to prevent against a poor update experience for your device as well as a check to prevent repeated rollbacks.
### Recommendations
@@ -103,13 +104,13 @@ For the best experience with Windows Update, follow these guidelines:
### Manage the end-user experience when receiving Windows Updates
-Windows Update for Business provides controls to help meet your organization’s security standards as well as provide a great end-user experience. We do this by enabling you to set automatic updates at times that work well for those in your organization and set deadlines for quality and feature updates. Because Windows Update includes built-in intelligence, it's usually better to use fewer controls to manage the end-user experience.
+Windows Update for Business provides controls to help meet your organization’s security standards as well as provide a great end-user experience. We do this by enabling you to set automatic updates at times that work well for people in your organization and set deadlines for quality and feature updates. Because Windows Update includes built-in intelligence, it's better to use fewer controls to manage the user experience.
#### Recommended experience settings
Features like the smart busy check (which ensure updates don't happen when a user is signed in) and active hours help provide the best experience for end users while keeping devices more secure and up to date. Follow these steps to take advantage of these features:
-1. Automatically download, install and restart (default if no restart policies are set up or enabled)
+1. Automatically download, install, and restart (default if no restart policies are set up or enabled)
2. Use the default notifications
3. Set update deadlines
@@ -117,7 +118,7 @@ Features like the smart busy check (which ensure updates don't happen when a use
A compliance deadline policy (released in June 2019) enables you to set separate deadlines and grace periods for feature and quality updates.
-This policy enables you to specify the number of days from an update's publication date that it must be installed on the device. The policy also includes a configurable grace period that specifies the number of days from when the update is installed on the device until the device is forced to restart. This is extremely beneficial in a vacation scenario as it allows, for example, users who have been away to have a bit of time before being forced to restart their devices when they return from vacation.
+This policy enables you to specify the number of days from an update's publication date that it must be installed on the device. The policy also includes a configurable grace period that specifies the number of days from when the update is installed on the device until the device is forced to restart. This approach is useful in a vacation scenario as it allows, for example, users who have been away to have a bit of time before being forced to restart their devices when they return from vacation.
#### Update Baseline
The large number of different policies offered for Windows 10 can be overwhelming. Update Baseline provides a clear list of recommended Windows update policy settings for IT administrators who want the best user experience while also meeting their update compliance goals. The Update Baseline for Windows 10 includes policy settings recommendations covering deadline configuration, restart behavior, power policies, and more.
@@ -185,18 +186,18 @@ The branch readiness level enables administrators to specify which channel of fe
- Windows Insider Fast
- Windows Insider Slow
- Windows Insider Release Preview
-- Semi-annual Channel for released updates
+ - Semi-Annual Channel for released updates
-Prior to Windows 10, version 1903, there are two channels for released updates: Semi-annual Channel and Semi-annual Channel (Targeted). Deferral days are calculated against the release date of the chosen channel. Starting with Windows 10, version 1903 there is only the one release channel: Semi-annual Channel. All deferral days will be calculated against a release’s Semi-annual Channel release date. To see release dates, visit [Windows Release Information](https://docs.microsoft.com/windows/release-information/). You can set the branch readiness level by using the **Select when Preview Builds and Feature Updates are Received** policy. In order to use this to manage pre-release builds, first enable preview builds by using the **Manage preview Builds** policy.
+Prior to Windows 10, version 1903, there are two channels for released updates: Semi-Annual Channel and Semi-Annual Channel (Targeted). Deferral days are calculated against the release date of the chosen channel. Starting with Windows 10, version 1903 there is only the one release channel: Semi-Annual Channel. All deferral days will be calculated against a release's Semi-Annual Channel release date. To see release dates, visit [Windows Release Information](https://docs.microsoft.com/windows/release-health/release-information). You can set the branch readiness level by using the **Select when Preview Builds and Feature Updates are Received** policy. In order to use this to manage pre-release builds, first enable preview builds by using the **Manage preview Builds** policy.
### Recommendations
For the best experience with Windows Update, follow these guidelines:
-- Use devices for at least 6 hours per month, including at least 2 hours of continuous use.
-- Keep devices regularly charged. Plugging in devices overnight enables them to automatically update outside of active hours.
-- Make sure that devices have at least 10 GB of free space.
-- Give devices unobstructed access to the Windows Update service.
+- Use devices for at least 6 hours per month, including at least 2 hours of continuous use.
+- Keep devices regularly charged. Plugging in devices overnight enables them to automatically update outside of active hours.
+- Make sure that devices have at least 10 GB of free space.
+- Give devices unobstructed access to the Windows Update service.
## Monitor Windows Updates by using Update Compliance
diff --git a/windows/deployment/update/waas-mobile-updates.md b/windows/deployment/update/waas-mobile-updates.md
deleted file mode 100644
index abb64e0561..0000000000
--- a/windows/deployment/update/waas-mobile-updates.md
+++ /dev/null
@@ -1,77 +0,0 @@
----
-title: Deploy updates to Windows 10 Mobile or Windows 10 IoT Mobile
-description: Deploy updates to devices in your organization that are running Windows 10 Mobile Enterprise or Windows 10 IoT Mobile.
-ms.prod: w10
-ms.mktglfcycl: manage
-author: jaimeo
-ms.localizationpriority: medium
-ms.author: jaimeo
-ms.reviewer:
-manager: laurawi
-ms.topic: article
----
-
-# Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile
-
-
-**Applies to**
-
-- Windows 10 Mobile
-- [Windows 10 IoT Mobile](https://www.microsoft.com/WindowsForBusiness/windows-iot)
-
-> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-
->[!TIP]
->If you're not familiar with the Windows 10 servicing or release channels, read [Servicing channels](waas-overview.md#servicing-channels) first.
-
-Devices running Windows 10 Mobile and Windows 10 IoT Mobile receive updates from the Semi-annual Channel unless you [enroll the device in the Windows Insider Program](waas-servicing-channels-windows-10-updates.md#enroll-devices-in-the-windows-insider-program).
-
-[Learn how to upgrade Windows 10 Mobile to Windows 10 Mobile Enterprise](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades)
-
-
-
-| Windows 10 edition | Semi-annual Channel | Insider Program |
-| --- | --- | --- | --- |
-| Mobile |  |  |
-| Mobile Enterprise |  |  |
-| IoT Mobile |  |  |
-
-
-
-Configuration of Windows 10 Mobile and Windows 10 IoT Mobile devices is limited to the feature set pertaining to quality updates only. That is, Windows Mobile feature updates are categorized the same as quality updates, and can only be deferred by setting the quality update deferral period, for a maximum period of 30 days. You can use mobile device management (MDM) to manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile. Updates cannot be managed for Windows 10 Mobile.
-
-
-## Windows 10, version 1607
-
-Only the following Windows Update for Business policies are supported for Windows 10 Mobile and Windows 10 IoT Mobile:
-
-- ../Vendor/MSFT/Policy/Config/Update/BranchReadinessLevel
-- ../Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesInDays
-- ../Vendor/MSFT/Policy/Config/Update/PauseQualityUpdates
-
-
-
-
-
-
-## Related topics
-
-- [Update Windows 10 in the enterprise](index.md)
-- [Overview of Windows as a service](waas-overview.md)
-- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
-- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
-- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
-- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
-- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
-- [Configure Windows Update for Business](waas-configure-wufb.md)
-- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
-- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
-- [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure)
-- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md)
-- [Manage device restarts after updates](waas-restart.md)
-
-
-
diff --git a/windows/deployment/update/waas-morenews.md b/windows/deployment/update/waas-morenews.md
index 377895abf7..0617e20b00 100644
--- a/windows/deployment/update/waas-morenews.md
+++ b/windows/deployment/update/waas-morenews.md
@@ -1,5 +1,6 @@
---
title: Windows as a service news & resources
+description: The latest news for Windows as a service with resources to help you learn more about them.
ms.prod: w10
ms.topic: article
ms.manager: elizapo
@@ -17,8 +18,8 @@ Here's more news about [Windows as a service](windows-as-a-service.md):
| Method | Windows Update | Windows Update for Business | WSUS | Configuration Manager |
| --- | --- | --- | --- | --- |
@@ -43,9 +43,9 @@ Two methods of peer-to-peer content distribution are available in Windows 10.
| BranchCache |  |  | |  |
> [!NOTE]
-> Microsoft Endpoint Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use Microsoft Endpoint Configuration Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](https://docs.microsoft.com/configmgr/core/plan-design/hierarchy/client-peer-cache).
+> Microsoft Endpoint Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use Microsoft Endpoint Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](https://docs.microsoft.com/configmgr/core/plan-design/hierarchy/client-peer-cache).
>
-> In addition to Client Peer Cache, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with Microsoft Endpoint Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/get-started/prepare-windows-pe-peer-cache-to-reduce-wan-traffic).
+> In addition to Client Peer Cache, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with Microsoft Endpoint Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/get-started/prepare-windows-pe-peer-cache-to-reduce-wan-traffic).
## Express update delivery
@@ -93,13 +93,12 @@ At this point, the download is complete and the update is ready to be installed.
|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
|  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
|  | Optimize update delivery for Windows 10 updates (this topic) |
-|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) |
+|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) |
## Related topics
-- [Update Windows 10 in the enterprise](index.md)
-- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Update Windows 10 in the enterprise](index.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md
index a656c096f6..eee777b2ac 100644
--- a/windows/deployment/update/waas-overview.md
+++ b/windows/deployment/update/waas-overview.md
@@ -18,7 +18,6 @@ ms.topic: article
**Applies to**
- Windows 10
-- Windows 10 IoT Mobile
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
@@ -46,7 +45,7 @@ Application compatibility testing has historically been a burden when approachin
Most Windows 7–compatible desktop applications will be compatible with Windows 10 straight out of the box. Windows 10 achieved such high compatibility because the changes in the existing Win32 application programming interfaces were minimal. Combined with valuable feedback via the Windows Insider Program and diagnostic data, this level of compatibility can be maintained through each feature update. As for websites, Windows 10 includes Internet Explorer 11 and its backward-compatibility modes for legacy websites. Finally, UWP apps follow a compatibility story similar to desktop applications, so most of them will be compatible with Windows 10.
-For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. For remaining applications, consider validating them as part of a pilot deployment process to reduce the time spent on compatibility testing. Desktop Analytics s a cloud-based service that integrates with Configuration Manager. The service provides insight and intelligence for you to make more informed decisions about the update readiness of your Windows endpoints, including assessment of your existing applications. For more, see [Ready for modern desktop retirement FAQ](https://docs.microsoft.com/mem/configmgr/desktop-analytics/ready-for-windows).
+For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. For remaining applications, consider validating them as part of a pilot deployment process to reduce the time spent on compatibility testing. Desktop Analytics is a cloud-based service that integrates with Configuration Manager. The service provides insight and intelligence for you to make more informed decisions about the update readiness of your Windows endpoints, including assessment of your existing applications. For more, see [Ready for modern desktop retirement FAQ](https://docs.microsoft.com/mem/configmgr/desktop-analytics/ready-for-windows).
### Device compatibility
@@ -67,7 +66,7 @@ To align with this new update delivery model, Windows 10 has three servicing cha
There are currently two release channels for Windows 10:
- The **Semi-Annual Channel** receives feature updates twice per year.
-- The **Long Term Servicing Channel**, which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years.
+- The **Long-Term Servicing Channel**, which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years.
>[!IMPORTANT]
>With each Semi-Annual Channel release, we recommend beginning deployment right away to devices selected for early adoption (targeted validation) and ramp up to full deployment at your discretion. This will enable you to gain access to new features, experiences, and integrated security as soon as possible. The "Semi-Annual Channel (Targeted)" designation is no longer used. For more information, see the blog post [Windows 10 and the "disappearing" SAC-T](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-and-the-disappearing-SAC-T/ba-p/199747).
@@ -101,7 +100,7 @@ In Windows 10, rather than receiving several updates each month and trying to fi
To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how frequently their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity.
-With that in mind, Windows 10 offers three servicing channels. The [Windows Insider Program](#windows-insider) provides organizations with the opportunity to test and provide feedback on features that will be shipped in the next feature update. The [Semi-Annual Channel](#semi-annual-channel) provides new functionality with twice-per-year feature update releases. Organizations can choose when to deploy updates from the Semi-Annual Channel. The [Long Term Servicing Channel](#long-term-servicing-channel), which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years. For details about the versions in each servicing channel, see [Windows 10 release information](https://docs.microsoft.com/windows/release-information/).
+With that in mind, Windows 10 offers three servicing channels. The [Windows Insider Program](#windows-insider) provides organizations with the opportunity to test and provide feedback on features that will be shipped in the next feature update. The [Semi-Annual Channel](#semi-annual-channel) provides new functionality with twice-per-year feature update releases. Organizations can choose when to deploy updates from the Semi-Annual Channel. The [Long-Term Servicing Channel](#long-term-servicing-channel), which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years. For details about the versions in each servicing channel, see [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information).
The concept of servicing channels is new, but organizations can use the same management tools they used to manage updates and upgrades in previous versions of Windows. For more information about the servicing tool options for Windows 10 and their capabilities, see [Servicing tools](#servicing-tools).
@@ -129,7 +128,7 @@ Organizations are expected to initiate targeted deployment on Semi-Annual Channe
Specialized systems—such as devices that control medical equipment, point-of-sale systems, and ATMs—often require a longer servicing option because of their purpose. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. It’s more important that these devices be kept as stable and secure as possible than up to date with user interface changes. The LTSC servicing model prevents Windows 10 Enterprise LTSB devices from receiving the usual feature updates and provides only quality updates to ensure that device security stays up to date. With this in mind, quality updates are still immediately available to Windows 10 Enterprise LTSB clients, but customers can choose to defer them by using one of the servicing tools mentioned in the section Servicing tools.
> [!NOTE]
-> Windows 10 Enterprise LTSB is a separate Long Term Servicing Channel version.
+> Windows 10 Enterprise LTSB is a separate Long-Term Servicing Channel version.
>
> Long-term Servicing channel is not intended for deployment on most or all the devices in an organization; it should be used only for special-purpose devices. As a general guideline, a device with Microsoft Office installed is a general-purpose device, typically used by an information worker, and therefore it is better suited for the Semi-Annual servicing channel.
@@ -165,7 +164,7 @@ There are many tools with which IT pros can service Windows as a service. Each o
- **Windows Server Update Services (WSUS)** provides extensive control over Windows 10 updates and is natively available in the Windows Server operating system. In addition to the ability to defer updates, organizations can add an approval layer for updates and choose to deploy them to specific computers or groups of computers whenever ready.
- **Microsoft Endpoint Configuration Manager** provides the greatest control over servicing Windows as a service. IT pros can defer updates, approve them, and have multiple options for targeting deployments and managing bandwidth usage and deployment times.
-With all these options, which an organization chooses depends on the resources, staff, and expertise its IT organization already has. For example, if IT already uses Microsoft Endpoint Configuration Manager to manage Windows updates, it can continue to use it. Similarly, if IT is using WSUS, it can continue to use that. For a consolidated look at the benefits of each tool, see Table 1.
+With all these options, which an organization chooses depends on the resources, staff, and expertise its IT organization already has. For example, if IT already uses Microsoft Endpoint Manager to manage Windows updates, it can continue to use it. Similarly, if IT is using WSUS, it can continue to use that. For a consolidated look at the benefits of each tool, see Table 1.
**Table 1**
@@ -197,8 +196,7 @@ With all these options, which an organization chooses depends on the resources,
## Related topics
- [Update Windows 10 in the enterprise](index.md)
-- [Quick guide to Windows as a service](waas-quick-start.md)
-- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Quick guide to Windows as a service](waas-quick-start.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md
index 7e0bf21538..4a021b02f7 100644
--- a/windows/deployment/update/waas-quick-start.md
+++ b/windows/deployment/update/waas-quick-start.md
@@ -24,12 +24,12 @@ Windows as a service is a new concept, introduced with the release of Windows 10
## Definitions
Some new terms have been introduced as part of Windows as a service, so you should know what these terms mean.
-- **Feature updates** are released twice per year, around March and September. As the name suggests, these will add new features to Windows 10, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years.
+- **Feature updates** are released twice per year, around March and September. As the name suggests, these updates add new features to Windows 10, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years.
- **Quality updates** deliver both security and non-security fixes. They are typically released on the second Tuesday of each month, though they can be released at any time. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. Quality updates are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update. The "servicing stack" is the code that installs other updates, so they are important to keep current. For more information, see [Servicing stack updates](servicing-stack-updates.md).
-- **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features as well as compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered.
+- **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features and confirm compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered.
- **Servicing channels** allow organizations to choose when to deploy new features.
- The **Semi-Annual Channel** receives feature updates twice per year.
- - The **Long Term Servicing Channel**, which is designed to be used only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years.
+ - The **Long-Term Servicing Channel**, which meant only for specialized devices (which typically don't run Office) such as those that control medical equipment or ATM machines, receives new feature releases every two to three years.
- **Deployment rings** are groups of devices used to initially pilot, and then to broadly deploy, each feature update in an organization.
See [Overview of Windows as a service](waas-overview.md) for more information.
@@ -42,19 +42,19 @@ Windows 10 gains new functionality with twice-per-year feature update releases.
All releases of Windows 10 have 18 months of servicing for all editions--these updates provide security and feature updates for the release. Customers running Enterprise and Education editions have an additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release. These versions include Enterprise and Education editions for Windows 10, versions 1607 and later. Starting in October 2018, all Semi-Annual Channel releases in the September/October timeframe will also have the additional 12 months of servicing for a total of 30 months from the initial release. The Semi-Annual Channel versions released in March/April timeframe will continue to have an 18-month lifecycle.
-Windows 10 Enterprise LTSB is a separate **Long Term Servicing Channel** version. Each release is supported for a total of 10 years (five years standard support, five years extended support). New releases are expected about every three years.
+Windows 10 Enterprise LTSB is a separate **Long-Term Servicing Channel** version. Each release is supported for a total of 10 years (five years standard support, five years extended support). New releases are expected about every three years.
-See [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) for more information.
+For more information, see [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md).
## Staying up to date
-The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. A variety of management and update tools such as Windows Update, Windows Update for Business, Windows Server Update Services, Microsoft Endpoint Configuration Manager, and third-party products) can be used to help with this process. [Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-readiness-get-started), a free tool to streamline Windows upgrade projects, is another important tool to help.
+The process for keeping Windows 10 up to date involves deploying a feature update, at an appropriate time after its release. You can use various management and update tools such as Windows Update, Windows Update for Business, Windows Server Update Services, Microsoft Endpoint Configuration Manager, and non-Microsoft products) to help with this process. [Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-readiness-get-started), a free tool to streamline Windows upgrade projects, is another important tool to help.
Because app compatibility, both for desktop apps and web apps, is outstanding with Windows 10, extensive advanced testing isn’t required. Instead, only business-critical apps need to be tested, with the remaining apps validated through a series of pilot deployment rings. Once these pilot deployments have validated most apps, broad deployment can begin.
-This process repeats with each new feature update, twice per year. These are small deployment projects, compared to the big projects that were necessary with the old three-to-five-year Windows release cycles.
+This process repeats with each new feature update, twice per year. These are small deployment projects, compared to the large projects that were necessary with the old three-to-five-year Windows release cycles.
-Additional technologies such as BranchCache and Delivery Optimization, both peer-to-peer distribution tools, can help with the distribution of the feature update installation files.
+Other technologies such as BranchCache and Delivery Optimization, both peer-to-peer distribution tools, can help with the distribution of the feature update installation files.
See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) and [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) for more information.
@@ -67,8 +67,7 @@ See [Build deployment rings for Windows 10 updates](waas-deployment-rings-window
## Related topics
-- [Update Windows 10 in the enterprise](index.md)
-- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Update Windows 10 in the enterprise](index.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md
index 0031ab8ee0..4094472fa0 100644
--- a/windows/deployment/update/waas-restart.md
+++ b/windows/deployment/update/waas-restart.md
@@ -1,15 +1,16 @@
---
title: Manage device restarts after updates (Windows 10)
-description: Use Group Policy settings, mobile device management (MDM) or Registry to configure when devices will restart after a Windows 10 update is installed.
+description: Use Group Policy settings, mobile device management (MDM), or Registry to configure when devices will restart after a Windows 10 update is installed.
ms.prod: w10
ms.mktglfcycl: deploy
-
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
ms.reviewer:
manager: laurawi
ms.topic: article
+ms.custom:
+- seo-marvel-apr2020
---
# Manage device restarts after updates
@@ -22,7 +23,7 @@ ms.topic: article
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-You can use Group Policy settings, mobile device management (MDM) or Registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both.
+You can use Group Policy settings, mobile device management (MDM), or Registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both.
## Schedule update installation
@@ -76,11 +77,12 @@ MDM uses the [Update/ActiveHoursStart and Update/ActiveHoursEnd](https://msdn.mi
### Configuring active hours through Registry
-This method is not recommended, and should only be used when neither Group Policy or MDM are available.
+This method is not recommended, and should only be used when you can't use Group Policy or MDM.
Any settings configured through Registry may conflict with any existing configuration that uses any of the methods mentioned above.
-You should set a combination of the following registry values, in order to configure active hours.
-Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate** use **SetActiveHours** to enable or disable active hours and **ActiveHoursStart**,**ActiveHoursEnd** to specify the range of active hours.
+Configure active hours by setting a combination of the following registry values:
+
+Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate** use **SetActiveHours** to enable or disable active hours and **ActiveHoursStart** and **ActiveHoursEnd** to specify the range of active hours.
For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
@@ -99,7 +101,7 @@ To configure active hours max range through MDM, use [**Update/ActiveHoursMaxRan
## Limit restart delays
-After an update is installed, Windows 10 attempts automatic restart outside of active hours. If the restart does not succeed after 7 days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from 7 days to a number of days between 2 and 14.
+After an update is installed, Windows 10 attempts automatic restart outside of active hours. If the restart does not succeed after seven days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from seven days to any number of days between two and 14.
## Control restart notifications
@@ -136,7 +138,7 @@ In MDM, the warning reminder is configured using [**Update/ScheduleRestartWarnin
### Engaged restart
-Engaged restart is the period of time when users are required to schedule a restart. Initially, Windows will auto-restart outside of working hours. Once the set period ends (7 days by default), Windows transitions to user scheduled restarts.
+Engaged restart is the period of time when users are required to schedule a restart. Initially, Windows will auto-restart outside of working hours. Once the set period ends (seven days by default), Windows transitions to user scheduled restarts.
The following settings can be adjusted for engaged restart:
* Period of time before auto-restart transitions to engaged restart.
@@ -182,23 +184,22 @@ The following tables list registry values that correspond to the Group Policy se
| Registry key | Key type | Value |
| --- | --- | --- |
-| AlwaysAutoRebootAtScheduledTime | REG_DWORD | 0: disable automatic reboot after update installation at scheduled time1: enable automatic reboot after update installation at ascheduled time |
+| AlwaysAutoRebootAtScheduledTime | REG_DWORD | 0: disable automatic reboot after update installation at scheduled time1: enable automatic reboot after update installation at a scheduled time |
| AlwaysAutoRebootAtScheduledTimeMinutes | REG_DWORD | 15-180: set automatic reboot to occur after given minutes |
| AUOptions | REG_DWORD | 2: notify for download and notify for installation of updates3: automatically download and notify for installation of updates4: Automatically download and schedule installation of updates5: allow the local admin to configure these settings**Note:** To configure restart behavior, set this value to **4** |
-| NoAutoRebootWithLoggedOnUsers | REG_DWORD | 0: disable do not reboot if users are logged on1: do not reboot after an update installation if a user is logged on**Note:** If disabled : Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation |
+| NoAutoRebootWithLoggedOnUsers | REG_DWORD | 0: disable do not reboot if users are logged on1: do not reboot after an update installation if a user is logged on**Note:** If disabled: Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation |
| ScheduledInstallTime | REG_DWORD | 0-23: schedule update installation time to a specific hourstarts with 12 AM (0) and ends with 11 PM (23) |
-There are 3 different registry combinations for controlling restart behavior:
+There are three different registry combinations for controlling restart behavior:
- To set active hours, **SetActiveHours** should be **1**, while **ActiveHoursStart** and **ActiveHoursEnd** should define the time range.
-- To schedule a specific installation and reboot time, **AUOptions** should be **4**, **ScheduledInstallTime** should specify the installation time, **AlwaysAutoRebootAtScheduledTime** set to **1** and **AlwaysAutoRebootAtScheduledTimeMinutes** should specify number of minutes to wait before rebooting.
+- To schedule a specific installation and reboot time, **AUOptions** should be **4**, **ScheduledInstallTime** should specify the installation time, and **AlwaysAutoRebootAtScheduledTime** set to **1** and **AlwaysAutoRebootAtScheduledTimeMinutes** should specify number of minutes to wait before rebooting.
- To delay rebooting if a user is logged on, **AUOptions** should be **4**, while **NoAutoRebootWithLoggedOnUsers** is set to **1**.
-## Related topics
+## Related articles
- [Update Windows 10 in the enterprise](index.md)
- [Overview of Windows as a service](waas-overview.md)
-- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
index 703e8f93bf..173deccbea 100644
--- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
@@ -1,15 +1,16 @@
---
title: Assign devices to servicing channels for Windows 10 updates (Windows 10)
-description: Learn how to assign devices to servicing channels for Windows 10 updates locally, by using Group Policy, and by using MDM .
+description: Learn how to assign devices to servicing channels for Windows 10 updates locally, by using Group Policy, and by using MDM
ms.prod: w10
ms.mktglfcycl: deploy
-
author: jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
ms.reviewer:
manager: laurawi
ms.topic: article
+ms.custom:
+- seo-marvel-apr2020
---
# Assign devices to servicing channels for Windows 10 updates
@@ -27,7 +28,7 @@ ms.topic: article
>
>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel.
-The Semi-Annual Channel is the default servicing channel for all Windows 10 devices except those with the LTSB edition installed. The following table shows the servicing channels available to each Windows 10 edition.
+The Semi-Annual Channel is the default servicing channel for all Windows 10 devices except devices with the LTSB edition installed. The following table shows the servicing channels available to each Windows 10 edition.
| Windows 10 edition | Semi-Annual Channel | Long-Term Servicing Channel | Insider Program |
| --- | --- | --- | --- |
@@ -62,7 +63,7 @@ The Semi-Annual Channel is the default servicing channel for all Windows 10 devi
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** - enable policy and set branch readiness level to the Semi-Annual Channel
-**To assign devices to to the Semi-Annual Channel by using MDM**
+**To assign devices to the Semi-Annual Channel by using MDM**
- In Windows 10, version 1607 and later releases:
@@ -78,10 +79,10 @@ The Semi-Annual Channel is the default servicing channel for all Windows 10 devi
## Enroll devices in the Windows Insider Program
-To get started with the Windows Insider Program for Business, you will need to follow a few simple steps:
+To get started with the Windows Insider Program for Business, you will need to follow a few steps:
1. On the [Windows Insider](https://insider.windows.com) website, go to **For Business > Getting Started** to [register your organizational Azure AD account](https://insider.windows.com/insidersigninaad/).
-2. **Register your domain**. Rather than have each user register individually for Insider Preview builds, administrators can simply [register their domain](https://insider.windows.com/for-business-organization-admin/) and control settings centrally.**Note:** The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register the domain.
+2. **Register your domain**. Rather than have each user register individually for Insider Preview builds, administrators can [register their domain](https://insider.windows.com/for-business-organization-admin/) and control settings centrally.**Note:** The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register the domain.
3. Make sure the **Allow Telemetry** setting is set to **2** or higher.
4. Starting with Windows 10, version 1709, set policies to manage preview builds and their delivery:
@@ -89,7 +90,7 @@ The **Manage preview builds** setting gives administrators control over enabling
* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds*
* MDM: **Update/ManagePreviewBuilds**
-The **Branch Readiness Level** settings allows you to choose between preview flight rings, and allows you to defer or pause the delivery of updates.
+The **Branch Readiness Level** settings allow you to choose between preview flight rings, and allows you to defer or pause the delivery of updates.
* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business** - *Select when Preview Builds and Feature Updates are received*
* MDM: **Update/BranchReadinessLevel**
@@ -163,7 +164,7 @@ During the life of a device, it might be necessary or desirable to switch betwee
In Windows 10, administrators can control user access to Windows Update.
-Administrators can disable the "Check for updates" option for users by enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features** . Any background update scans, downloads and installations will continue to work as configured. We don't recomment this setting if you have configured the device to "notify" to download or install as this policy will prevent the user from being able to do so.
+Administrators can disable the "Check for updates" option for users by enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features**. Any background update scans, downloads, and installations will continue to work as configured. We don't recomment this setting if you have configured the device to "notify" to download or install as this policy will prevent the user from being able to do so.
>[!NOTE]
> Starting with Windows 10, any Group Policy user configuration settings for Windows Update are no longer supported.
@@ -181,8 +182,7 @@ Administrators can disable the "Check for updates" option for users by enabling
## Related topics
-- [Update Windows 10 in the enterprise](index.md)
-- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Update Windows 10 in the enterprise](index.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
diff --git a/windows/deployment/update/waas-servicing-differences.md b/windows/deployment/update/waas-servicing-differences.md
index 81e33643c9..d06e1da91b 100644
--- a/windows/deployment/update/waas-servicing-differences.md
+++ b/windows/deployment/update/waas-servicing-differences.md
@@ -2,7 +2,7 @@
title: Servicing differences between Windows 10 and older operating systems
ms.reviewer:
manager: laurawi
-description: Learn the differences between servicing Windows 10 and servicing older operating systems.
+description: In this article, learn the differences between servicing Windows 10 and servicing older operating systems.
keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
ms.prod: w10
ms.mktglfcycl: manage
@@ -12,6 +12,7 @@ ms.audience: itpro
author: jaimeo
ms.topic: article
ms.collection: M365-modern-desktop
+ms.custom: seo-marvel-apr2020
---
# Understanding the differences between servicing Windows 10-era and legacy Windows operating systems
@@ -31,7 +32,7 @@ Prior to Windows 10, all updates to operating system (OS) components were publis
As a result, each environment within the global Windows ecosystem that had only a subset of security and non-security fixes installed had a different set of binaries and behaviors than those that consistently installed every available update as tested by Microsoft.
-This resulted in a fragmented ecosystem that created diverse challenges in predictively testing interoperability, resulting in high update failure rates - which were subsequently mitigated by customers removing individual updates that were causing issues. Each customer that selectively removed individual updates amplified this fragmentation by creating more diverse environment permutations across the ecosystem. As an IT Administrator once quipped, "If you’ve seen one Windows 7 PC, you have seen one Windows 7 PC," suggesting no consistency or predictability across more than 250M commercial devices at the time.
+This resulted in a fragmented ecosystem that created diverse challenges in predictively testing interoperability, resulting in high update failure rates - which were subsequently mitigated by customers removing individual updates that were causing issues. Each customer that selectively removed individual updates amplified this fragmentation by creating more diverse environment permutations across the ecosystem. As an IT Administrator once quipped, "If you've seen one Windows 7 PC, you have seen one Windows 7 PC," suggesting no consistency or predictability across more than 250M commercial devices at the time.
## Windows 10 – Next generation
Windows 10 provided an opportunity to end the era of infinite fragmentation. With Windows 10 and the Windows as a service model, updates came rolled together in the "latest cumulative update" (LCU) packages for both client and server. Every new update published includes all changes from previous updates, as well as new fixes. Since Windows client and server share the same code base, these LCUs allow the same update to be installed on the same client and server OS family, further reducing fragmentation.
@@ -64,12 +65,12 @@ While Windows 10 updates could have been controlled as cumulative from "Day 1,"
Customers saw the LCU model used for Windows 10 as having packages that were too large and represented too much of a change for legacy operating systems, so a different model was implemented. Windows instead offered one cumulative package (Monthly Rollup) and one individual package (Security Only) for all legacy operating systems.
-The Monthly Rollup includes new non-security (if appropriate), security updates, Internet Explorer (IE) updates, and all updates from the previous month similar to the Windows 10 model. The Security-only package includes only new security updates for the month. This means that any security updates from any previous month are not included in current month’s Security-Only Package. If a Security-Only update is missed, it is missed. Those updates will not appear in a future Security-Only update. Additionally, a cumulative package is offered for IE, which can be tested and installed separately, reducing the total update package size. The IE cumulative update includes both security and non-security fixes following the same model as Windows 10.
+The Monthly Rollup includes new non-security (if appropriate), security updates, Internet Explorer (IE) updates, and all updates from the previous month similar to the Windows 10 model. The Security-only package includes only new security updates for the month. This means that any security updates from any previous month are not included in current month's Security-Only Package. If a Security-Only update is missed, it is missed. Those updates will not appear in a future Security-Only update. Additionally, a cumulative package is offered for IE, which can be tested and installed separately, reducing the total update package size. The IE cumulative update includes both security and non-security fixes following the same model as Windows 10.
*Figure 2.0 - Legacy OS security-only update model*
-Moving to the cumulative model for legacy OS versions continues to improve predictability of update quality. The Windows legacy environments which have fully updated machines with Monthly Rollups are running the same baseline against which all legacy OS version updates are tested. These include all of the updates (security and non-security) prior to and after October 2016. Many customer environments do not have all updates prior to this change installed, which leaves some continued fragmentation in the ecosystem. Further, customers who are installing Security-Only Updates and potentially doing so inconsistently are also more fragmented than Microsoft’s test environments for legacy OS version. This remaining fragmentation results in issues like those seen when the September 2016 Servicing Stack Update (SSU) was needed for smooth installation of the August 2018 security update. These environments did not have the SSU applied previously.
+Moving to the cumulative model for legacy OS versions continues to improve predictability of update quality. The Windows legacy environments which have fully updated machines with Monthly Rollups are running the same baseline against which all legacy OS version updates are tested. These include all of the updates (security and non-security) prior to and after October 2016. Many customer environments do not have all updates prior to this change installed, which leaves some continued fragmentation in the ecosystem. Further, customers who are installing Security-Only Updates and potentially doing so inconsistently are also more fragmented than Microsoft's test environments for legacy OS version. This remaining fragmentation results in issues like those seen when the September 2016 Servicing Stack Update (SSU) was needed for smooth installation of the August 2018 security update. These environments did not have the SSU applied previously.
### Points to consider
- Windows 7 and Windows 8 legacy operating system updates [moved from individual to cumulative in October 2016](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/More-on-Windows-7-and-Windows-8-1-servicing-changes/ba-p/166783). Devices with updates missing prior to that point are still missing those updates, as they were not included in the subsequent cumulative packages.
@@ -83,10 +84,10 @@ Moving to the cumulative model for legacy OS versions continues to improve predi
- For [Windows Server 2008 SP2](https://cloudblogs.microsoft.com/windowsserver/2018/06/12/windows-server-2008-sp2-servicing-changes/), cumulative updates began in October 2018, and follow the same model as Windows 7. Updates for IE9 are included in those packages, as the last supported version of Internet Explorer for that Legacy OS version.
## Public preview releases
-Lastly, the cumulative update model directly impacts the public Preview releases offered in the 3rd and/or 4th weeks of the month. Update Tuesday, also referred to as the "B" week release occurs on the second Tuesday of the month. It is always a required security update across all operating systems. In addition to this monthly release, Windows also releases non-security update "previews" targeting the 3rd (C) and the 4th (D) weeks of the month. These preview releases include that month’s B-release plus a set of non-security updates for testing and validation as a cumulative package. We recommend IT Administrators uses the C/D previews to test the update in their environments. Any issues identified with the updates in the C/D releases are identified and then fixed or removed, prior to being rolled up in to the next month’s B release package together with new security updates. Security-only Packages are not part of the C/D preview program.
+Lastly, the cumulative update model directly impacts the public Preview releases offered in the 3rd and/or 4th weeks of the month. Update Tuesday, also referred to as the "B" week release occurs on the second Tuesday of the month. It is always a required security update across all operating systems. In addition to this monthly release, Windows also releases non-security update "previews" targeting the 3rd (C) and the 4th (D) weeks of the month. These preview releases include that month's B-release plus a set of non-security updates for testing and validation as a cumulative package. We recommend IT Administrators uses the C/D previews to test the update in their environments. Any issues identified with the updates in the C/D releases are identified and then fixed or removed, prior to being rolled up in to the next month's B release package together with new security updates. Security-only Packages are not part of the C/D preview program.
> [!NOTE]
-> Only preview updates for the most recent release of Windows 10 are published to Windows Server Update Services (WSUS). For customers using the WSUS channel, and products such as Microsoft Endpoint Configuration Manager that rely on it, will not see preview updates for older versions of Windows 10.
+> Only preview updates for the most recent release of Windows 10 are published to Windows Server Update Services (WSUS). For customers using the WSUS channel, and products such as Microsoft Endpoint Manager that rely on it, will not see preview updates for older versions of Windows 10.
> [!NOTE]
> Preview updates for Windows 10 are not named differently than their LCU counterparts and do not contain the word 'Preview'. They can be identified by their release date (C or D week) and their classification as non-security updates.
@@ -102,9 +103,9 @@ All of these updates are cumulative and build on each other for Windows 10. This
*Figure 3.0 - Preview releases within the Windows 10 LCU model*
## Previews vs. on-demand releases
-In 2018, we experienced incidents which required urgent remediation that didn’t map to the monthly update release cadence. These incidents were situations that required an immediate fix to an Update Tuesday release. While Windows engineering worked aggressively to respond within a week of the B-release, these "on-demand" releases created confusion with the C Preview releases.
+In 2018, we experienced incidents which required urgent remediation that didn't map to the monthly update release cadence. These incidents were situations that required an immediate fix to an Update Tuesday release. While Windows engineering worked aggressively to respond within a week of the B-release, these "on-demand" releases created confusion with the C Preview releases.
-As a general policy, if a Security-Only package has a regression, which is defined as an unintentional error in the code of an update, then the fix for that regression will be added to the next month’s Security-Only Update. The fix for that regression may also be offered as part an On-Demand release and will be rolled into the next Monthly Update. (Note: Exceptions do exist to this policy, based on timing.)
+As a general policy, if a Security-Only package has a regression, which is defined as an unintentional error in the code of an update, then the fix for that regression will be added to the next month's Security-Only Update. The fix for that regression may also be offered as part an On-Demand release and will be rolled into the next Monthly Update. (Note: Exceptions do exist to this policy, based on timing.)
### Point to consider
- When Windows identifies an issue with a Update Tuesday release, engineering teams work to remediate or fix the issue as quickly as possible. The outcome is often a new update which may be released at any time, including during the 3rd or 4th week of the month. Such updates are independent of the regularly scheduled "C" and "D" update previews. These updates are created on-demand to remediate a customer impacting issue. In most cases they are qualified as a "non-security" update, and do not require a system reboot.
diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
index 737657aea5..1edbd81af3 100644
--- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
@@ -22,30 +22,30 @@ ms.collection: m365initiative-coredeploy
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-In the past, traditional Windows deployments tended to be large, lengthy, and expensive. Windows 10 offers a new approach to deploying both quality and feature updates, making the process much simpler and therefore the planning much more straightforward. With Windows as a service, the methodology around updating Windows has completely changed, moving away from major upgrades every few years to iterative updates twice per year. Each iteration contains a smaller subset of changes so that they won’t seem like substantial differences, like they do today. This image illustrates the level of effort needed for traditional Windows deployments versus servicing Windows 10 and how it is now spread evenly over time versus spiking every few years.
+In the past, traditional Windows deployments tended to be large, lengthy, and expensive. Windows 10 offers a new approach to deploying both quality and feature updates, making the process much simpler and therefore the planning much more straightforward. With Windows as a service, the methodology around updating Windows has changed, moving away from major upgrades every few years to iterative updates twice per year. Each iteration contains a smaller subset of changes so that they won’t seem like substantial differences, like they do today. This image illustrates the level of effort needed for traditional Windows deployments versus servicing Windows 10 and how it is now spread evenly over time versus spiking every few years.
Windows 10 spreads the traditional deployment effort of a Windows upgrade, which typically occurred every few years, over smaller, continuous updates. With this change, you must approach the ongoing deployment and servicing of Windows differently. A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update. Here’s an example of what this process might look like:
-- **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before they’re available to the Semi-Annual Channel. Typically, this would be a small number of test devices that IT staff members use to evaluate pre-release builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program on a Windows 10 device.
+- **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before they’re available to the Semi-Annual Channel. Typically, this population would be a few test devices that IT staff members use to evaluate pre-release builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program on a Windows 10 device.
- **Identify excluded devices.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than the Semi-Annual Channel can offer. For those machines, you must install Windows 10 Enterprise LTSB to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly.
- **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you’re looking for feedback rather than people to just “try it out” and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible.
-- **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain will need to download a .admx package and copy it to their [Central Store](https://support.microsoft.com/help/929841/how-to-create-the-central-store-for-group-policy-administrative-templa) (or to the [PolicyDefinitions](https://msdn.microsoft.com/library/bb530196.aspx) directory in the SYSVOL folder of a domain controller if not using a Central Store). Always manage new group polices from the version of Windows 10 they shipped with by using the Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for “ADMX download for Windows build xxxx”. For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra)
-- **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or Microsoft Endpoint Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 updates. Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. With Windows 10, multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools).
-- **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those that are the most business critical. Because the expectation is that application compatibility with Windows 10 will be high, only the most business critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](../upgrade/manage-windows-upgrades-with-upgrade-readiness.md).
+- **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain will need to download an .admx package and copy it to their [Central Store](https://support.microsoft.com/help/929841/how-to-create-the-central-store-for-group-policy-administrative-templa) (or to the [PolicyDefinitions](https://msdn.microsoft.com/library/bb530196.aspx) directory in the SYSVOL folder of a domain controller if not using a Central Store). Always manage new group policies from the version of Windows 10 they shipped with by using the Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for “ADMX download for Windows build xxxx”. For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra)
+- **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or Microsoft Endpoint Manager to manage your Windows updates, you can continue using those products to manage Windows 10 updates. Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. With Windows 10, multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools).
+- **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those apps that are the most business critical. Because the expectation is that application compatibility with Windows 10 will be high, only the most business critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](../upgrade/manage-windows-upgrades-with-upgrade-readiness.md).
> [!NOTE]
> This strategy is applicable to approaching an environment in which Windows 10 already exists. For information about how to deploy or upgrade to Windows 10 where another version of Windows exists, see [Plan for Windows 10 deployment](../planning/index.md).
>
-> Windows 10 Enterprise LTSB is a separate Long Term Servicing Channel version.
+> Windows 10 Enterprise LTSC is a separate Long-Term Servicing Channel version.
Each time Microsoft releases a Windows 10 feature update, the IT department should use the following high-level process to help ensure that the broad deployment is successful:
1. **Validate compatibility of business critical apps.** Test your most important business-critical applications for compatibility with the new Windows 10 feature update running on your Windows Insider machines identified in the earlier “Configure test machines” step of the Predeployment strategy section. The list of applications involved in this validation process should be small because most applications can be tested during the pilot phase. For more information about device and application compatibility in Windows 10, see the section Compatibility.
-2. **Target and react to feedback.** With Windows 10, Microsoft expects application and device compatibility to be high, but it’s still important to have targeted groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this will represent the majority of application compatibility testing in your environment. This should not necessarily be a formal process but rather user validation through the use of a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your targeted groups running in the Semi-Annual channel that you identified in the “Recruit volunteers” step of the Predeployment strategy section. Be sure to communicate clearly that you’re looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan in place to address it.
-3. **Deploy broadly.** Finally, focus on the large-scale deployment using deployment rings, like the ones discussed in Table 1. Build deployment rings that target groups of computers in your selected update-management product. To reduce risk as much as possible, construct your deployment rings in a way that splits individual departments into multiple rings. This way, if you were to encounter an issue, you don’t prevent any critical business from continuing. By using this method, each deployment ring reduces risk as more and more people have been updated in any particular department.
+2. **Target and react to feedback.** With Windows 10, Microsoft expects application and device compatibility to be high, but it’s still important to have targeted groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this activity will represent most of the application compatibility testing in your environment. It shouldn't necessarily be a formal process but rather user validation by using a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your targeted groups running in the Semi-Annual channel that you identified in the “Recruit volunteers” step of the Predeployment strategy section. Be sure to communicate clearly that you’re looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan in place to address it.
+3. **Deploy broadly.** Finally, focus on the large-scale deployment using deployment rings, like the ones discussed in Table 1. Build deployment rings that target groups of computers in your selected update-management product. To reduce risk as much as possible, construct your deployment rings in a way that splits individual departments into multiple rings. This way, if you were to encounter an issue, you don’t prevent any critical business from continuing. By using this method, each deployment ring reduces risk as more people have been updated in any particular department.
## Steps to manage updates for Windows 10
@@ -62,8 +62,7 @@ Each time Microsoft releases a Windows 10 feature update, the IT department shou
## Related topics
-- [Update Windows 10 in the enterprise](index.md)
-- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Update Windows 10 in the enterprise](index.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md
index 323e565a06..5240b3cf66 100644
--- a/windows/deployment/update/waas-wu-settings.md
+++ b/windows/deployment/update/waas-wu-settings.md
@@ -1,6 +1,6 @@
---
title: Manage additional Windows Update settings (Windows 10)
-description: Additional settings to control the behavior of Windows Update (WU) in Windows 10
+description: In this article, learn about additional settings to control the behavior of Windows Update in Windows 10.
ms.prod: w10
ms.mktglfcycl: deploy
audience: itpro
@@ -10,6 +10,7 @@ author: jaimeo
ms.reviewer:
manager: laurawi
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# Manage additional Windows Update settings
@@ -61,7 +62,7 @@ This setting lets you specify a server on your network to function as an interna
To use this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify Intranet Microsoft update service location**. You must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update Agent to download updates from an alternate download server instead of the intranet update service.
-If the setting is set to **Enabled**, the Automatic Updates client connects to the specified intranet Microsoft update service (or alternate download server), instead of Windows Update, to search for and download updates. Enabling this setting means that end users in your organization don’t have to go through a firewall to get updates, and it gives you the opportunity to test updates after deploying them.
+If the setting is set to **Enabled**, the Automatic Updates client connects to the specified intranet Microsoft update service (or alternate download server), instead of Windows Update, to search for and download updates. Enabling this setting means that end users in your organization don't have to go through a firewall to get updates, and it gives you the opportunity to test updates after deploying them.
If the setting is set to **Disabled** or **Not Configured**, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
The alternate download server configures the Windows Update Agent to download files from an alternative download server instead of the intranet update service.
@@ -86,9 +87,9 @@ If the setting is set to **Enabled**, Windows will check for available updates a
If the setting is set to **Disabled** or **Not Configured**, Windows will check for available updates at the default interval of 22 hours.
>[!NOTE]
->The “Specify intranet Microsoft update service location” setting must be enabled for this policy to have effect.
+>The "Specify intranet Microsoft update service location" setting must be enabled for this policy to have effect.
>
->If the “Configure Automatic Updates” policy is disabled, this policy has no effect.
+>If the "Configure Automatic Updates" policy is disabled, this policy has no effect.
To configure this policy with MDM, use [DetectionFrequency](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-detectionfrequency).
@@ -116,7 +117,7 @@ If the setting is set to **Disabled** or **Not Configured**, no target group inf
If the intranet Microsoft update service supports multiple target groups, this policy can specify multiple group names separated by semicolons. Otherwise, a single group must be specified.
>[!NOTE]
->This policy applies only when the intranet Microsoft update service the device is directed to is configured to support client-side targeting. If the “Specify intranet Microsoft update service location” policy is disabled or not configured, this policy has no effect.
+>This policy applies only when the intranet Microsoft update service the device is directed to is configured to support client-side targeting. If the "Specify intranet Microsoft update service location" policy is disabled or not configured, this policy has no effect.
### Allow signed updates from an intranet Microsoft update service location
@@ -124,7 +125,7 @@ This policy setting allows you to manage whether Automatic Updates accepts updat
To configure this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows update\Allow signed updates from an intranet Microsoft update service location**.
-If you enable this policy setting, Automatic Updates accepts updates received through an intranet Microsoft update service location, as specified by [Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location), if they are signed by a certificate found in the “Trusted Publishers” certificate store of the local computer.
+If you enable this policy setting, Automatic Updates accepts updates received through an intranet Microsoft update service location, as specified by [Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location), if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer.
If you disable or do not configure this policy setting, updates from an intranet Microsoft update service location must be signed by Microsoft.
>[!NOTE]
@@ -251,7 +252,6 @@ HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
- [Update Windows 10 in the enterprise](index.md)
- [Overview of Windows as a service](waas-overview.md)
-- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
diff --git a/windows/deployment/update/waas-wufb-csp-mdm.md b/windows/deployment/update/waas-wufb-csp-mdm.md
index d7a01438ab..07f5fbcc98 100644
--- a/windows/deployment/update/waas-wufb-csp-mdm.md
+++ b/windows/deployment/update/waas-wufb-csp-mdm.md
@@ -105,7 +105,7 @@ Now all devices are paused from updating for 35 days. When the pause is removed,
#### I want to stay on a specific version
-If you need a device to stay on a version beyond the point when deferrals on the next version would elapse or if you need to skip a version (for example, update fall release to fall release) use the [Update/TargetReleaseVersion](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-targetreleaseversion) (or Deploy Feature Updates Preview in Intune) instead of using feature update deferrals. When you use this policy, specify the version that you want your device(s) to move to or stay on (for example, "1909"). You can find version information at the [Windows 10 Release Information Page](https://docs.microsoft.com/windows/release-information/).
+If you need a device to stay on a version beyond the point when deferrals on the next version would elapse or if you need to skip a version (for example, update fall release to fall release) use the [Update/TargetReleaseVersion](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-targetreleaseversion) (or Deploy Feature Updates Preview in Intune) instead of using feature update deferrals. When you use this policy, specify the version that you want your device(s) to move to or stay on (for example, "1909"). You can find version information at the [Windows 10 Release Information Page](https://docs.microsoft.com/windows/release-health/release-information).
### Manage how users experience updates
@@ -205,8 +205,7 @@ If you use Windows Server Update Server (WSUS), you can prevent users from scann
- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
-- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md
index 5c22b5cd47..22086a9521 100644
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@@ -203,7 +203,6 @@ If you use Windows Server Update Server (WSUS), you can prevent users from scann
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
diff --git a/windows/deployment/update/waas-wufb-intune.md b/windows/deployment/update/waas-wufb-intune.md
index 92ee39c436..84f56c8131 100644
--- a/windows/deployment/update/waas-wufb-intune.md
+++ b/windows/deployment/update/waas-wufb-intune.md
@@ -1,6 +1,6 @@
---
title: Walkthrough use Intune to configure Windows Update for Business (Windows 10)
-description: Configure Windows Update for Business settings using Microsoft Intune.
+description: In this article, learn how to configure Windows Update for Business settings using Microsoft Intune.
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
@@ -29,7 +29,7 @@ author: jaimeo
>
>In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel.
-You can use Intune to configure Windows Update for Business even if you don’t have on-premises infrastructure when you use Intune in conjunction with Azure AD. Before configuring Windows Update for Business, consider a [deployment strategy](waas-servicing-strategy-windows-10-updates.md) for updates and feature updates in your environment.
+You can use Intune to configure Windows Update for Business even if you don't have on-premises infrastructure when you use Intune in conjunction with Azure AD. Before configuring Windows Update for Business, consider a [deployment strategy](waas-servicing-strategy-windows-10-updates.md) for updates and feature updates in your environment.
Windows Update for Business in Windows 10 version 1511 allows you to delay quality updates up to 4 weeks and feature updates up to an additional 8 months after Microsoft releases builds to the Current Branch for Business (CBB) servicing branch. In Windows 10 version 1607 and later, you can delay quality updates for up to 30 days and feature updates up to an additional 180 days after the release of either a Current Branch (CB) or CBB build.
@@ -42,7 +42,7 @@ To use Intune to manage quality and feature updates in your environment, you mus
In this example, you use two security groups to manage your updates: **Ring 4 Broad business users** and **Ring 5 Broad business users #2** from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md).
-- The **Ring 4 Broad business users** group contains PCs of IT members who test the updates as soon as they’re released for Windows clients in the Current Branch for Business (CBB) servicing branch. This phase typically occurs after testing on Current Branch (CB) devices.
+- The **Ring 4 Broad business users** group contains PCs of IT members who test the updates as soon as they're released for Windows clients in the Current Branch for Business (CBB) servicing branch. This phase typically occurs after testing on Current Branch (CB) devices.
- The **Ring 5 Broad business users #2** group consists of the first line-of-business (LOB) users, who consume quality updates after 1 week and feature updates 1 month after the CBB release.
>[!NOTE]
@@ -69,9 +69,9 @@ In this example, you use two security groups to manage your updates: **Ring 4 Br
>[!NOTE]
>The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax.
- 
+ 
-8. For this deployment ring, you’re required to enable only CBB, so click **Save Policy**.
+8. For this deployment ring, you're required to enable only CBB, so click **Save Policy**.
9. In the **Deploy Policy: Windows Update for Business – CBB1** dialog box, click **Yes**.
@@ -156,7 +156,7 @@ In this example, you use three security groups from Table 1 in [Build deployment
>[!NOTE]
>The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) for the proper syntax.
- 
+ 
8. Because the **Ring 2 Pilot Business Users** deployment ring receives the CB feature updates after 28 days, in the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting.
@@ -164,7 +164,7 @@ In this example, you use three security groups from Table 1 in [Build deployment
10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**.
11. In the **Value** box, type **28**, and then click **OK**.
- 
+ 
9. Click **Save Policy**.
@@ -175,7 +175,7 @@ In this example, you use three security groups from Table 1 in [Build deployment
10. In the **Manage Deployment: Windows Update for Business – CB2** dialog box, select the **Ring 2 Pilot Business Users** group, click **Add**, and then click **OK**.
-You have now configured the **Ring 2 Pilot Business Users** deployment ring to enable CB feature update deferment for 14 days. Now, you must configure **Ring 4 Broad business users** to receive CBB features updates as soon as they’re available.
+You have now configured the **Ring 2 Pilot Business Users** deployment ring to enable CB feature update deferment for 14 days. Now, you must configure **Ring 4 Broad business users** to receive CBB features updates as soon as they're available.
### Configure Ring 4 Broad business users policy
@@ -205,7 +205,7 @@ You have now configured the **Ring 2 Pilot Business Users** deployment ring to e
11. In the **Value** box, type **0**, and then click **OK**.
- 
+ 
12. Click **Save Policy**.
@@ -216,7 +216,7 @@ You have now configured the **Ring 2 Pilot Business Users** deployment ring to e
14. In the **Manage Deployment: Windows Update for Business – CBB1** dialog box, select the **Ring 4 Broad business users** group, click **Add**, and then click **OK**.
-You have now configured the **Ring 4 Broad business users** deployment ring to receive CBB feature updates as soon as they’re available. Finally, configure **Ring 5 Broad business users #2** to accommodate a 7-day delay for quality updates and a 14-day delay for feature updates.
+You have now configured the **Ring 4 Broad business users** deployment ring to receive CBB feature updates as soon as they're available. Finally, configure **Ring 5 Broad business users #2** to accommodate a 7-day delay for quality updates and a 14-day delay for feature updates.
### Configure Ring 5 Broad business users \#2 policy
@@ -255,7 +255,7 @@ You have now configured the **Ring 4 Broad business users** deployment ring to r
15. In the **Value** box, type **14**, and then click **OK**.
- 
+ 
16. Click **Save Policy**.
@@ -275,8 +275,7 @@ You have now configured the **Ring 4 Broad business users** deployment ring to r
- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
-- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
+- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md
index e992f49cb7..0851b39651 100644
--- a/windows/deployment/update/windows-as-a-service.md
+++ b/windows/deployment/update/windows-as-a-service.md
@@ -6,6 +6,7 @@ ms.manager: laurawi
audience: itpro
itproauthor: jaimeo
author: jaimeo
+ms.author: jaimeo
description: Discover the latest news articles, videos, and podcasts about Windows as a service. Find resources for using Windows as a service within your organization.
ms.audience: itpro
ms.reviewer:
@@ -46,7 +47,7 @@ The latest news:
## IT pro champs corner
Written by IT pros for IT pros, sharing real world examples and scenarios for Windows 10 deployment and servicing.
-
+
**NEW** Tactical considerations for creating Windows deployment rings
@@ -67,7 +68,7 @@ Written by IT pros for IT pros, sharing real world examples and scenarios for Wi
Learn more about Windows as a service and its value to your organization.
-
+
Overview of Windows as a service
@@ -82,7 +83,7 @@ Learn more about Windows as a service and its value to your organization.
Prepare to implement Windows as a service effectively using the right tools, products, and strategies.
-
+
Simplified updates
@@ -98,7 +99,7 @@ Prepare to implement Windows as a service effectively using the right tools, pro
Secure your organization's deployment investment.
-
+
Update Windows 10 in the enterprise
@@ -112,6 +113,6 @@ Secure your organization's deployment investment.
## Microsoft Ignite 2018
-
+
Looking to learn more? These informative session replays from Microsoft Ignite 2018 (complete with downloadable slide decks) can provide some great insights on Windows as a service. See [MyIgnite - Session catalog](https://myignite.techcommunity.microsoft.com/sessions).
diff --git a/windows/deployment/update/windows-update-error-reference.md b/windows/deployment/update/windows-update-error-reference.md
index 471073ea8f..fa6a49c1a0 100644
--- a/windows/deployment/update/windows-update-error-reference.md
+++ b/windows/deployment/update/windows-update-error-reference.md
@@ -12,6 +12,7 @@ ms.date: 09/18/2018
ms.reviewer:
manager: laurawi
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# Windows Update error codes by component
diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md
index e3d4342c33..0cad11e031 100644
--- a/windows/deployment/update/windows-update-errors.md
+++ b/windows/deployment/update/windows-update-errors.md
@@ -1,16 +1,16 @@
---
title: Windows Update common errors and mitigation
-description: Learn about some common issues you might experience with Windows Update
+description: In this article, learn about some common issues you might experience with Windows Update, as well as steps to resolve them.
ms.prod: w10
ms.mktglfcycl:
audience: itpro
itproauthor: jaimeo
ms.audience: itpro
author: jaimeo
-ms.date: 09/18/2018
ms.reviewer:
manager: laurawi
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# Windows Update common errors and mitigation
@@ -22,18 +22,18 @@ The following table provides information about common errors you might run into
| Error Code | Message | Description | Mitigation |
|------------------------------------------|-----------------------------------|-----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 0x8024402F | WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External cab file processing completed with some errors | One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering.
The IP addresses of the computers you want to get updates successfully on, should be added to the exceptions list of Lightspeed |
-| 0x80242006 | WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename Software Redistribution Folder and attempt to download the updates again:
Rename the following folders to \*.BAK:
- %systemroot%\system32\catroot2
To do this, type the following commands at a command prompt. Press ENTER after you type each command.
- Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
- Ren %systemroot%\SoftwareDistribution\Download \*.bak
Ren %systemroot%\system32\catroot2 \*.bak |
-| 0x80070BC9 | ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. A system reboot is required to roll back changes made. | Ensure that we do not have any policies that control the start behavior for the Windows Module Installer. This service should not be hardened to any start value and should be managed by the OS. |
-| 0x80200053 | BG_E_VALIDATION_FAILED | NA | Ensure that there is no Firewalls that filter downloads. The Firewall filtering may lead to invalid responses being received by the Windows Update Client.
If the issue still persists, run the [WU reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc). |
-| 0x80072EE2 | WININET_E_TIMEOUT | The operation timed out | This error message can be caused if the computer isn't connected to Internet. To fix this issue, following these steps: make sure these URLs are not blocked:
http://.update.microsoft.com
https://.update.microsoft.com
Additionally , you can take a network trace and see what is timing out. \
Add the IP addresses of devices you want to get updates to the exceptions list of Lightspeed |
+| 0x80242006 | WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename Software Redistribution Folder and attempt to download the updates again:
Rename the following folders to \*.BAK:
- %systemroot%\system32\catroot2
Type the following commands at a command prompt. Press ENTER after you type each command.
- Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
- Ren %systemroot%\SoftwareDistribution\Download \*.bak
Ren %systemroot%\system32\catroot2 \*.bak |
+| 0x80070BC9 | ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. A system reboot is required to roll back changes made. | Ensure that you don't have any policies that control the start behavior for the Windows Module Installer. This service should be managed by the operating system. |
+| 0x80200053 | BG_E_VALIDATION_FAILED | NA | Ensure that there are no firewalls that filter downloads. Such filtering could lead to incorrect responses being received by the Windows Update Client.
If the issue still persists, run the [Windows Update reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc). |
+| 0x80072EE2 | WININET_E_TIMEOUT | The operation timed out | This error message can be caused if the computer isn't connected to the Internet. To fix this issue, follow these steps: make sure these URLs are not blocked:
http://.update.microsoft.com
https://.update.microsoft.com
You can also take a network trace to check what is timing out. \
0x80072EFE
0x80D02002 | TIME_OUT_ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs.
Take a network monitor trace to understand better. \
Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. |
| 0x80244007 | WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows cannot renew the cookies for Windows Update.
Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. |
diff --git a/windows/deployment/update/windows-update-logs.md b/windows/deployment/update/windows-update-logs.md
index 68d6b72b20..37dcc627f0 100644
--- a/windows/deployment/update/windows-update-logs.md
+++ b/windows/deployment/update/windows-update-logs.md
@@ -1,16 +1,16 @@
---
title: Windows Update log files
-description: Learn about the Windows Update log files and how to merge and convert WU trace files (.etl files) into a single readable WindowsUpdate.log file.
+description: Learn about the Windows Update log files and how to merge and convert Windows Update trace files (.etl files) into a single readable WindowsUpdate.log file.
ms.prod: w10
ms.mktglfcycl:
audience: itpro
itproauthor: jaimeo
ms.audience: itpro
author: jaimeo
-ms.date: 09/18/2018
ms.reviewer:
manager: laurawi
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# Windows Update log files
@@ -20,21 +20,21 @@ ms.topic: article
The following table describes the log files created by Windows Update.
-|Log file|Location|Description|When to Use |
+|Log file|Location|Description|When to use |
|-|-|-|-|
-|windowsupdate.log|C:\Windows\Logs\WindowsUpdate|Starting in Windows 8.1 and continuing in Windows 10, Windows Update client uses Event Tracing for Windows (ETW) to generate diagnostic logs.|If you receive an error message when you run Windows Update (WU), you can use the information that is included in the Windowsupdate.log log file to troubleshoot the issue.|
-|UpdateSessionOrchestration.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the Update Orchestrator is responsible for sequence of downloading and installing various update types from Windows Update. And the events are logged to these etl files.|When you see that the updates are available but download is not getting triggered.
When Updates are downloaded but installation is not triggered.
When Updates are installed but reboot is not triggered. |
-|NotificationUxBroker.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the notification toast or the banner is triggered by this NotificationUxBroker.exe . And the logs to check its working is this etl. |When you want to check whether the Notification was triggered or not for reboot or update availability etc. |
-|CBS.log|%systemroot%\Logs\CBS|This logs provides insight on the update installation part in the servicing stack.|To troubleshoot the issues related to WU installation.|
+|windowsupdate.log|C:\Windows\Logs\WindowsUpdate|Starting in Windows 8.1 and continuing in Windows 10, Windows Update client uses Event Tracing for Windows (ETW) to generate diagnostic logs.|If you receive an error message when you run Windows Update, you can use the information that is included in the Windowsupdate.log log file to troubleshoot the issue.|
+|UpdateSessionOrchestration.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the Update Orchestrator is responsible for sequence of downloading and installing various update types from Windows Update. And the events are logged to these .etl files.|When you see that the updates are available but download is not getting triggered.
When Updates are downloaded but installation is not triggered.
When Updates are installed but reboot is not triggered. |
+|NotificationUxBroker.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the notification toast or the banner is triggered by NotificationUxBroker.exe. |When you want to check whether the notification was triggered or not. |
+|CBS.log|%systemroot%\Logs\CBS|This log provides insight on the update installation part in the servicing stack.|To troubleshoot the issues related to Windows Update installation.|
## Generating WindowsUpdate.log
-To merge and convert WU trace files (.etl files) into a single readable WindowsUpdate.log file, see [Get-WindowsUpdateLog](https://docs.microsoft.com/powershell/module/windowsupdate/get-windowsupdatelog?view=win10-ps).
+To merge and convert Windows Update trace files (.etl files) into a single readable WindowsUpdate.log file, see [Get-WindowsUpdateLog](https://docs.microsoft.com/powershell/module/windowsupdate/get-windowsupdatelog?view=win10-ps&preserve-view=tru).
>[!NOTE]
->When you run the **Get-WindowsUpdateLog** cmdlet, an copy of WindowsUpdate.log file is created as a static log file. It does not update as the old WindowsUpate.log unless you run **Get-WindowsUpdateLog** again.
+>When you run the **Get-WindowsUpdateLog** cmdlet, an copy of WindowsUpdate.log file is created as a static log file. It does not update as the old WindowsUpdate.log unless you run **Get-WindowsUpdateLog** again.
### Windows Update log components
-The WU engine has different component names. The following are some of the most common components that appear in the WindowsUpdate.log file:
+The Windows Update engine has different component names. The following are some of the most common components that appear in the WindowsUpdate.log file:
- AGENT- Windows Update agent
- AU - Automatic Updates is performing this task
@@ -64,7 +64,7 @@ The WU engine has different component names. The following are some of the most
- IdleTimer - Tracking active calls, stopping a service
>[!NOTE]
->Many component log messages are invaluable if you are looking for problems in that specific area. However, they can be useless if you don't filter to exclude irrelevant components so that you can focus on what’s important.
+>Many component log messages are invaluable if you are looking for problems in that specific area. However, they can be useless if you don't filter to exclude irrelevant components so that you can focus on what's important.
### Windows Update log structure
The Windows update log structure is separated into four main identities:
@@ -92,12 +92,12 @@ The time stamp indicates the time at which the logging occurs.
The Process IDs and Thread IDs are random, and they can vary from log to log and even from service session to service session within the same log.
- The first four hex digits are the process ID.
- The next four hex digits are the thread ID.
-- Each component, such as the USO, WU engine, COM API callers, and WU installer handlers, has its own process ID.
+- Each component, such as the USO, Windows Update engine, COM API callers, and Windows Update installer handlers, has its own process ID.
#### Component name
-Search for and identify the components that are associated with the IDs. Different parts of the WU engine have different component names. Some of them are as follows:
+Search for and identify the components that are associated with the IDs. Different parts of the Windows Update engine have different component names. Some of them are as follows:
- ProtocolTalker - Client-server sync
- DownloadManager - Creates and monitors payload downloads
@@ -112,8 +112,8 @@ Search for and identify the components that are associated with the IDs. Differe
#### Update identifiers
##### Update ID and revision number
-There are different identifiers for the same update in different contexts. It’s important to know the identifier schemes.
-- Update ID: A GUID (indicated in the previous screen shot) that's assigned to a given update at publication time
+There are different identifiers for the same update in different contexts. It's important to know the identifier schemes.
+- Update ID: A GUID (indicated in the previous screenshot) that's assigned to a given update at publication time
- Revision number: A number incremented every time that a given update (that has a given update ID) is modified and republished on a service
- Revision numbers are reused from one update to another (not a unique identifier).
- The update ID and revision number are often shown together as "{GUID}.revision."
@@ -121,17 +121,17 @@ There are different identifiers for the same update in different contexts. It’
##### Revision ID
-- A Revision ID (do no confuse this with “revision number”) is a serial number that's issued when an update is initially published or revised on a given service.
-- An existing update that’s revised keeps the same update ID (GUID), has its revision number incremented (for example, from 100 to 101), but gets a completely new revision ID that is not related to the previous ID.
+- A Revision ID (don't confuse this value with "revision number") is a serial number that's issued when an update is initially published or revised on a given service.
+- An existing update that's revised keeps the same update ID (GUID), has its revision number incremented (for example, from 100 to 101), but gets a new revision ID that is not related to the previous ID.
- Revision IDs are unique on a given update source, but not across multiple sources.
-- The same update revision may have completely different revision IDs on WU and WSUS.
-- The same revision ID may represent different updates on WU and WSUS.
+- The same update revision might have different revision IDs on Windows Update and WSUS.
+- The same revision ID might represent different updates on Windows Update and WSUS.
##### Local ID
-- Local ID is a serial number issued when an update is received from a service by a given WU client
-- Usually seen in debug logs, especially involving the local cache for update info (Datastore)
+- Local ID is a serial number issued when an update is received from a service by a given Windows Update client
+- Typically seen in debug logs, especially involving the local cache for update info (Datastore)
- Different client PCs will assign different Local IDs to the same update
-- You can find the local IDs that a client is using by getting the client’s %WINDIR%\SoftwareDistribution\Datastore\Datastore.edb file
+- You can find the local IDs that a client is using by getting the client's %WINDIR%\SoftwareDistribution\Datastore\Datastore.edb file
##### Inconsistent terminology
- Sometimes the logs use terms inconsistently. For example, the InstalledNonLeafUpdateIDs list actually contains revision IDs, not update IDs.
diff --git a/windows/deployment/update/windows-update-overview.md b/windows/deployment/update/windows-update-overview.md
index d96f16274f..9706a55a92 100644
--- a/windows/deployment/update/windows-update-overview.md
+++ b/windows/deployment/update/windows-update-overview.md
@@ -27,6 +27,7 @@ Use the following information to get started with Windows Update:
- Learn how to [troubleshoot Windows Update](windows-update-troubleshooting.md)
- Review [common Windows Update errors](windows-update-errors.md) and check out the [error code reference](windows-update-error-reference.md)
- Review [other resources](windows-update-resources.md) to help you use Windows Update
+- Review [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog) section of Microsoft Blogs.
## Unified Update Platform (UUP) architecture
To understand the changes to the Windows Update architecture that UUP introduces let's start with some new key terms.
diff --git a/windows/deployment/update/windows-update-resources.md b/windows/deployment/update/windows-update-resources.md
index 49b83d23f1..b9eb08a9e3 100644
--- a/windows/deployment/update/windows-update-resources.md
+++ b/windows/deployment/update/windows-update-resources.md
@@ -6,7 +6,6 @@ ms.mktglfcycl:
audience: itpro
ms.localizationpriority: medium
ms.audience: itpro
-ms.date: 09/18/2018
ms.reviewer:
manager: laurawi
ms.topic: article
@@ -16,7 +15,15 @@ author: jaimeo
# Windows Update - additional resources
-> Applies to: Windows 10
+**Applies to**:
+
+- Windows 10
+- Windows Server 2016
+- Windows Server 2019
+
+> [!NOTE]
+> Windows Server 2016 supports policies available in Windows 10, version 1607. Windows Server 2019 supports policies available in Windows 10, version 1809.
+
The following resources provide additional information about using Windows Update.
@@ -32,9 +39,18 @@ The following resources provide additional information about using Windows Updat
## How do I reset Windows Update components?
-[Reset Windows Update Client settings script](https://gallery.technet.microsoft.com/scriptcenter/Reset-WindowsUpdateps1-e0c5eb78) will completely reset the Windows Update client settings. It has been tested on Windows 7, 8, 10, and Windows Server 2012 R2. It will configure the services and registry keys related to Windows Update for default settings. It will also clean up files related to Windows Update, in addition to BITS related data.
+- Try using the [Windows Update Troubleshooter](https://support.microsoft.com/windows/windows-update-troubleshooter-for-windows-10-19bc41ca-ad72-ae67-af3c-89ce169755dd), which will analyze the situation and reset any components that need it.
+- Try the steps in [Troubleshoot problems updating Windows 10](https://support.microsoft.com/windows/troubleshoot-problems-updating-windows-10-188c2b0f-10a7-d72f-65b8-32d177eb136c).
+- Try the steps in [Fix Windows Update](https://support.microsoft.com/sbs/windows/fix-windows-update-errors-18b693b5-7818-5825-8a7e-2a4a37d6d787) errors.
+
+If all else fails, try resetting the Windows Update Agent by running these commands from an elevated command prompt:
+
+ ``` console
+ net stop wuauserv
+ rd /s /q %systemroot%\SoftwareDistribution
+ net start wuauserv
+ ```
-[Reset Windows Update Agent script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc) allows you to reset the Windows Update Agent, resolving issues with Windows Update.
## Reset Windows Update components manually
@@ -42,29 +58,30 @@ The following resources provide additional information about using Windows Updat
``` console
cmd
```
-2. Stop the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
+2. Stop the **BITS service**, the **Windows Update service** and the **Cryptographic service**. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
``` console
net stop bits
net stop wuauserv
+ net stop cryptsvc
```
-3. Delete the qmgr\*.dat files. To do this, type the following command at a command prompt, and then press ENTER:
+3. Delete the **qmgr\*.dat** files. To do this, type the following command at a command prompt, and then press ENTER:
``` console
Del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat"
```
4. If this is your first attempt at resolving your Windows Update issues by using the steps in this article, go to step 5 without carrying out the steps in step 4. The steps in step 4 should only be performed at this point in the troubleshooting if you cannot resolve your Windows Update issues after following all steps but step 4. The steps in step 4 are also performed by the "Aggressive" mode of the Fix it Solution above.
1. Rename the following folders to *.BAK:
``` console
- %systemroot%\SoftwareDistribution\DataStore
- %systemroot%\SoftwareDistribution\Download
- %systemroot%\system32\catroot2
+ %Systemroot%\SoftwareDistribution\DataStore
+ %Systemroot%\SoftwareDistribution\Download
+ %Systemroot%\System32\catroot2
```
To do this, type the following commands at a command prompt. Press ENTER after you type each command.
``` console
- Ren %systemroot%\SoftwareDistribution\DataStore *.bak
- Ren %systemroot%\SoftwareDistribution\Download *.bak
- Ren %systemroot%\system32\catroot2 *.bak
+ Ren %Systemroot%\SoftwareDistribution\DataStore DataStore.bak
+ Ren %Systemroot%\SoftwareDistribution\Download Download.bak
+ Ren %Systemroot%\System32\catroot2 catroot2.bak
```
- 2. Reset the BITS service and the Windows Update service to the default security descriptor. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
+ 2. Reset the **BITS service** and the **Windows Update service** to the default security descriptor. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
``` console
sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
@@ -73,7 +90,7 @@ The following resources provide additional information about using Windows Updat
``` console
cd /d %windir%\system32
```
-6. Reregister the BITS files and the Windows Update files. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
+6. Reregister the **BITS** files and the **Windows Update** files. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
``` console
regsvr32.exe atl.dll
@@ -114,7 +131,7 @@ The following resources provide additional information about using Windows Updat
regsvr32.exe wuwebv.dll
```
-7. Reset Winsock. To do this, type the following command at a command prompt, and then press ENTER:
+7. Reset **Winsock**. To do this, type the following command at a command prompt, and then press ENTER:
``` console
netsh winsock reset
```
@@ -122,13 +139,13 @@ The following resources provide additional information about using Windows Updat
``` console
proxycfg.exe -d
```
-9. Restart the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
+9. Restart the **BITS service**, the **Windows Update service** and the **Cryptographic service**. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
``` console
net start bits
-
- net start wuauserv
+ net start wuauserv
+ net start cryptsvc
```
-10. If you are running Windows Vista or Windows Server 2008, clear the BITS queue. To do this, type the following command at a command prompt, and then press ENTER:
+10. If you are running Windows Vista or Windows Server 2008, clear the **BITS** queue. To do this, type the following command at a command prompt, and then press ENTER:
``` console
bitsadmin.exe /reset /allusers
```
diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md
index 81138d6e5b..92db02e305 100644
--- a/windows/deployment/update/windows-update-troubleshooting.md
+++ b/windows/deployment/update/windows-update-troubleshooting.md
@@ -10,6 +10,7 @@ author: jaimeo
ms.reviewer:
manager: laurawi
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# Windows Update troubleshooting
@@ -20,7 +21,7 @@ If you run into problems when using Windows Update, start with the following ste
1. Run the built-in Windows Update troubleshooter to fix common issues. Navigate to **Settings > Update & Security > Troubleshoot > Windows Update**.
-2. Install the most recent Servicing Stack Update (SSU) that matches your version of Windows from the Microsoft Update Catalog. See [Servicing stack updates](servicing-stack-updates.md) for more details on SSU.
+2. Install the most recent Servicing Stack Update (SSU) that matches your version of Windows from the Microsoft Update Catalog. See [Servicing stack updates](servicing-stack-updates.md) for more details on servicing stack updates.
3. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system:
@@ -40,8 +41,8 @@ Advanced users can also refer to the [log](windows-update-logs.md) generated by
You might encounter the following scenarios when using Windows Update.
-## Why am I offered an older update/upgrade?
-The update that is offered to a device depends on several factors. Some of the most common attributes include the following:
+## Why am I offered an older update?
+The update that is offered to a device depends on several factors. The following are some of the most common attributes:
- OS Build
- OS Branch
@@ -49,20 +50,20 @@ The update that is offered to a device depends on several factors. Some of the m
- OS Architecture
- Device update management configuration
-If the update you're offered isn't the most current available, it might be because your device is being managed by a WSUS server, and you're being offered the updates available on that server. It's also possible, if your device is part of a Windows as a Service deployment ring, that your admin is intentionally slowing the rollout of updates. Since the WaaS rollout is slow and measured to begin with, all devices will not receive the update on the same day.
+If the update you're offered isn't the most current available, it might be because your device is being managed by a WSUS server, and you're being offered the updates available on that server. It's also possible, if your device is part of a deployment group, that your admin is intentionally slowing the rollout of updates. Since the deployment is slow and measured to begin with, all devices will not receive the update on the same day.
## My device is frozen at scan. Why?
-The Settings UI is talking to the Update Orchestrator service which in turn is talking to Windows Update service. If these services stop unexpectedly then you might see this behavior. In such cases, do the following:
+The Settings UI communicates with the Update Orchestrator service that in turn communicates with to Windows Update service. If these services stop unexpectedly, then you might see this behavior. In such cases, follow these steps:
1. Close the Settings app and reopen it.
-2. Launch Services.msc and check if the following services are running:
+2. Start Services.msc and check if the following services are running:
- Update State Orchestrator
- Windows Update
## Feature updates are not being offered while other updates are
-Devices running Windows 10, version 1709 through Windows 10, version 1803 that are [configured to update from Windows Update](#BKMK_DCAT) (including Windows Update for Business scenarios) are able to install servicing and definition updates but are never offered feature updates.
+Devices running Windows 10, version 1709 through Windows 10, version 1803 that are [configured to update from Windows Update](#BKMK_DCAT) (including Windows Update for Business) are able to install servicing and definition updates but are never offered feature updates.
Checking the WindowsUpdate.log reveals the following error:
```console
@@ -94,12 +95,12 @@ The 0x80070426 error code translates to:
ERROR_SERVICE_NOT_ACTIVE - # The service has not been started.
```
-Microsoft Account Sign In Assistant (MSA or wlidsvc) is the service in question. The DCAT Flighting service (ServiceId: 855E8A7C-ECB4-4CA3-B045-1DFA50104289) relies on the Microsoft Account Sign In Assistant (MSA) to get the Global Device ID for the device. Without the MSA service running, the global device ID will not be generated and sent by the client and the search for feature updates never completes successfully.
+Microsoft Account Sign In Assistant (MSA or wlidsvc) is the service in question. The DCAT Flighting service (ServiceId: 855E8A7C-ECB4-4CA3-B045-1DFA50104289) relies on MSA to get the global device ID for the device. Without the MSA service running, the global device ID won't be generated and sent by the client and the search for feature updates never completes successfully.
-In order to solve this issue, we need to reset the MSA service to the default StartType of manual.
+To resolve this issue, reset the MSA service to the default StartType of "manual."
## Issues related to HTTP/Proxy
-Windows Update uses WinHttp with Partial Range requests (RFC 7233) to download updates and applications from Windows Update servers or on-premises WSUS servers. Because of this proxy servers configured on the network must support HTTP RANGE requests. If a proxy was configured in Internet Explorer (User level) but not in WinHTTP (System level), connections to Windows Update will fail.
+Windows Update uses WinHttp with Partial Range requests (RFC 7233) to download updates and applications from Windows Update servers or on-premises WSUS servers. Therefore proxy servers on the network must support HTTP RANGE requests. If a proxy was configured in Internet Explorer (User level) but not in WinHTTP (System level), connections to Windows Update will fail.
To fix this issue, configure a proxy in WinHTTP by using the following netsh command:
@@ -112,14 +113,13 @@ netsh winhttp set proxy ProxyServerName:PortNumber
If downloads through a proxy server fail with a 0x80d05001 DO_E_HTTP_BLOCKSIZE_MISMATCH error, or if you notice high CPU usage while updates are downloading, check the proxy configuration to permit HTTP RANGE requests to run.
-You may choose to apply a rule to permit HTTP RANGE requests for the following URLs:
+You might choose to apply a rule to permit HTTP RANGE requests for the following URLs:
-*.download.windowsupdate.com
-*.dl.delivery.mp.microsoft.com
-*.delivery.mp.microsoft.com
-*.emdl.ws.microsoft.com
+`*.download.windowsupdate.com`
+`*.dl.delivery.mp.microsoft.com`
+`*.delivery.mp.microsoft.com`
-If you cannot permit RANGE requests, keep in mind that this means you are downloading more content than needed in updates (as delta patching will not work).
+If you can't allow RANGE requests, you'll be downloading more content than needed in updates (as delta patching will not work).
## The update is not applicable to your computer
@@ -127,13 +127,13 @@ The most common reasons for this error are described in the following table:
|Cause|Explanation|Resolution|
|-----|-----------|----------|
-|Update is superseded|As updates for a component are released, the updated component will supersede an older component that is already on the system. When this occurs, the previous update is marked as superseded. If the update that you're trying to install already has a newer version of the payload on your system, you may encounter this error message.|Check that the package that you are installing contains newer versions of the binaries. Or, check that the package is superseded by another new package. |
+|Update is superseded|As updates for a component are released, the updated component will supersede an older component that is already on the system. When this occurs, the previous update is marked as superseded. If the update that you're trying to install already has a newer version of the payload on your system, you might receive this error message.|Check that the package that you are installing contains newer versions of the binaries. Or, check that the package is superseded by another new package. |
|Update is already installed|If the update that you're trying to install was previously installed, for example, by another update that carried the same payload, you may encounter this error message.|Verify that the package that you are trying to install was not previously installed.|
|Wrong update for architecture|Updates are published by CPU architecture. If the update that you're trying to install does not match the architecture for your CPU, you may encounter this error message. |Verify that the package that you're trying to install matches the Windows version that you are using. The Windows version information can be found in the "Applies To" section of the article for each update. For example, Windows Server 2012-only updates cannot be installed on Windows Server 2012 R2-based computers.
Also, verify that the package that you are installing matches the processor architecture of the Windows version that you are using. For example, an x86-based update cannot be installed on x64-based installations of Windows. |
-|Missing prerequisite update|Some updates require a prerequisite update before they can be applied to a system. If you are missing a prerequisite update, you may encounter this error message. For example, KB 2919355 must be installed on Windows 8.1 and Windows Server 2012 R2 computers before many of the updates that were released after April 2014 can be installed.|Check the related articles about the package in the Microsoft Knowledge Base (KB) to make sure that you have the prerequisite updates installed. For example, if you encounter the error message on Windows 8.1 or Windows Server 2012 R2, you may have to install the April 2014 update 2919355 as a prerequisite and one or more pre-requisite servicing updates (KB 2919442 and KB 3173424).
Note: To determine if these prerequisite updates are installed, run the following PowerShell command:
get-hotfix KB3173424,KB2919355,KB2919442
If the updates are installed, the command will return the installed date in the "InstalledOn" section of the output.
+|Missing prerequisite update|Some updates require a prerequisite update before they can be applied to a system. If you are missing a prerequisite update, you may encounter this error message. For example, KB 2919355 must be installed on Windows 8.1 and Windows Server 2012 R2 computers before many of the updates that were released after April 2014 can be installed.|Check the related articles about the package in the Microsoft Knowledge Base (KB) to make sure that you have the prerequisite updates installed. For example, if you encounter the error message on Windows 8.1 or Windows Server 2012 R2, you may have to install the April 2014 update 2919355 as a prerequisite and one or more pre-requisite servicing updates (KB 2919442 and KB 3173424).
To determine if these prerequisite updates are installed, run the following PowerShell command:
`get-hotfix KB3173424,KB2919355, KB2919442`.
If the updates are installed, the command will return the installed date in the `InstalledOn` section of the output.
## Issues related to firewall configuration
-Error that may be seen in the WU logs:
+Error that you might see in Windows Update logs:
```console
DownloadManager Error 0x800706d9 occurred while downloading update; notifying dependent calls.
```
@@ -149,40 +149,41 @@ DownloadManager [0]12F4.1FE8::09/29/2017-13:45:08.530 [agent]DO job {C6E2F6DC-5B
Go to Services.msc and ensure that Windows Firewall Service is enabled. Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft. For more information, see [I need to disable Windows Firewall](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc766337(v=ws.10)).
## Issues arising from configuration of conflicting policies
-Windows Update provides a wide range configuration policies to control the behavior of WU service in a managed environment. While these policies let you configure the settings at a granular level, misconfiguration or setting conflicting polices may lead to unexpected behaviors.
+Windows Update provides a wide range configuration policy to control the behavior of the Windows Update service in a managed environment. While these policies let you configure the settings at a granular level, misconfiguration or setting conflicting policies may lead to unexpected behaviors.
-See [How to configure automatic updates by using Group Policy or registry settings](https://support.microsoft.com/help/328010/how-to-configure-automatic-updates-by-using-group-policy-or-registry-s) for more information.
+For more information, see [How to configure automatic updates by using Group Policy or registry settings](https://support.microsoft.com/help/328010/how-to-configure-automatic-updates-by-using-group-policy-or-registry-s) for more information.
## Device cannot access update files
-Check that your device can access these Windows Update endpoints:
-- `http://windowsupdate.microsoft.com`
-- `http://*.windowsupdate.microsoft.com`
-- `https://*.windowsupdate.microsoft.com`
-- `http://*.update.microsoft.com`
-- `https://*.update.microsoft.com`
-- `http://*.windowsupdate.com`
-- `http://download.windowsupdate.com`
-- `https://download.microsoft.com`
-- `http://*.download.windowsupdate.com`
-- `http://wustat.windows.com`
-- `http://ntservicepack.microsoft.com`
-- `https://*.prod.do.dsp.mp.microsoft.com`
-- `http://*.dl.delivery.mp.microsoft.com`
-- `https://*.delivery.mp.microsoft.com`
-- `https://tsfe.trafficshaping.dsp.mp.microsoft.com`
-
- Allow these endpoints for future use.
+Ensure that devices can reach necessary Windows Update endpoints through the firewall. For example, for Windows 10, version 2004, the following protocols must be able to reach these respective endpoints:
+
+
+|Protocol |Endpoint URL |
+|---------|---------|
+|TLS 1.2 | `*.prod.do.dsp.mp.microsoft.com` |
+|HTTP | `emdl.ws.microsoft.com` |
+|HTTP | `*.dl.delivery.mp.microsoft.com` |
+|HTTP | `*.windowsupdate.com` |
+|HTTPS | `*.delivery.mp.microsoft.com` |
+|TLS 1.2 | `*.update.microsoft.com` |
+|TLS 1.2 | `tsfe.trafficshaping.dsp.mp.microsoft.com` |
+
+> [!NOTE]
+> Be sure not to use HTTPS for those endpoints that specify HTTP, and vice versa. The connection will fail.
+
+The specific endpoints can vary between Windows 10 versions. See, for example, [Windows 10 2004 Enterprise connection endpoints](https://docs.microsoft.com/windows/privacy/manage-windows-2004-endpoints). Similar articles for other Windows 10 versions are available in the table of contents nearby.
+
## Updates aren't downloading from the intranet endpoint (WSUS or Configuration Manager)
-Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps:
+Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps:
+
1. Start Windows PowerShell as an administrator.
2. Run \$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager".
3. Run \$MUSM.Services.
Check the output for the Name and OffersWindowsUPdates parameters, which you can interpret according to this table.
-|Output|Interpretation|
+|Output|Meaning|
|-|-|
|- Name: Microsoft Update
-OffersWindowsUpdates: True| - The update source is Microsoft Update, which means that updates for other Microsoft products besides the operating system could also be delivered.
- Indicates that the client is configured to receive updates for all Microsoft Products (Office, etc.) |
|- Name: DCat Flighting Prod
- OffersWindowsUpdates: True |- Starting with Windows 10 1709, feature updates are always delivered through the DCAT service.
- Indicates that the client is configured to receive feature updates from Windows Update. |
@@ -191,14 +192,14 @@ Check the output for the Name and OffersWindowsUPdates parameters, which you can
|- Name: Windows Update
- OffersWindowsUpdates: True|- The source is Windows Update.
- The client is configured to receive updates from Windows Update Online.|
## You have a bad setup in the environment
-If we look at the GPO being set through registry, the system is configured to use WSUS to download updates:
+In this example, per the Group Policy set through registry, the system is configured to use WSUS to download updates (note the second line):
```console
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
-"UseWUServer"=dword:00000001 ===================================> it says use WSUS server.
+"UseWUServer"=dword:00000001
```
-From the WU logs:
+From Windows Update logs:
```console
2018-08-06 09:33:31:085 480 1118 Agent ** START ** Agent: Finding updates [CallerId = OperationalInsight Id = 49]
2018-08-06 09:33:31:085 480 1118 Agent *********
@@ -212,9 +213,9 @@ From the WU logs:
2018-08-06 09:33:32:554 480 1118 Agent ** END ** Agent: Finding updates [CallerId = OperationalInsight Id = 49]
```
-In the above log snippet, we see that the Criteria = "IsHidden = 0 AND DeploymentAction=*". "*" means there is nothing specified from the server. So, the scan happens but there is no direction to download or install to the agent. So it just scans the update and provides the results.
+In the above log snippet, we see that the `Criteria = "IsHidden = 0 AND DeploymentAction=*"`. "*" means there is nothing specified from the server. So, the scan happens but there is no direction to download or install to the agent. So it just scans the update and provides the results.
-Now if you look at the below logs, the Automatic update runs the scan and finds no update approved for it. So it reports there are 0 updates to install or download. This is due to bad setup or configuration in the environment. The WSUS side should approve the patches for WU so that it fetches the updates and installs it on the specified time according to the policy. Since this scenario doesn't include Configuration Manager, there's no way to install unapproved updates. And that is the problem you are facing. You expect that the scan should be done by the operational insight agent and automatically trigger download and install but that won’t happen here.
+As shown in the following logs, automatic update runs the scan and finds no update approved for it. So it reports there are no updates to install or download. This is due to an incorrect configuration. The WSUS side should approve the updates for Windows Update so that it fetches the updates and installs them at the specified time according to the policy. Since this scenario doesn't include Configuration Manager, there's no way to install unapproved updates. You're expecting the operational insight agent to do the scan and automatically trigger the download and installation but that won’t happen with this configuration.
```console
2018-08-06 10:58:45:992 480 5d8 Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates Id = 57]
@@ -230,15 +231,15 @@ Now if you look at the below logs, the Automatic update runs the scan and finds
```
## High bandwidth usage on Windows 10 by Windows Update
-Users may see that Windows 10 is consuming all the bandwidth in the different offices under the system context. This behavior is by design. Components that may consume bandwidth expand beyond Windows Update components.
+Users might see that Windows 10 is consuming all the bandwidth in the different offices under the system context. This behavior is by design. Components that might consume bandwidth expand beyond Windows Update components.
-The following group policies can help mitigate this:
+The following group policies can help mitigate this situation:
- Blocking access to Windows Update servers: [Policy Turn off access to all Windows Update features](https://gpsearch.azurewebsites.net/#4728) (Set to enabled)
- Driver search: [Policy Specify search order for device driver source locations](https://gpsearch.azurewebsites.net/#183) (Set to "Do not search Windows Update")
- Windows Store automatic update: [Policy Turn off Automatic Download and Install of updates](https://gpsearch.azurewebsites.net/#10876) (Set to enabled)
-Other components that reach out to the internet:
+Other components that connect to the internet:
- Windows Spotlight: [Policy Configure Windows spotlight on lock screen](https://gpsearch.azurewebsites.net/#13362) (Set to disabled)
- Consumer experiences: [Policy Turn off Microsoft consumer experiences](https://gpsearch.azurewebsites.net/#13329) (Set to enabled)
diff --git a/windows/deployment/update/wufb-autoupdate.md b/windows/deployment/update/wufb-autoupdate.md
index 0fc1330492..055d3b723c 100644
--- a/windows/deployment/update/wufb-autoupdate.md
+++ b/windows/deployment/update/wufb-autoupdate.md
@@ -25,7 +25,7 @@ Automatic Update governs the "behind the scenes" download and installation proce
|-|-|
|Configure Automatic Updates|Governs the installation activity that happens in the background. This allows you to configure the installation to happen during the [maintenance window](https://docs.microsoft.com/configmgr/core/clients/manage/collections/use-maintenance-windows). Also, you can specify an installation time where the device will also try to install the latest packages. You can also pick a certain day and or week.|
|Automatic Update Detection Frequency|Lets you set the scan frequency the device will use to connect to Windows Update to see if there is any available content. Default is 22 hours, but you can increase or decrease the frequency. Keep in mind a desktop computer may need to scan less frequently than laptops, which can have intermittent internet connection.|
-|Specify Intranet Microsoft Update Service Location|Used for Windows Server Update Services or Microsoft Endpoint Configuration Manager users who want to install custom packages that are not offered through Windows Update.|
+|Specify Intranet Microsoft Update Service Location|Used for Windows Server Update Services or Microsoft Endpoint Manager users who want to install custom packages that are not offered through Windows Update.|
|Do not connect to any Windows Update Internet locations
Required for Dual Scan|Prevents access to Windows Update.|
## Suggested configuration
diff --git a/windows/deployment/update/wufb-basics.md b/windows/deployment/update/wufb-basics.md
index 0c8f5c32db..041169807e 100644
--- a/windows/deployment/update/wufb-basics.md
+++ b/windows/deployment/update/wufb-basics.md
@@ -1,12 +1,13 @@
---
title: Configure the Basic group policy for Windows Update for Business
-description: Learn how to get started using the Basic GPO in Windows Update for Business.
+description: In this article, you will learn how to configure the basic group policy for Windows Update for Business.
+ms.custom: seo-marvel-apr2020
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
itproauthor: jaimeo
author: jaimeo
-ms.localizationprioauthor: jaimeo
+ms.localizationpriority: medium
ms.audience: itpro
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md
index 67b6e07ec0..1fb426d25f 100644
--- a/windows/deployment/update/wufb-compliancedeadlines.md
+++ b/windows/deployment/update/wufb-compliancedeadlines.md
@@ -1,6 +1,7 @@
---
title: Enforce compliance deadlines with policies in Windows Update for Business (Windows 10)
-description: Learn how to enforce compliance deadlines using Windows Update for Business.
+description: This article contains information on how to enforce compliance deadlines using Windows Update for Business.
+ms.custom: seo-marvel-apr2020
ms.prod: w10
ms.mktglfcycl: manage
author: jaimeo
@@ -151,17 +152,17 @@ Before the deadline the device will be in two states: auto-restart period and en
Notification users get for quality update engaged deadline:
-
+
Notification users get for a quality update deadline:
-
+
Notification users get for a feature update engaged deadline:
-
+
Notification users get for a feature update deadline:
-
+
diff --git a/windows/deployment/update/wufb-managedrivers.md b/windows/deployment/update/wufb-managedrivers.md
index 56f956aae8..e0a6e9e21f 100644
--- a/windows/deployment/update/wufb-managedrivers.md
+++ b/windows/deployment/update/wufb-managedrivers.md
@@ -39,7 +39,7 @@ You can use an on-premises catalog, like WSUS, to deploy 3rd Party patches and u
|Policy| Description |
|-|-|
-|Specify Intranet Microsoft Update Service Location| Used for WSUS/Microsoft Endpoint Configuration Manager customers who want to install custom packages that are not offered through Windows Update.|
+|Specify Intranet Microsoft Update Service Location| Used for WSUS/Microsoft Endpoint Manager customers who want to install custom packages that are not offered through Windows Update.|
### Suggested configuration
diff --git a/windows/deployment/update/wufb-onboard.md b/windows/deployment/update/wufb-onboard.md
index de44721666..78f9b0cf84 100644
--- a/windows/deployment/update/wufb-onboard.md
+++ b/windows/deployment/update/wufb-onboard.md
@@ -1,6 +1,6 @@
---
title: Onboarding to Windows Update for Business (Windows 10)
-description: Get started using Windows Update for Business, a tool that enables IT pros and power users to manage content they want to receive from Windows Update Service.
+description: Get started using Windows Update for Business, a tool that enables IT pros and power users to manage content they want to receive from Windows Update.
ms.prod: w10
ms.mktglfcycl: manage
audience: itpro
diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md
index a4c6a01688..1968dd1929 100644
--- a/windows/deployment/upgrade/log-files.md
+++ b/windows/deployment/upgrade/log-files.md
@@ -1,10 +1,11 @@
---
-title: Log files - Windows IT Pro
+title: Log files and resolving upgrade errors
ms.reviewer:
manager: laurawi
ms.author: greglin
-description: Learn how to interpret the log files generated during the Windows 10 upgrade process.
+description: Learn how to interpret and analyze the log files that are generated during the Windows 10 upgrade process.
keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro
+ms.custom: seo-marvel-apr2020
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/deployment/upgrade/quick-fixes.md b/windows/deployment/upgrade/quick-fixes.md
index 85f4601dbd..e25faa2c40 100644
--- a/windows/deployment/upgrade/quick-fixes.md
+++ b/windows/deployment/upgrade/quick-fixes.md
@@ -5,6 +5,7 @@ manager: laurawi
ms.author: greglin
description: Learn how to quickly resolve many problems, which may come up during a Windows 10 upgrade.
keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro
+ms.custom: seo-marvel-apr2020
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md
index bca001f87a..6abb0eac36 100644
--- a/windows/deployment/upgrade/setupdiag.md
+++ b/windows/deployment/upgrade/setupdiag.md
@@ -5,6 +5,7 @@ manager: laurawi
ms.author: greglin
description: SetupDiag works by examining Windows Setup log files. This article shows how to use the SetupDiag tool to diagnose Windows Setup errors.
keywords: deploy, troubleshoot, windows, 10, upgrade, update, setup, diagnose
+ms.custom: seo-marvel-apr2020
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -552,7 +553,7 @@ Refer to "https://docs.microsoft.com/windows/desktop/Debug/system-error-codes" f
## Sample registry key
-
+
## Related topics
diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md
index e2806e3c0c..033f0e0e0d 100644
--- a/windows/deployment/upgrade/windows-10-edition-upgrades.md
+++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md
@@ -93,7 +93,7 @@ You can run the changepk.exe command-line tool to upgrade devices to a supported
`changepk.exe /ProductKey
Set MIG_OFFLINE_PLATFORM_ARCH=32
-
<component context="UserAndSystem" type="Application">
<displayName _locID="migapp.msoffice2003">Microsoft Office 2003</displayName>
@@ -3846,7 +3844,7 @@ See the last component in the MigUser.xml file for an example of this element.
~~~
**Example:**
-If GenerateUserPattens('File','%userprofile% \[\*.doc\]','FALSE') is called while USMT is processing user A, then this function will only generate patterns for users B and C. You can use this helper function to build complex rules. For example, to migrate all .doc files from the source computer — but if user X is not migrated, then do not migrate any of the .doc files from user X’s profile.
+If GenerateUserPattens('File','%userprofile% \[\*.doc\]','FALSE') is called while USMT is processing user A, then this function will only generate patterns for users B and C. You can use this helper function to build complex rules. For example, to migrate all .doc files from the source computer — but if user X is not migrated, then do not migrate any of the .doc files from user X's profile.
The following is example code for this scenario. The first <rules> element migrates all.doc files on the source computer with the exception of those inside C:\\Documents and Settings. The second <rules> elements will migrate all .doc files from C:\\Documents and Settings with the exception of the .doc files in the profiles of the other users. Because the second <rules> element will be processed in each migrated user context, the end result will be the desired behavior. The end result is the one we expected.
@@ -4103,12 +4101,12 @@ Syntax:
MyComponent.InstallPath.MyComponent.InstallPath.
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V –All
+ Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. This command will also install Hyper-V if it isn't already installed, so if desired you can just type the following command on Windows Server 2012 or 2016 instead of using the Enable-WindowsOptionalFeature command:
@@ -541,8 +542,8 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
1. To add available space for the partition, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
- Resize-VHD –Path c:\VHD\2012R2-poc-2.vhd –SizeBytes 100GB
- $x = (Mount-VHD –Path c:\VHD\2012R2-poc-2.vhd -passthru | Get-Disk | Get-Partition | Get-Volume).DriveLetter
+ Resize-VHD -Path c:\VHD\2012R2-poc-2.vhd -SizeBytes 100GB
+ $x = (Mount-VHD -Path c:\VHD\2012R2-poc-2.vhd -passthru | Get-Disk | Get-Partition | Get-Volume).DriveLetter
Resize-Partition -DriveLetter $x -Size (Get-PartitionSupportedSize -DriveLetter $x).SizeMax
@@ -550,7 +551,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
Get-Volume -DriveLetter $x
- Dismount-VHD –Path c:\VHD\2012R2-poc-2.vhd
+ Dismount-VHD -Path c:\VHD\2012R2-poc-2.vhd
### Configure Hyper-V
@@ -711,7 +712,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
Rename-Computer DC1
- New-NetIPAddress –InterfaceAlias Ethernet –IPAddress 192.168.0.1 –PrefixLength 24 -DefaultGateway 192.168.0.2
+ New-NetIPAddress -InterfaceAlias Ethernet -IPAddress 192.168.0.1 -PrefixLength 24 -DefaultGateway 192.168.0.2
Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
@@ -748,7 +749,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
netsh dhcp add securitygroups
Restart-Service DHCPServer
Add-DhcpServerInDC dc1.contoso.com 192.168.0.1
- Set-ItemProperty –Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12 –Name ConfigurationState –Value 2
+ Set-ItemProperty -Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12 -Name ConfigurationState -Value 2
10. Next, add a DHCP scope and set option values:
@@ -784,7 +785,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
**Configure service and user accounts**
- Windows 10 deployment with MDT and Microsoft Endpoint Configuration Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire.
+ Windows 10 deployment with MDT and Microsoft Endpoint Manager requires specific accounts to perform some actions. Service accounts will be created to use for these tasks. A user account is also added in the contoso.com domain that can be used for testing purposes. In the test lab environment, passwords are set to never expire.
>To keep this test lab relatively simple, we will not create a custom OU structure and set permissions. Required permissions are enabled by adding accounts to the Domain Admins group. To configure these settings in a production environment, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md)
@@ -885,7 +886,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
Enable-VMIntegrationService -VMName PC1 -Name "Guest Service Interface"
- Copy-VMFile "PC1" –SourcePath "C:\VHD\pc1.ps1" –DestinationPath "C:\pc1.ps1" –CreateFullPath –FileSource Host
+ Copy-VMFile "PC1" -SourcePath "C:\VHD\pc1.ps1" -DestinationPath "C:\pc1.ps1" -CreateFullPath -FileSource Host
>In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not enabled in this step, then the copy-VMFile command will fail. In this case, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service.
@@ -916,7 +917,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
Rename-Computer SRV1
- New-NetIPAddress –InterfaceAlias Ethernet –IPAddress 192.168.0.2 –PrefixLength 24
+ New-NetIPAddress -InterfaceAlias Ethernet -IPAddress 192.168.0.2 -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
Restart-Computer
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index dba46b0368..e974dc183f 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -1,7 +1,8 @@
---
title: Windows 10 Subscription Activation
-description: How to dynamically enable Windows 10 Enterprise or Education subscriptions
+description: In this article, you will learn how to dynamically enable Windows 10 Enterprise or Education subscriptions.
keywords: upgrade, update, task sequence, deploy
+ms.custom: seo-marvel-apr2020
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
@@ -20,9 +21,9 @@ ms.topic: article
Starting with Windows 10, version 1703 Windows 10 Pro supports the Subscription Activation feature, enabling users to “step-up” from Windows 10 Pro to **Windows 10 Enterprise** automatically if they are subscribed to Windows 10 Enterprise E3 or E5.
-With Windows 10, version 1903 the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education to the Enterprise grade edition for educational institutions – **Windows 10 Education**.
+With Windows 10, version 1903 the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education to the Enterprise grade edition for educational institutions—**Windows 10 Education**.
-The Subscription Activation feature eliminates the need to manually deploy Windows 10 Enterprise or Education images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering GVLKs, and subsequently rebooting client devices.
+The Subscription Activation feature eliminates the need to manually deploy Windows 10 Enterprise or Education images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering Generic Volume License Keys (GVLKs), and subsequently rebooting client devices.
## Subscription Activation for Windows 10 Enterprise
@@ -39,7 +40,7 @@ Organizations that have an Enterprise agreement can also benefit from the new se
Subscription Activation for Education works the same as the Enterprise version, but in order to use Subscription Activation for Education, you must have a device running Windows 10 Pro Education, version 1903 or later and an active subscription plan with a Windows 10 Enterprise license. For more information, see the [requirements](#windows-10-education-requirements) section.
-## In this article
+## Summary
- [Inherited Activation](#inherited-activation): Description of a new feature available in Windows 10, version 1803 and later.
- [The evolution of Windows 10 deployment](#the-evolution-of-deployment): A short history of Windows deployment.
@@ -60,7 +61,6 @@ To support Inherited Activation, both the host computer and the VM must be runni
## The evolution of deployment
-> [!NOTE]
> The original version of this section can be found at [Changing between Windows SKUs](https://blogs.technet.microsoft.com/mniehaus/2017/10/09/changing-between-windows-skus/).
The following figure illustrates how deploying Windows 10 has evolved with each release. With this release, deployment is automatic.
@@ -68,12 +68,19 @@ The following figure illustrates how deploying Windows 10 has evolved with each
- **Windows 7** required you to redeploy the operating system using a full wipe-and-load process if you wanted to change from Windows 7 Professional to Windows 10 Enterprise.
+
- **Windows 8.1** added support for a Windows 8.1 Pro to Windows 8.1 Enterprise in-place upgrade (considered a “repair upgrade” because the OS version was the same before and after). This was a lot easier than wipe-and-load, but it was still time-consuming.
+
- **Windows 10, version 1507** added the ability to install a new product key using a provisioning package or using MDM to change the SKU. This required a reboot, which would install the new OS components, and took several minutes to complete. However, it was a lot quicker than in-place upgrade.
+
- **Windows 10, version 1607** made a big leap forward. Now you can just change the product key and the SKU instantly changes from Windows 10 Pro to Windows 10 Enterprise. In addition to provisioning packages and MDM, you can just inject a key using SLMGR.VBS (which injects the key into WMI), so it became trivial to do this using a command line.
+
- **Windows 10, version 1703** made this “step-up” from Windows 10 Pro to Windows 10 Enterprise automatic for those that subscribed to Windows 10 Enterprise E3 or E5 via the CSP program.
+
- **Windows 10, version 1709** adds support for Windows 10 Subscription Activation, very similar to the CSP support but for large enterprises, enabling the use of Azure AD for assigning licenses to users. When those users sign in on an AD or Azure AD-joined machine, it automatically steps up from Windows 10 Pro to Windows 10 Enterprise.
+
- **Windows 10, version 1803** updates Windows 10 Subscription Activation to enable pulling activation keys directly from firmware for devices that support firmware-embedded keys. It is no longer necessary to run a script to perform the activation step on Windows 10 Pro prior to activating Enterprise. For virtual machines and hosts running Windows 10, version 1803 [Inherited Activation](#inherited-activation) is also enabled.
+
- **Windows 10, version 1903** updates Windows 10 Subscription Activation to enable step up from Windows 10 Pro Education to Windows 10 Education for those with a qualifying Windows 10 or Microsoft 365 subscription.
## Requirements
@@ -83,6 +90,9 @@ The following figure illustrates how deploying Windows 10 has evolved with each
> [!NOTE]
> The following requirements do not apply to general Windows 10 activation on Azure. Azure activation requires a connection to Azure KMS only, and supports workgroup, Hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure Virtual Machines](https://docs.microsoft.com/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems#understanding-azure-kms-endpoints-for-windows-product-activation-of-azure-virtual-machines).
+> [!NOTE]
+> Currently, Subscription Activation is only available on commercial tenants and is not currently available on US GCC or GCC High tenants.
+
For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following:
- Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded.
@@ -91,7 +101,7 @@ For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products &
For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 Enterprise E3/E5 or A3/A5 through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses, with the exception that Windows 10 Enterprise E3 is also available through CSP to devices running Windows 10, version 1607. For more information about obtaining Windows 10 Enterprise E3 through your CSP, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md).
-If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://blogs.windows.com/business/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/)
+If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://www.microsoft.com/en-us/microsoft-365/blog/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/)
#### Multi-factor authentication
@@ -102,22 +112,30 @@ To resolve this issue:
If the device is running Windows 10, version 1703, 1709, or 1803, the user must either sign in with an Azure AD account, or you must disable MFA for this user during the 30-day polling period and renewal.
If the device is running Windows 10, version 1809 or later:
-1. Windows 10, version 1809 must be updated with [KB4497934](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934). Later versions of Windows 10 automatically include this patch.
-2. When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there is a problem. Click the notification and then click **Fix now** to step through the subscription activation process. See the example below:
- 
- 
- 
+- Windows 10, version 1809 must be updated with [KB4497934](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934). Later versions of Windows 10 automatically include this patch.
+
+- When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there is a problem. Click the notification and then click **Fix now** to step through the subscription activation process. See the example below:
+
+ 
+
+ 
+
+ 
### Windows 10 Education requirements
-1. Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded.
-2. A device with a Windows 10 Pro Education digital license. You can confirm this information in Settings > Update & Security > Activation.
-3. The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription.
-4. Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported.
+- Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded.
+
+- A device with a Windows 10 Pro Education digital license. You can confirm this information in **Settings > Update & Security > Activation**.
+
+- The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription.
+
+- Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported.
> [!IMPORTANT]
-> If Windows 10 Pro is converted to Windows 10 Pro Education [by using benefits available in Store for Education](https://docs.microsoft.com/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device by using a Windows 10 Pro Education edition.
+> If Windows 10 Pro is converted to Windows 10 Pro Education by [using benefits available in Store for Education](https://docs.microsoft.com/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition.
+
## Benefits
@@ -128,15 +146,19 @@ With Windows 10 Enterprise or Windows 10 Education, businesses and institutions
You can benefit by moving to Windows as an online service in the following ways:
-1. Licenses for Windows 10 Enterprise and Education are checked based on Azure Active Directory (Azure AD) credentials, so now businesses have a systematic way to assign licenses to end users and groups in their organization.
-2. User logon triggers a silent edition upgrade, with no reboot required
-3. Support for mobile worker/BYOD activation; transition away from on-prem KMS and MAK keys.
-4. Compliance support via seat assignment.
-5. Licenses can be updated to different users dynamically, enabling you to optimize your licensing investment against changing needs.
+- Licenses for Windows 10 Enterprise and Education are checked based on Azure Active Directory (Azure AD) credentials, so now businesses have a systematic way to assign licenses to end users and groups in their organization.
+
+- User logon triggers a silent edition upgrade, with no reboot required.
+
+- Support for mobile worker/BYOD activation; transition away from on-prem KMS and MAK keys.
+
+- Compliance support via seat assignment.
+
+- Licenses can be updated to different users dynamically, enabling you to optimize your licensing investment against changing needs.
## How it works
-The device is AAD joined from Settings > Accounts > Access work or school.
+The device is AAD joined from **Settings > Accounts > Access work or school**.
The IT administrator assigns Windows 10 Enterprise to a user. See the following figure.
@@ -155,26 +177,34 @@ After Windows 10, version 1903:
> [!NOTE]
+>
> - A Windows 10 Pro Education device will only step up to Windows 10 Education edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019).
>
> - A Windows 10 Pro device will only step up to Windows 10 Enterprise edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019).
### Scenarios
-**Scenario #1**: You are using Windows 10, version 1803 or above, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise).
+#### Scenario #1
+
+You are using Windows 10, version 1803 or above, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise).
All of your Windows 10 Pro devices will step-up to Windows 10 Enterprise, and devices that are already running Windows 10 Enterprise will migrate from KMS or MAK activated Enterprise edition to Subscription activated Enterprise edition when a Subscription Activation-enabled user signs in to the device.
-**Scenario #2**: You are using Windows 10, version 1607, 1703, or 1709 with KMS for activation, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise).
+#### Scenario #2
+
+You are using Windows 10, version 1607, 1703, or 1709 with KMS for activation, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise).
To change all of your Windows 10 Pro devices to Windows 10 Enterprise, run the following command on each computer:
-
+```console
cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43
+```
The command causes the OS to change to Windows 10 Enterprise and then seek out the KMS server to reactivate. This key comes from [Appendix A: KMS Client Setup Keys](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v=ws.11)) in the Volume Activation guide. It is also possible to inject the Windows 10 Pro key from this article if you wish to step back down from Enterprise to Pro.
-**Scenario #3**: Using Azure AD-joined devices or Active Directory-joined devices running Windows 10 1709 or later, and with Azure AD synchronization configured, just follow the steps in [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) to acquire a $0 SKU and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. Then, assign that license to all of your Azure AD users. These can be AD-synced accounts. The device will automatically change from Windows 10 Pro to Windows 10 Enterprise when that user signs in.
+#### Scenario #3
+
+Using Azure AD-joined devices or Active Directory-joined devices running Windows 10 1709 or later, and with Azure AD synchronization configured, just follow the steps in [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) to acquire a $0 SKU and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. Then, assign that license to all of your Azure AD users. These can be AD-synced accounts. The device will automatically change from Windows 10 Pro to Windows 10 Enterprise when that user signs in.
In summary, if you have a Windows 10 Enterprise E3 or E5 subscription, but are still running Windows 10 Pro, it’s really simple (and quick) to move to Windows 10 Enterprise using one of the scenarios above.
@@ -196,14 +226,13 @@ When you have the required Azure AD subscription, group-based licensing is the p
If you are running Windows 10, version 1803 or later, Subscription Activation will automatically pull the firmware-embedded Windows 10 activation key and activate the underlying Pro License. The license will then step-up to Windows 10 Enterprise using Subscription Activation. This automatically migrates your devices from KMS or MAK activated Enterprise to Subscription activated Enterprise.
-> [!CAUTION]
-> Firmware-embedded Windows 10 activation happens automatically only when we go through the Out-of-Box Experience (OOBE).
+Caution: Firmware-embedded Windows 10 activation happens automatically only when we go through OOBE(Out Of Box Experience)
If you are using Windows 10, version 1607, 1703, or 1709 and have already deployed Windows 10 Enterprise, but you want to move away from depending on KMS servers and MAK keys for Windows client machines, you can seamlessly transition as long as the computer has been activated with a firmware-embedded Windows 10 Pro product key.
If the computer has never been activated with a Pro key, run the following script. Copy the text below into a .cmd file and run the file from an elevated command prompt:
-
+```console
@echo off
FOR /F "skip=1" %%A IN ('wmic path SoftwareLicensingService get OA3xOriginalProductKey') DO (
SET "ProductKey=%%A"
@@ -217,18 +246,24 @@ echo No key present
echo Installing %ProductKey%
changepk.exe /ProductKey %ProductKey%
)
-
+```
### Obtaining an Azure AD license
Enterprise Agreement/Software Assurance (EA/SA):
+
- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD (ideally to groups using the new Azure AD Premium feature for group assignment). For more information, see [Enabling Subscription Activation with an existing EA](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses#enabling-subscription-activation-with-an-existing-ea).
+
- The license administrator can assign seats to Azure AD users with the same process that is used for O365.
+
- New EA/SA Windows Enterprise customers can acquire both an SA subscription and an associated $0 cloud subscription.
Microsoft Products & Services Agreements (MPSA):
+
- Organizations with MPSA are automatically emailed the details of the new service. They must take steps to process the instructions.
+
- Existing MPSA customers will receive service activation emails that allow their customer administrator to assign users to the service.
+
- New MPSA customers who purchase the Software Subscription Windows Enterprise E3 and E5 will be enabled for both the traditional key-based and new subscriptions activation method.
### Deploying licenses
diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
index f0a7008b37..8a07ad9b20 100644
--- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
+++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
@@ -2,7 +2,7 @@
title: Demonstrate Autopilot deployment
ms.reviewer:
manager: laurawi
-description: Step-by-step instructions on how to set-up a Virtual Machine with a Windows Autopilot deployment
+description: In this article, find step-by-step instructions on how to set-up a Virtual Machine with a Windows Autopilot deployment.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune, upgrade
ms.prod: w10
ms.mktglfcycl: deploy
@@ -13,7 +13,9 @@ author: greg-lindsay
ms.author: greglin
ms.collection: M365-modern-desktop
ms.topic: article
-ms.custom: autopilot
+ms.custom:
+ - autopilot
+ - seo-marvel-apr2020
---
@@ -51,6 +53,8 @@ These are the things you'll need to complete this lab:
A summary of the sections and procedures in the lab is provided below. Follow each section in the order it is presented, skipping the sections that do not apply to you. Optional procedures are provided in the appendix.
+> If you already have Hyper-V and a Windows 10 VM, you can skip directly to the [Capture the hardware ID](#capture-the-hardware-id) step. The VM must be running Windows 10, version 1903 or a later version.
+
[Verify support for Hyper-V](#verify-support-for-hyper-v)
[Enable Hyper-V](#enable-hyper-v)
[Create a demo VM](#create-a-demo-vm)
@@ -68,7 +72,8 @@ A summary of the sections and procedures in the lab is provided below. Follow ea
[Autopilot registration using MSfB](#autopilot-registration-using-msfb)
[Create and assign a Windows Autopilot deployment profile](#create-and-assign-a-windows-autopilot-deployment-profile)
[Create a Windows Autopilot deployment profile using Intune](#create-a-windows-autopilot-deployment-profile-using-intune)
-
[Assign the profile](#assign-the-profile)
+
[Create a device group](#create-a-device-group)
+
[Create the deployment profile](#create-the-deployment-profile)
[Create a Windows Autopilot deployment profile using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb)
[See Windows Autopilot in action](#see-windows-autopilot-in-action)
[Remove devices from Autopilot](#remove-devices-from-autopilot)
@@ -138,7 +143,7 @@ After we have set the ISO file location and determined the name of the appropria
You can download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise [here](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise).
- When asked to select a platform, choose **64 bit**.
-After you download this file, the name will be extremely long (ex: 17763.107.101029-1455.rs5_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso).
+After you download this file, the name will be extremely long (ex: 19042.508.200927-1902.20h2_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso).
1. So that it is easier to type and remember, rename the file to **win10-eval.iso**.
2. Create a directory on your computer named **c:\iso** and move the **win10-eval.iso** file there, so the path to the file is **c:\iso\win10-eval.iso**.
@@ -161,7 +166,7 @@ For example, if the command above displays Ethernet but you wish to use Ethernet
All VM data will be created under the current path in your PowerShell prompt. Consider navigating into a new folder before running the following commands.
> [!IMPORTANT]
-> **VM switch**: a VM switch is how Hyper-V connects VMs to a network.
If you have previously enabled Hyper-V and your Internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."
If you have never created an external VM switch before, then just run the commands below.
+> **VM switch**: a VM switch is how Hyper-V connects VMs to a network.
If you have previously enabled Hyper-V and your Internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."
If you have never created an external VM switch before, then just run the commands below.
If you are not sure if you already have an External VM switch, enter **get-vmswitch** at a Windows PowerShell prompt to display a currently list of the VM switches that are provisioned in Hyper-V. If one of them is of SwitchType **External**, then you already have a VM switch configured on the server that is used to connect to the Internet. In this case, you need to skip the first command below and modify the others to use the name of your VM switch instead of the name "AutopilotExternal" (or change the name of your switch).
```powershell
New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
@@ -216,24 +221,27 @@ PS C:\autopilot>
### Install Windows 10
+> [!NOTE]
+> The VM will be booted to gather a hardware ID, then it will be reset. The goal in the next few steps is to get to the desktop quickly so don't worry about how it is configured at this stage. The VM only needs to be connected to the Internet.
+
Ensure the VM booted from the installation ISO, click **Next** then click **Install now** and complete the Windows installation process. See the following examples:
- 
- 
- 
- 
- 
- 
+ 
+ 
+ 
+ 
+ 
+ 
-After the VM restarts, during OOBE, it’s fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This will offer the fastest way to the desktop. For example:
+After the VM restarts, during OOBE, it's fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This will offer the fastest way to the desktop. For example:
- 
+ 
-Once the installation is complete, sign in and verify that you are at the Windows 10 desktop, then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state. You will create multiple checkpoints throughout this lab, which can be used later to go through the process again.
+Once the installation is complete, sign in and verify that you are at the Windows 10 desktop, then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state.
- 
+ 
-To create your first checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM) and run the following:
+To create a checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM) and run the following:
```powershell
Checkpoint-VM -Name WindowsAutopilot -SnapshotName "Finished Windows install"
@@ -244,11 +252,11 @@ Click on the **WindowsAutopilot** VM in Hyper-V Manager and verify that you see
## Capture the hardware ID
> [!NOTE]
-> Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory. The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR). For purposes of this lab, you are acting as the OEM (capturing the 4K HH), but you’re not going to use the OA3 Tool to capture the full 4K HH for various reasons (you’d have to install the OA3 tool, your device couldn’t have a volume license version of Windows, it’s a more complicated process than using a PS script, etc.). Instead, you’ll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool.
+> Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory. The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR). For purposes of this lab, you are acting as the OEM (capturing the 4K HH), but you're not going to use the OA3 Tool to capture the full 4K HH for various reasons (you'd have to install the OA3 tool, your device couldn't have a volume license version of Windows, it's a more complicated process than using a PS script, etc.). Instead, you'll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool.
Follow these steps to run the PS script:
-1. Open an elevated Windows PowerShell prompt and run the following commands. These commands are the same regardless of whether you are using a VM or a physical device:
+1. **On the client VM**: Open an elevated Windows PowerShell prompt and run the following commands. These commands are the same regardless of whether you are using a VM or a physical device:
```powershell
md c:\HWID
@@ -261,18 +269,20 @@ Follow these steps to run the PS script:
When you are prompted to install the NuGet package, choose **Yes**.
-See the sample output below.
+See the sample output below. A 'dir' command is issued at the end to show the file that was created.
PS C:\> md c:\HWID
- Directory: C:\
+ Directory: C:\
-Mode LastWriteTime Length Name
----- ------------- ------ ----
-d----- 3/14/2019 11:33 AM HWID
-PS C:\> Set-Location c:\HWID
+Mode LastWriteTime Length Name
+---- ------------- ------ ----
+d----- 11/13/2020 3:00 PM HWID
+
+
+PS C:\Windows\system32> Set-Location c:\HWID
PS C:\HWID> Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
PS C:\HWID> Install-Script -Name Get-WindowsAutopilotInfo -Force
@@ -285,13 +295,17 @@ import the NuGet provider now?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y
PS C:\HWID> $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
PS C:\HWID> Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
+Gathered details for device with serial number: 1804-7078-6805-7405-0796-0675-17
PS C:\HWID> dir
+
Directory: C:\HWID
-Mode LastWriteTime Length Name
----- ------------- ------ ----
--a---- 3/14/2019 11:33 AM 8184 AutopilotHWID.csv
+
+Mode LastWriteTime Length Name
+---- ------------- ------ ----
+-a---- 11/13/2020 3:01 PM 8184 AutopilotHWID.csv
+
PS C:\HWID>
@@ -303,7 +317,7 @@ Verify that there is an **AutopilotHWID.csv** file in the **c:\HWID** directory
-You will need to upload this data into Intune to register your device for Autopilot, so it needs to be transferred to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM).
+You will need to upload this data into Intune to register your device for Autopilot, so the next step is to transfer this file to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM).
If you have trouble copying and pasting the file, just view the contents in Notepad on the VM and copy the text into Notepad outside the VM. Do not use another text editor to do this.
@@ -315,7 +329,7 @@ If you have trouble copying and pasting the file, just view the contents in Note
With the hardware ID captured in a file, prepare your Virtual Machine for Windows Autopilot deployment by resetting it back to OOBE.
On the Virtual Machine, go to **Settings > Update & Security > Recovery** and click on **Get started** under **Reset this PC**.
-Select **Remove everything** and **Just remove my files**. Finally, click on **Reset**.
+Select **Remove everything** and **Just remove my files**. If you are asked **How would you like to reinstall Windows**, select Local reinstall. Finally, click on **Reset**.
@@ -331,11 +345,11 @@ For this lab, you need an AAD Premium subscription. You can tell if you have a
-If the configuration blade shown above does not appear, it’s likely that you don’t have a **Premium** subscription. Auto-enrollment is a feature only available in AAD Premium.
+If the configuration blade shown above does not appear, it's likely that you don't have a **Premium** subscription. Auto-enrollment is a feature only available in AAD Premium.
To convert your Intune trial account to a free Premium trial account, navigate to **Azure Active Directory** > **Licenses** > **All products** > **Try / Buy** and select **Free trial** for Azure AD Premium, or EMS E5.
-
+
## Configure company branding
@@ -361,7 +375,7 @@ Open [Mobility (MDM and MAM) in Azure Active Directory](https://portal.azure.com
For the purposes of this demo, select **All** under the **MDM user scope** and click **Save**.
-
+
## Register your VM
@@ -369,24 +383,24 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B
### Autopilot registration using Intune
-1. In Intune in the Azure portal, choose **Device enrollment** > **Windows enrollment** > **Devices** > **Import**.
+1. In the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/), choose **Devices** > **Device enrollment | Enroll devices** > **Windows enrollment** > **Windows Autopilot Deployment Program | Devices** and then on the **Windows Autopilot devices** page, choose **Import**.
- 
+ 
> [!NOTE]
> If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI. You might need to provide Intune configuration privileges in a challenge window that appeared.
-2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer. The file should contain the serial number and 4K HH of your VM (or device). It’s okay if other fields (Windows Product ID) are left blank.
+2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer. The file should contain the serial number and 4K HH of your VM (or device). It's okay if other fields (Windows Product ID) are left blank.
- 
+ 
You should receive confirmation that the file is formatted correctly before uploading it, as shown above.
3. Click **Import** and wait until the import process completes. This can take up to 15 minutes.
-4. Click **Sync** to sync the device you just registered. Wait a few moments before refreshing to verify your VM or device has been added. See the following example.
+4. Click **Refresh** to verify your VM or device has been added. See the following example.
- 
+ 
### Autopilot registration using MSfB
@@ -409,7 +423,7 @@ Select **Manage** from the top menu, then click the **Windows Autopilot Deployme
Click the **Add devices** link to upload your CSV file. A message will appear indicating your request is being processed. Wait a few moments before refreshing to see your new device has been added.
-
+
## Create and assign a Windows Autopilot deployment profile
@@ -423,17 +437,33 @@ Pick one:
### Create a Windows Autopilot deployment profile using Intune
> [!NOTE]
-> Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list first:
+> Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list.
-
+
-> The example above lists both a physical device and a VM. Your list should only include only one of these.
+#### Create a device group
-To create a Windows Autopilot profile, select **Device enrollment** > **Windows enrollment** > **Deployment profiles**
+The Autopilot deployment profile wizard will ask for a device group, so we must create one first. To create a device group:
-
+1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Groups** > **New group**.
+2. In the **Group** blade:
+ 1. For **Group type**, choose **Security**.
+ 2. Type a **Group name** and **Group description** (ex: Autopilot Lab).
+ 3. Azure AD roles can be assigned to the group: **No**
+ 4. For **Membership type**, choose **Assigned**.
+3. Click **Members** and add the Autopilot VM to the group. See the following example:
-Click on **Create profile**.
+ 
+
+4. Click **Create**.
+
+#### Create the deployment profile
+
+To create a Windows Autopilot profile, scroll back to the left hand pane and click **Devices**, then under **Enroll devices | Windows enrollment** select **Deployment Profiles**.
+
+
+
+Click on **Create profile** and then select **Windows PC**.
@@ -442,22 +472,33 @@ On the **Create profile** blade, use the following values:
| Setting | Value |
|---|---|
| Name | Autopilot Lab profile |
-| Description | blank |
+| Description | Lab |
| Convert all targeted devices to Autopilot | No |
-| Deployment mode | User-driven |
-| Join to Azure AD as | Azure AD joined |
-Click on **Out-of-box experience (OOBE)** and configure the following settings:
+Click **Next** to continue with the **Out-of-box experience (OOBE)** settings:
| Setting | Value |
|---|---|
-| EULA | Hide |
+| Deployment mode | User-driven |
+| Join to Azure AD as | Azure AD joined |
+| Microsoft Sofware License Terms | Hide |
| Privacy Settings | Hide |
| Hide change account options | Hide |
| User account type | Standard |
+| Allow White Glove OOBE | No |
+| Language (Region) | Operating system default |
+| Automatically configure keyboard | Yes |
| Apply device name template | No |
-See the following example:
+Click **Next** to continue with the **Assignments** settings:
+
+| Setting | Value |
+|---|---|
+| Assign to | Selected groups |
+
+1. Click **Select groups to include**.
+2. Click the **Autopilot Lab** group, and then click **Select**.
+3. Click **Next** to continue and then click **Create**. See the following example:
@@ -465,40 +506,6 @@ Click on **OK** and then click on **Create**.
> If you want to add an app to your profile via Intune, the OPTIONAL steps for doing so can be found in [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile).
-#### Assign the profile
-
-Profiles can only be assigned to Groups, so first you must create a group that contains the devices to which the profile should be applied. This guide will provide simple instructions to assign a profile, for more detailed instructions, see [Create an Autopilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an Autopilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group), as optional reading.
-
-To create a Group, open the Azure portal and select **Azure Active Directory** > **Groups** > **All groups**:
-
-
-
-Select New group from the Groups blade to open the new groups UI. Select the “Security” group type, name the group, and select the “Assigned” membership type:
-
-Before clicking **Create**, expand the **Members** panel, click your device's serial number (it will then appear under **Selected members**) and then click **Select** to add that device to this group.
-
-
-
-Now click **Create** to finish creating the new group.
-
-Click on **All groups** and click **Refresh** to verify that your new group has been successfully created.
-
-With a group created containing your device, you can now go back and assign your profile to that group. Navigate back to the Intune page in the Azure portal (one way is to type **Intune** in the top banner search bar and select **Intune** from the results).
-
-From Intune, select **Device enrollment** > **Windows enrollment** > **Deployment Profiles** to open the profile blade. Click on the name of the profile you previously created (Autopilot Lab profile) to open the details blade for that profile:
-
-
-
-Under **Manage**, click **Assignments**, and then with the **Include** tab highlighted, expand the **Select groups** blade and click **AP Lab Group 1** (the group will appear under **Selected members**).
-
-
-
-Click **Select** and then click **Save**.
-
-
-
-It’s also possible to assign specific users to a profile, but we will not cover this scenario in the lab. For more detailed information, see [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot).
-
### Create a Windows Autopilot deployment profile using MSfB
If you have already created and assigned a profile via Intune by using the steps immediately above, then skip this section.
@@ -517,15 +524,15 @@ To CREATE the profile:
Select your device from the **Devices** list:
-
+
On the Autopilot deployment dropdown menu, select **Create new profile**:
-
+
Name the profile, choose your desired settings, and then click **Create**:
-
+
The new profile is added to the Autopilot deployment list.
@@ -533,84 +540,73 @@ To ASSIGN the profile:
To assign (or reassign) the profile to a device, select the checkboxes next to the device you registered for this lab, then select the profile you want to assign from the **Autopilot deployment** dropdown menu as shown:
-
+
Confirm the profile was successfully assigned to the intended device by checking the contents of the **Profile** column:
-
+
> [!IMPORTANT]
> The new profile will only be applied if the device has not been started, and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device.
## See Windows Autopilot in action
-If you shut down your VM after the last reset, it’s time to start it back up again, so it can progress through the Autopilot OOBE experience but do not attempt to start your device again until the **PROFILE STATUS** for your device in Intune has changed from **Not assigned** to **Assigning** and finally **Assigned**:
+If you shut down your VM after the last reset, it's time to start it back up again, so it can progress through the Autopilot OOBE experience but do not attempt to start your device again until the **PROFILE STATUS** for your device in Intune has changed from **Not assigned** to **Assigning** and finally **Assigned**:
Also, make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding), otherwise these changes might not show up.
> [!TIP]
-> If you reset your device previously after collecting the 4K HH info, and then let it restart back to the first OOBE screen, then you might need to restart the device again to ensure the device is recognized as an Autopilot device and displays the Autopilot OOBE experience you’re expecting. If you do not see the Autopilot OOBE experience, then reset the device again (Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Click on Reset).
+> If you reset your device previously after collecting the 4K HH info, and then let it restart back to the first OOBE screen, then you might need to restart the device again to ensure the device is recognized as an Autopilot device and displays the Autopilot OOBE experience you're expecting. If you do not see the Autopilot OOBE experience, then reset the device again (Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Click on Reset).
- Ensure your device has an internet connection.
- Turn on the device
- Verify that the appropriate OOBE screens (with appropriate Company Branding) appear. You should see the region selection screen, the keyboard selection screen, and the second keyboard selection screen (which you can skip).
-
+
Soon after reaching the desktop, the device should show up in Intune as an **enabled** Autopilot device. Go into the Intune Azure portal, and select **Devices > All devices**, then **Refresh** the data to verify that your device has changed from disabled to enabled, and the name of the device is updated.
-
+
Once you select a language and a keyboard layout, your company branded sign-in screen should appear. Provide your Azure Active Directory credentials and you're all done.
-Windows Autopilot will now take over to automatically join your device into Azure Active Directory and enroll it to Microsoft Intune. Use the checkpoints you've created to go through this process again with different settings.
+> [!TIP]
+> If you receive a message that "Something went wrong" and it "Looks like we can't connect to the URL for your organization's MDM terms of use", verify that you have correctly [assigned licenses](https://docs.microsoft.com/mem/intune/fundamentals/licenses-assign) to the current user.
+
+Windows Autopilot will now take over to automatically join your device into Azure Active Directory and enroll it to Microsoft Intune. Use the checkpoint you've created to go through this process again with different settings.
## Remove devices from Autopilot
-To use the device (or VM) for other purposes after completion of this lab, you will need to remove (deregister) it from Autopilot via either Intune or MSfB, and then reset it. Instructions for deregistering devices can be found [here](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [here](https://docs.microsoft.com/intune/devices-wipe#delete-devices-from-the-azure-active-directory-portal) and below.
+To use the device (or VM) for other purposes after completion of this lab, you will need to remove (deregister) it from Autopilot via either Intune or MSfB, and then reset it. Instructions for deregistering devices can be found at [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Remove devices by using wipe, retire, or manually unenrolling the device](https://docs.microsoft.com/intune/devices-wipe#delete-devices-from-the-azure-active-directory-portal) and below.
### Delete (deregister) Autopilot device
-You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into your Intune Azure portal, then navigate to **Intune > Devices > All Devices**. Select the checkbox next to the device you want to delete, then click the Delete button along the top menu.
+You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into the MEM admin center, then navigate to **Intune > Devices > All Devices**. Select the device you want to delete, then click the Delete button along the top menu.
-
-
-Click **X** when challenged to complete the operation:
-
-
+
This will remove the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this does not yet deregister the device from Autopilot, so the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**.
-
-
The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two completely separate datastores. The former (All devices) is the list of devices currently enrolled into Intune.
> [!NOTE]
> A device will only appear in the All devices list once it has booted. The latter (Windows Autopilot Deployment Program > Devices) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune.
-To remove the device from the Autopilot program, select the device and click Delete.
+To remove the device from the Autopilot program, select the device and click **Delete**. You will get a popup dialog box to confirm deletion.
-
-
-A warning message appears reminding you to first remove the device from Intune, which we previously did.
-
-
+
At this point, your device has been unenrolled from Intune and also deregistered from Autopilot. After several minutes, click the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program:
-
-
Once the device no longer appears, you are free to reuse it for other purposes.
If you also (optionally) want to remove your device from AAD, navigate to **Azure Active Directory > Devices > All Devices**, select your device, and click the delete button:
-
-
## Appendix A: Verify support for Hyper-V
-Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information.
+Starting with Windows 8, the host computer's microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information.
To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, scroll down, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example:
@@ -654,19 +650,19 @@ EPT * Supports Intel extended page tables (SLAT)
#### Prepare the app for Intune
-Before we can pull an application into Intune to make it part of our AP profile, we need to “package” the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool). After downloading the tool, gather the following three bits of information to use the tool:
+Before we can pull an application into Intune to make it part of our AP profile, we need to "package" the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool). After downloading the tool, gather the following three bits of information to use the tool:
1. The source folder for your application
2. The name of the setup executable file
3. The output folder for the new file
-For the purposes of this lab, we’ll use the Notepad++ tool as our Win32 app.
+For the purposes of this lab, we'll use the Notepad++ tool as our Win32 app.
Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available) and then copy the file to a known location, such as C:\Notepad++msi.
Run the IntuneWinAppUtil tool, supplying answers to the three questions, for example:
-
+
After the tool finishes running, you should have an .intunewin file in the Output folder, which you can now upload into Intune using the following steps.
@@ -676,19 +672,19 @@ Log into the Azure portal and select **Intune**.
Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
-
+
Under **App Type**, select **Windows app (Win32)**:
-
+
On the **App package file** blade, browse to the **npp.7.6.3.installer.x64.intunewin** file in your output folder, open it, then click **OK**:
-
+
On the **App Information Configure** blade, provide a friendly name, description, and publisher, such as:
-
+
On the **Program Configuration** blade, supply the install and uninstall commands:
@@ -698,29 +694,29 @@ Uninstall: msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q
> [!NOTE]
> Likely, you do not have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool) automatically generated them when it converted the .msi file into a .intunewin file.
-
+
-Simply using an install command like “notepad++.exe /S” will not actually install Notepad++; it will only launch the app. To actually install the program, we need to use the .msi file instead. Notepad++ doesn’t actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available).
+Simply using an install command like "notepad++.exe /S" will not actually install Notepad++; it will only launch the app. To actually install the program, we need to use the .msi file instead. Notepad++ doesn't actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available).
Click **OK** to save your input and activate the **Requirements** blade.
On the **Requirements Configuration** blade, specify the **OS architecture** and the **Minimum OS version**:
-
+
Next, configure the **Detection rules**. For our purposes, we will select manual format:
-
+
Click **Add** to define the rule properties. For **Rule type**, select **MSI**, which will automatically import the right MSI product code into the rule:
-
+
Click **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration.
**Return codes**: For our purposes, leave the return codes at their default values:
-
+
Click **OK** to exit.
@@ -730,20 +726,20 @@ Click the **Add** button to finalize and save your app package.
Once the indicator message says the addition has completed.
-
+
You will be able to find your app in your app list:
-
+
#### Assign the app to your Intune profile
> [!NOTE]
-> The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here.
+> The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#create-a-device-group). If you have not done that, please return to the main part of the lab and complete those steps before returning here.
In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade. Then click **Assignments** from the menu:
-
+
Select **Add Group** to open the **Add group** pane that is related to the app.
@@ -753,9 +749,9 @@ For our purposes, select **Required** from the **Assignment type** dropdown menu
Select **Included Groups** and assign the groups you previously created that will use this app:
-
+
-
+
In the **Select groups** pane, click the **Select** button.
@@ -765,7 +761,7 @@ In the **Add group** pane, select **OK**.
In the app **Assignments** pane, select **Save**.
-
+
At this point, you have completed steps to add a Win32 app to Intune.
@@ -779,15 +775,15 @@ Log into the Azure portal and select **Intune**.
Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
-
+
Under **App Type**, select **Office 365 Suite > Windows 10**:
-
+
Under the **Configure App Suite** pane, select the Office apps you want to install. For the purposes of this labe we have only selected Excel:
-
+
Click **OK**.
@@ -795,24 +791,24 @@ In the **App Suite Information** pane, enter a unique suite name, and a s
> Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal.
-
+
Click **OK**.
In the **App Suite Settings** pane, select **Monthly** for the **Update channel** (any selection would be fine for the purposes of this lab). Also select **Yes** for **Automatically accept the app end user license agreement**:
-
+
Click **OK** and then click **Add**.
#### Assign the app to your Intune profile
> [!NOTE]
-> The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here.
+> The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#create-a-device-group). If you have not done that, please return to the main part of the lab and complete those steps before returning here.
In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade. Then click **Assignments** from the menu:
-
+
Select **Add Group** to open the **Add group** pane that is related to the app.
@@ -822,9 +818,9 @@ For our purposes, select **Required** from the **Assignment type** dropdown menu
Select **Included Groups** and assign the groups you previously created that will use this app:
-
+
-
+
In the **Select groups** pane, click the **Select** button.
@@ -834,7 +830,7 @@ In the **Add group** pane, select **OK**.
In the app **Assignments** pane, select **Save**.
-
+
At this point, you have completed steps to add Office to Intune.
@@ -842,7 +838,7 @@ For more information on adding Office apps to Intune, see [Assign Office 365 app
If you installed both the win32 app (Notepad++) and Office (just Excel) per the instructions in this lab, your VM will show them in the apps list, although it could take several minutes to populate:
-
+
## Glossary
diff --git a/windows/deployment/windows-autopilot/images/ap-aad-mdm.png b/windows/deployment/windows-autopilot/images/ap-aad-mdm.png
new file mode 100644
index 0000000000..ece310f978
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/ap-aad-mdm.png differ
diff --git a/windows/deployment/windows-autopilot/images/autopilot-oobe.png b/windows/deployment/windows-autopilot/images/autopilot-oobe.png
new file mode 100644
index 0000000000..9cfea73377
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/autopilot-oobe.png differ
diff --git a/windows/deployment/windows-autopilot/images/create-profile.png b/windows/deployment/windows-autopilot/images/create-profile.png
index 52f087721d..d2816e9c89 100644
Binary files a/windows/deployment/windows-autopilot/images/create-profile.png and b/windows/deployment/windows-autopilot/images/create-profile.png differ
diff --git a/windows/deployment/windows-autopilot/images/delete-device1.png b/windows/deployment/windows-autopilot/images/delete-device1.png
index e73f929fbd..770c8e5b02 100644
Binary files a/windows/deployment/windows-autopilot/images/delete-device1.png and b/windows/deployment/windows-autopilot/images/delete-device1.png differ
diff --git a/windows/deployment/windows-autopilot/images/delete-device2.png b/windows/deployment/windows-autopilot/images/delete-device2.png
index ed764ac1ed..188c72d67b 100644
Binary files a/windows/deployment/windows-autopilot/images/delete-device2.png and b/windows/deployment/windows-autopilot/images/delete-device2.png differ
diff --git a/windows/deployment/windows-autopilot/images/device-status.png b/windows/deployment/windows-autopilot/images/device-status.png
index 5a78973ce5..a5627040ec 100644
Binary files a/windows/deployment/windows-autopilot/images/device-status.png and b/windows/deployment/windows-autopilot/images/device-status.png differ
diff --git a/windows/deployment/windows-autopilot/images/devices1.png b/windows/deployment/windows-autopilot/images/devices1.png
new file mode 100644
index 0000000000..459aa19c69
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/devices1.png differ
diff --git a/windows/deployment/windows-autopilot/images/dp.png b/windows/deployment/windows-autopilot/images/dp.png
new file mode 100644
index 0000000000..a133c72491
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/dp.png differ
diff --git a/windows/deployment/windows-autopilot/images/enroll1.png b/windows/deployment/windows-autopilot/images/enroll1.png
new file mode 100644
index 0000000000..4bc9be72bb
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/enroll1.png differ
diff --git a/windows/deployment/windows-autopilot/images/enroll2.png b/windows/deployment/windows-autopilot/images/enroll2.png
new file mode 100644
index 0000000000..62e7344da1
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/enroll2.png differ
diff --git a/windows/deployment/windows-autopilot/images/enroll3.png b/windows/deployment/windows-autopilot/images/enroll3.png
new file mode 100644
index 0000000000..3501d5036c
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/enroll3.png differ
diff --git a/windows/deployment/windows-autopilot/images/enroll4.png b/windows/deployment/windows-autopilot/images/enroll4.png
new file mode 100644
index 0000000000..fc7215b68f
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/enroll4.png differ
diff --git a/windows/deployment/windows-autopilot/images/group1.png b/windows/deployment/windows-autopilot/images/group1.png
new file mode 100644
index 0000000000..2ccc8db248
Binary files /dev/null and b/windows/deployment/windows-autopilot/images/group1.png differ
diff --git a/windows/deployment/windows-autopilot/images/profile.png b/windows/deployment/windows-autopilot/images/profile.png
index 40cf26bee2..1c6c734a74 100644
Binary files a/windows/deployment/windows-autopilot/images/profile.png and b/windows/deployment/windows-autopilot/images/profile.png differ
diff --git a/windows/device-security/docfx.json b/windows/device-security/docfx.json
index 0dbfe2d2e9..42439e1e7b 100644
--- a/windows/device-security/docfx.json
+++ b/windows/device-security/docfx.json
@@ -40,7 +40,16 @@
"depot_name": "MSDN.win-device-security",
"folder_relative_path_in_docset": "./"
}
- }
+ },
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
},
"fileMetadata": {},
"template": [],
diff --git a/windows/docfx.json b/windows/docfx.json
index 48b05bb454..b199d2a9c7 100644
--- a/windows/docfx.json
+++ b/windows/docfx.json
@@ -18,10 +18,11 @@
"audience": "ITPro",
"breadcrumb_path": "/itpro/windows/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
- "_op_documentIdPathDepotMapping": {
- "./": {
- "depot_name": "Win.windows"
- },
+ "_op_documentIdPathDepotMapping": {
+ "./": {
+ "depot_name": "Win.windows"
+ }
+ },
"contributors_to_exclude": [
"rjagiewich",
"traya1",
diff --git a/windows/eulas/docfx.json b/windows/eulas/docfx.json
index ff3ab96c92..5270a33f5d 100644
--- a/windows/eulas/docfx.json
+++ b/windows/eulas/docfx.json
@@ -37,7 +37,16 @@
"globalMetadata": {
"breadcrumb_path": "/windows/eulas/breadcrumb/toc.json",
"extendBreadcrumb": true,
- "feedback_system": "None"
+ "feedback_system": "None",
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
},
"fileMetadata": {},
"template": [],
diff --git a/windows/hub/TOC.md b/windows/hub/TOC.md
index 25ef07d002..eaeb093642 100644
--- a/windows/hub/TOC.md
+++ b/windows/hub/TOC.md
@@ -1,6 +1,6 @@
# [Windows 10](index.yml)
## [What's new](/windows/whats-new)
-## [Release information](/windows/release-information)
+## [Release information](/windows/release-health)
## [Deployment](/windows/deployment)
## [Configuration](/windows/configuration)
## [Client management](/windows/client-management)
diff --git a/windows/hub/breadcrumb/toc.yml b/windows/hub/breadcrumb/toc.yml
index a28aaa3b77..e2971f2d84 100644
--- a/windows/hub/breadcrumb/toc.yml
+++ b/windows/hub/breadcrumb/toc.yml
@@ -27,7 +27,7 @@
topicHref: /windows/client-management/mdm/index
- name: Release information
tocHref: /windows/release-information/
- topicHref: /windows/release-information/index
+ topicHref: /windows/release-health/release-information
- name: Privacy
tocHref: /windows/privacy/
topicHref: /windows/privacy/index
diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json
index 07a8ea153b..898e842c41 100644
--- a/windows/hub/docfx.json
+++ b/windows/hub/docfx.json
@@ -36,6 +36,7 @@
"globalMetadata": {
"audience": "ITPro",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
+ "uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.technology": "windows",
"ms.topic": "article",
"feedback_system": "GitHub",
@@ -47,7 +48,16 @@
"folder_relative_path_in_docset": "./"
}
},
- "titleSuffix": "Windows 10 for IT Pros"
+ "titleSuffix": "Windows 10 for IT Pros",
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
},
"fileMetadata": {},
"template": [],
diff --git a/windows/hub/index.yml b/windows/hub/index.yml
index 0ac1aa5523..bac6a47a7b 100644
--- a/windows/hub/index.yml
+++ b/windows/hub/index.yml
@@ -13,7 +13,7 @@ metadata:
ms.collection: windows-10
author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
ms.author: greglin #Required; microsoft alias of author; optional team alias.
- ms.date: 09/23/2020 #Required; mm/dd/yyyy format.
+ ms.date: 10/20/2020 #Required; mm/dd/yyyy format.
localization_priority: medium
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
@@ -26,14 +26,14 @@ landingContent:
linkLists:
- linkListType: overview
links:
+ - text: What's new in Windows 10, version 20H2
+ url: /windows/whats-new/whats-new-windows-10-version-20H2
- text: What's new in Windows 10, version 2004
url: /windows/whats-new/whats-new-windows-10-version-2004
- text: What's new in Windows 10, version 1909
url: /windows/whats-new/whats-new-windows-10-version-1909
- - text: What's new in Windows 10, version 1903
- url: /windows/whats-new/whats-new-windows-10-version-1903
- text: Windows 10 release information
- url: https://docs.microsoft.com/windows/release-information/
+ url: https://docs.microsoft.com/windows/release-health/release-information
# Card (optional)
- title: Configuration
@@ -42,7 +42,7 @@ landingContent:
links:
- text: Configure Windows 10
url: /windows/configuration/index
- - text: Accesasibility information for IT Pros
+ - text: Accessibility information for IT Pros
url: /windows/configuration/windows-10-accessibility-for-itpros
- text: Configure access to Microsoft Store
url: /windows/configuration/stop-employees-from-using-microsoft-store
diff --git a/windows/keep-secure/docfx.json b/windows/keep-secure/docfx.json
index 884e478dcb..eecc6e8b2e 100644
--- a/windows/keep-secure/docfx.json
+++ b/windows/keep-secure/docfx.json
@@ -36,7 +36,16 @@
"depot_name": "MSDN.keep-secure",
"folder_relative_path_in_docset": "./"
}
- }
+ },
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
},
"fileMetadata": {},
"template": [],
diff --git a/windows/known-issues/docfx.json b/windows/known-issues/docfx.json
index ebcaf22f82..4592f86de8 100644
--- a/windows/known-issues/docfx.json
+++ b/windows/known-issues/docfx.json
@@ -38,7 +38,16 @@
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
- "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app"
+ "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app",
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
},
"fileMetadata": {},
"template": [],
diff --git a/windows/manage/docfx.json b/windows/manage/docfx.json
index a65600c79b..e96e3ebf76 100644
--- a/windows/manage/docfx.json
+++ b/windows/manage/docfx.json
@@ -35,7 +35,16 @@
"depot_name": "MSDN.windows-manage",
"folder_relative_path_in_docset": "./"
}
- }
+ },
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
},
"fileMetadata": {},
"template": [],
diff --git a/windows/media/phase-diagrams/deployment-phases.png b/windows/media/phase-diagrams/deployment-phases.png
new file mode 100644
index 0000000000..4d2a4fa946
Binary files /dev/null and b/windows/media/phase-diagrams/deployment-phases.png differ
diff --git a/windows/media/phase-diagrams/migration-phases.png b/windows/media/phase-diagrams/migration-phases.png
new file mode 100644
index 0000000000..d502450fba
Binary files /dev/null and b/windows/media/phase-diagrams/migration-phases.png differ
diff --git a/windows/media/phase-diagrams/onboard.png b/windows/media/phase-diagrams/onboard.png
new file mode 100644
index 0000000000..b6a29de3bf
Binary files /dev/null and b/windows/media/phase-diagrams/onboard.png differ
diff --git a/windows/media/phase-diagrams/prepare.png b/windows/media/phase-diagrams/prepare.png
new file mode 100644
index 0000000000..1001e41e0d
Binary files /dev/null and b/windows/media/phase-diagrams/prepare.png differ
diff --git a/windows/media/phase-diagrams/setup.png b/windows/media/phase-diagrams/setup.png
new file mode 100644
index 0000000000..1635785046
Binary files /dev/null and b/windows/media/phase-diagrams/setup.png differ
diff --git a/windows/plan/docfx.json b/windows/plan/docfx.json
index a05d2009a6..d4e156d3c2 100644
--- a/windows/plan/docfx.json
+++ b/windows/plan/docfx.json
@@ -35,7 +35,16 @@
"depot_name": "MSDN.windows-plan",
"folder_relative_path_in_docset": "./"
}
- }
+ },
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
},
"fileMetadata": {},
"template": [],
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
index fc3ba2d75a..d3555a0e8a 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
@@ -13,7 +13,7 @@ manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
audience: ITPro
-ms.date: 03/27/2020
+ms.date: 09/30/2020
ms.reviewer:
---
@@ -33,6 +33,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
+- [Windows 10, version 2004 and Windows 10, version 20H2 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md)
- [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md)
@@ -47,7 +48,7 @@ You can learn more about Windows functional and diagnostic data through these ar
### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount
-This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client.
+This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -81,7 +82,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd
-This event sends compatibility information about a file to help keep Windows up-to-date.
+This event represents the basic metadata about specific application files installed on the system. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -97,7 +98,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove
-This event indicates that the DatasourceApplicationFile object is no longer present.
+This event indicates that the DatasourceApplicationFile object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -108,7 +109,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync
-This event indicates that a new set of DatasourceApplicationFileAdd events will be sent.
+This event indicates that a new set of DatasourceApplicationFileAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -136,7 +137,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove
-This event indicates that the DatasourceDevicePnp object is no longer present.
+This event indicates that the DatasourceDevicePnp object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -147,7 +148,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync
-This event indicates that a new set of DatasourceDevicePnpAdd events will be sent.
+This event indicates that a new set of DatasourceDevicePnpAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -167,7 +168,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageRemove
-This event indicates that the DatasourceDriverPackage object is no longer present.
+This event indicates that the DatasourceDriverPackage object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -178,7 +179,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync
-This event indicates that a new set of DatasourceDriverPackageAdd events will be sent.
+This event indicates that a new set of DatasourceDriverPackageAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -198,7 +199,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove
-This event indicates that the DataSourceMatchingInfoBlock object is no longer present.
+This event indicates that the DataSourceMatchingInfoBlock object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -209,7 +210,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync
-This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent.
+This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events has completed being sent. This event is used to make compatibility decisions about files to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -229,7 +230,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove
-This event indicates that the DataSourceMatchingInfoPassive object is no longer present.
+This event indicates that the DataSourceMatchingInfoPassive object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -240,7 +241,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync
-This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent.
+This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent. This event is used to make compatibility decisions about files to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -260,7 +261,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove
-This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present.
+This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -271,7 +272,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync
-This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent.
+This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -292,7 +293,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove
-This event indicates that the DatasourceSystemBios object is no longer present.
+This event indicates that the DatasourceSystemBios object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -303,7 +304,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync
-This event indicates that a new set of DatasourceSystemBiosAdd events will be sent.
+This event indicates that a new set of DatasourceSystemBiosAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -341,7 +342,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove
-This event indicates that the DecisionApplicationFile object is no longer present.
+This event indicates that the DecisionApplicationFile object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -352,7 +353,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync
-This event indicates that a new set of DecisionApplicationFileAdd events will be sent.
+This event indicates that a new set of DecisionApplicationFileAdd events will be sent. This event is used to make compatibility decisions about a file to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -386,7 +387,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove
-This event indicates that the DecisionDevicePnp object is no longer present.
+This event Indicates that the DecisionDevicePnp object represented by the objectInstanceId is no longer present. This event is used to make compatibility decisions about PNP devices to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -397,7 +398,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync
-This event indicates that the DecisionDevicePnp object is no longer present.
+This event indicates that a new set of DecisionDevicePnpAdd events will be sent. This event is used to make compatibility decisions about PNP devices to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -422,7 +423,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove
-This event indicates that the DecisionDriverPackage object is no longer present.
+This event indicates that the DecisionDriverPackage object represented by the objectInstanceId is no longer present. This event is used to make compatibility decisions about driver packages to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -433,7 +434,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync
-This event indicates that a new set of DecisionDriverPackageAdd events will be sent.
+The DecisionDriverPackageStartSync event indicates that a new set of DecisionDriverPackageAdd events will be sent. This event is used to make compatibility decisions about driver packages to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -459,7 +460,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove
-This event indicates that the DecisionMatchingInfoBlock object is no longer present.
+This event indicates that the DecisionMatchingInfoBlock object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -470,7 +471,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync
-This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent.
+This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -492,7 +493,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove
-This event Indicates that the DecisionMatchingInfoPassive object is no longer present.
+This event Indicates that the DecisionMatchingInfoPassive object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -503,7 +504,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync
-This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent.
+This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -527,7 +528,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove
-This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present.
+This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -538,7 +539,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync
-This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent.
+This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -564,7 +565,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMediaCenterRemove
-This event indicates that the DecisionMediaCenter object is no longer present.
+This event indicates that the DecisionMediaCenter object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -575,7 +576,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMediaCenterStartSync
-This event indicates that a new set of DecisionMediaCenterAdd events will be sent.
+This event indicates that a new set of DecisionMediaCenterAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -597,7 +598,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionSystemBiosRemove
-This event indicates that the DecisionSystemBios object is no longer present.
+This event indicates that the DecisionSystemBios object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -608,7 +609,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync
-This event indicates that a new set of DecisionSystemBiosAdd events will be sent.
+This event indicates that a new set of DecisionSystemBiosAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -619,7 +620,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.EnterpriseScenarioWithDiagTrackServiceRunning
-This event indicates that Appraiser has been triggered to run an enterprise scenario while the DiagTrack service is installed. This event can only be sent if a special flag is used to trigger the enterprise scenario.
+This event indicates that Appraiser has been triggered to run an enterprise scenario while the DiagTrack service is installed. This event can only be sent if a special flag is used to trigger the enterprise scenario. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -643,7 +644,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd
-This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or be part of an antivirus program.
+This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or be part of an antivirus program. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -666,7 +667,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove
-This event indicates that the InventoryApplicationFile object is no longer present.
+This event indicates that the InventoryApplicationFile object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -677,7 +678,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync
-This event indicates that a new set of InventoryApplicationFileAdd events will be sent.
+This event indicates that a new set of InventoryApplicationFileAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -699,7 +700,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove
-This event indicates that the InventoryLanguagePack object is no longer present.
+This event indicates that the InventoryLanguagePack object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -710,7 +711,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync
-This event indicates that a new set of InventoryLanguagePackAdd events will be sent.
+This event indicates that a new set of InventoryLanguagePackAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -737,7 +738,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryMediaCenterRemove
-This event indicates that the InventoryMediaCenter object is no longer present.
+This event indicates that the InventoryMediaCenter object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -748,7 +749,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync
-This event indicates that a new set of InventoryMediaCenterAdd events will be sent.
+This event indicates that a new set of InventoryMediaCenterAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -759,7 +760,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd
-This event sends basic metadata about the BIOS to determine whether it has a compatibility block.
+This event sends basic metadata about the BIOS to determine whether it has a compatibility block. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -772,7 +773,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove
-This event indicates that the InventorySystemBios object is no longer present.
+This event indicates that the InventorySystemBios object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -783,7 +784,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync
-This event indicates that a new set of InventorySystemBiosAdd events will be sent.
+This event indicates that a new set of InventorySystemBiosAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -794,7 +795,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd
-This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade.
+This event runs only during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. It is critical in understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -819,7 +820,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove
-This event indicates that the InventoryUplevelDriverPackage object is no longer present.
+This event indicates that the InventoryUplevelDriverPackage object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -830,7 +831,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync
-This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent.
+This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -841,7 +842,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.RunContext
-This event indicates what should be expected in the data payload.
+This event is sent at the beginning of an appraiser run, the RunContext indicates what should be expected in the following data payload. This event is used with the other Appraiser events to make compatibility decisions to keep Windows up to date.
The following fields are available:
@@ -871,7 +872,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemMemoryRemove
-This event that the SystemMemory object is no longer present.
+This event that the SystemMemory object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -882,7 +883,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemMemoryStartSync
-This event indicates that a new set of SystemMemoryAdd events will be sent.
+This event indicates that a new set of SystemMemoryAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -904,7 +905,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove
-This event indicates that the SystemProcessorCompareExchange object is no longer present.
+This event indicates that the SystemProcessorCompareExchange object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -915,7 +916,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync
-This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent.
+This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -937,7 +938,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove
-This event indicates that the SystemProcessorLahfSahf object is no longer present.
+This event indicates that the SystemProcessorLahfSahf object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -948,7 +949,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync
-This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent.
+This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -971,7 +972,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorNxRemove
-This event indicates that the SystemProcessorNx object is no longer present.
+This event indicates that the SystemProcessorNx object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -982,7 +983,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync
-This event indicates that a new set of SystemProcessorNxAdd events will be sent.
+This event indicates that a new set of SystemProcessorNxAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1004,7 +1005,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWRemove
-This event indicates that the SystemProcessorPrefetchW object is no longer present.
+This event indicates that the SystemProcessorPrefetchW object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1015,7 +1016,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync
-This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent.
+This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1037,7 +1038,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Remove
-This event indicates that the SystemProcessorSse2 object is no longer present.
+This event indicates that the SystemProcessorSse2 object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1048,7 +1049,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync
-This event indicates that a new set of SystemProcessorSse2Add events will be sent.
+This event indicates that a new set of SystemProcessorSse2Add events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1070,7 +1071,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemTouchRemove
-This event indicates that the SystemTouch object is no longer present.
+This event indicates that the SystemTouch object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1081,7 +1082,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemTouchStartSync
-This event indicates that a new set of SystemTouchAdd events will be sent.
+This event indicates that a new set of SystemTouchAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1103,7 +1104,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemWimRemove
-This event indicates that the SystemWim object is no longer present.
+This event indicates that the SystemWim object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1114,7 +1115,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemWimStartSync
-This event indicates that a new set of SystemWimAdd events will be sent.
+This event indicates that a new set of SystemWimAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1136,7 +1137,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove
-This event indicates that the SystemWindowsActivationStatus object is no longer present.
+This event indicates that the SystemWindowsActivationStatus object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1147,7 +1148,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync
-This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent.
+This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1173,7 +1174,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemWlanRemove
-This event indicates that the SystemWlan object is no longer present.
+This event indicates that the SystemWlan object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1184,7 +1185,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemWlanStartSync
-This event indicates that a new set of SystemWlanAdd events will be sent.
+This event indicates that a new set of SystemWlanAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1247,7 +1248,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.WmdrmRemove
-This event indicates that the Wmdrm object is no longer present.
+This event indicates that the Wmdrm object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1258,7 +1259,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.WmdrmStartSync
-This event indicates that a new set of WmdrmAdd events will be sent.
+The WmdrmStartSync event indicates that a new set of WmdrmAdd events will be sent. This event is used to understand the usage of older digital rights management on the system, to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1271,7 +1272,7 @@ The following fields are available:
### Census.App
-This event sends version data about the Apps running on this device, to help keep Windows up to date.
+This event sends version data about the Apps running on this device. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1281,7 +1282,7 @@ The following fields are available:
### Census.Battery
-This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use, type to help keep Windows up to date.
+This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1292,19 +1293,9 @@ The following fields are available:
- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value.
-### Census.Camera
-
-This event sends data about the resolution of cameras on the device, to help keep Windows up to date.
-
-The following fields are available:
-
-- **FrontFacingCameraResolution** Represents the resolution of the front facing camera in megapixels. If a front facing camera does not exist, then the value is 0.
-- **RearFacingCameraResolution** Represents the resolution of the rear facing camera in megapixels. If a rear facing camera does not exist, then the value is 0.
-
-
### Census.Enterprise
-This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of the use and integration of devices in an enterprise, cloud, and server environment.
+This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of the use and integration of devices in an enterprise, cloud, and server environment. The data collected with this event is used to help keep Windows secure.
The following fields are available:
@@ -1321,14 +1312,14 @@ The following fields are available:
- **IsEDPEnabled** Represents if Enterprise data protected on the device.
- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not.
- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID
-- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in a Configuration Manager environment.
+- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise System Center Configuration Manager (SCCM) environment.
- **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier.
### Census.Firmware
-This event sends data about the BIOS and startup embedded in the device, to help keep Windows up to date.
+This event sends data about the BIOS and startup embedded in the device. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1340,7 +1331,7 @@ The following fields are available:
### Census.Flighting
-This event sends Windows Insider data from customers participating in improvement testing and feedback programs, to help keep Windows up to date.
+This event sends Windows Insider data from customers participating in improvement testing and feedback programs. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1355,7 +1346,7 @@ The following fields are available:
### Census.Hardware
-This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support, to help keep Windows up to date.
+This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1391,7 +1382,7 @@ The following fields are available:
### Census.Memory
-This event sends data about the memory on the device, including ROM and RAM, to help keep Windows up to date.
+This event sends data about the memory on the device, including ROM and RAM. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1401,7 +1392,7 @@ The following fields are available:
### Census.Network
-This event sends data about the mobile and cellular network used by the device (mobile service provider, network, device ID, and service cost factors), to help keep Windows up to date.
+This event sends data about the mobile and cellular network used by the device (mobile service provider, network, device ID, and service cost factors). The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1424,7 +1415,7 @@ The following fields are available:
### Census.OS
-This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it is a virtual device, to help keep Windows up to date.
+This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it is a virtual device. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1466,7 +1457,7 @@ The following fields are available:
### Census.Processor
-This event sends data about the processor to help keep Windows up to date.
+This event sends data about the processor. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1482,13 +1473,13 @@ The following fields are available:
### Census.Security
-Provides information on several important data points about security settings.
+This event provides information about security settings. The data collected with this event is used to help keep Windows secure and up to date.
### Census.Speech
-This event is used to gather basic speech settings on the device.
+This event is used to gather basic speech settings on the device. The data collected with this event is used to help keep Windows secure.
The following fields are available:
@@ -1505,7 +1496,7 @@ The following fields are available:
### Census.Storage
-This event sends data about the total capacity of the system volume and primary disk, to help keep Windows up to date.
+This event sends data about the total capacity of the system volume and primary disk. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1516,7 +1507,7 @@ The following fields are available:
### Census.Userdefault
-This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols, to help keep Windows up to date.
+This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1526,7 +1517,7 @@ The following fields are available:
### Census.UserDisplay
-This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system, to help keep Windows up to date.
+This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1548,7 +1539,7 @@ The following fields are available:
### Census.UserNLS
-This event sends data about the default app language, input, and display language preferences set by the user, to help keep Windows up to date.
+This event sends data about the default app language, input, and display language preferences set by the user. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1561,7 +1552,7 @@ The following fields are available:
### Census.VM
-This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to help keep Windows up to date.
+This event sends data indicating whether virtualization is enabled on the device, and its various characteristics. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1574,7 +1565,7 @@ The following fields are available:
### Census.WU
-This event sends data about the Windows update server and other App store policies, to help keep Windows up to date.
+This event sends data about the Windows update server and other App store policies. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1769,7 +1760,7 @@ The following fields are available:
### CbsServicingProvider.CbsCapabilitySessionFinalize
-This event provides information about the results of installing or uninstalling optional Windows content from Windows Update.
+This event provides information about the results of installing or uninstalling optional Windows content from Windows Update. The data collected with this event is used to help keep Windows up to date.
@@ -1868,7 +1859,7 @@ The following fields are available:
### TelClientSynthetic.AuthorizationInfo_RuntimeTransition
-This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect.
+This event is fired by UTC at state transitions to signal what data we are allowed to collect. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -1887,7 +1878,7 @@ The following fields are available:
### TelClientSynthetic.AuthorizationInfo_Startup
-This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect.
+This event is fired by UTC at startup to signal what data we are allowed to collect. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -1906,7 +1897,7 @@ The following fields are available:
### TelClientSynthetic.ConnectivityHeartBeat_0
-This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it sends an event. A Connectivity Heartbeat event is also sent when a device recovers from costed network to free network.
+This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it sends an event. A Connectivity Heartbeat event is also sent when a device recovers from costed network to free network. This event is fired by UTC during periods of no network as a heartbeat signal, to keep Windows secure and up to date.
The following fields are available:
@@ -2168,7 +2159,7 @@ The following fields are available:
### ChecksumDictionary
-The list of values sent by each object type.
+This event provides the list of values sent by each object type. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -2178,7 +2169,7 @@ The following fields are available:
### COMPID
-This event provides a device's internal application compatible ID, a vendor-defined identification that Windows uses to match a device to an INF file. A device can have a list of compatible IDs associated with it.
+This event provides a device's internal application compatible ID, a vendor-defined identification that Windows uses to match a device to an INF file. A device can have a list of compatible IDs associated with it. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -2188,7 +2179,7 @@ The following fields are available:
### HWID
-This event provides a device's internal hardware ID, a vendor-defined identification that Windows uses to match a device to an INF file. In most cases, a device has associated with it a list of hardware IDs.
+This event provides a device's internal hardware ID, a vendor-defined identification that Windows uses to match a device to an INF file. In most cases, a device has associated with it a list of hardware IDs. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -2198,7 +2189,7 @@ The following fields are available:
### InstallDateArpLastModified
-This event indicates the date the add/remove program (ARP) entry was last modified by an update.
+This event indicates the date the add/remove program (ARP) entry was last modified by an update. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -2208,7 +2199,7 @@ The following fields are available:
### InstallDateFromLinkFile
-This event provides the application installation date from the linked file.
+This event provides the application installation date from the linked file. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -2218,7 +2209,7 @@ The following fields are available:
### InstallDateMsi
-The install date from the Microsoft installer (MSI) database.
+This event provides the install date from the Microsoft installer (MSI) database. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -2228,7 +2219,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum
-This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object.
+This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -2254,7 +2245,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions
-This event sends inventory component versions for the Device Inventory data.
+This event sends inventory component versions for the Device Inventory data. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -2266,7 +2257,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.FileSigningInfoAdd
-This event enumerates the signatures of files, either driver packages or application executables. For driver packages, this data is collected on demand via Telecommand to limit it only to unrecognized driver packages, saving time for the client and space on the server. For applications, this data is collected for up to 10 random executables on a system.
+This event enumerates the signatures of files, either driver packages or application executables. For driver packages, this data is collected on demand via Telecommand to limit it only to unrecognized driver packages, saving time for the client and space on the server. For applications, this data is collected for up to 10 random executables on a system. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2283,7 +2274,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd
-This event sends basic metadata about an application on the system to help keep Windows up to date.
+This event sends basic metadata about an application on the system. The data collected with this event is used to keep Windows performing properly and up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2312,31 +2303,31 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd
-This event represents what drivers an application installs.
+This event represents what drivers an application installs. The data collected with this event is used to keep Windows performing properly.
### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync
-The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent.
+The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd
-This event provides the basic metadata about the frameworks an application may depend on.
+This event provides the basic metadata about the frameworks an application may depend on. The data collected with this event is used to keep Windows performing properly.
### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync
-This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent.
+This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove
-This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
+This event indicates that a new set of InventoryDevicePnpAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2347,7 +2338,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync
-This event indicates that a new set of InventoryApplicationAdd events will be sent.
+This event indicates that a new set of InventoryApplicationAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2358,7 +2349,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd
-This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and Play device) to help keep Windows up to date.
+This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and Play device). The data collected with this event is used to help keep Windows up to date and to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2382,7 +2373,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove
-This event indicates that the InventoryDeviceContainer object is no longer present.
+This event indicates that the InventoryDeviceContainer object is no longer present. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2393,7 +2384,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync
-This event indicates that a new set of InventoryDeviceContainerAdd events will be sent.
+This event indicates that a new set of InventoryDeviceContainerAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2404,7 +2395,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd
-This event retrieves information about what sensor interfaces are available on the device.
+This event retrieves information about what sensor interfaces are available on the device. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2433,7 +2424,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync
-This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent.
+This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2444,7 +2435,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd
-This event sends additional metadata about a Plug and Play device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload.
+This event sends additional metadata about a Plug and Play device that is specific to a particular class of devices. The data collected with this event is used to help keep Windows up to date and performing properly while reducing overall size of data payload.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2457,7 +2448,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove
-This event indicates that the InventoryDeviceMediaClassRemove object is no longer present.
+This event indicates that the InventoryDeviceMediaClass object represented by the objectInstanceId is no longer present. This event is used to understand a PNP device that is specific to a particular class of devices. The data collected with this event is used to help keep Windows up to date and performing properly while reducing overall size of data payload.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2468,7 +2459,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync
-This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent.
+This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2477,9 +2468,48 @@ The following fields are available:
- **InventoryVersion** The version of the inventory file generating the events.
+### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd
+
+This event represents the basic metadata about a plug and play (PNP) device and its associated driver.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **Class** The device setup class of the driver loaded for the device.
+- **ClassGuid** The device class unique identifier of the driver package loaded on the device.
+- **COMPID** The list of “Compatible IDs” for this device. See [COMPID](#compid).
+- **ContainerId** The system-supplied unique identifier that specifies which group(s) the device(s) installed on the parent (main) device belong to.
+- **Description** The description of the device.
+- **DeviceState** Identifies the current state of the parent (main) device.
+- **DriverId** The unique identifier for the installed driver.
+- **DriverName** The name of the driver image file.
+- **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage.
+- **DriverVerDate** The date of the driver loaded for the device
+- **DriverVerVersion** The version of the driver loaded for the device
+- **Enumerator** Identifies the bus that enumerated the device.
+- **HWID** A list of hardware IDs for the device. See [HWID](#hwid).
+- **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf).
+- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx
+- **InventoryVersion** The version number of the inventory process generating the events.
+- **LowerClassFilters** The identifiers of the Lower Class filters installed for the device.
+- **LowerFilters** The identifiers of the Lower filters installed for the device.
+- **Manufacturer** The manufacturer of the device.
+- **MatchingID** The Hardware ID or Compatible ID that Windows uses to install a device instance.
+- **Model** Identifies the model of the device.
+- **objectInstanceId** Deprecated. The Device Instance ID of the device (uniquely identifies a device in the system). Example: pci\ven_8086&dev_0085&subsys_13118086&rev_34\4&2dded11c&0&00e1
+- **ParentId** The Device Instance ID of the parent of the device.
+- **ProblemCode** The error code currently returned by the device, if applicable.
+- **Provider** Identifies the device provider.
+- **Service** The name of the device service.
+- **STACKID** The list of hardware IDs for the stack. See [STACKID](#stackid).
+- **UpperClassFilters** The identifiers of the Upper Class filters installed for the device.
+- **UpperFilters** The identifiers of the Upper filters installed for the device.
+
+
### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove
-This event indicates that the InventoryDevicePnpRemove object is no longer present.
+This event indicates that the InventoryDevicePnpRemove object is no longer present. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2490,7 +2520,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync
-This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
+This event indicates that a new set of InventoryDevicePnpAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2501,19 +2531,19 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd
-This event sends basic metadata about the USB hubs on the device.
+This event sends basic metadata about the USB hubs on the device. The data collected with this event is used to keep Windows performing properly.
### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync
-This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent.
+This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd
-This event sends basic metadata about driver binaries running on the system to help keep Windows up to date.
+This event sends basic metadata about driver binaries running on the system. The data collected with this event is used to help keep Windows up to date and performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2540,7 +2570,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove
-This event indicates that the InventoryDriverBinary object is no longer present.
+This event indicates that the InventoryDriverBinary object is no longer present. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2551,7 +2581,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync
-This event indicates that a new set of InventoryDriverBinaryAdd events will be sent.
+This event indicates that a new set of InventoryDriverBinaryAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2562,7 +2592,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd
-This event sends basic metadata about drive packages installed on the system to help keep Windows up to date.
+This event sends basic metadata about drive packages installed on the system. The data collected with this event is used to help keep Windows up to date and performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2581,7 +2611,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove
-This event indicates that the InventoryDriverPackageRemove object is no longer present.
+This event indicates that the InventoryDriverPackageRemove object is no longer present. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2592,7 +2622,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync
-This event indicates that a new set of InventoryDriverPackageAdd events will be sent.
+This event indicates that a new set of InventoryDriverPackageAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2601,9 +2631,17 @@ The following fields are available:
- **InventoryVersion** The version of the inventory file generating the events.
+### Microsoft.Windows.Inventory.General. InventoryMiscellaneousMemorySlotArrayInfoRemove
+
+This event indicates that this particular data object represented by the ObjectInstanceId is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+
+
### Microsoft.Windows.Inventory.General.AppHealthStaticAdd
-This event sends details collected for a specific application on the source device.
+This event sends details collected for a specific application on the source device. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -2630,7 +2668,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.AppHealthStaticStartSync
-This event indicates the beginning of a series of AppHealthStaticAdd events.
+This event indicates the beginning of a series of AppHealthStaticAdd events. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -2642,115 +2680,121 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd
-Invalid variant - Provides data on the installed Office Add-ins
+This event provides data on the installed Office add-ins. The data collected with this event is used to keep Windows performing properly.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove
-Indicates that this particular data object represented by the objectInstanceId is no longer present.
+This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync
-This event indicates that a new sync is being generated for this object type.
+This event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd
-Provides data on the Office identifiers.
+This event provides data on the Office identifiers. The data collected with this event is used to keep Windows performing properly.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync
-Diagnostic event to indicate a new sync is being generated for this object type.
+This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd
-Provides data on Office-related Internet Explorer features.
+This event provides data on Office-related Internet Explorer features. The data collected with this event is used to keep Windows performing properly.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync
-Diagnostic event to indicate a new sync is being generated for this object type.
+This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd
-This event provides insight data on the installed Office products
+This event provides insight data on the installed Office products. The data collected with this event is used to keep Windows performing properly.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove
-Indicates that this particular data object represented by the objectInstanceId is no longer present.
+This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync
-This diagnostic event indicates that a new sync is being generated for this object type.
+This diagnostic event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd
-Describes Office Products installed.
+This event describes all installed Office products. The data collected with this event is used to keep Windows performing properly.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync
-Diagnostic event to indicate a new sync is being generated for this object type.
+This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd
-This event describes various Office settings
+This event describes various Office settings. The data collected with this event is used to keep Windows performing properly.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync
-Indicates a new sync is being generated for this object type.
+This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync
-This event indicates that a new sync is being generated for this object type.
+This event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync
-Diagnostic event to indicate a new sync is being generated for this object type.
+This diagnostic event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd
-Provides data on Unified Update Platform (UUP) products and what version they are at.
+This event provides data on Unified Update Platform (UUP) products and what version they are at. The data collected with this event is used to keep Windows performing properly.
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoRemove
+
+This event indicates that this particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly.
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync
-Diagnostic event to indicate a new sync is being generated for this object type.
+This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
### Microsoft.Windows.Inventory.Indicators.Checksum
-This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events.
+This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -2760,7 +2804,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd
-These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up to date.
+This event represents the basic metadata about the OS indicators installed on the system. The data collected with this event helps ensure the device is up to date and keeps Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2772,7 +2816,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorEndSync
-This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events has been sent.
+This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events has been sent. The data collected with this event helps ensure the device is up to date and keeps Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2780,7 +2824,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove
-This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd that indicates that the item has been removed.
+This event indicates that this particular data object represented by the objectInstanceId is no longer present. This event is used to understand the OS indicators installed on the system. The data collected with this event helps ensure the device is current and Windows is up to date and performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2788,7 +2832,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync
-This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events will be sent.
+This event indicates that this particular data object represented by the objectInstanceId is no longer present. This event is used to understand the OS indicators installed on the system. The data collected with this event helps ensure the device is current and Windows is up to date and performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2796,7 +2840,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
### STACKID
-This event provides the internal compatible ID for the stack.
+This event provides the internal compatible ID for the stack. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -2818,7 +2862,7 @@ The following fields are available:
### Microsoft.Windows.Kernel.BootEnvironment.OsLaunch
-This event includes basic data about the Operating System, collected during Boot and used to evaluate the success of the upgrade process.
+This event includes basic data about the Operating System, collected during Boot and used to evaluate the success of the upgrade process. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -2843,7 +2887,7 @@ The following fields are available:
### Microsoft.Windows.Kernel.Power.OSStateChange
-This event denotes the transition between operating system states (e.g., On, Off, Sleep, etc.). By using this event with Windows Analytics, organizations can use this to help monitor reliability and performance of managed devices.
+This event denotes the transition between operating system states (e.g., On, Off, Sleep, etc.). By using this event with Windows Analytics, organizations can use this to help monitor reliability and performance of managed devices. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -2868,15 +2912,21 @@ The following fields are available:
## Migration events
+### Microsoft.Windows.MigrationCore.MigObjectCountDLUsr
+
+This event returns data to track the count of the migration objects across various phases during feature update. The data collected with this event is used to help keep Windows secure and to track data loss scenarios.
+
+
+
### Microsoft.Windows.MigrationCore.MigObjectCountKFSys
-This event returns data about the count of the migration objects across various phases during feature update.
+This event returns data about the count of the migration objects across various phases during feature update. The data collected with this event is used to help keep Windows secure and to track data loss scenarios.
### Microsoft.Windows.MigrationCore.MigObjectCountKFUsr
-This event returns data to track the count of the migration objects across various phases during feature update.
+This event returns data to track the count of the migration objects across various phases during feature update. The data collected with this event is used to help keep Windows secure and to track data loss scenarios.
@@ -2884,7 +2934,7 @@ This event returns data to track the count of the migration objects across vario
### Microsoft.OneDrive.Sync.Setup.APIOperation
-This event includes basic data about install and uninstall OneDrive API operations.
+This event includes basic data about install and uninstall OneDrive API operations. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -2897,7 +2947,7 @@ The following fields are available:
### Microsoft.OneDrive.Sync.Setup.EndExperience
-This event includes a success or failure summary of the installation.
+This event includes a success or failure summary of the installation. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -2909,7 +2959,7 @@ The following fields are available:
### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation
-This event is related to the OS version when the OS is upgraded with OneDrive installed.
+This event is related to the OS version when the OS is upgraded with OneDrive installed. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -2925,7 +2975,7 @@ The following fields are available:
### Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation
-This event is related to registering or unregistering the OneDrive update task.
+This event is related to registering or unregistering the OneDrive update task. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -2938,7 +2988,7 @@ The following fields are available:
### Microsoft.OneDrive.Sync.Updater.ComponentInstallState
-This event includes basic data about the installation state of dependent OneDrive components.
+This event includes basic data about the installation state of dependent OneDrive components. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -2948,7 +2998,7 @@ The following fields are available:
### Microsoft.OneDrive.Sync.Updater.OfficeRegistration
-This event indicates the status of the OneDrive integration with Microsoft Office.
+This event indicates the status of the OneDrive integration with Microsoft Office. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -2957,7 +3007,7 @@ The following fields are available:
### Microsoft.OneDrive.Sync.Updater.OverlayIconStatus
-This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken
+This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -2967,7 +3017,7 @@ The following fields are available:
### Microsoft.OneDrive.Sync.Updater.RepairResult
-The event determines the result of the installation repair.
+The event determines the result of the installation repair. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -2976,7 +3026,7 @@ The following fields are available:
### Microsoft.OneDrive.Sync.Updater.SetupBinaryDownloadHResult
-This event indicates the status when downloading the OneDrive setup file.
+This event indicates the status when downloading the OneDrive setup file. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -2985,7 +3035,7 @@ The following fields are available:
### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult
-This event sends information describing the result of the update.
+This event sends information describing the result of the update. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -2996,7 +3046,7 @@ The following fields are available:
### Microsoft.OneDrive.Sync.Updater.UpdateTierReg
-This event determines status of the update tier registry values.
+This event determines status of the update tier registry values. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -3006,7 +3056,7 @@ The following fields are available:
### Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult
-This event determines the status when downloading the OneDrive update configuration file.
+This event determines the status when downloading the OneDrive update configuration file. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -3015,7 +3065,7 @@ The following fields are available:
### Microsoft.OneDrive.Sync.Updater.WebConnectionStatus
-This event determines the error code that was returned when verifying Internet connectivity.
+This event determines the error code that was returned when verifying Internet connectivity. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -3026,7 +3076,7 @@ The following fields are available:
### Microsoft.Windows.Shell.PrivacyNotifierLogging.PrivacyNotifierCompleted
-This event returns data to report the efficacy of a single-use tool to inform users impacted by a known issue and to take corrective action to address the issue.
+This event returns data to report the efficacy of a single-use tool to inform users impacted by a known issue and to take corrective action to address the issue. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3043,7 +3093,7 @@ The following fields are available:
### Microsoft.Windows.QualityUpdateAssistant.Applicability
-This event sends basic info on whether the device should be updated to the latest cumulative update.
+This event sends basic info on whether the device should be updated to the latest cumulative update. The data collected with this event is used to help keep Windows up to date and secure.
The following fields are available:
@@ -3055,7 +3105,7 @@ The following fields are available:
### Microsoft.Windows.QualityUpdateAssistant.DeviceReadinessCheck
-This event sends basic info on whether the device is ready to download the latest cumulative update.
+This event sends basic info on whether the device is ready to download the latest cumulative update. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3067,7 +3117,7 @@ The following fields are available:
### Microsoft.Windows.QualityUpdateAssistant.Download
-This event sends basic info when download of the latest cumulative update begins.
+This event sends basic info when download of the latest cumulative update begins. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3079,7 +3129,7 @@ The following fields are available:
### Microsoft.Windows.QualityUpdateAssistant.Install
-This event sends basic info on the result of the installation of the latest cumulative update.
+This event sends basic info on the result of the installation of the latest cumulative update. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3093,7 +3143,7 @@ The following fields are available:
### Microsoft.Windows.Remediation.Applicable
-deny
+This event indicates whether Windows Update sediment remediations need to be applied to the sediment device to keep Windows up to date. A sediment device is one that has been on a previous OS version for an extended period. The remediations address issues on the system that prevent the device from receiving OS updates.
The following fields are available:
@@ -3141,7 +3191,7 @@ The following fields are available:
- **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin.
- **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled.
- **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS.
-- **RemediationShellDeviceSccm** TRUE if the device is managed by Configuration Manager.
+- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager).
- **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely.
- **RemediationTargetMachine** Indicates whether the device is a target of the specified fix.
- **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task.
@@ -3268,7 +3318,7 @@ The following fields are available:
### Microsoft.Windows.Remediation.DiskCleanUnExpectedErrorEvent
-This event indicates that an unexpected error occurred during an update and provides information to help address the issue.
+This event indicates that an unexpected error occurred during an update and provides information to help address the issue. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3282,7 +3332,7 @@ The following fields are available:
### Microsoft.Windows.Remediation.Error
-This event indicates a Sediment Pack error (update stack failure) has been detected and provides information to help address the issue.
+This event indicates a Sediment Pack error (update stack failure) has been detected and provides information to help address the issue. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3293,7 +3343,7 @@ The following fields are available:
### Microsoft.Windows.Remediation.FallbackError
-This event indicates an error when Self Update results in a Fallback and provides information to help address the issue.
+This event indicates an error when Self Update results in a Fallback and provides information to help address the issue. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3303,7 +3353,7 @@ The following fields are available:
### Microsoft.Windows.Remediation.RemediationNotifyUserFixIssuesInvokeUIEvent
-This event occurs when the Notify User task executes and provides information about the cause of the notification.
+This event occurs when the Notify User task executes and provides information about the cause of the notification. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3319,7 +3369,7 @@ The following fields are available:
### Microsoft.Windows.Remediation.RemediationShellFailedAutomaticAppUpdateModifyEventId
-This event provides the modification of the date on which an Automatic App Update scheduled task failed and provides information about the failure.
+This event provides the modification of the date on which an Automatic App Update scheduled task failed and provides information about the failure. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3331,7 +3381,7 @@ The following fields are available:
### Microsoft.Windows.Remediation.RemediationShellUnexpectedExceptionId
-This event identifies the remediation plug-in that returned an unexpected exception and provides information about the exception.
+This event identifies the remediation plug-in that returned an unexpected exception and provides information about the exception. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3343,7 +3393,7 @@ The following fields are available:
### Microsoft.Windows.Remediation.RemediationUHEnableServiceFailed
-This event tracks the health of key update (Remediation) services and whether they are enabled.
+This event tracks the health of key update (Remediation) services and whether they are enabled. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3382,7 +3432,7 @@ The following fields are available:
### Microsoft.Windows.Remediation.Started
-deny
+This event is sent when Windows Update sediment remediations have started on the sediment device to keep Windows up to date. A sediment device is one that has been on a previous OS version for an extended period. The remediations address issues on the system that prevent the device from receiving OS updates.
The following fields are available:
@@ -3452,7 +3502,7 @@ The following fields are available:
### Microsoft.Windows.Sediment.Info.DetailedState
-This event is sent when detailed state information is needed from an update trial run.
+This event is sent when detailed state information is needed from an update trial run. The data collected with this event is used to help keep Windows up to date.
@@ -3473,7 +3523,7 @@ The following fields are available:
### Microsoft.Windows.Sediment.Info.DownloadServiceProgress
-This event indicates the progress of the downloader in 1% increments.
+This event indicates the progress of the downloader in 1% increments. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3574,7 +3624,7 @@ The following fields are available:
### Microsoft.Windows.Sediment.OSRSS.Error
-This event indicates an error occurred in the Operating System Remediation System Service (OSRSS). The information provided helps ensure future upgrade/update attempts are more successful.
+This event indicates an error occurred in the Operating System Remediation System Service (OSRSS). The information provided helps ensure future upgrade/update attempts are more successful. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3637,7 +3687,7 @@ The following fields are available:
### Microsoft.Windows.Sediment.OSRSS.SelfUpdate
-This event returns metadata after Operating System Remediation System Service (OSRSS) successfully replaces itself with a new version.
+This event returns metadata after Operating System Remediation System Service (OSRSS) successfully replaces itself with a new version. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3648,7 +3698,7 @@ The following fields are available:
### Microsoft.Windows.Sediment.OSRSS.UrlState
-This event indicates the state the Operating System Remediation System Service (OSRSS) is in while attempting a download from the URL.
+This event indicates the state the Operating System Remediation System Service (OSRSS) is in while attempting a download from the URL. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3662,7 +3712,7 @@ The following fields are available:
### Microsoft.Windows.Sediment.ServiceInstaller.ApplicabilityCheckFailed
-This event returns data relating to the error state after one of the applicability checks for the installer component of the Operating System Remediation System Service (OSRSS) has failed.
+This event returns data relating to the error state after one of the applicability checks for the installer component of the Operating System Remediation System Service (OSRSS) has failed. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3693,7 +3743,7 @@ The following fields are available:
### Microsoft.Windows.Sediment.ServiceInstaller.Error
-This event indicates an error occurred in the Operating System Remediation System Service (OSRSS). The information provided helps ensure future upgrade/update attempts are more successful.
+This event indicates an error occurred in the Operating System Remediation System Service (OSRSS). The information provided helps ensure future upgrade/update attempts are more successful. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3797,7 +3847,7 @@ The following fields are available:
### Microsoft.Windows.SedimentLauncher.Applicable
-This event is sent when the Windows Update sediment remediations launcher finds that an applicable plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period.
+This event is sent when the Windows Update sediment remediations launcher finds that an applicable plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3813,7 +3863,7 @@ The following fields are available:
### Microsoft.Windows.SedimentLauncher.Completed
-This event is sent when the Windows Update sediment remediations launcher finishes running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period.
+This event is sent when the Windows Update sediment remediations launcher finishes running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3828,7 +3878,7 @@ The following fields are available:
### Microsoft.Windows.SedimentLauncher.Error
-This event indicates an error occurred during the execution of the plug-in. The information provided helps ensure future upgrade/update attempts are more successful.
+This event indicates an error occurred during the execution of the plug-in. The information provided helps ensure future upgrade/update attempts are more successful. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3839,7 +3889,7 @@ The following fields are available:
### Microsoft.Windows.SedimentLauncher.FallbackError
-This event indicates that an error occurred during execution of the plug-in fallback.
+This event indicates that an error occurred during execution of the plug-in fallback. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3848,7 +3898,7 @@ The following fields are available:
### Microsoft.Windows.SedimentLauncher.Information
-This event provides general information returned from the plug-in.
+This event provides general information returned from the plug-in. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3859,7 +3909,7 @@ The following fields are available:
### Microsoft.Windows.SedimentLauncher.Started
-This event is sent when the Windows Update sediment remediations launcher starts running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period.
+This event is sent when the Windows Update sediment remediations launcher starts running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3872,7 +3922,7 @@ The following fields are available:
### Microsoft.Windows.SedimentLauncher.wilResult
-This event provides the result from the Windows internal library.
+This event provides the result from the Windows internal library. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3897,7 +3947,7 @@ The following fields are available:
### Microsoft.Windows.SedimentService.Applicable
-This event is sent when the Windows Update sediment remediations service finds that an applicable plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period.
+This event is sent when the Windows Update sediment remediations service finds that an applicable plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3913,7 +3963,7 @@ The following fields are available:
### Microsoft.Windows.SedimentService.Completed
-This event is sent when the Windows Update sediment remediations service finishes running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period.
+This event is sent when the Windows Update sediment remediations service finishes running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3935,7 +3985,7 @@ The following fields are available:
### Microsoft.Windows.SedimentService.Error
-This event indicates whether an error condition occurred in the plug-in.
+This event indicates whether an error condition occurred in the plug-in. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3946,7 +3996,7 @@ The following fields are available:
### Microsoft.Windows.SedimentService.FallbackError
-This event indicates whether an error occurred for a fallback in the plug-in.
+This event indicates whether an error occurred for a fallback in the plug-in. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3955,7 +4005,7 @@ The following fields are available:
### Microsoft.Windows.SedimentService.Information
-This event provides general information returned from the plug-in.
+This event provides general information returned from the plug-in. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3966,7 +4016,7 @@ The following fields are available:
### Microsoft.Windows.SedimentService.Started
-This event is sent when the Windows Update sediment remediations service starts running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period.
+This event is sent when the Windows Update sediment remediations service starts running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3979,7 +4029,7 @@ The following fields are available:
### Microsoft.Windows.SedimentService.wilResult
-This event provides the result from the Windows internal library.
+This event provides the result from the Windows internal library. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -4070,7 +4120,7 @@ The following fields are available:
### wilActivity
-This event provides a Windows Internal Library context used for Product and Service diagnostics.
+This event provides a Windows Internal Library context used for Product and Service diagnostics. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -4095,7 +4145,7 @@ The following fields are available:
### wilResult
-This event provides a Windows Internal Library context used for Product and Service diagnostics.
+This event provides a Windows Internal Library context used for Product and Service diagnostics. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -4122,19 +4172,19 @@ The following fields are available:
### SIHEngineTelemetry.EvalApplicability
-This event is sent when targeting logic is evaluated to determine if a device is eligible for a given action.
+This event is sent when targeting logic is evaluated to determine if a device is eligible for a given action. The data collected with this event is used to help keep Windows up to date.
### SIHEngineTelemetry.ExecuteAction
-This event is triggered with SIH attempts to execute (e.g. install) the update or action in question. Includes important information like if the update required a reboot.
+This event is triggered with SIH attempts to execute (e.g. install) the update or action in question. Includes important information like if the update required a reboot. The data collected with this event is used to help keep Windows up to date.
### SIHEngineTelemetry.PostRebootReport
-This event reports the status of an action following a reboot, should one have been required.
+This event reports the status of an action following a reboot, should one have been required. The data collected with this event is used to help keep Windows up to date.
@@ -4142,7 +4192,7 @@ This event reports the status of an action following a reboot, should one have b
### SoftwareUpdateClientTelemetry.CheckForUpdates
-This event sends tracking data about the software distribution client check for content that is applicable to a device, to help keep Windows up to date
+This event sends tracking data about the software distribution client check for content that is applicable to a device, to help keep Windows up to date.
The following fields are available:
@@ -4339,7 +4389,7 @@ The following fields are available:
### SoftwareUpdateClientTelemetry.DownloadCheckpoint
-This event provides a checkpoint between each of the Windows Update download phases for UUP content
+This event provides a checkpoint between each of the Windows Update download phases for UUP content. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -4361,7 +4411,7 @@ The following fields are available:
### SoftwareUpdateClientTelemetry.DownloadHeartbeat
-This event allows tracking of ongoing downloads and contains data to explain the current state of the download
+This event allows tracking of ongoing downloads and contains data to explain the current state of the download. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -4466,7 +4516,7 @@ The following fields are available:
### SoftwareUpdateClientTelemetry.SLSDiscovery
-This event sends data about the ability of Windows to discover the location of a backend server with which it must connect to perform updates or content acquisition, in order to determine disruptions in availability of update services and provide context for Windows Update errors.
+This event sends data about the ability of Windows to discover the location of a backend server with which it must connect to perform updates or content acquisition, in order to determine disruptions in availability of update services and provide context for Windows Update errors. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -4482,7 +4532,7 @@ The following fields are available:
### SoftwareUpdateClientTelemetry.UpdateDetected
-This event sends data about an AppX app that has been updated from the Microsoft Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates.
+This event sends data about an AppX app that has been updated from the Microsoft Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -4497,7 +4547,7 @@ The following fields are available:
### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity
-This event identifies whether updates have been tampered with and protects against man-in-the-middle attacks.
+This event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -4529,7 +4579,7 @@ The following fields are available:
### Microsoft.Windows.UpdateAssistant.Orchestrator.BlockingEventId
-The event sends basic info on the reason that Windows 10 was not updated due to compatibility issues, previous rollbacks, or admin policies.
+The event sends basic info on the reason that Windows 10 was not updated due to compatibility issues, previous rollbacks, or admin policies. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -4540,7 +4590,7 @@ The following fields are available:
- **DeviceIsMdmManaged** This device is MDM managed.
- **IsNetworkAvailable** If the device network is not available.
- **IsNetworkMetered** If network is metered.
-- **IsSccmManaged** This device is managed by Configuration Manager.
+- **IsSccmManaged** This device is SCCM managed.
- **NewlyInstalledOs** OS is newly installed quiet period.
- **PausedByPolicy** Updates are paused by policy.
- **RecoveredFromRS3** Previously recovered from RS3.
@@ -4553,7 +4603,7 @@ The following fields are available:
### Microsoft.Windows.UpdateAssistant.Orchestrator.DeniedLaunchEventId
-The event sends basic info when a device was blocked or prevented from updating to the latest Windows 10 version.
+The event sends basic info when a device was blocked or prevented from updating to the latest Windows 10 version. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -4564,7 +4614,7 @@ The following fields are available:
### Microsoft.Windows.UpdateAssistant.Orchestrator.FailedLaunchEventId
-Event to mark that Update Assistant Orchestrator failed to launch Update Assistant.
+This event indicates that Update Assistant Orchestrator failed to launch Update Assistant. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -4575,7 +4625,7 @@ The following fields are available:
### Microsoft.Windows.UpdateAssistant.Orchestrator.FailedOneSettingsQueryEventId
-Event indicating One Settings was not queried by update assistant.
+This event indicates that One Settings was not queried by update assistant. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -4585,7 +4635,7 @@ The following fields are available:
### Microsoft.Windows.UpdateAssistant.Orchestrator.LaunchEventId
-This event sends basic information on whether the device should be updated to the latest Windows 10 version.
+This event sends basic information on whether the device should be updated to the latest Windows 10 version. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -4599,7 +4649,7 @@ The following fields are available:
### Microsoft.Windows.UpdateAssistant.Orchestrator.RestoreEventId
-The event sends basic info on whether the Windows 10 update notification has previously launched.
+The event sends basic info on whether the Windows 10 update notification has previously launched. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -4612,7 +4662,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgent_DownloadRequest
-This event sends data during the download request phase of updating Windows.
+This event sends data during the download request phase of updating Windows. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -4639,7 +4689,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgent_FellBackToCanonical
-This event collects information when Express could not be used, and the update had to fall back to “canonical” during the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop.
+This event collects information when Express could not be used, and the update had to fall back to “canonical” during the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -4655,7 +4705,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgent_Initialize
-This event sends data during the initialize phase of updating Windows.
+This event sends data during the initialize phase of updating Windows. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -4673,7 +4723,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgent_Install
-This event sends data during the install phase of updating Windows.
+This event sends data during the install phase of updating Windows. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -4689,7 +4739,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgent_Merge
-This event sends data on the merge phase when updating Windows.
+This event sends data on the merge phase when updating Windows. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -4705,7 +4755,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgent_ModeStart
-This event sends data for the start of each mode during the process of updating Windows.
+This event sends data for the start of each mode during the process of updating Windows. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -4720,7 +4770,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgent_SetupBoxLaunch
-This event sends data during the launching of the setup box when updating Windows.
+This event sends data during the launching of the setup box when updating Windows. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -4737,7 +4787,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentCommit
-This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop.
+This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -4753,7 +4803,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentDownloadRequest
-This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile.
+This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -4784,7 +4834,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentExpand
-This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop.
+This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -4804,7 +4854,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentInitialize
-This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile.
+This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -4822,7 +4872,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentInstall
-This event sends data for the install phase of updating Windows.
+This event sends data for the install phase of updating Windows. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -4838,7 +4888,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentMitigationResult
-This event sends data indicating the result of each update agent mitigation.
+This event sends data indicating the result of each update agent mitigation. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -4864,13 +4914,13 @@ The following fields are available:
### Update360Telemetry.UpdateAgentMitigationSummary
-This event sends a summary of all the update agent mitigations available for an this update.
+This event sends a summary of all the update agent mitigations available for an this update. The data collected with this event is used to help keep Windows secure and up to date.
### Update360Telemetry.UpdateAgentModeStart
-This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile.
+This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -4886,13 +4936,13 @@ The following fields are available:
### Update360Telemetry.UpdateAgentOneSettings
-This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop.
+This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date.
### Update360Telemetry.UpdateAgentSetupBoxLaunch
-The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs.
+The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -4921,13 +4971,13 @@ This event indicates whether devices received additional or critical supplementa
### FacilitatorTelemetry.DUDownload
-This event returns data about the download of supplemental packages critical to upgrading a device to the next version of Windows.
+This event returns data about the download of supplemental packages critical to upgrading a device to the next version of Windows. The data collected with this event is used to help keep Windows secure and up to date.
### FacilitatorTelemetry.InitializeDU
-This event determines whether devices received additional or critical supplemental content during an OS upgrade.
+This event determines whether devices received additional or critical supplemental content during an OS upgrade. The data collected with this event is used to help keep Windows secure and up to date.
@@ -4975,7 +5025,7 @@ The following fields are available:
### Setup360Telemetry.OsUninstall
-This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, it indicates the outcome of an OS uninstall.
+This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, it indicates the outcome of an OS uninstall. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5122,19 +5172,19 @@ This event helps determine whether the device received supplemental content duri
### Setup360Telemetry.Setup360MitigationResult
-This event sends data indicating the result of each setup mitigation.
+This event sends data indicating the result of each setup mitigation. The data collected with this event is used to help keep Windows secure and up to date.
### Setup360Telemetry.Setup360MitigationSummary
-This event sends a summary of all the setup mitigations available for this update.
+This event sends a summary of all the setup mitigations available for this update. The data collected with this event is used to help keep Windows secure and up to date.
### Setup360Telemetry.Setup360OneSettings
-This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop.
+This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date.
@@ -5222,7 +5272,7 @@ The following fields are available:
### Microsoft.Windows.Store.Partner.ReportApplication
-Report application event for Microsoft Store client.
+This is report application event for Microsoft Store client. The data collected with this event is used to help keep Windows up to date and secure.
@@ -5635,7 +5685,7 @@ The following fields are available:
### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled
-This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads.
+This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -5660,7 +5710,7 @@ The following fields are available:
### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted
-This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads.
+This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -5699,7 +5749,7 @@ The following fields are available:
### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused
-This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads.
+This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -5717,7 +5767,7 @@ The following fields are available:
### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted
-This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads.
+This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -5749,7 +5799,7 @@ The following fields are available:
### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication
-This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads.
+This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -5770,7 +5820,7 @@ The following fields are available:
### Microsoft.OSG.DU.DeliveryOptClient.JobError
-This event represents a Windows Update job error. It allows for investigation of top errors.
+This event represents a Windows Update job error. It allows for investigation of top errors. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -5826,7 +5876,7 @@ The following fields are available:
### Microsoft.Windows.Update.NotificationUx.DialogNotificationToBeDisplayed
-This event indicates that a notification dialog box is about to be displayed to user.
+This event indicates that a notification dialog box is about to be displayed to user. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5850,7 +5900,7 @@ The following fields are available:
### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootAcceptAutoDialog
-This event indicates that the Enhanced Engaged restart "accept automatically" dialog box was displayed.
+This event indicates that the Enhanced Engaged restart "accept automatically" dialog box was displayed. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5865,7 +5915,7 @@ The following fields are available:
### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootFirstReminderDialog
-This event indicates that the Enhanced Engaged restart "first reminder" dialog box was displayed.
+This event indicates that the Enhanced Engaged restart "first reminder" dialog box was displayed. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5880,7 +5930,7 @@ The following fields are available:
### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootForcedPrecursorDialog
-This event indicates that the Enhanced Engaged restart "forced precursor" dialog box was displayed.
+This event indicates that the Enhanced Engaged restart "forced precursor" dialog box was displayed. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5895,7 +5945,7 @@ The following fields are available:
### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootForcedWarningDialog
-This event indicates that the Enhanced Engaged "forced warning" dialog box was displayed.
+This event indicates that the Enhanced Engaged "forced warning" dialog box was displayed. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5910,7 +5960,7 @@ The following fields are available:
### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootFailedDialog
-This event indicates that the Enhanced Engaged restart "restart failed" dialog box was displayed.
+This event indicates that the Enhanced Engaged restart "restart failed" dialog box was displayed. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5925,7 +5975,7 @@ The following fields are available:
### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootImminentDialog
-This event indicates that the Enhanced Engaged restart "restart imminent" dialog box was displayed.
+This event indicates that the Enhanced Engaged restart "restart imminent" dialog box was displayed. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5940,7 +5990,7 @@ The following fields are available:
### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootSecondReminderDialog
-This event indicates that the second reminder dialog box was displayed for Enhanced Engaged restart.
+This event indicates that the second reminder dialog box was displayed for Enhanced Engaged restart. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5955,7 +6005,7 @@ The following fields are available:
### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootThirdReminderDialog
-This event indicates that the third reminder dialog box for Enhanced Engaged restart was displayed.
+This event indicates that the third reminder dialog box for Enhanced Engaged restart was displayed. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5970,7 +6020,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.CommitFailed
-This event indicates that a device was unable to restart after an update.
+This event indicates that a device was unable to restart after an update. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5980,7 +6030,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.DeferRestart
-This event indicates that a restart required for installing updates was postponed.
+This event indicates that a restart required for installing updates was postponed. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5991,7 +6041,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.Detection
-This event indicates that a scan for a Windows Update occurred.
+This event sends launch data for a Windows Update scan to help keep Windows secure and up to date.
The following fields are available:
@@ -6010,7 +6060,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.Download
-This event sends launch data for a Windows Update download to help keep Windows up to date.
+This event sends launch data for a Windows Update download to help keep Windows secure and up to date.
The following fields are available:
@@ -6028,7 +6078,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.FlightInapplicable
-This event sends data on whether the update was applicable to the device, to help keep Windows up to date.
+This event sends data on whether the update was applicable to the device. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6043,7 +6093,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.InitiatingReboot
-This event sends data about an Orchestrator requesting a reboot from power management to help keep Windows up to date.
+This event sends data about an Orchestrator requesting a reboot from power management to help keep Windows secure and up to date.
The following fields are available:
@@ -6060,7 +6110,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.Install
-This event sends launch data for a Windows Update install to help keep Windows up to date.
+This event sends launch data for a Windows Update install to help keep Windows secure and up to date.
The following fields are available:
@@ -6085,7 +6135,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.LowUptimes
-This event is sent if a device is identified as not having sufficient uptime to reliably process updates in order to keep secure.
+This event is sent if a device is identified as not having sufficient uptime to reliably process updates in order to keep secure. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6097,7 +6147,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.OneshotUpdateDetection
-This event returns data about scans initiated through settings UI, or background scans that are urgent; to help keep Windows up to date.
+This event returns data about scans initiated through settings UI, or background scans that are urgent; to help keep Windows secure and up to date.
The following fields are available:
@@ -6109,7 +6159,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.PostInstall
-This event sends data about lite stack devices (mobile, IOT, anything non-PC) immediately before data migration is launched to help keep Windows up to date.
+This event sends data about lite stack devices (mobile, IOT, anything non-PC) immediately before data migration is launched to help keep Windows secure and up to date.
The following fields are available:
@@ -6125,7 +6175,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.PowerMenuOptionsChanged
-This event is sent when the options in power menu changed, usually due to an update pending reboot, or after a update is installed.
+This event is sent when the options in power menu changed, usually due to an update pending reboot, or after a update is installed. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6137,7 +6187,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.PreShutdownStart
-This event is generated before the shutdown and commit operations.
+This event is generated before the shutdown and commit operations. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6146,7 +6196,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.RebootFailed
-This event sends information about whether an update required a reboot and reasons for failure, to help keep Windows up to date.
+This event sends information about whether an update required a reboot and reasons for failure, to help keep Windows secure and up to date.
The following fields are available:
@@ -6166,7 +6216,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.RefreshSettings
-This event sends basic data about the version of upgrade settings applied to the system to help keep Windows up to date.
+This event sends basic data about the version of upgrade settings applied to the system to help keep Windows secure and up to date.
The following fields are available:
@@ -6178,7 +6228,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask
-This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date.
+This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows secure and up to date.
The following fields are available:
@@ -6190,7 +6240,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.SystemNeeded
-This event sends data about why a device is unable to reboot, to help keep Windows up to date.
+This event sends data about why a device is unable to reboot, to help keep Windows secure and up to date.
The following fields are available:
@@ -6206,7 +6256,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh
-This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows up to date.
+This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows secure and up to date.
The following fields are available:
@@ -6219,7 +6269,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.UpdateRebootRequired
-This event sends data about whether an update required a reboot to help keep Windows up to date.
+This event sends data about whether an update required a reboot to help keep Windows secure and up to date.
The following fields are available:
@@ -6234,7 +6284,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.updateSettingsFlushFailed
-This event sends information about an update that encountered problems and was not able to complete.
+This event sends information about an update that encountered problems and was not able to complete. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6244,7 +6294,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.USODiagnostics
-This event sends data on whether the state of the update attempt, to help keep Windows up to date.
+This event sends data on whether the state of the update attempt, to help keep Windows secure and up to date.
The following fields are available:
@@ -6257,7 +6307,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.UsoSession
-This event represents the state of the USO service at start and completion.
+This event represents the state of the USO service at start and completion. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6293,7 +6343,7 @@ The following fields are available:
### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState
-This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot.
+This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6315,7 +6365,7 @@ The following fields are available:
### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded
-This event is sent when a security update has successfully completed.
+This event is sent when a security update has successfully completed. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6324,7 +6374,7 @@ The following fields are available:
### Microsoft.Windows.Update.Ux.MusNotification.RebootScheduled
-This event sends data about a required reboot that is scheduled with no user interaction, to help keep Windows up to date.
+This event sends basic information about scheduling an update-related reboot, to get security updates and to help keep Windows secure and up to date.
The following fields are available:
@@ -6342,7 +6392,7 @@ The following fields are available:
### Microsoft.Windows.Update.Ux.MusNotification.ToastDisplayedToScheduleReboot
-This event is sent when a toast notification is shown to the user about scheduling a device restart.
+This event is sent when a toast notification is shown to the user about scheduling a device restart. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6351,7 +6401,7 @@ The following fields are available:
### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled
-This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up to date.
+This event sends basic information for scheduling a device restart to install security updates. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6371,7 +6421,7 @@ The following fields are available:
### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages
-This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates.
+This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6395,7 +6445,7 @@ The following fields are available:
### Mitigation360Telemetry.MitigationCustom.FixupEditionId
-This event sends data specific to the FixupEditionId mitigation used for OS Updates.
+This event sends data specific to the FixupEditionId mitigation used for OS Updates. The data collected with this event is used to help keep Windows secure and up to date.
@@ -6403,25 +6453,25 @@ This event sends data specific to the FixupEditionId mitigation used for OS Upda
### Microsoft.Windows.UpdateReserveManager.CommitPendingHardReserveAdjustment
-This event is sent when the Update Reserve Manager commits a hard reserve adjustment that was pending.
+This event is sent when the Update Reserve Manager commits a hard reserve adjustment that was pending. The data collected with this event is used to help keep Windows secure and up to date.
### Microsoft.Windows.UpdateReserveManager.InitializeUpdateReserveManager
-This event returns data about the Update Reserve Manager, including whether it’s been initialized.
+This event returns data about the Update Reserve Manager, including whether it’s been initialized. The data collected with this event is used to help keep Windows secure and up to date.
### Microsoft.Windows.UpdateReserveManager.RemovePendingHardReserveAdjustment
-This event is sent when the Update Reserve Manager removes a pending hard reserve adjustment.
+This event is sent when the Update Reserve Manager removes a pending hard reserve adjustment. The data collected with this event is used to help keep Windows secure and up to date.
### Microsoft.Windows.UpdateReserveManager.UpdatePendingHardReserveAdjustment
-This event is sent when the Update Reserve Manager needs to adjust the size of the hard reserve after the option content is installed.
+This event is sent when the Update Reserve Manager needs to adjust the size of the hard reserve after the option content is installed. The data collected with this event is used to help keep Windows secure and up to date.
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
index 6c91cf051e..2be76e6660 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
@@ -13,7 +13,7 @@ manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
audience: ITPro
-ms.date: 03/27/2020
+ms.date: 09/30/2020
ms.reviewer:
---
@@ -33,6 +33,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
+- [Windows 10, version 2004 and Windows 10, version 20H2 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md)
- [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md)
@@ -47,7 +48,7 @@ You can learn more about Windows functional and diagnostic data through these ar
### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount
-Invalid Signature - This event is superseded by an event that contains additional fields.
+This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -89,7 +90,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd
-Represents the basic metadata about specific application files installed on the system.
+This event represents the basic metadata about specific application files installed on the system. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -107,7 +108,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove
-This event indicates that the DatasourceApplicationFile object is no longer present.
+This event indicates that the DatasourceApplicationFile object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -118,7 +119,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync
-This event indicates that a new set of DatasourceApplicationFileAdd events will be sent.
+This event indicates that a new set of DatasourceApplicationFileAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -145,7 +146,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove
-This event indicates that the DatasourceDevicePnp object is no longer present.
+This event indicates that the DatasourceDevicePnp object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -156,7 +157,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync
-This event indicates that a new set of DatasourceDevicePnpAdd events will be sent.
+This event indicates that a new set of DatasourceDevicePnpAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -178,7 +179,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageRemove
-This event indicates that the DatasourceDriverPackage object is no longer present.
+This event indicates that the DatasourceDriverPackage object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -189,7 +190,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync
-This event indicates that a new set of DatasourceDriverPackageAdd events will be sent.
+This event indicates that a new set of DatasourceDriverPackageAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -211,7 +212,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove
-This event indicates that the DataSourceMatchingInfoBlock object is no longer present.
+This event indicates that the DataSourceMatchingInfoBlock object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -222,7 +223,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync
-This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent.
+This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events has completed being sent. This event is used to make compatibility decisions about files to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -244,7 +245,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove
-This event indicates that the DataSourceMatchingInfoPassive object is no longer present.
+This event indicates that the DataSourceMatchingInfoPassive object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -255,7 +256,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync
-This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent.
+This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent. This event is used to make compatibility decisions about files to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -277,7 +278,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove
-This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present.
+This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -288,7 +289,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync
-This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent.
+This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -310,7 +311,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove
-This event indicates that the DatasourceSystemBios object is no longer present.
+This event indicates that the DatasourceSystemBios object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -321,7 +322,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync
-This event indicates that a new set of DatasourceSystemBiosAdd events will be sent.
+This event indicates that a new set of DatasourceSystemBiosAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -361,7 +362,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove
-This event indicates that the DecisionApplicationFile object is no longer present.
+This event indicates that the DecisionApplicationFile object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -372,7 +373,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync
-This event indicates that a new set of DecisionApplicationFileAdd events will be sent.
+This event indicates that a new set of DecisionApplicationFileAdd events will be sent. This event is used to make compatibility decisions about a file to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -409,7 +410,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove
-This event indicates that the DecisionDevicePnp object is no longer present.
+This event Indicates that the DecisionDevicePnp object represented by the objectInstanceId is no longer present. This event is used to make compatibility decisions about PNP devices to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -420,7 +421,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync
-The DecisionDevicePnpStartSync event indicates that a new set of DecisionDevicePnpAdd events will be sent.
+This event indicates that a new set of DecisionDevicePnpAdd events will be sent. This event is used to make compatibility decisions about PNP devices to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -447,7 +448,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove
-This event indicates that the DecisionDriverPackage object is no longer present.
+This event indicates that the DecisionDriverPackage object represented by the objectInstanceId is no longer present. This event is used to make compatibility decisions about driver packages to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -458,7 +459,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync
-This event indicates that a new set of DecisionDriverPackageAdd events will be sent.
+The DecisionDriverPackageStartSync event indicates that a new set of DecisionDriverPackageAdd events will be sent. This event is used to make compatibility decisions about driver packages to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -486,7 +487,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove
-This event indicates that the DecisionMatchingInfoBlock object is no longer present.
+This event indicates that the DecisionMatchingInfoBlock object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -497,7 +498,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync
-This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent.
+This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -521,7 +522,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove
-This event Indicates that the DecisionMatchingInfoPassive object is no longer present.
+This event Indicates that the DecisionMatchingInfoPassive object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -532,7 +533,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync
-This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent.
+This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -558,7 +559,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove
-This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present.
+This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -569,7 +570,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync
-This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent.
+This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -597,7 +598,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMediaCenterRemove
-This event indicates that the DecisionMediaCenter object is no longer present.
+This event indicates that the DecisionMediaCenter object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -608,7 +609,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMediaCenterStartSync
-This event indicates that a new set of DecisionMediaCenterAdd events will be sent.
+This event indicates that a new set of DecisionMediaCenterAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -633,7 +634,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionSystemBiosRemove
-This event indicates that the DecisionSystemBios object is no longer present.
+This event indicates that the DecisionSystemBios object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -644,7 +645,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync
-This event indicates that a new set of DecisionSystemBiosAdd events will be sent.
+This event indicates that a new set of DecisionSystemBiosAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -669,7 +670,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd
-This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or be part of an antivirus program.
+This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or be part of an antivirus program. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -698,7 +699,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove
-This event indicates that the InventoryApplicationFile object is no longer present.
+This event indicates that the InventoryApplicationFile object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -709,7 +710,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync
-This event indicates that a new set of InventoryApplicationFileAdd events will be sent.
+This event indicates that a new set of InventoryApplicationFileAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -733,7 +734,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove
-This event indicates that the InventoryLanguagePack object is no longer present.
+This event indicates that the InventoryLanguagePack object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -744,7 +745,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync
-This event indicates that a new set of InventoryLanguagePackAdd events will be sent.
+This event indicates that a new set of InventoryLanguagePackAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -773,7 +774,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryMediaCenterRemove
-This event indicates that the InventoryMediaCenter object is no longer present.
+This event indicates that the InventoryMediaCenter object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -784,7 +785,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync
-This event indicates that a new set of InventoryMediaCenterAdd events will be sent.
+This event indicates that a new set of InventoryMediaCenterAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -795,7 +796,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd
-This event sends basic metadata about the BIOS to determine whether it has a compatibility block.
+This event sends basic metadata about the BIOS to determine whether it has a compatibility block. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -810,7 +811,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove
-This event indicates that the InventorySystemBios object is no longer present.
+This event indicates that the InventorySystemBios object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -821,7 +822,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync
-This event indicates that a new set of InventorySystemBiosAdd events will be sent.
+This event indicates that a new set of InventorySystemBiosAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -832,7 +833,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd
-This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade.
+This event runs only during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. It is critical in understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -857,7 +858,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove
-This event indicates that the InventoryUplevelDriverPackage object is no longer present.
+This event indicates that the InventoryUplevelDriverPackage object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -868,7 +869,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync
-This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent.
+This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -879,7 +880,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.RunContext
-This event indicates what should be expected in the data payload.
+This event is sent at the beginning of an appraiser run, the RunContext indicates what should be expected in the following data payload. This event is used with the other Appraiser events to make compatibility decisions to keep Windows up to date.
The following fields are available:
@@ -912,7 +913,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemMemoryRemove
-This event that the SystemMemory object is no longer present.
+This event that the SystemMemory object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -923,7 +924,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemMemoryStartSync
-This event indicates that a new set of SystemMemoryAdd events will be sent.
+This event indicates that a new set of SystemMemoryAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -947,7 +948,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove
-This event indicates that the SystemProcessorCompareExchange object is no longer present.
+This event indicates that the SystemProcessorCompareExchange object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -958,7 +959,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync
-This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent.
+This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -982,7 +983,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove
-This event indicates that the SystemProcessorLahfSahf object is no longer present.
+This event indicates that the SystemProcessorLahfSahf object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -993,7 +994,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync
-This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent.
+This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1018,7 +1019,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorNxRemove
-This event indicates that the SystemProcessorNx object is no longer present.
+This event indicates that the SystemProcessorNx object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1029,7 +1030,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync
-This event indicates that a new set of SystemProcessorNxAdd events will be sent.
+This event indicates that a new set of SystemProcessorNxAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1053,7 +1054,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWRemove
-This event indicates that the SystemProcessorPrefetchW object is no longer present.
+This event indicates that the SystemProcessorPrefetchW object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1064,7 +1065,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync
-This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent.
+This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1088,7 +1089,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Remove
-This event indicates that the SystemProcessorSse2 object is no longer present.
+This event indicates that the SystemProcessorSse2 object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1099,7 +1100,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync
-This event indicates that a new set of SystemProcessorSse2Add events will be sent.
+This event indicates that a new set of SystemProcessorSse2Add events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1123,7 +1124,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemTouchRemove
-This event indicates that the SystemTouch object is no longer present.
+This event indicates that the SystemTouch object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1134,7 +1135,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemTouchStartSync
-This event indicates that a new set of SystemTouchAdd events will be sent.
+This event indicates that a new set of SystemTouchAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1158,7 +1159,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemWimRemove
-This event indicates that the SystemWim object is no longer present.
+This event indicates that the SystemWim object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1169,7 +1170,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemWimStartSync
-This event indicates that a new set of SystemWimAdd events will be sent.
+This event indicates that a new set of SystemWimAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1193,7 +1194,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove
-This event indicates that the SystemWindowsActivationStatus object is no longer present.
+This event indicates that the SystemWindowsActivationStatus object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1204,7 +1205,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync
-This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent.
+This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1232,7 +1233,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemWlanRemove
-This event indicates that the SystemWlan object is no longer present.
+This event indicates that the SystemWlan object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1243,7 +1244,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemWlanStartSync
-This event indicates that a new set of SystemWlanAdd events will be sent.
+This event indicates that a new set of SystemWlanAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1306,7 +1307,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.WmdrmRemove
-This event indicates that the Wmdrm object is no longer present.
+This event indicates that the Wmdrm object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1317,7 +1318,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.WmdrmStartSync
-This event indicates that a new set of WmdrmAdd events will be sent.
+The WmdrmStartSync event indicates that a new set of WmdrmAdd events will be sent. This event is used to understand the usage of older digital rights management on the system, to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1330,7 +1331,7 @@ The following fields are available:
### Census.App
-This event sends version data about the Apps running on this device, to help keep Windows up to date.
+This event sends version data about the Apps running on this device. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1348,7 +1349,7 @@ The following fields are available:
### Census.Battery
-This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use, type to help keep Windows up to date.
+This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1359,19 +1360,9 @@ The following fields are available:
- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value.
-### Census.Camera
-
-This event sends data about the resolution of cameras on the device, to help keep Windows up to date.
-
-The following fields are available:
-
-- **FrontFacingCameraResolution** Represents the resolution of the front facing camera in megapixels. If a front facing camera does not exist, then the value is 0.
-- **RearFacingCameraResolution** Represents the resolution of the rear facing camera in megapixels. If a rear facing camera does not exist, then the value is 0.
-
-
### Census.Enterprise
-This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of the use and integration of devices in an enterprise, cloud, and server environment.
+This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of the use and integration of devices in an enterprise, cloud, and server environment. The data collected with this event is used to help keep Windows secure.
The following fields are available:
@@ -1389,14 +1380,14 @@ The following fields are available:
- **IsEDPEnabled** Represents if Enterprise data protected on the device.
- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not.
- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID
-- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in a Configuration Manager environment.
-- **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
-- **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier
+- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment.
+- **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
+- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier
### Census.Firmware
-This event sends data about the BIOS and startup embedded in the device, to help keep Windows up to date.
+This event sends data about the BIOS and startup embedded in the device. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1408,7 +1399,7 @@ The following fields are available:
### Census.Flighting
-This event sends Windows Insider data from customers participating in improvement testing and feedback programs, to help keep Windows up to date.
+This event sends Windows Insider data from customers participating in improvement testing and feedback programs. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1423,7 +1414,7 @@ The following fields are available:
### Census.Hardware
-This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support, to help keep Windows up to date.
+This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1464,7 +1455,7 @@ The following fields are available:
### Census.Memory
-This event sends data about the memory on the device, including ROM and RAM, to help keep Windows up to date.
+This event sends data about the memory on the device, including ROM and RAM. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1474,7 +1465,7 @@ The following fields are available:
### Census.Network
-This event sends data about the mobile and cellular network used by the device (mobile service provider, network, device ID, and service cost factors), to help keep Windows up to date.
+This event sends data about the mobile and cellular network used by the device (mobile service provider, network, device ID, and service cost factors). The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1497,7 +1488,7 @@ The following fields are available:
### Census.OS
-This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it is a virtual device, to help keep Windows up to date.
+This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it is a virtual device. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1539,7 +1530,7 @@ The following fields are available:
### Census.Processor
-This event sends data about the processor to help keep Windows up to date.
+This event sends data about the processor. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1561,7 +1552,7 @@ The following fields are available:
### Census.Security
-This event provides information on about security settings used to help keep Windows up to date and secure.
+This event provides information about security settings. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1578,7 +1569,7 @@ The following fields are available:
### Census.Speech
-This event is used to gather basic speech settings on the device.
+This event is used to gather basic speech settings on the device. The data collected with this event is used to help keep Windows secure.
The following fields are available:
@@ -1595,7 +1586,7 @@ The following fields are available:
### Census.Storage
-This event sends data about the total capacity of the system volume and primary disk, to help keep Windows up to date.
+This event sends data about the total capacity of the system volume and primary disk. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1606,7 +1597,7 @@ The following fields are available:
### Census.Userdefault
-This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols, to help keep Windows up to date.
+This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1616,7 +1607,7 @@ The following fields are available:
### Census.UserDisplay
-This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system, to help keep Windows up to date.
+This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1637,7 +1628,7 @@ The following fields are available:
### Census.UserNLS
-This event sends data about the default app language, input, and display language preferences set by the user, to help keep Windows up to date.
+This event sends data about the default app language, input, and display language preferences set by the user. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1650,7 +1641,7 @@ The following fields are available:
### Census.VM
-This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to help keep Windows up to date.
+This event sends data indicating whether virtualization is enabled on the device, and its various characteristics. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1665,7 +1656,7 @@ The following fields are available:
### Census.WU
-This event sends data about the Windows update server and other App store policies, to help keep Windows up to date.
+This event sends data about the Windows update server and other App store policies. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1888,7 +1879,7 @@ The following fields are available:
### CbsServicingProvider.CbsCapabilitySessionFinalize
-This event provides information about the results of installing or uninstalling optional Windows content from Windows Update.
+This event provides information about the results of installing or uninstalling optional Windows content from Windows Update. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -1958,19 +1949,19 @@ The following fields are available:
### TelClientSynthetic.AuthorizationInfo_RuntimeTransition
-This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect.
+This event is fired by UTC at state transitions to signal what data we are allowed to collect. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
### TelClientSynthetic.AuthorizationInfo_Startup
-Fired by UTC at startup to signal what data we are allowed to collect.
+This event is fired by UTC at startup to signal what data we are allowed to collect. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
### TelClientSynthetic.ConnectivityHeartBeat_0
-This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it sends an event. A Connectivity Heartbeat event is also sent when a device recovers from costed network to free network.
+This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it sends an event. A Connectivity Heartbeat event is also sent when a device recovers from costed network to free network. This event is fired by UTC during periods of no network as a heartbeat signal, to keep Windows secure and up to date.
@@ -2016,6 +2007,25 @@ This event is triggered when UTC determines it needs to send information about p
## DxgKernelTelemetry events
+### DxgKrnlTelemetry.BddDiag
+
+This event records Microsoft basic display driver diagnostic information. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **BiosFlags** Bitwise flags that contain graphics related firmware information on the device such as the system was booted with display or not, system was using VBIOS or UEFI GOP, and VBIOS has a valid display mode list or not.
+- **CurrentMode** Information about the current display mode such as the resolution, rotation, and scaling.
+- **DefaultModeReason** Numeric value indicating the reason that the Microsoft Basic Display Driver is in use.
+- **DefaultModeResolution** Default resolution that Microsoft Basic Display Driver detected.
+- **DefaultResolutionProvider** Numeric value indicating the source of the default resolution.
+- **Flags** Bitwise flags containing Microsoft Basic Display Driver related information such as if it is running because there is no graphics driver or user PnP stopped the graphics driver, it has valid EDID or not on the connected monitor and where the EDID was from, it is running at gray scale mode or not, it is running without display or not.
+- **HeadlessReason** Numeric value indicating why there is no display.
+- **LogAssertionCount** Number of assertions that were encountered before this event was recorded.
+- **LogErrorCount** Number of errors that were encountered before this event was recorded.
+- **MonitorPowerState** Current power state of the monitor.
+- **Version** Version of the schema for this event.
+
+
### DxgKrnlTelemetry.GPUAdapterInventoryV2
This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date.
@@ -2169,7 +2179,7 @@ The following fields are available:
### Microsoft.Windows.Upgrade.Uninstall.UninstallFailed
-This event sends diagnostic data about failures when uninstalling a feature update, to help resolve any issues preventing customers from reverting to a known state.
+This event sends diagnostic data about failures when uninstalling a feature update, to help resolve any issues preventing customers from reverting to a known state. The data collected with this event is used to help keep Windows up to date and performing properly.
The following fields are available:
@@ -2179,7 +2189,7 @@ The following fields are available:
### Microsoft.Windows.Upgrade.Uninstall.UninstallFinalizedAndRebootTriggered
-This event indicates that the uninstall was properly configured and that a system reboot was initiated.
+This event indicates that the uninstall was properly configured and that a system reboot was initiated. The data collected with this event is used to help keep Windows up to date and performing properly.
The following fields are available:
@@ -2223,7 +2233,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum
-This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object.
+This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -2250,7 +2260,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions
-This event sends inventory component versions for the Device Inventory data.
+This event sends inventory component versions for the Device Inventory data. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -2260,7 +2270,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd
-This event sends basic metadata about an application on the system to help keep Windows up to date.
+This event sends basic metadata about an application on the system. The data collected with this event is used to keep Windows performing properly and up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2289,7 +2299,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd
-This event represents what drivers an application installs.
+This event represents what drivers an application installs. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2301,7 +2311,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync
-This event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent.
+The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2312,7 +2322,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd
-This event provides the basic metadata about the frameworks an application may depend on.
+This event provides the basic metadata about the frameworks an application may depend on. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2326,7 +2336,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync
-This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent.
+This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2337,7 +2347,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove
-This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
+This event indicates that a new set of InventoryDevicePnpAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2348,7 +2358,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync
-This event indicates that a new set of InventoryApplicationAdd events will be sent.
+This event indicates that a new set of InventoryApplicationAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2359,7 +2369,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd
-This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and Play device) to help keep Windows up to date.
+This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and Play device). The data collected with this event is used to help keep Windows up to date and to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2383,7 +2393,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove
-This event indicates that the InventoryDeviceContainer object is no longer present.
+This event indicates that the InventoryDeviceContainer object is no longer present. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2394,7 +2404,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync
-This event indicates that a new set of InventoryDeviceContainerAdd events will be sent.
+This event indicates that a new set of InventoryDeviceContainerAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2405,7 +2415,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd
-This event retrieves information about what sensor interfaces are available on the device.
+This event retrieves information about what sensor interfaces are available on the device. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2435,7 +2445,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync
-This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent.
+This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2446,7 +2456,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd
-This event sends additional metadata about a Plug and Play device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload.
+This event sends additional metadata about a Plug and Play device that is specific to a particular class of devices. The data collected with this event is used to help keep Windows up to date and performing properly while reducing overall size of data payload.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2459,7 +2469,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove
-This event indicates that the InventoryDeviceMediaClassRemove object is no longer present.
+This event indicates that the InventoryDeviceMediaClass object represented by the objectInstanceId is no longer present. This event is used to understand a PNP device that is specific to a particular class of devices. The data collected with this event is used to help keep Windows up to date and performing properly while reducing overall size of data payload.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2470,7 +2480,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync
-This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent.
+This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2520,7 +2530,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove
-This event indicates that the InventoryDevicePnpRemove object is no longer present.
+This event indicates that the InventoryDevicePnpRemove object is no longer present. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2531,7 +2541,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync
-This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
+This event indicates that a new set of InventoryDevicePnpAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2542,7 +2552,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd
-This event sends basic metadata about the USB hubs on the device.
+This event sends basic metadata about the USB hubs on the device. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2555,7 +2565,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync
-This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent.
+This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2566,7 +2576,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd
-This event sends basic metadata about driver binaries running on the system to help keep Windows up to date.
+This event sends basic metadata about driver binaries running on the system. The data collected with this event is used to help keep Windows up to date and performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2593,7 +2603,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove
-This event indicates that the InventoryDriverBinary object is no longer present.
+This event indicates that the InventoryDriverBinary object is no longer present. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2604,7 +2614,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync
-This event indicates that a new set of InventoryDriverBinaryAdd events will be sent.
+This event indicates that a new set of InventoryDriverBinaryAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2615,7 +2625,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd
-This event sends basic metadata about drive packages installed on the system to help keep Windows up to date.
+This event sends basic metadata about drive packages installed on the system. The data collected with this event is used to help keep Windows up to date and performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2635,7 +2645,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove
-This event indicates that the InventoryDriverPackageRemove object is no longer present.
+This event indicates that the InventoryDriverPackageRemove object is no longer present. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2646,7 +2656,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync
-This event indicates that a new set of InventoryDriverPackageAdd events will be sent.
+This event indicates that a new set of InventoryDriverPackageAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2655,9 +2665,17 @@ The following fields are available:
- **InventoryVersion** The version of the inventory file generating the events.
+### Microsoft.Windows.Inventory.General. InventoryMiscellaneousMemorySlotArrayInfoRemove
+
+This event indicates that this particular data object represented by the ObjectInstanceId is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+
+
### Microsoft.Windows.Inventory.General.AppHealthStaticAdd
-This event sends details collected for a specific application on the source device.
+This event sends details collected for a specific application on the source device. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -2684,7 +2702,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.AppHealthStaticStartSync
-This event indicates the beginning of a series of AppHealthStaticAdd events.
+This event indicates the beginning of a series of AppHealthStaticAdd events. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -2696,7 +2714,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd
-Invalid variant - Provides data on the installed Office Add-ins
+This event provides data on the installed Office add-ins. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2730,7 +2748,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove
-This event indicates that the particular data object represented by the objectInstanceId is no longer present.
+This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2738,7 +2756,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync
-This event indicates that a new sync is being generated for this object type.
+This event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2749,7 +2767,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd
-This event provides data on the Office identifiers
+This event provides data on the Office identifiers. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2767,7 +2785,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync
-Diagnostic event to indicate a new sync is being generated for this object type
+This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2778,7 +2796,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd
-This event includes the Office-related Internet Explorer features
+This event provides data on Office-related Internet Explorer features. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2804,7 +2822,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync
-Diagnostic event to indicate a new sync is being generated for this object type
+This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2815,7 +2833,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd
-Provides insight data on the installed Office products
+This event provides insight data on the installed Office products. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2830,7 +2848,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove
-This event indicates that the particular data object represented by the objectInstanceId is no longer present.
+This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2838,7 +2856,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync
-Diagnostic event to indicate a new sync is being generated for this object type
+This diagnostic event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2849,7 +2867,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd
-This event list all installed Office products
+This event describes all installed Office products. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2864,7 +2882,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync
-Diagnostic event to indicate a new sync is being generated for this object type
+This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2875,7 +2893,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd
-This event describes various Office settings
+This event describes various Office settings. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2889,7 +2907,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync
-Diagnostic event to indicate a new sync is being generated for this object type
+This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2900,7 +2918,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd
-This event provides a summary rollup count of conditions encountered while performing a local scan of Office files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus, and between 32 and 64-bit versions
+This event provides a summary rollup count of conditions encountered while performing a local scan of Office files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus, and between 32 and 64-bit versions. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2931,7 +2949,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARemove
-This event indicates that the particular data object represented by the objectInstanceId is no longer present.
+This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2939,7 +2957,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd
-This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule
+This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2950,7 +2968,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsRemove
-This event indicates that the particular data object represented by the objectInstanceId is no longer present.
+This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2958,7 +2976,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync
-This event indicates that a new sync is being generated for this object type.
+This event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2969,7 +2987,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync
-Diagnostic event to indicate a new sync is being generated for this object type
+This diagnostic event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2980,7 +2998,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd
-Provides data on Unified Update Platform (UUP) products and what version they are at.
+This event provides data on Unified Update Platform (UUP) products and what version they are at. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -2995,7 +3013,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoRemove
-Indicates that this particular data object represented by the objectInstanceId is no longer present.
+This event indicates that this particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3003,7 +3021,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync
-Diagnostic event to indicate a new sync is being generated for this object type
+This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3011,7 +3029,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
### Microsoft.Windows.Inventory.Indicators.Checksum
-This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events.
+This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -3021,7 +3039,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd
-These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up to date.
+This event represents the basic metadata about the OS indicators installed on the system. The data collected with this event helps ensure the device is up to date and keeps Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3032,7 +3050,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove
-This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd that indicates that the item has been removed.
+This event indicates that this particular data object represented by the objectInstanceId is no longer present. This event is used to understand the OS indicators installed on the system. The data collected with this event helps ensure the device is current and Windows is up to date and performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3040,7 +3058,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync
-This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events will be sent.
+This event indicates that this particular data object represented by the objectInstanceId is no longer present. This event is used to understand the OS indicators installed on the system. The data collected with this event helps ensure the device is current and Windows is up to date and performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3060,7 +3078,7 @@ The following fields are available:
### Microsoft.Windows.Kernel.BootEnvironment.OsLaunch
-OS information collected during Boot, used to evaluate the success of the upgrade process.
+This event includes basic data about the Operating System, collected during Boot and used to evaluate the success of the upgrade process. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -3087,19 +3105,19 @@ The following fields are available:
### Microsoft.Windows.MigrationCore.MigObjectCountDLUsr
-This event returns data to track the count of the migration objects across various phases during feature update.
+This event returns data to track the count of the migration objects across various phases during feature update. The data collected with this event is used to help keep Windows secure and to track data loss scenarios.
### Microsoft.Windows.MigrationCore.MigObjectCountKFSys
-This event returns data about the count of the migration objects across various phases during feature update.
+This event returns data about the count of the migration objects across various phases during feature update. The data collected with this event is used to help keep Windows secure and to track data loss scenarios.
### Microsoft.Windows.MigrationCore.MigObjectCountKFUsr
-This event returns data to track the count of the migration objects across various phases during feature update.
+This event returns data to track the count of the migration objects across various phases during feature update. The data collected with this event is used to help keep Windows secure and to track data loss scenarios.
@@ -3107,7 +3125,7 @@ This event returns data to track the count of the migration objects across vario
### Microsoft.OneDrive.Sync.Setup.APIOperation
-This event includes basic data about install and uninstall OneDrive API operations.
+This event includes basic data about install and uninstall OneDrive API operations. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -3120,7 +3138,7 @@ The following fields are available:
### Microsoft.OneDrive.Sync.Setup.EndExperience
-This event includes a success or failure summary of the installation.
+This event includes a success or failure summary of the installation. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -3132,7 +3150,7 @@ The following fields are available:
### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation
-This event is related to the OS version when the OS is upgraded with OneDrive installed.
+This event is related to the OS version when the OS is upgraded with OneDrive installed. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -3148,7 +3166,7 @@ The following fields are available:
### Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation
-This event is related to registering or unregistering the OneDrive update task.
+This event is related to registering or unregistering the OneDrive update task. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -3161,7 +3179,7 @@ The following fields are available:
### Microsoft.OneDrive.Sync.Updater.ComponentInstallState
-This event includes basic data about the installation state of dependent OneDrive components.
+This event includes basic data about the installation state of dependent OneDrive components. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -3171,7 +3189,7 @@ The following fields are available:
### Microsoft.OneDrive.Sync.Updater.OverlayIconStatus
-This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken
+This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -3181,7 +3199,7 @@ The following fields are available:
### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult
-This event sends information describing the result of the update.
+This event sends information describing the result of the update. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -3192,7 +3210,7 @@ The following fields are available:
### Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult
-This event determines the status when downloading the OneDrive update configuration file.
+This event determines the status when downloading the OneDrive update configuration file. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -3201,7 +3219,7 @@ The following fields are available:
### Microsoft.OneDrive.Sync.Updater.WebConnectionStatus
-This event determines the error code that was returned when verifying Internet connectivity.
+This event determines the error code that was returned when verifying Internet connectivity. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -3212,7 +3230,7 @@ The following fields are available:
### Microsoft.Windows.Shell.PrivacyNotifierLogging.PrivacyNotifierCompleted
-This event returns data to report the efficacy of a single-use tool to inform users impacted by a known issue and to take corrective action to address the issue.
+This event returns data to report the efficacy of a single-use tool to inform users impacted by a known issue and to take corrective action to address the issue. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3229,7 +3247,7 @@ The following fields are available:
### Microsoft.Windows.QualityUpdateAssistant.Applicability
-This event sends basic info on whether the device should be updated to the latest cumulative update.
+This event sends basic info on whether the device should be updated to the latest cumulative update. The data collected with this event is used to help keep Windows up to date and secure.
The following fields are available:
@@ -3241,7 +3259,7 @@ The following fields are available:
### Microsoft.Windows.QualityUpdateAssistant.DeviceReadinessCheck
-This event sends basic info on whether the device is ready to download the latest cumulative update.
+This event sends basic info on whether the device is ready to download the latest cumulative update. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3253,7 +3271,7 @@ The following fields are available:
### Microsoft.Windows.QualityUpdateAssistant.Download
-This event sends basic info when download of the latest cumulative update begins.
+This event sends basic info when download of the latest cumulative update begins. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3265,7 +3283,7 @@ The following fields are available:
### Microsoft.Windows.QualityUpdateAssistant.Install
-This event sends basic info on the result of the installation of the latest cumulative update.
+This event sends basic info on the result of the installation of the latest cumulative update. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3279,7 +3297,7 @@ The following fields are available:
### Microsoft.Windows.Remediation.Applicable
-deny
+This event indicates whether Windows Update sediment remediations need to be applied to the sediment device to keep Windows up to date. A sediment device is one that has been on a previous OS version for an extended period. The remediations address issues on the system that prevent the device from receiving OS updates.
The following fields are available:
@@ -3326,7 +3344,7 @@ The following fields are available:
- **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin.
- **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled.
- **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS.
-- **RemediationShellDeviceSccm** TRUE if the device is managed by Configuration Manager.
+- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager).
- **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely.
- **RemediationTargetMachine** Indicates whether the device is a target of the specified fix.
- **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task.
@@ -3362,7 +3380,7 @@ The following fields are available:
### Microsoft.Windows.Remediation.ChangePowerProfileDetection
-Indicates whether the remediation system can put in a request to defer a system-initiated sleep to enable installation of security or quality updates.
+This event indicates whether the remediation system can put in a request to defer a system-initiated sleep to enable installation of security or quality updates, to keep Windows secure and up to date.
The following fields are available:
@@ -3499,7 +3517,7 @@ The following fields are available:
### Microsoft.Windows.Remediation.RemediationShellMainExeEventId
-Enables tracking of completion of process that remediates issues preventing security and quality updates.
+This event enables tracking of completion of process that remediates issues preventing security and quality updates keep Windows up to date.
The following fields are available:
@@ -3530,7 +3548,7 @@ The following fields are available:
### Microsoft.Windows.Sediment.Info.DetailedState
-This event is sent when detailed state information is needed from an update trial run.
+This event is sent when detailed state information is needed from an update trial run. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3594,7 +3612,7 @@ The following fields are available:
### Microsoft.Windows.Sediment.OSRSS.Error
-This event indicates an error occurred in the Operating System Remediation System Service (OSRSS). The information provided helps ensure future upgrade/update attempts are more successful.
+This event indicates an error occurred in the Operating System Remediation System Service (OSRSS). The information provided helps ensure future upgrade/update attempts are more successful. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3657,7 +3675,7 @@ The following fields are available:
### Microsoft.Windows.Sediment.OSRSS.SelfUpdate
-This event returns metadata after Operating System Remediation System Service (OSRSS) successfully replaces itself with a new version.
+This event returns metadata after Operating System Remediation System Service (OSRSS) successfully replaces itself with a new version. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3668,7 +3686,7 @@ The following fields are available:
### Microsoft.Windows.Sediment.OSRSS.UrlState
-This event indicates the state the Operating System Remediation System Service (OSRSS) is in while attempting a download from the URL.
+This event indicates the state the Operating System Remediation System Service (OSRSS) is in while attempting a download from the URL. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3682,7 +3700,7 @@ The following fields are available:
### Microsoft.Windows.Sediment.ServiceInstaller.ApplicabilityCheckFailed
-This event returns data relating to the error state after one of the applicability checks for the installer component of the Operating System Remediation System Service (OSRSS) has failed.
+This event returns data relating to the error state after one of the applicability checks for the installer component of the Operating System Remediation System Service (OSRSS) has failed. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3783,7 +3801,7 @@ The following fields are available:
### Microsoft.Windows.SedimentLauncher.Applicable
-This event is sent when the Windows Update sediment remediations launcher finds that an applicable plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period.
+This event is sent when the Windows Update sediment remediations launcher finds that an applicable plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3799,7 +3817,7 @@ The following fields are available:
### Microsoft.Windows.SedimentLauncher.Completed
-This event is sent when the Windows Update sediment remediations launcher finishes running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period.
+This event is sent when the Windows Update sediment remediations launcher finishes running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3814,7 +3832,7 @@ The following fields are available:
### Microsoft.Windows.SedimentLauncher.Error
-Error occurred during execution of the plugin.
+This event indicates an error occurred during the execution of the plug-in. The information provided helps ensure future upgrade/update attempts are more successful. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3825,7 +3843,7 @@ The following fields are available:
### Microsoft.Windows.SedimentLauncher.FallbackError
-This event indicates that an error occurred during execution of the plug-in fallback.
+This event indicates that an error occurred during execution of the plug-in fallback. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3835,7 +3853,7 @@ The following fields are available:
### Microsoft.Windows.SedimentLauncher.Information
-This event provides general information returned from the plug-in.
+This event provides general information returned from the plug-in. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3846,7 +3864,7 @@ The following fields are available:
### Microsoft.Windows.SedimentLauncher.Started
-This event is sent when the Windows Update sediment remediations launcher starts running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period.
+This event is sent when the Windows Update sediment remediations launcher starts running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3859,7 +3877,7 @@ The following fields are available:
### Microsoft.Windows.SedimentLauncher.wilResult
-This event provides the result from the Windows internal library.
+This event provides the result from the Windows internal library. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3884,7 +3902,7 @@ The following fields are available:
### Microsoft.Windows.SedimentService.Applicable
-This event is sent when the Windows Update sediment remediations service finds that an applicable plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period.
+This event is sent when the Windows Update sediment remediations service finds that an applicable plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3900,7 +3918,7 @@ The following fields are available:
### Microsoft.Windows.SedimentService.Completed
-This event is sent when the Windows Update sediment remediations service finishes running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period.
+This event is sent when the Windows Update sediment remediations service finishes running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3922,7 +3940,7 @@ The following fields are available:
### Microsoft.Windows.SedimentService.Error
-This event indicates whether an error condition occurred in the plug-in.
+This event indicates whether an error condition occurred in the plug-in. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3933,7 +3951,7 @@ The following fields are available:
### Microsoft.Windows.SedimentService.FallbackError
-This event indicates whether an error occurred for a fallback in the plug-in.
+This event indicates whether an error occurred for a fallback in the plug-in. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3943,7 +3961,7 @@ The following fields are available:
### Microsoft.Windows.SedimentService.Information
-This event provides general information returned from the plug-in.
+This event provides general information returned from the plug-in. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3954,7 +3972,7 @@ The following fields are available:
### Microsoft.Windows.SedimentService.Started
-This event is sent when the Windows Update sediment remediations service starts running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period.
+This event is sent when the Windows Update sediment remediations service starts running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -3967,7 +3985,7 @@ The following fields are available:
### Microsoft.Windows.SedimentService.wilResult
-This event provides the result from the Windows internal library.
+This event provides the result from the Windows internal library. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -4056,7 +4074,7 @@ The following fields are available:
### wilActivity
-This event provides a Windows Internal Library context used for Product and Service diagnostics.
+This event provides a Windows Internal Library context used for Product and Service diagnostics. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -4081,7 +4099,7 @@ The following fields are available:
### wilResult
-This event provides a Windows Internal Library context used for Product and Service diagnostics.
+This event provides a Windows Internal Library context used for Product and Service diagnostics. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -4108,7 +4126,7 @@ The following fields are available:
### SIHEngineTelemetry.EvalApplicability
-This event is sent when targeting logic is evaluated to determine if a device is eligible a given action.
+This event is sent when targeting logic is evaluated to determine if a device is eligible a given action. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -4126,7 +4144,7 @@ The following fields are available:
### SIHEngineTelemetry.ExecuteAction
-This event is triggered with SIH attempts to execute (e.g. install) the update or action in question. Includes important information like if the update required a reboot.
+This event is triggered with SIH attempts to execute (e.g. install) the update or action in question. Includes important information like if the update required a reboot. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -4142,7 +4160,7 @@ The following fields are available:
### SIHEngineTelemetry.PostRebootReport
-This event reports the status of an action following a reboot, should one have been required.
+This event reports the status of an action following a reboot, should one have been required. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -4157,7 +4175,7 @@ The following fields are available:
### SIHEngineTelemetry.ServiceStateChange
-This event reports the status of attempts to stop or start a service as part of executing an action.
+This event reports the status of attempts to stop or start a service as part of executing an action. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -4174,7 +4192,7 @@ The following fields are available:
### SIHEngineTelemetry.SLSActionData
-This event reports if the SIH client was able to successfully parse the manifest describing the actions to be evaluated.
+This event reports if the SIH client was able to successfully parse the manifest describing the actions to be evaluated. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -4191,7 +4209,7 @@ The following fields are available:
### SoftwareUpdateClientTelemetry.CheckForUpdates
-Scan process event on Windows Update client (see eventscenario field for specifics, e.g.: started/failed/succeeded)
+This event sends tracking data about the software distribution client check for content that is applicable to a device, to help keep Windows up to date.
The following fields are available:
@@ -4274,7 +4292,7 @@ The following fields are available:
### SoftwareUpdateClientTelemetry.Commit
-This event tracks the commit process post the update installation when software update client is trying to update the device.
+This event sends data on whether the Update Service has been called to execute an upgrade, to help keep Windows up to date.
The following fields are available:
@@ -4305,7 +4323,7 @@ The following fields are available:
### SoftwareUpdateClientTelemetry.Download
-Download process event for target update on Windows Update client (see eventscenario field for specifics, e.g.: started/failed/succeeded)
+This event sends tracking data about the software distribution client download of the content for that update, to help keep Windows up to date.
The following fields are available:
@@ -4382,7 +4400,7 @@ The following fields are available:
### SoftwareUpdateClientTelemetry.DownloadCheckpoint
-This event provides a checkpoint between each of the Windows Update download phases for UUP content
+This event provides a checkpoint between each of the Windows Update download phases for UUP content. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -4404,7 +4422,7 @@ The following fields are available:
### SoftwareUpdateClientTelemetry.DownloadHeartbeat
-This event allows tracking of ongoing downloads and contains data to explain the current state of the download
+This event allows tracking of ongoing downloads and contains data to explain the current state of the download. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -4504,7 +4522,7 @@ The following fields are available:
### SoftwareUpdateClientTelemetry.UpdateDetected
-This event sends data about an AppX app that has been updated from the Microsoft Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates.
+This event sends data about an AppX app that has been updated from the Microsoft Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -4519,7 +4537,7 @@ The following fields are available:
### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity
-Ensures Windows Updates are secure and complete. Event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack.
+This event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -4551,7 +4569,7 @@ The following fields are available:
### Microsoft.Windows.UpdateAssistant.Orchestrator.BlockingEventId
-The event sends basic info on the reason that Windows 10 was not updated due to compatibility issues, previous rollbacks, or admin policies.
+The event sends basic info on the reason that Windows 10 was not updated due to compatibility issues, previous rollbacks, or admin policies. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -4562,7 +4580,7 @@ The following fields are available:
- **DeviceIsMdmManaged** This device is MDM managed.
- **IsNetworkAvailable** If the device network is not available.
- **IsNetworkMetered** If network is metered.
-- **IsSccmManaged** This device is managed by Configuration Manager.
+- **IsSccmManaged** This device is SCCM managed.
- **NewlyInstalledOs** OS is newly installed quiet period.
- **PausedByPolicy** Updates are paused by policy.
- **RecoveredFromRS3** Previously recovered from RS3.
@@ -4575,7 +4593,7 @@ The following fields are available:
### Microsoft.Windows.UpdateAssistant.Orchestrator.DeniedLaunchEventId
-The event sends basic info when a device was blocked or prevented from updating to the latest Windows 10 version.
+The event sends basic info when a device was blocked or prevented from updating to the latest Windows 10 version. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -4587,7 +4605,7 @@ The following fields are available:
### Microsoft.Windows.UpdateAssistant.Orchestrator.FailedLaunchEventId
-Event to mark that Update Assistant Orchestrator failed to launch Update Assistant.
+This event indicates that Update Assistant Orchestrator failed to launch Update Assistant. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -4598,7 +4616,7 @@ The following fields are available:
### Microsoft.Windows.UpdateAssistant.Orchestrator.FailedOneSettingsQueryEventId
-Event indicating One Settings was not queried by update assistant.
+This event indicates that One Settings was not queried by update assistant. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -4608,7 +4626,7 @@ The following fields are available:
### Microsoft.Windows.UpdateAssistant.Orchestrator.LaunchEventId
-This event sends basic information on whether the device should be updated to the latest Windows 10 version.
+This event sends basic information on whether the device should be updated to the latest Windows 10 version. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -4622,7 +4640,7 @@ The following fields are available:
### Microsoft.Windows.UpdateAssistant.Orchestrator.RestoreEventId
-The event sends basic info on whether the Windows 10 update notification has previously launched.
+The event sends basic info on whether the Windows 10 update notification has previously launched. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -4636,7 +4654,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgent_DownloadRequest
-This event sends data during the download request phase of updating Windows.
+This event sends data during the download request phase of updating Windows. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -4663,7 +4681,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgent_FellBackToCanonical
-This event collects information when Express could not be used, and the update had to fall back to “canonical” during the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop.
+This event collects information when Express could not be used, and the update had to fall back to “canonical” during the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -4679,7 +4697,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgent_Initialize
-This event sends data during the initialize phase of updating Windows.
+This event sends data during the initialize phase of updating Windows. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -4697,7 +4715,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgent_Install
-This event sends data during the install phase of updating Windows.
+This event sends data during the install phase of updating Windows. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -4713,7 +4731,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgent_Merge
-This event sends data on the merge phase when updating Windows.
+This event sends data on the merge phase when updating Windows. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -4729,7 +4747,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgent_ModeStart
-This event sends data for the start of each mode during the process of updating Windows.
+This event sends data for the start of each mode during the process of updating Windows. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -4744,7 +4762,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgent_SetupBoxLaunch
-This event sends data during the launching of the setup box when updating Windows.
+This event sends data during the launching of the setup box when updating Windows. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -4761,7 +4779,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentCommit
-This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop.
+This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -4777,7 +4795,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentDownloadRequest
-This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile.
+This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -4809,7 +4827,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentExpand
-This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop.
+This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -4829,7 +4847,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentFellBackToCanonical
-This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop.
+This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -4845,7 +4863,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentInitialize
-This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile.
+This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -4863,7 +4881,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentInstall
-This event sends data for the install phase of updating Windows.
+This event sends data for the install phase of updating Windows. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -4879,7 +4897,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentMerge
-The UpdateAgentMerge event sends data on the merge phase when updating Windows.
+The UpdateAgentMerge event sends data on the merge phase when updating Windows. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -4895,7 +4913,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentMitigationResult
-This event sends data indicating the result of each update agent mitigation.
+This event sends data indicating the result of each update agent mitigation. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -4921,7 +4939,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentMitigationSummary
-This event sends a summary of all the update agent mitigations available for an this update.
+This event sends a summary of all the update agent mitigations available for an this update. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -4941,7 +4959,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentModeStart
-This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile.
+This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -4957,7 +4975,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentOneSettings
-This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop.
+This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -4975,7 +4993,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentPostRebootResult
-This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario.
+This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -4992,7 +5010,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentSetupBoxLaunch
-The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs.
+The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5015,7 +5033,7 @@ The following fields are available:
### Microsoft.Windows.UpdateNotificationPipeline.JavascriptJavascriptCriticalGenericMessage
-This event indicates that Javascript is reporting a schema and a set of values for critical telemetry.
+This event indicates that Javascript is reporting a schema and a set of values for critical telemetry. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5062,7 +5080,7 @@ The following fields are available:
### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignHeartbeat
-This event is sent at the start of each campaign, to be used as a heartbeat.
+This event is sent at the start of each campaign, to be used as a heartbeat. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5078,7 +5096,7 @@ The following fields are available:
### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerCleaningCampaign
-This event indicates that the Campaign Manager is cleaning up the campaign content.
+This event indicates that the Campaign Manager is cleaning up the campaign content. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5094,7 +5112,7 @@ The following fields are available:
### Microsoft.Windows.UpdateNotificationPipeline.UnpCampaignManagerGetIsCamppaignCompleteFailed
-This event is sent when a campaign completion status query fails.
+This event is sent when a campaign completion status query fails. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5111,7 +5129,7 @@ The following fields are available:
### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerHeartbeat
-This event is sent at the start of the CampaignManager event and is intended to be used as a heartbeat.
+This event is sent at the start of the CampaignManager event and is intended to be used as a heartbeat. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5127,7 +5145,7 @@ The following fields are available:
### Microsoft.Windows.UpdateNotificationPipeline.UnpCampaignManagerRunCampaignFailed
-This event is sent when the Campaign Manager encounters an unexpected error while running the campaign.
+This event is sent when the Campaign Manager encounters an unexpected error while running the campaign. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5152,13 +5170,13 @@ This event indicates whether devices received additional or critical supplementa
### FacilitatorTelemetry.DUDownload
-This event returns data about the download of supplemental packages critical to upgrading a device to the next version of Windows.
+This event returns data about the download of supplemental packages critical to upgrading a device to the next version of Windows. The data collected with this event is used to help keep Windows secure and up to date.
### FacilitatorTelemetry.InitializeDU
-This event determines whether devices received additional or critical supplemental content during an OS upgrade.
+This event determines whether devices received additional or critical supplemental content during an OS upgrade. The data collected with this event is used to help keep Windows secure and up to date.
@@ -5206,7 +5224,7 @@ The following fields are available:
### Setup360Telemetry.OsUninstall
-This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, it indicates the outcome of an OS uninstall.
+This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, it indicates the outcome of an OS uninstall. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5354,19 +5372,19 @@ This event helps determine whether the device received supplemental content duri
### Setup360Telemetry.Setup360MitigationResult
-This event sends data indicating the result of each setup mitigation.
+This event sends data indicating the result of each setup mitigation. The data collected with this event is used to help keep Windows secure and up to date.
### Setup360Telemetry.Setup360MitigationSummary
-This event sends a summary of all the setup mitigations available for this update.
+This event sends a summary of all the setup mitigations available for this update. The data collected with this event is used to help keep Windows secure and up to date.
### Setup360Telemetry.Setup360OneSettings
-This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop.
+This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5406,16 +5424,25 @@ The following fields are available:
### Microsoft.Windows.WaaSAssessment.Error
-This event returns the name of the missing setting needed to determine the Operating System build age.
+This event returns the name of the missing setting needed to determine the Operating System build age. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
- **m** The WaaS (“Workspace as a Service”—cloud-based “workspace”) Assessment Error String.
+### Microsoft.Windows.WaaSMedic.EngineFailed
+
+This event indicates failure during medic engine execution. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **hResult** Error code from the execution.
+
+
### Microsoft.Windows.WaaSMedic.RemediationFailed
-This event is sent when the WaaS Medic update stack remediation tool fails to apply a described resolution to a problem that is blocking Windows Update from operating correctly on a target device.
+This event is sent when the WaaS Medic update stack remediation tool fails to apply a described resolution to a problem that is blocking Windows Update from operating correctly on a target device. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5427,7 +5454,7 @@ The following fields are available:
### Microsoft.Windows.WaaSMedic.Summary
-This event provides the results of the WaaSMedic diagnostic run
+This event provides the results of the WaaSMedic diagnostic run. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5446,7 +5473,7 @@ The following fields are available:
### Microsoft.Windows.WaaSMedic.SummaryEvent
-This event provides the results from the WaaSMedic engine
+This event provides the result of the WaaSMedic operation. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5488,7 +5515,7 @@ The following fields are available:
### Microsoft.Windows.Store.Partner.ReportApplication
-Report application event for Microsoft Store client.
+This is report application event for Microsoft Store client. The data collected with this event is used to help keep Windows up to date and secure.
@@ -5882,7 +5909,7 @@ The following fields are available:
### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled
-This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads.
+This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -5915,7 +5942,7 @@ The following fields are available:
### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted
-This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads.
+This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -5963,7 +5990,7 @@ The following fields are available:
### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused
-This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads.
+This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -5983,7 +6010,7 @@ The following fields are available:
### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted
-This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads.
+This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -6020,7 +6047,7 @@ The following fields are available:
### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication
-This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads.
+This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -6043,7 +6070,7 @@ The following fields are available:
### Microsoft.OSG.DU.DeliveryOptClient.JobError
-This event represents a Windows Update job error. It allows for investigation of top errors.
+This event represents a Windows Update job error. It allows for investigation of top errors. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -6059,7 +6086,7 @@ The following fields are available:
### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentCommit
-This event collects information regarding the final commit phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages
+This event collects information regarding the final commit phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6075,7 +6102,7 @@ The following fields are available:
### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentDownloadRequest
-This event collects information regarding the download request phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages
+This event collects information regarding the download request phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6102,7 +6129,7 @@ The following fields are available:
### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInitialize
-This event sends data for initializing a new update session for the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages
+This event sends data for initializing a new update session for the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6120,7 +6147,7 @@ The following fields are available:
### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInstall
-This event collects information regarding the install phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages
+This event collects information regarding the install phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6136,7 +6163,7 @@ The following fields are available:
### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart
-This event sends data for the start of each mode during the process of updating device manifest assets via the UUP (Unified Update Platform) update scenario. The update scenario is used to install a device manifest describing a set of driver packages.
+This event sends data for the start of each mode during the process of updating device manifest assets via the UUP (Unified Update Platform) update scenario. The update scenario is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6151,49 +6178,49 @@ The following fields are available:
### Microsoft.Windows.Update.NotificationUx.DialogNotificationToBeDisplayed
-This event indicates that a notification dialog box is about to be displayed to user.
+This event indicates that a notification dialog box is about to be displayed to user. The data collected with this event is used to help keep Windows secure and up to date.
### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootAcceptAutoDialog
-This event indicates that the Enhanced Engaged restart "accept automatically" dialog box was displayed.
+This event indicates that the Enhanced Engaged restart "accept automatically" dialog box was displayed. The data collected with this event is used to help keep Windows secure and up to date.
### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootFirstReminderDialog
-This event indicates that the Enhanced Engaged restart "first reminder" dialog box was displayed.
+This event indicates that the Enhanced Engaged restart "first reminder" dialog box was displayed. The data collected with this event is used to help keep Windows secure and up to date.
### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootFailedDialog
-This event indicates that the Enhanced Engaged restart "restart failed" dialog box was displayed.
+This event indicates that the Enhanced Engaged restart "restart failed" dialog box was displayed. The data collected with this event is used to help keep Windows secure and up to date.
### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootImminentDialog
-This event indicates that the Enhanced Engaged restart "restart imminent" dialog box was displayed.
+This event indicates that the Enhanced Engaged restart "restart imminent" dialog box was displayed. The data collected with this event is used to help keep Windows secure and up to date.
### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootSecondReminderDialog
-This event indicates that the second reminder dialog box was displayed for Enhanced Engaged restart.
+This event indicates that the second reminder dialog box was displayed for Enhanced Engaged restart. The data collected with this event is used to help keep Windows secure and up to date.
### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootThirdReminderDialog
-This event indicates that the third reminder dialog box for Enhanced Engaged restart was displayed.
+This event indicates that the third reminder dialog box for Enhanced Engaged restart was displayed. The data collected with this event is used to help keep Windows secure and up to date.
### Microsoft.Windows.Update.NotificationUx.RebootScheduled
-Indicates when a reboot is scheduled by the system or a user for a security, quality, or feature update.
+This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows secure and up-to-date by indicating when a reboot is scheduled by the system or a user for a security, quality, or feature update.
The following fields are available:
@@ -6211,25 +6238,25 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.ActivityRestrictedByActiveHoursPolicy
-This event indicates a policy is present that may restrict update activity to outside of active hours.
+This event indicates a policy is present that may restrict update activity to outside of active hours. The data collected with this event is used to help keep Windows secure and up to date.
### Microsoft.Windows.Update.Orchestrator.AttemptImmediateReboot
-This event sends data when the Windows Update Orchestrator is set to reboot immediately after installing the update.
+This event sends data when the Windows Update Orchestrator is set to reboot immediately after installing the update. The data collected with this event is used to help keep Windows secure and up to date.
### Microsoft.Windows.Update.Orchestrator.BlockedByActiveHours
-This event indicates that update activity was blocked because it is within the active hours window.
+This event indicates that update activity was blocked because it is within the active hours window. The data collected with this event is used to help keep Windows secure and up to date.
### Microsoft.Windows.Update.Orchestrator.CommitFailed
-This event indicates that a device was unable to restart after an update.
+This event indicates that a device was unable to restart after an update. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6239,7 +6266,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.DeferRestart
-This event indicates that a restart required for installing updates was postponed.
+This event indicates that a restart required for installing updates was postponed. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6251,7 +6278,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.Detection
-This event indicates that a scan for a Windows Update occurred.
+This event sends launch data for a Windows Update scan to help keep Windows secure and up to date.
The following fields are available:
@@ -6270,7 +6297,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.DisplayNeeded
-This event indicates the reboot was postponed due to needing a display.
+This event indicates the reboot was postponed due to needing a display. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6286,7 +6313,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.Download
-This event sends launch data for a Windows Update download to help keep Windows up to date.
+This event sends launch data for a Windows Update download to help keep Windows secure and up to date.
The following fields are available:
@@ -6303,7 +6330,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.FlightInapplicable
-This event sends data on whether the update was applicable to the device, to help keep Windows up to date.
+This event sends data on whether the update was applicable to the device. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6319,7 +6346,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.GameActive
-This event indicates that an enabled GameMode process prevented the device from restarting to complete an update.
+This event indicates that an enabled GameMode process prevented the device from restarting to complete an update. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6330,7 +6357,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.InitiatingReboot
-This event sends data about an Orchestrator requesting a reboot from power management to help keep Windows up to date.
+This event sends data about an Orchestrator requesting a reboot from power management to help keep Windows secure and up to date.
The following fields are available:
@@ -6347,7 +6374,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.Install
-This event sends launch data for a Windows Update install to help keep Windows up to date.
+This event sends launch data for a Windows Update install to help keep Windows secure and up to date.
The following fields are available:
@@ -6372,7 +6399,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.LowUptimes
-This event is sent if a device is identified as not having sufficient uptime to reliably process updates in order to keep secure.
+This event is sent if a device is identified as not having sufficient uptime to reliably process updates in order to keep secure. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6385,7 +6412,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.OneshotUpdateDetection
-This event returns data about scans initiated through settings UI, or background scans that are urgent; to help keep Windows up to date.
+This event returns data about scans initiated through settings UI, or background scans that are urgent; to help keep Windows secure and up to date.
The following fields are available:
@@ -6397,7 +6424,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.PostInstall
-This event sends data about lite stack devices (mobile, IOT, anything non-PC) immediately before data migration is launched to help keep Windows up to date.
+This event sends data about lite stack devices (mobile, IOT, anything non-PC) immediately before data migration is launched to help keep Windows secure and up to date.
The following fields are available:
@@ -6414,13 +6441,13 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.PowerMenuOptionsChanged
-This event is sent when the options in power menu changed, usually due to an update pending reboot, or after a update is installed.
+This event is sent when the options in power menu changed, usually due to an update pending reboot, or after a update is installed. The data collected with this event is used to help keep Windows secure and up to date.
### Microsoft.Windows.Update.Orchestrator.PreShutdownStart
-This event is generated before the shutdown and commit operations.
+This event is generated before the shutdown and commit operations. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6429,7 +6456,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.RebootFailed
-This event sends information about whether an update required a reboot and reasons for failure, to help keep Windows up to date.
+This event sends information about whether an update required a reboot and reasons for failure, to help keep Windows secure and up to date.
The following fields are available:
@@ -6448,7 +6475,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.RefreshSettings
-This event sends basic data about the version of upgrade settings applied to the system to help keep Windows up to date.
+This event sends basic data about the version of upgrade settings applied to the system to help keep Windows secure and up to date.
The following fields are available:
@@ -6460,7 +6487,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask
-This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date.
+This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows secure and up to date.
The following fields are available:
@@ -6470,7 +6497,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.SystemNeeded
-This event sends data about why a device is unable to reboot, to help keep Windows up to date.
+This event sends data about why a device is unable to reboot, to help keep Windows secure and up to date.
The following fields are available:
@@ -6484,9 +6511,20 @@ The following fields are available:
- **wuDeviceid** Unique device ID used by Windows Update.
+### Microsoft.Windows.Update.Orchestrator.UpdateInstallPause
+
+This event indicates the data sent when the device pauses an in-progress update. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **updateClassificationGUID** The classification GUID for the update that was paused.
+- **updateId** An update ID for the update that was paused.
+- **wuDeviceid** A unique Device ID.
+
+
### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh
-This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows up to date.
+This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows secure and up to date.
The following fields are available:
@@ -6499,7 +6537,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.UpdateRebootRequired
-This event sends data about whether an update required a reboot to help keep Windows up to date.
+This event sends data about whether an update required a reboot to help keep Windows secure and up to date.
The following fields are available:
@@ -6514,7 +6552,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.updateSettingsFlushFailed
-This event sends information about an update that encountered problems and was not able to complete.
+This event sends information about an update that encountered problems and was not able to complete. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6524,7 +6562,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.USODiagnostics
-This event sends data on whether the state of the update attempt, to help keep Windows up to date.
+This event sends data on whether the state of the update attempt, to help keep Windows secure and up to date.
The following fields are available:
@@ -6566,7 +6604,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.UsoSession
-This event represents the state of the USO service at start and completion.
+This event represents the state of the USO service at start and completion. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6580,9 +6618,21 @@ The following fields are available:
- **wuDeviceid** The Windows Update device GUID.
+### Microsoft.Windows.Update.Orchestrator.UUPFallBack
+
+This event indicates that USO determined UUP needs to fall back. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **EventPublishedTime** The current event time.
+- **UUPFallBackConfigured** The fall back error code.
+- **UUPFallBackErrorReason** The reason for fall back error.
+- **wuDeviceid** A Windows Update device ID.
+
+
### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState
-This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot.
+This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6604,7 +6654,7 @@ The following fields are available:
### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded
-This event is sent when a security update has successfully completed.
+This event is sent when a security update has successfully completed. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6613,7 +6663,7 @@ The following fields are available:
### Microsoft.Windows.Update.Ux.MusNotification.RebootRequestReasonsToIgnore
-This event is sent when the reboot can be deferred based on some reasons, before reboot attempts
+This event is sent when the reboot can be deferred based on some reasons, before reboot attempts. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6622,7 +6672,7 @@ The following fields are available:
### Microsoft.Windows.Update.Ux.MusNotification.RebootScheduled
-This event sends basic information about scheduling an update-related reboot, to get security updates and to help keep Windows up-to-date.
+This event sends basic information about scheduling an update-related reboot, to get security updates and to help keep Windows secure and up to date.
The following fields are available:
@@ -6641,13 +6691,13 @@ The following fields are available:
### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerFirstReadyToReboot
-This event is fired the first time when the reboot is required.
+This event is fired the first time when the reboot is required. The data collected with this event is used to help keep Windows secure and up to date.
### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerScheduledTask
-This event is sent when MUSE broker schedules a task
+This event is sent when MUSE broker schedules a task. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6657,7 +6707,7 @@ The following fields are available:
### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled
-This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up to date.
+This event sends basic information for scheduling a device restart to install security updates. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6678,7 +6728,7 @@ The following fields are available:
### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages
-This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates.
+This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6704,25 +6754,25 @@ The following fields are available:
### Microsoft.Windows.UpdateReserveManager.CommitPendingHardReserveAdjustment
-This event is sent when the Update Reserve Manager commits a hard reserve adjustment that was pending.
+This event is sent when the Update Reserve Manager commits a hard reserve adjustment that was pending. The data collected with this event is used to help keep Windows secure and up to date.
### Microsoft.Windows.UpdateReserveManager.InitializeUpdateReserveManager
-This event returns data about the Update Reserve Manager, including whether it’s been initialized.
+This event returns data about the Update Reserve Manager, including whether it’s been initialized. The data collected with this event is used to help keep Windows secure and up to date.
### Microsoft.Windows.UpdateReserveManager.RemovePendingHardReserveAdjustment
-This event is sent when the Update Reserve Manager removes a pending hard reserve adjustment.
+This event is sent when the Update Reserve Manager removes a pending hard reserve adjustment. The data collected with this event is used to help keep Windows secure and up to date.
### Microsoft.Windows.UpdateReserveManager.UpdatePendingHardReserveAdjustment
-This event is sent when the Update Reserve Manager needs to adjust the size of the hard reserve after the option content is installed.
+This event is sent when the Update Reserve Manager needs to adjust the size of the hard reserve after the option content is installed. The data collected with this event is used to help keep Windows secure and up to date.
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
index 38c6834c3d..b9030aba9a 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
@@ -13,7 +13,7 @@ manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
audience: ITPro
-ms.date: 03/27/2020
+ms.date: 09/30/2020
ms.reviewer:
---
@@ -33,6 +33,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
+- [Windows 10, version 2004 and Windows 10, version 20H2 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md)
- [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md)
@@ -47,7 +48,7 @@ You can learn more about Windows functional and diagnostic data through these ar
### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount
-This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client.
+This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -123,7 +124,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd
-Represents the basic metadata about specific application files installed on the system.
+This event represents the basic metadata about specific application files installed on the system. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -141,7 +142,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove
-This event indicates that the DatasourceApplicationFile object is no longer present.
+This event indicates that the DatasourceApplicationFile object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -152,7 +153,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync
-This event indicates that a new set of DatasourceApplicationFileAdd events will be sent.
+This event indicates that a new set of DatasourceApplicationFileAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -179,7 +180,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove
-This event indicates that the DatasourceDevicePnp object is no longer present.
+This event indicates that the DatasourceDevicePnp object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -190,7 +191,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync
-This event indicates that a new set of DatasourceDevicePnpAdd events will be sent.
+This event indicates that a new set of DatasourceDevicePnpAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -212,7 +213,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageRemove
-This event indicates that the DatasourceDriverPackage object is no longer present.
+This event indicates that the DatasourceDriverPackage object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -223,7 +224,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync
-This event indicates that a new set of DatasourceDriverPackageAdd events will be sent.
+This event indicates that a new set of DatasourceDriverPackageAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -245,7 +246,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove
-This event indicates that the DataSourceMatchingInfoBlock object is no longer present.
+This event indicates that the DataSourceMatchingInfoBlock object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -256,7 +257,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync
-This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent.
+This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events has completed being sent. This event is used to make compatibility decisions about files to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -278,7 +279,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove
-This event indicates that the DataSourceMatchingInfoPassive object is no longer present.
+This event indicates that the DataSourceMatchingInfoPassive object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -289,7 +290,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync
-This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent.
+This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent. This event is used to make compatibility decisions about files to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -311,7 +312,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove
-This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present.
+This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -322,7 +323,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync
-This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent.
+This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -344,7 +345,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove
-This event indicates that the DatasourceSystemBios object is no longer present.
+This event indicates that the DatasourceSystemBios object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -355,7 +356,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync
-This event indicates that a new set of DatasourceSystemBiosAdd events will be sent.
+This event indicates that a new set of DatasourceSystemBiosAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -396,7 +397,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove
-This event indicates that the DecisionApplicationFile object is no longer present.
+This event indicates that the DecisionApplicationFile object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -407,7 +408,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync
-This event indicates that a new set of DecisionApplicationFileAdd events will be sent.
+This event indicates that a new set of DecisionApplicationFileAdd events will be sent. This event is used to make compatibility decisions about a file to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -445,7 +446,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove
-This event indicates that the DecisionDevicePnp object is no longer present.
+This event Indicates that the DecisionDevicePnp object represented by the objectInstanceId is no longer present. This event is used to make compatibility decisions about PNP devices to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -456,7 +457,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync
-The DecisionDevicePnpStartSync event indicates that a new set of DecisionDevicePnpAdd events will be sent.
+This event indicates that a new set of DecisionDevicePnpAdd events will be sent. This event is used to make compatibility decisions about PNP devices to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -484,7 +485,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove
-This event indicates that the DecisionDriverPackage object is no longer present.
+This event indicates that the DecisionDriverPackage object represented by the objectInstanceId is no longer present. This event is used to make compatibility decisions about driver packages to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -495,7 +496,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync
-This event indicates that a new set of DecisionDriverPackageAdd events will be sent.
+The DecisionDriverPackageStartSync event indicates that a new set of DecisionDriverPackageAdd events will be sent. This event is used to make compatibility decisions about driver packages to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -523,7 +524,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove
-This event indicates that the DecisionMatchingInfoBlock object is no longer present.
+This event indicates that the DecisionMatchingInfoBlock object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -534,7 +535,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync
-This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent.
+This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -559,7 +560,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove
-This event Indicates that the DecisionMatchingInfoPassive object is no longer present.
+This event Indicates that the DecisionMatchingInfoPassive object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -570,7 +571,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync
-This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent.
+This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -596,7 +597,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove
-This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present.
+This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -607,7 +608,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync
-This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent.
+This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -635,7 +636,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMediaCenterRemove
-This event indicates that the DecisionMediaCenter object is no longer present.
+This event indicates that the DecisionMediaCenter object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -646,7 +647,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMediaCenterStartSync
-This event indicates that a new set of DecisionMediaCenterAdd events will be sent.
+This event indicates that a new set of DecisionMediaCenterAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -671,7 +672,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionSystemBiosRemove
-This event indicates that the DecisionSystemBios object is no longer present.
+This event indicates that the DecisionSystemBios object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -682,7 +683,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync
-This event indicates that a new set of DecisionSystemBiosAdd events will be sent.
+This event indicates that a new set of DecisionSystemBiosAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -707,7 +708,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd
-This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or be part of an antivirus program.
+This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or be part of an antivirus program. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -736,7 +737,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove
-This event indicates that the InventoryApplicationFile object is no longer present.
+This event indicates that the InventoryApplicationFile object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -747,7 +748,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync
-This event indicates that a new set of InventoryApplicationFileAdd events will be sent.
+This event indicates that a new set of InventoryApplicationFileAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -771,7 +772,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove
-This event indicates that the InventoryLanguagePack object is no longer present.
+This event indicates that the InventoryLanguagePack object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -782,7 +783,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync
-This event indicates that a new set of InventoryLanguagePackAdd events will be sent.
+This event indicates that a new set of InventoryLanguagePackAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -811,7 +812,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryMediaCenterRemove
-This event indicates that the InventoryMediaCenter object is no longer present.
+This event indicates that the InventoryMediaCenter object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -822,7 +823,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync
-This event indicates that a new set of InventoryMediaCenterAdd events will be sent.
+This event indicates that a new set of InventoryMediaCenterAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -833,7 +834,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd
-This event sends basic metadata about the BIOS to determine whether it has a compatibility block.
+This event sends basic metadata about the BIOS to determine whether it has a compatibility block. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -848,7 +849,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove
-This event indicates that the InventorySystemBios object is no longer present.
+This event indicates that the InventorySystemBios object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -859,7 +860,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync
-This event indicates that a new set of InventorySystemBiosAdd events will be sent.
+This event indicates that a new set of InventorySystemBiosAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -870,7 +871,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd
-This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade.
+This event runs only during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. It is critical in understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -895,7 +896,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove
-This event indicates that the InventoryUplevelDriverPackage object is no longer present.
+This event indicates that the InventoryUplevelDriverPackage object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -906,7 +907,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync
-This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent.
+This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -917,7 +918,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.RunContext
-This event indicates what should be expected in the data payload.
+This event is sent at the beginning of an appraiser run, the RunContext indicates what should be expected in the following data payload. This event is used with the other Appraiser events to make compatibility decisions to keep Windows up to date.
The following fields are available:
@@ -949,7 +950,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemMemoryRemove
-This event that the SystemMemory object is no longer present.
+This event that the SystemMemory object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -960,7 +961,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemMemoryStartSync
-This event indicates that a new set of SystemMemoryAdd events will be sent.
+This event indicates that a new set of SystemMemoryAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -984,7 +985,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove
-This event indicates that the SystemProcessorCompareExchange object is no longer present.
+This event indicates that the SystemProcessorCompareExchange object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -995,7 +996,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync
-This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent.
+This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1019,7 +1020,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove
-This event indicates that the SystemProcessorLahfSahf object is no longer present.
+This event indicates that the SystemProcessorLahfSahf object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1030,7 +1031,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync
-This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent.
+This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1055,7 +1056,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorNxRemove
-This event indicates that the SystemProcessorNx object is no longer present.
+This event indicates that the SystemProcessorNx object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1066,7 +1067,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync
-This event indicates that a new set of SystemProcessorNxAdd events will be sent.
+This event indicates that a new set of SystemProcessorNxAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1090,7 +1091,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWRemove
-This event indicates that the SystemProcessorPrefetchW object is no longer present.
+This event indicates that the SystemProcessorPrefetchW object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1101,7 +1102,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync
-This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent.
+This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1125,7 +1126,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Remove
-This event indicates that the SystemProcessorSse2 object is no longer present.
+This event indicates that the SystemProcessorSse2 object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1136,7 +1137,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync
-This event indicates that a new set of SystemProcessorSse2Add events will be sent.
+This event indicates that a new set of SystemProcessorSse2Add events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1160,7 +1161,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemTouchRemove
-This event indicates that the SystemTouch object is no longer present.
+This event indicates that the SystemTouch object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1171,7 +1172,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemTouchStartSync
-This event indicates that a new set of SystemTouchAdd events will be sent.
+This event indicates that a new set of SystemTouchAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1195,7 +1196,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemWimRemove
-This event indicates that the SystemWim object is no longer present.
+This event indicates that the SystemWim object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1206,7 +1207,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemWimStartSync
-This event indicates that a new set of SystemWimAdd events will be sent.
+This event indicates that a new set of SystemWimAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1230,13 +1231,13 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusEndSync
-This event indicates that a full set of SystemWindowsActivationStatusAdd events has succeeded in being sent.
+This event indicates that a full set of SystemWindowsActivationStatusAdd events has succeeded in being sent. The data collected with this event is used to help keep Windows up to date.
### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove
-This event indicates that the SystemWindowsActivationStatus object is no longer present.
+This event indicates that the SystemWindowsActivationStatus object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1247,7 +1248,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync
-This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent.
+This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1275,7 +1276,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemWlanRemove
-This event indicates that the SystemWlan object is no longer present.
+This event indicates that the SystemWlan object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1286,7 +1287,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemWlanStartSync
-This event indicates that a new set of SystemWlanAdd events will be sent.
+This event indicates that a new set of SystemWlanAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1351,7 +1352,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.WmdrmRemove
-This event indicates that the Wmdrm object is no longer present.
+This event indicates that the Wmdrm object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1362,7 +1363,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.WmdrmStartSync
-This event indicates that a new set of WmdrmAdd events will be sent.
+The WmdrmStartSync event indicates that a new set of WmdrmAdd events will be sent. This event is used to understand the usage of older digital rights management on the system, to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1375,7 +1376,7 @@ The following fields are available:
### Census.App
-This event sends version data about the Apps running on this device, to help keep Windows up to date.
+This event sends version data about the Apps running on this device. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1393,7 +1394,7 @@ The following fields are available:
### Census.Azure
-This event returns data from Microsoft-internal Azure server machines (only from Microsoft-internal machines with Server SKUs). All other machines (those outside Microsoft and/or machines that are not part of the “Azure fleet”) return empty data sets.
+This event returns data from Microsoft-internal Azure server machines (only from Microsoft-internal machines with Server SKUs). All other machines (those outside Microsoft and/or machines that are not part of the “Azure fleet”) return empty data sets. The data collected with this event is used to help keep Windows secure.
The following fields are available:
@@ -1405,7 +1406,7 @@ The following fields are available:
### Census.Battery
-This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use, type to help keep Windows up to date.
+This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1416,19 +1417,9 @@ The following fields are available:
- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value.
-### Census.Camera
-
-This event sends data about the resolution of cameras on the device, to help keep Windows up to date.
-
-The following fields are available:
-
-- **FrontFacingCameraResolution** Represents the resolution of the front facing camera in megapixels. If a front facing camera does not exist, then the value is 0.
-- **RearFacingCameraResolution** Represents the resolution of the rear facing camera in megapixels. If a rear facing camera does not exist, then the value is 0.
-
-
### Census.Enterprise
-This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of the use and integration of devices in an enterprise, cloud, and server environment.
+This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of the use and integration of devices in an enterprise, cloud, and server environment. The data collected with this event is used to help keep Windows secure.
The following fields are available:
@@ -1447,14 +1438,14 @@ The following fields are available:
- **IsEDPEnabled** Represents if Enterprise data protected on the device.
- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not.
- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID
-- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in a Configuration Manager environment.
+- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment.
- **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
-- **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier
+- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier
### Census.Firmware
-This event sends data about the BIOS and startup embedded in the device, to help keep Windows up to date.
+This event sends data about the BIOS and startup embedded in the device. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1466,7 +1457,7 @@ The following fields are available:
### Census.Flighting
-This event sends Windows Insider data from customers participating in improvement testing and feedback programs, to help keep Windows up to date.
+This event sends Windows Insider data from customers participating in improvement testing and feedback programs. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1481,7 +1472,7 @@ The following fields are available:
### Census.Hardware
-This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support, to help keep Windows up to date.
+This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1522,7 +1513,7 @@ The following fields are available:
### Census.Memory
-This event sends data about the memory on the device, including ROM and RAM, to help keep Windows up to date.
+This event sends data about the memory on the device, including ROM and RAM. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1532,7 +1523,7 @@ The following fields are available:
### Census.Network
-This event sends data about the mobile and cellular network used by the device (mobile service provider, network, device ID, and service cost factors), to help keep Windows up to date.
+This event sends data about the mobile and cellular network used by the device (mobile service provider, network, device ID, and service cost factors). The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1555,7 +1546,7 @@ The following fields are available:
### Census.OS
-This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it is a virtual device, to help keep Windows up to date.
+This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it is a virtual device. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1597,7 +1588,7 @@ The following fields are available:
### Census.PrivacySettings
-This event provides information about the device level privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represent the authority that set the value. The effective consent (first 8 bits) is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority (last 8 bits) is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = system, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings.
+This event provides information about the device level privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represent the authority that set the value. The effective consent (first 8 bits) is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority (last 8 bits) is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = system, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. The data collected with this event is used to help keep Windows secure.
The following fields are available:
@@ -1641,7 +1632,7 @@ The following fields are available:
### Census.Processor
-This event sends data about the processor to help keep Windows up to date.
+This event sends data about the processor. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1664,7 +1655,7 @@ The following fields are available:
### Census.Security
-This event provides information on about security settings used to help keep Windows up to date and secure.
+This event provides information about security settings. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1682,7 +1673,7 @@ The following fields are available:
### Census.Speech
-This event is used to gather basic speech settings on the device.
+This event is used to gather basic speech settings on the device. The data collected with this event is used to help keep Windows secure.
The following fields are available:
@@ -1699,7 +1690,7 @@ The following fields are available:
### Census.Storage
-This event sends data about the total capacity of the system volume and primary disk, to help keep Windows up to date.
+This event sends data about the total capacity of the system volume and primary disk. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1710,7 +1701,7 @@ The following fields are available:
### Census.Userdefault
-This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols, to help keep Windows up to date.
+This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1720,7 +1711,7 @@ The following fields are available:
### Census.UserDisplay
-This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system, to help keep Windows up to date.
+This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1741,7 +1732,7 @@ The following fields are available:
### Census.UserNLS
-This event sends data about the default app language, input, and display language preferences set by the user, to help keep Windows up to date.
+This event sends data about the default app language, input, and display language preferences set by the user. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1754,7 +1745,7 @@ The following fields are available:
### Census.UserPrivacySettings
-This event provides information about the current users privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represents the authority that set the value. The effective consent is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = user, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings.
+This event provides information about the current users privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represents the authority that set the value. The effective consent is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = user, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. The data collected with this event is used to help keep Windows secure.
The following fields are available:
@@ -1798,7 +1789,7 @@ The following fields are available:
### Census.VM
-This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to help keep Windows up to date.
+This event sends data indicating whether virtualization is enabled on the device, and its various characteristics. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1813,7 +1804,7 @@ The following fields are available:
### Census.WU
-This event sends data about the Windows update server and other App store policies, to help keep Windows up to date.
+This event sends data about the Windows update server and other App store policies. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2030,7 +2021,7 @@ The following fields are available:
### Microsoft.Windows.Compatibility.Apphelp.SdbFix
-Product instrumentation for helping debug/troubleshoot issues with inbox compatibility components.
+Product instrumentation for helping debug/troubleshoot issues with inbox compatibility components. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -2066,7 +2057,7 @@ The following fields are available:
### CbsServicingProvider.CbsCapabilitySessionFinalize
-This event provides information about the results of installing or uninstalling optional Windows content from Windows Update.
+This event provides information about the results of installing or uninstalling optional Windows content from Windows Update. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -2193,7 +2184,7 @@ The following fields are available:
### DeploymentTelemetry.Deployment_End
-This event indicates that a Deployment 360 API has completed.
+This event indicates that a Deployment 360 API has completed. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2207,7 +2198,7 @@ The following fields are available:
### DeploymentTelemetry.Deployment_Initialize
-This event indicates that the Deployment 360 APIs have been initialized for use.
+This event indicates that the Deployment 360 APIs have been initialized for use. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2220,7 +2211,7 @@ The following fields are available:
### DeploymentTelemetry.Deployment_SetupBoxLaunch
-This event indicates that the Deployment 360 APIs have launched Setup Box.
+This event indicates that the Deployment 360 APIs have launched Setup Box. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2233,7 +2224,7 @@ The following fields are available:
### DeploymentTelemetry.Deployment_SetupBoxResult
-This event indicates that the Deployment 360 APIs have received a return from Setup Box.
+This event indicates that the Deployment 360 APIs have received a return from Setup Box. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2247,7 +2238,7 @@ The following fields are available:
### DeploymentTelemetry.Deployment_Start
-This event indicates that a Deployment 360 API has been called.
+This event indicates that a Deployment 360 API has been called. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2261,7 +2252,7 @@ The following fields are available:
### TelClientSynthetic.AuthorizationInfo_RuntimeTransition
-This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect.
+This event is fired by UTC at state transitions to signal what data we are allowed to collect. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -2280,7 +2271,7 @@ The following fields are available:
### TelClientSynthetic.AuthorizationInfo_Startup
-Fired by UTC at startup to signal what data we are allowed to collect.
+This event is fired by UTC at startup to signal what data we are allowed to collect. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -2312,6 +2303,21 @@ The following fields are available:
- **RestrictedNetworkTimeSec** The total number of seconds with restricted network during this heartbeat period.
+### TelClientSynthetic.ConnectivityHeartBeat_0
+
+This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it sends an event. A Connectivity Heartbeat event is also sent when a device recovers from costed network to free network. This event is fired by UTC during periods of no network as a heartbeat signal, to keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CensusExitCode** Last exit code of the Census task.
+- **CensusStartTime** Time of last Census run.
+- **CensusTaskEnabled** True if Census is enabled, false otherwise.
+- **LastFreeNetworkLossTime** The FILETIME at which the last free network loss occurred.
+- **NetworkState** The network state of the device.
+- **NoNetworkTimeSec** The total number of seconds without network during this heartbeat period.
+- **RestrictedNetworkTimeSec** The total number of seconds with restricted network during this heartbeat period.
+
+
### TelClientSynthetic.HeartBeat_5
This event sends data about the health and quality of the diagnostic data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device.
@@ -2402,7 +2408,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicability
-This event indicates that the Coordinator CheckApplicability call succeeded.
+This event indicates that the Coordinator CheckApplicability call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2415,7 +2421,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicabilityGenericFailure
-This event indicatse that we have received an unexpected error in the Direct to Update (DTU) Coordinators CheckApplicability call.
+This event indicatse that we have received an unexpected error in the Direct to Update (DTU) Coordinators CheckApplicability call. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2428,7 +2434,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupGenericFailure
-This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Cleanup call.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Cleanup call. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2441,7 +2447,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupSuccess
-This event indicates that the Coordinator Cleanup call succeeded.
+This event indicates that the Coordinator Cleanup call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2453,7 +2459,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitGenericFailure
-This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Commit call.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Commit call. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2466,7 +2472,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitSuccess
-This event indicates that the Coordinator Commit call succeeded.
+This event indicates that the Coordinator Commit call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2478,7 +2484,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadGenericFailure
-This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Download call.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Download call. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2491,7 +2497,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadIgnoredFailure
-This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Download call that will be ignored.
+This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Download call that will be ignored. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2504,7 +2510,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadSuccess
-This event indicates that the Coordinator Download call succeeded.
+This event indicates that the Coordinator Download call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2516,7 +2522,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownGenericFailure
-This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator HandleShutdown call.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator HandleShutdown call. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2529,7 +2535,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownSuccess
-This event indicates that the Coordinator HandleShutdown call succeeded.
+This event indicates that the Coordinator HandleShutdown call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2541,7 +2547,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeGenericFailure
-This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Initialize call.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Initialize call. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2554,7 +2560,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeSuccess
-This event indicates that the Coordinator Initialize call succeeded.
+This event indicates that the Coordinator Initialize call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2566,7 +2572,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallGenericFailure
-This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Install call.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Install call. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2579,7 +2585,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallIgnoredFailure
-This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Install call that will be ignored.
+This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Install call that will be ignored. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2592,7 +2598,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallSuccess
-This event indicates that the Coordinator Install call succeeded.
+This event indicates that the Coordinator Install call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2604,7 +2610,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorProgressCallBack
-This event indicates that the Coordinator's progress callback has been called.
+This event indicates that the Coordinator's progress callback has been called. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2630,7 +2636,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorSetCommitReadySuccess
-This event indicates that the Coordinator SetCommitReady call succeeded.
+This event indicates that the Coordinator SetCommitReady call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2655,7 +2661,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiNotShown
-This event indicates that the Coordinator WaitForRebootUi call succeeded.
+This event indicates that the Coordinator WaitForRebootUi call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2668,7 +2674,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSelection
-This event indicates that the user selected an option on the Reboot UI.
+This event indicates that the user selected an option on the Reboot UI. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2681,7 +2687,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSuccess
-This event indicates that the Coordinator WaitForRebootUi call succeeded.
+This event indicates that the Coordinator WaitForRebootUi call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2693,7 +2699,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityGenericFailure
-This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckApplicability call.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckApplicability call. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2707,7 +2713,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalGenericFailure
-This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckApplicabilityInternal call.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckApplicabilityInternal call. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2720,7 +2726,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalSuccess
-This event indicates that the Handler CheckApplicabilityInternal call succeeded.
+This event indicates that the Handler CheckApplicabilityInternal call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2733,7 +2739,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilitySuccess
-This event indicates that the Handler CheckApplicability call succeeded.
+This event indicates that the Handler CheckApplicability call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2747,7 +2753,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckIfCoordinatorMinApplicableVersionGenericFailure
-This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckIfCoordinatorMinApplicableVersion call.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckIfCoordinatorMinApplicableVersion call. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2760,7 +2766,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckIfCoordinatorMinApplicableVersionSuccess
-This event indicates that the Handler CheckIfCoordinatorMinApplicableVersion call succeeded.
+This event indicates that the Handler CheckIfCoordinatorMinApplicableVersion call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2773,7 +2779,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitGenericFailure
-This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Commit call.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Commit call. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2787,7 +2793,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitSuccess
-This event indicates that the Handler Commit call succeeded.
+This event indicates that the Handler Commit call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2800,7 +2806,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabAlreadyDownloaded
-This event indicates that the Handler Download and Extract cab returned a value indicating that the cab has already been downloaded.
+This event indicates that the Handler Download and Extract cab returned a value indicating that the cab has already been downloaded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2812,7 +2818,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabFailure
-This event indicates that the Handler Download and Extract cab call failed.
+This event indicates that the Handler Download and Extract cab call failed. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2826,7 +2832,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabSuccess
-This event indicates that the Handler Download and Extract cab call succeeded.
+This event indicates that the Handler Download and Extract cab call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2838,7 +2844,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadGenericFailure
-This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Download call.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Download call. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2851,7 +2857,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadSuccess
-This event indicates that the Handler Download call succeeded.
+This event indicates that the Handler Download call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2863,7 +2869,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeGenericFailure
-This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Initialize call.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Initialize call. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2877,7 +2883,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeSuccess
-This event indicates that the Handler Initialize call succeeded.
+This event indicates that the Handler Initialize call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2890,7 +2896,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallGenericFailure
-This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Install call.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Install call. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2903,7 +2909,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallSuccess
-This event indicates that the Coordinator Install call succeeded.
+This event indicates that the Coordinator Install call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2915,7 +2921,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerSetCommitReadyGenericFailure
-This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler SetCommitReady call.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler SetCommitReady call. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2928,7 +2934,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerSetCommitReadySuccess
-This event indicates that the Handler SetCommitReady call succeeded.
+This event indicates that the Handler SetCommitReady call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2940,7 +2946,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiGenericFailure
-This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler WaitForRebootUi call.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler WaitForRebootUi call. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2953,7 +2959,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiSuccess
-This event indicates that the Handler WaitForRebootUi call succeeded.
+This event indicates that the Handler WaitForRebootUi call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3127,7 +3133,7 @@ The following fields are available:
### Microsoft.Windows.Upgrade.Uninstall.UninstallFailed
-This event sends diagnostic data about failures when uninstalling a feature update, to help resolve any issues preventing customers from reverting to a known state.
+This event sends diagnostic data about failures when uninstalling a feature update, to help resolve any issues preventing customers from reverting to a known state. The data collected with this event is used to help keep Windows up to date and performing properly.
The following fields are available:
@@ -3137,7 +3143,7 @@ The following fields are available:
### Microsoft.Windows.Upgrade.Uninstall.UninstallFinalizedAndRebootTriggered
-This event indicates that the uninstall was properly configured and that a system reboot was initiated.
+This event indicates that the uninstall was properly configured and that a system reboot was initiated. The data collected with this event is used to help keep Windows up to date and performing properly.
@@ -3179,7 +3185,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum
-This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object.
+This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -3213,7 +3219,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions
-This event sends inventory component versions for the Device Inventory data.
+This event sends inventory component versions for the Device Inventory data. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -3223,7 +3229,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd
-This event sends basic metadata about an application on the system to help keep Windows up to date.
+This event sends basic metadata about an application on the system. The data collected with this event is used to keep Windows performing properly and up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3252,7 +3258,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd
-This event represents what drivers an application installs.
+This event represents what drivers an application installs. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3264,7 +3270,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync
-The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent.
+The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3275,7 +3281,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd
-This event provides the basic metadata about the frameworks an application may depend on.
+This event provides the basic metadata about the frameworks an application may depend on. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3288,7 +3294,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync
-This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent.
+This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3299,7 +3305,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove
-This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
+This event indicates that a new set of InventoryDevicePnpAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3310,7 +3316,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync
-This event indicates that a new set of InventoryApplicationAdd events will be sent.
+This event indicates that a new set of InventoryApplicationAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3321,7 +3327,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd
-This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and Play device) to help keep Windows up to date.
+This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and Play device). The data collected with this event is used to help keep Windows up to date and to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3345,7 +3351,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove
-This event indicates that the InventoryDeviceContainer object is no longer present.
+This event indicates that the InventoryDeviceContainer object is no longer present. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3356,7 +3362,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync
-This event indicates that a new set of InventoryDeviceContainerAdd events will be sent.
+This event indicates that a new set of InventoryDeviceContainerAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3367,7 +3373,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd
-This event retrieves information about what sensor interfaces are available on the device.
+This event retrieves information about what sensor interfaces are available on the device. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3397,7 +3403,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync
-This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent.
+This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3408,7 +3414,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd
-This event sends additional metadata about a Plug and Play device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload.
+This event sends additional metadata about a Plug and Play device that is specific to a particular class of devices. The data collected with this event is used to help keep Windows up to date and performing properly while reducing overall size of data payload.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3421,7 +3427,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove
-This event indicates that the InventoryDeviceMediaClassRemove object is no longer present.
+This event indicates that the InventoryDeviceMediaClass object represented by the objectInstanceId is no longer present. This event is used to understand a PNP device that is specific to a particular class of devices. The data collected with this event is used to help keep Windows up to date and performing properly while reducing overall size of data payload.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3432,7 +3438,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync
-This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent.
+This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3482,7 +3488,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove
-This event indicates that the InventoryDevicePnpRemove object is no longer present.
+This event indicates that the InventoryDevicePnpRemove object is no longer present. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3493,7 +3499,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync
-This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
+This event indicates that a new set of InventoryDevicePnpAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3504,7 +3510,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd
-This event sends basic metadata about the USB hubs on the device.
+This event sends basic metadata about the USB hubs on the device. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3517,7 +3523,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync
-This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent.
+This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3528,7 +3534,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd
-This event sends basic metadata about driver binaries running on the system to help keep Windows up to date.
+This event sends basic metadata about driver binaries running on the system. The data collected with this event is used to help keep Windows up to date and performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3555,7 +3561,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove
-This event indicates that the InventoryDriverBinary object is no longer present.
+This event indicates that the InventoryDriverBinary object is no longer present. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3566,7 +3572,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync
-This event indicates that a new set of InventoryDriverBinaryAdd events will be sent.
+This event indicates that a new set of InventoryDriverBinaryAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3577,7 +3583,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd
-This event sends basic metadata about drive packages installed on the system to help keep Windows up to date.
+This event sends basic metadata about drive packages installed on the system. The data collected with this event is used to help keep Windows up to date and performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3597,7 +3603,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove
-This event indicates that the InventoryDriverPackageRemove object is no longer present.
+This event indicates that the InventoryDriverPackageRemove object is no longer present. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3608,7 +3614,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync
-This event indicates that a new set of InventoryDriverPackageAdd events will be sent.
+This event indicates that a new set of InventoryDriverPackageAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3617,9 +3623,17 @@ The following fields are available:
- **InventoryVersion** The version of the inventory file generating the events.
+### Microsoft.Windows.Inventory.General. InventoryMiscellaneousMemorySlotArrayInfoRemove
+
+This event indicates that this particular data object represented by the ObjectInstanceId is no longer present. The data collected with this event is used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+
+
### Microsoft.Windows.Inventory.General.AppHealthStaticAdd
-This event sends details collected for a specific application on the source device.
+This event sends details collected for a specific application on the source device. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3649,7 +3663,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.AppHealthStaticStartSync
-This event indicates the beginning of a series of AppHealthStaticAdd events.
+This event indicates the beginning of a series of AppHealthStaticAdd events. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3661,9 +3675,17 @@ The following fields are available:
- **StartTime** UTC date and time at which this event was sent.
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoStartSync
+
+This diagnostic event indicates a new sync is being generated for this object type.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+
+
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd
-Provides data on the installed Office Add-ins
+This event provides data on the installed Office add-ins. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3696,7 +3718,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove
-Indicates that this particular data object represented by the objectInstanceId is no longer present.
+This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3707,7 +3729,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync
-This event indicates that a new sync is being generated for this object type.
+This event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3718,7 +3740,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd
-Provides data on the Office identifiers
+This event provides data on the Office identifiers. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3736,7 +3758,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync
-Diagnostic event to indicate a new sync is being generated for this object type.
+This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3747,7 +3769,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd
-Office-related Internet Explorer features
+This event provides data on Office-related Internet Explorer features. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3773,7 +3795,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync
-Diagnostic event to indicate a new sync is being generated for this object type.
+This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3784,7 +3806,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd
-This event provides insight data on the installed Office products
+This event provides insight data on the installed Office products. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3799,7 +3821,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove
-Indicates that this particular data object represented by the objectInstanceId is no longer present.
+This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3810,7 +3832,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync
-This diagnostic event indicates that a new sync is being generated for this object type.
+This diagnostic event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3821,7 +3843,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd
-Describes Office Products installed
+This event describes all installed Office products. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3836,7 +3858,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync
-Diagnostic event to indicate a new sync is being generated for this object type.
+This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3847,7 +3869,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd
-This event describes various Office settings
+This event describes various Office settings. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3861,7 +3883,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync
-Diagnostic event to indicate a new sync is being generated for this object type.
+This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3872,7 +3894,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd
-This event provides a summary rollup count of conditions encountered while performing a local scan of Office files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus, and between 32 and 64-bit versions
+This event provides a summary rollup count of conditions encountered while performing a local scan of Office files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus, and between 32 and 64-bit versions. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3904,7 +3926,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARemove
-Indicates that this particular data object represented by the objectInstanceId is no longer present.
+This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3912,7 +3934,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd
-This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule
+This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3923,7 +3945,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsRemove
-Indicates that this particular data object represented by the objectInstanceId is no longer present.
+This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3931,7 +3953,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync
-This event indicates that a new sync is being generated for this object type.
+This event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3942,7 +3964,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync
-Diagnostic event to indicate a new sync is being generated for this object type.
+This diagnostic event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3953,7 +3975,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd
-Provides data on Unified Update Platform (UUP) products and what version they are at.
+This event provides data on Unified Update Platform (UUP) products and what version they are at. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3968,7 +3990,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoRemove
-Indicates that this particular data object represented by the objectInstanceId is no longer present.
+This event indicates that this particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3976,7 +3998,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync
-Diagnostic event to indicate a new sync is being generated for this object type.
+This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -3984,7 +4006,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
### Microsoft.Windows.Inventory.Indicators.Checksum
-This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events.
+This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -3994,7 +4016,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd
-These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up to date.
+This event represents the basic metadata about the OS indicators installed on the system. The data collected with this event helps ensure the device is up to date and keeps Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4005,7 +4027,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove
-This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd that indicates that the item has been removed.
+This event indicates that this particular data object represented by the objectInstanceId is no longer present. This event is used to understand the OS indicators installed on the system. The data collected with this event helps ensure the device is current and Windows is up to date and performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4013,7 +4035,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync
-This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events will be sent.
+This event indicates that this particular data object represented by the objectInstanceId is no longer present. This event is used to understand the OS indicators installed on the system. The data collected with this event helps ensure the device is current and Windows is up to date and performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4033,7 +4055,7 @@ The following fields are available:
### Microsoft.Windows.Kernel.BootEnvironment.OsLaunch
-OS information collected during Boot, used to evaluate the success of the upgrade process.
+This event includes basic data about the Operating System, collected during Boot and used to evaluate the success of the upgrade process. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -4062,7 +4084,7 @@ The following fields are available:
### Microsoft.Windows.Kernel.Power.OSStateChange
-This event indicates an OS state change.
+This event indicates an OS state change. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -4183,7 +4205,104 @@ The following fields are available:
### Aria.af397ef28e484961ba48646a5d38cf54.Microsoft.WebBrowser.Installer.EdgeUpdate.Ping
-This event sends hardware and software inventory information about the Microsoft Edge Update service, Microsoft Edge applications, and the current system environment, including app configuration, update configuration, and hardware capabilities. It's used to measure the reliability and performance of the EdgeUpdate service and if Microsoft Edge applications are up to date.
+This Ping event sends a detailed inventory of software and hardware information about the EdgeUpdate service, Edge applications, and the current system environment including app configuration, update configuration, and hardware capabilities. This event contains Device Connectivity and Configuration, Product and Service Performance, and Software Setup and Inventory data. One or more events is sent each time any installation, update, or uninstallation occurs with the EdgeUpdate service or with Edge applications. This event is used to measure the reliability and performance of the EdgeUpdate service and if Edge applications are up to date. This is an indication that the event is designed to keep Windows secure and up to date.
+
+The following fields are available:
+
+- **appAp** Any additional parameters for the specified application. Default: ''.
+- **appAppId** The GUID that identifies the product. Compatible clients must transmit this attribute. Please see the wiki for additional information. Default: undefined.
+- **appBrandCode** The brand code under which the product was installed, if any. A brand code is a short (4-character) string used to identify installations that took place as a result of partner deals or website promotions. Default: ''.
+- **appChannel** An integer indicating the channel of the installation (i.e. Canary or Dev).
+- **appClientId** A generalized form of the brand code that can accept a wider range of values and is used for similar purposes. Default: ''.
+- **appCohort** A machine-readable string identifying the release cohort (channel) that the app belongs to. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
+- **appCohortHint** A machine-readable enum indicating that the client has a desire to switch to a different release cohort. The exact legal values are app-specific and should be shared between the server and app implementations. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
+- **appCohortName** A stable non-localized human-readable enum indicating which (if any) set of messages the app should display to the user. For example, an app with a cohort Name of 'beta' might display beta-specific branding to the user. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
+- **appConsentState** Bit flags describing the diagnostic data disclosure and response flow where 1 indicates the affirmative and 0 indicates the negative or unspecified data. Bit 1 indicates consent was given, bit 2 indicates data originated from the download page, bit 18 indicates choice for sending data about how the browser is used, and bit 19 indicates choice for sending data about websites visited.
+- **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (e.g. send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value is not known. Please see the wiki for additional information. Default: '-2'.
+- **appExperiments** A key/value list of experiment identifiers. Experiment labels are used to track membership in different experimental groups, and may be set at install or update time. The experiments string is formatted as a semicolon-delimited concatenation of experiment label strings. An experiment label string is an experiment Name, followed by the '=' character, followed by an experimental label value. For example: 'crdiff=got_bsdiff;optimized=O3'. The client should not transmit the expiration date of any experiments it has, even if the server previously specified a specific expiration date. Default: ''.
+- **appIid** A GUID that identifies a particular installation flow. For example, each download of a product installer is tagged with a unique GUID. Attempts to install using that installer can then be grouped. A client SHOULD NOT persist the IID GUID after the installation flow of a product is complete.
+- **appInstallTimeDiffSec** The difference between the current time and the install date in seconds. '0' if unknown. Default: '-1'.
+- **appLang** The language of the product install, in IETF BCP 47 representation. Default: ''.
+- **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Please see the wiki for additional information. Default: '0.0.0.0'.
+- **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'.
+- **appPingEventDownloadMetricsCdnCCC** ISO 2 character country code that matches to the country updated binaries are delivered from. E.g.: US.
+- **appPingEventDownloadMetricsCdnCID** Numeric value used to internally track the origins of the updated binaries. For example, 2.
+- **appPingEventDownloadMetricsDownloadedBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'.
+- **appPingEventDownloadMetricsDownloader** A string identifying the download algorithm and/or stack. Example values include: 'bits', 'direct', 'winhttp', 'p2p'. Sent in events that have an event type of '14' only. Default: ''.
+- **appPingEventDownloadMetricsDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'.
+- **appPingEventDownloadMetricsError** The error code (if any) of the operation, encoded as a signed base-10 integer. Default: '0'.
+- **appPingEventDownloadMetricsServerIpHint** For events representing a download, the CDN Host IP address that corresponds to the update file server. The CDN host is controlled by Microsoft servers and always maps to IP addresses hosting *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''.
+- **appPingEventDownloadMetricsTotalBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'.
+- **appPingEventDownloadMetricsUrl** For events representing a download, the CDN URL provided by the update server for the client to download the update, the URL is controlled by Microsoft servers and always maps back to either *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''.
+- **appPingEventDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'.
+- **appPingEventErrorCode** The error code (if any) of the operation, encoded as a signed, base-10 integer. Default: '0'.
+- **appPingEventEventResult** An enum indicating the result of the event. Please see the wiki for additional information. Default: '0'.
+- **appPingEventEventType** An enum indicating the type of the event. Compatible clients MUST transmit this attribute. Please see the wiki for additional information.
+- **appPingEventExtraCode1** Additional numeric information about the operation's result, encoded as a signed, base-10 integer. Default: '0'.
+- **appPingEventInstallTimeMs** For events representing an install, the time elapsed between the start of the install and the end of the install, in milliseconds. For events representing an entire update flow, the sum of all such durations. Sent in events that have an event type of '2' and '3' only. Default: '0'.
+- **appPingEventNumBytesDownloaded** The number of bytes downloaded for the specified application. Default: '0'.
+- **appPingEventSequenceId** An id that uniquely identifies particular events within one requestId. Since a request can contain multiple ping events, this field is necessary to uniquely identify each possible event.
+- **appPingEventSourceUrlIndex** For events representing a download, the position of the download URL in the list of URLs supplied by the server in a "urls" tag.
+- **appPingEventUpdateCheckTimeMs** For events representing an entire update flow, the time elapsed between the start of the update check and the end of the update check, in milliseconds. Sent in events that have an event type of '2' and '3' only. Default: '0'.
+- **appUpdateCheckIsUpdateDisabled** The state of whether app updates are restricted by group policy. True if updates have been restricted by group policy or false if they have not.
+- **appUpdateCheckTargetVersionPrefix** A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The server should not return an update instruction to a version number that does not match the prefix or complete version number. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it is not a lexical prefix (for example, '1.2.3' must match '1.2.3.4' but must not match '1.2.34'). Default: ''.
+- **appUpdateCheckTtToken** An opaque access token that can be used to identify the requesting client as a member of a trusted-tester group. If non-empty, the request should be sent over SSL or another secure protocol. Default: ''.
+- **appVersion** The version of the product install. Please see the wiki for additional information. Default: '0.0.0.0'.
+- **eventType** A string indicating the type of the event. Please see the wiki for additional information.
+- **hwHasAvx** '1' if the client's hardware supports the AVX instruction set. '0' if the client's hardware does not support the AVX instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse** '1' if the client's hardware supports the SSE instruction set. '0' if the client's hardware does not support the SSE instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse2** '1' if the client's hardware supports the SSE2 instruction set. '0' if the client's hardware does not support the SSE2 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse3** '1' if the client's hardware supports the SSE3 instruction set. '0' if the client's hardware does not support the SSE3 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse41** '1' if the client's hardware supports the SSE4.1 instruction set. '0' if the client's hardware does not support the SSE4.1 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse42** '1' if the client's hardware supports the SSE4.2 instruction set. '0' if the client's hardware does not support the SSE4.2 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSsse3** '1' if the client's hardware supports the SSSE3 instruction set. '0' if the client's hardware does not support the SSSE3 instruction set. '-1' if unknown. Default: '-1'.
+- **hwPhysmemory** The physical memory available to the client, truncated down to the nearest gibibyte. '-1' if unknown. This value is intended to reflect the maximum theoretical storage capacity of the client, not including any hard drive or paging to a hard drive or peripheral. Default: '-1'.
+- **isMsftDomainJoined** '1' if the client is a member of a Microsoft domain. '0' otherwise. Default: '0'.
+- **osArch** The architecture of the operating system (e.g. 'x86', 'x64', 'arm'). '' if unknown. Default: ''.
+- **osPlatform** The operating system family that the within which the Omaha client is running (e.g. 'win', 'mac', 'linux', 'ios', 'android'). '' if unknown. The operating system Name should be transmitted in lowercase with minimal formatting. Default: ''.
+- **osServicePack** The secondary version of the operating system. '' if unknown. Default: ''.
+- **osVersion** The primary version of the operating system. '' if unknown. Default: ''.
+- **requestCheckPeriodSec** The update interval in seconds. The value is read from the registry. Default: '-1'.
+- **requestDlpref** A comma-separated list of values specifying the preferred download URL behavior. The first value is the highest priority, further values reflect secondary, tertiary, et cetera priorities. Legal values are '' (in which case the entire list must be empty, indicating unknown or no-preference) or 'cacheable' (the server should prioritize sending URLs that are easily cacheable). Default: ''.
+- **requestDomainJoined** '1' if the machine is part of a managed enterprise domain. Otherwise '0'.
+- **requestInstallSource** A string specifying the cause of the update flow. For example: 'ondemand', or 'scheduledtask'. Default: ''.
+- **requestIsMachine** '1' if the client is known to be installed with system-level or administrator privileges. '0' otherwise. Default: '0'.
+- **requestOmahaShellVersion** The version of the Omaha installation folder. Default: ''.
+- **requestOmahaVersion** The version of the Omaha updater itself (the entity sending this request). Default: '0.0.0.0'.
+- **requestProtocolVersion** The version of the Omaha protocol. Compatible clients MUST provide a value of '3.0'. Compatible clients must always transmit this attribute. Default: undefined.
+- **requestRequestId** A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha request. Each request attempt should have (with high probability) a unique request id. Default: ''.
+- **requestSessionCorrelationVectorBase** A client generated random MS Correlation Vector base code used to correlate the update session with update and CDN servers. Default: ''.
+- **requestSessionId** A randomly-generated (uniformly distributed) GUID. Each single update flow (e.g. update check, update application, event ping sequence) should have (with high probability) a single unique session ID. Default: ''.
+- **requestTestSource** Either '', 'dev', 'qa', 'prober', 'auto', or 'ossdev'. Any value except '' indicates that the request is a test and should not be counted toward normal metrics. Default: ''.
+- **requestUid** A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha user. Each request attempt SHOULD have (with high probability) a unique request id. Default: ''.
+
+
+### Aria.f4a7d46e472049dfba756e11bdbbc08f.Microsoft.WebBrowser.SystemInfo.Config
+
+This config event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure.
+
+The following fields are available:
+
+- **app_version** The internal Edge build version string, taken from the UMA metrics field system_profile.app_version.
+- **appConsentState** Bit flags describing consent for data collection on the machine or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000).
+- **Channel** An integer indicating the channel of the installation (Canary or Dev).
+- **client_id** A unique identifier with which all other diagnostic client data is associated, taken from the UMA metrics provider. This ID is effectively unique per device, per OS user profile, per release channel (e.g. Canary/Dev/Beta/Stable). client_id is not durable, based on user preferences. client_id is initialized on the first application launch under each OS user profile. client_id is linkable, but not unique across devices or OS user profiles. client_id is reset whenever UMA data collection is disabled, or when the application is uninstalled.
+- **ConnectionType** The first reported type of network connection currently connected. This can be one of Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth.
+- **container_client_id** The client ID of the container, if in WDAG mode. This will be different from the UMA log client ID, which is the client ID of the host in WDAG mode.
+- **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode.
+- **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied.
+- **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
+- **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
+- **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13).
+- **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload.
+- **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission.
+- **PayloadLogType** The log type for the event correlating with 0 for unknown, 1 for stability, 2 for on-going, 3 for independent, 4 for UKM, or 5 for instance level.
+- **session_id** An identifier that is incremented each time the user launches the application, irrespective of any client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade.
+
+
+### Microsoft.WebBrowser.Installer.EdgeUpdate.Ping
+
+This event sends hardware and software inventory information about the Microsoft Edge Update service, Microsoft Edge applications, and the current system environment, including app configuration, update configuration, and hardware capabilities. It's used to measure the reliability and performance of the EdgeUpdate service and if Microsoft Edge applications are up to date. This is an indication that the event is designed to keep Windows secure and up to date.
The following fields are available:
@@ -4203,6 +4322,8 @@ The following fields are available:
- **appLang** The language of the product install, in IETF BCP 47 representation. Default: ''.
- **appNextVersion** The version of the app that the update attempted to reach, regardless of the success or failure of the update operation. Default: '0.0.0.0'.
- **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'.
+- **appPingEventDownloadMetricsCdnCCC** ISO 2 character country code that matches to the country updated binaries are delivered from. E.g.: US.
+- **appPingEventDownloadMetricsCdnCID** Numeric value used to internally track the origins of the updated binaries. For example, 2.
- **appPingEventDownloadMetricsDownloadedBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'.
- **appPingEventDownloadMetricsDownloader** A string identifying the download algorithm and/or stack. Example values include: 'bits', 'direct', 'winhttp', 'p2p'. Sent in events that have an event type of '14' only. Default: ''.
- **appPingEventDownloadMetricsDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'.
@@ -4250,49 +4371,26 @@ The following fields are available:
- **requestSessionCorrelationVectorBase** A client generated random MS Correlation Vector base code used to correlate the update session with update and CDN servers. Default: ''.
- **requestSessionId** A randomly-generated (uniformly distributed) GUID. Each single update flow (e.g. update check, update application, event ping sequence) SHOULD have (with high probability) a single unique session ID. Default: ''.
- **requestTestSource** Either '', 'dev', 'qa', 'prober', 'auto', or 'ossdev'. Any value except '' indicates that the request is a test and should not be counted toward normal metrics. Default: ''.
-- **requestUid** A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha user. Each request attempt should have (with high probability) a unique request id. Default: ''.
-
-
-### Aria.f4a7d46e472049dfba756e11bdbbc08f.Microsoft.WebBrowser.SystemInfo.Config
-
-This config event sends basic device connectivity and configuration information from Microsoft Edge about the current data collection consent, app version, and installation state to keep Microsoft Edge up to date and secure.
-
-The following fields are available:
-
-- **app_version** The internal Microsoft Edge build version string.
-- **appConsentState** Bit flags that describe the consent for data collection on the device, or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000).
-- **Channel** An integer indicating the channel of the installation (Canary or Dev).
-- **client_id** A non-durable unique identifier with which all other diagnostic client data is associated. This value is reset whenever UMA data collection is disabled, or when the application is uninstalled.
-- **ConnectionType** The first reported type of network connection currently connected. Possible values: Unknown, Ethernet, WiFi, 2G, 3G, 4G, None, or Bluetooth
-- **container_client_id** The client ID of the container if the device is in Windows Defender Application Guard mode.
-- **container_session_id** The session ID of the container if the device is in Windows Defender Application Guard mode.
-- **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. There is not value in this field is the device is at the Basic diagnostic data level.
-- **EventInfo.Level** The minimum Windows diagnostic data level required for the event. Possible values: 1 -- Basic, 2 -- Enhanced, 3 -- Full
-- **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour.
-- **installSource** An enumeration representing the source of this installation. Possible values: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13).
-- **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload.
-- **PayloadGUID** A random identifier generated for each original monolithic Protobuf payload, before the payload is potentially broken up into manageably-sized chunks for transmission.
-- **PayloadLogType** The log type for the event correlating with. Possible values: 0 -- Unknown, 1 -- Stability, 2 -- On-going, 3 -- Independent, 4 -- UKM, or 5 -- Instance level
-- **session_id** An ordered identifier that is guaranteed to be greater than the previous session identifier each time the user launches the application, reset on subsequent launch after client_id changes. session_id is seeded during the initial installation of the application. session_id is effectively unique per client_id value. Several other internal identifier values, such as window or tab IDs, are only meaningful within a particular session. The session_id value is forgotten when the application is uninstalled, but not during an upgrade.
+- **requestUid** A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha user. Each request attempt SHOULD have (with high probability) a unique request id. Default: ''.
## Migration events
### Microsoft.Windows.MigrationCore.MigObjectCountDLUsr
-This event returns data to track the count of the migration objects across various phases during feature update.
+This event returns data to track the count of the migration objects across various phases during feature update. The data collected with this event is used to help keep Windows secure and to track data loss scenarios.
### Microsoft.Windows.MigrationCore.MigObjectCountKFSys
-This event returns data about the count of the migration objects across various phases during feature update.
+This event returns data about the count of the migration objects across various phases during feature update. The data collected with this event is used to help keep Windows secure and to track data loss scenarios.
### Microsoft.Windows.MigrationCore.MigObjectCountKFUsr
-This event returns data to track the count of the migration objects across various phases during feature update.
+This event returns data to track the count of the migration objects across various phases during feature update. The data collected with this event is used to help keep Windows secure and to track data loss scenarios.
@@ -4300,7 +4398,7 @@ This event returns data to track the count of the migration objects across vario
### Microsoft.Windows.Cast.Miracast.MiracastSessionEnd
-This event sends data at the end of a Miracast session that helps determine RTSP related Miracast failures along with some statistics about the session
+This event sends data at the end of a Miracast session that helps determine RTSP related Miracast failures along with some statistics about the session. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -4375,7 +4473,7 @@ The following fields are available:
### Microsoft.OneDrive.Sync.Setup.APIOperation
-This event includes basic data about install and uninstall OneDrive API operations.
+This event includes basic data about install and uninstall OneDrive API operations. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -4388,7 +4486,7 @@ The following fields are available:
### Microsoft.OneDrive.Sync.Setup.EndExperience
-This event includes a success or failure summary of the installation.
+This event includes a success or failure summary of the installation. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -4400,7 +4498,7 @@ The following fields are available:
### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation
-This event is related to the OS version when the OS is upgraded with OneDrive installed.
+This event is related to the OS version when the OS is upgraded with OneDrive installed. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -4416,7 +4514,7 @@ The following fields are available:
### Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation
-This event is related to registering or unregistering the OneDrive update task.
+This event is related to registering or unregistering the OneDrive update task. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -4429,7 +4527,7 @@ The following fields are available:
### Microsoft.OneDrive.Sync.Updater.ComponentInstallState
-This event includes basic data about the installation state of dependent OneDrive components.
+This event includes basic data about the installation state of dependent OneDrive components. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -4439,7 +4537,7 @@ The following fields are available:
### Microsoft.OneDrive.Sync.Updater.OverlayIconStatus
-This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken
+This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -4449,7 +4547,7 @@ The following fields are available:
### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult
-This event sends information describing the result of the update.
+This event sends information describing the result of the update. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -4460,7 +4558,7 @@ The following fields are available:
### Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult
-This event determines the status when downloading the OneDrive update configuration file.
+This event determines the status when downloading the OneDrive update configuration file. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -4469,7 +4567,7 @@ The following fields are available:
### Microsoft.OneDrive.Sync.Updater.WebConnectionStatus
-This event determines the error code that was returned when verifying Internet connectivity.
+This event determines the error code that was returned when verifying Internet connectivity. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -4480,7 +4578,7 @@ The following fields are available:
### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted
-This event is used to determine whether the user successfully completed the privacy consent experience.
+This event is used to determine whether the user successfully completed the privacy consent experience. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -4492,7 +4590,7 @@ The following fields are available:
### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentPrep
-This event is used to determine whether the user needs to see the privacy consent experience or not.
+This event is used to determine whether the user needs to see the privacy consent experience or not. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -4502,7 +4600,7 @@ The following fields are available:
### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentStatus
-Event tells us effectiveness of new privacy experience.
+This event provides the effectiveness of new privacy experience. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -4515,7 +4613,7 @@ The following fields are available:
### Microsoft.Windows.Shell.PrivacyConsentLogging.wilActivity
-This event returns information if an error is encountered while computing whether the user needs to complete privacy consents in certain upgrade scenarios.
+This event returns information if an error is encountered while computing whether the user needs to complete privacy consents in certain upgrade scenarios. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -4539,7 +4637,7 @@ The following fields are available:
### Microsoft.Windows.Shell.PrivacyNotifierLogging.PrivacyNotifierCompleted
-This event returns data to report the efficacy of a single-use tool to inform users impacted by a known issue and to take corrective action to address the issue.
+This event returns data to report the efficacy of a single-use tool to inform users impacted by a known issue and to take corrective action to address the issue. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -4556,7 +4654,7 @@ The following fields are available:
### Microsoft.Windows.QualityUpdateAssistant.Applicability
-This event sends basic info on whether the device should be updated to the latest cumulative update.
+This event sends basic info on whether the device should be updated to the latest cumulative update. The data collected with this event is used to help keep Windows up to date and secure.
The following fields are available:
@@ -4568,7 +4666,7 @@ The following fields are available:
### Microsoft.Windows.QualityUpdateAssistant.DeviceReadinessCheck
-This event sends basic info on whether the device is ready to download the latest cumulative update.
+This event sends basic info on whether the device is ready to download the latest cumulative update. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -4580,7 +4678,7 @@ The following fields are available:
### Microsoft.Windows.QualityUpdateAssistant.Download
-This event sends basic info when download of the latest cumulative update begins.
+This event sends basic info when download of the latest cumulative update begins. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -4592,7 +4690,7 @@ The following fields are available:
### Microsoft.Windows.QualityUpdateAssistant.Install
-This event sends basic info on the result of the installation of the latest cumulative update.
+This event sends basic info on the result of the installation of the latest cumulative update. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -4606,7 +4704,7 @@ The following fields are available:
### Microsoft.Windows.Remediation.Applicable
-deny
+This event indicates whether Windows Update sediment remediations need to be applied to the sediment device to keep Windows up to date. A sediment device is one that has been on a previous OS version for an extended period. The remediations address issues on the system that prevent the device from receiving OS updates.
The following fields are available:
@@ -4654,7 +4752,7 @@ The following fields are available:
- **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin.
- **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled.
- **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS.
-- **RemediationShellDeviceSccm** TRUE if the device is managed by Configuration Manager.
+- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager).
- **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely.
- **RemediationTargetMachine** Indicates whether the device is a target of the specified fix.
- **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task.
@@ -4690,7 +4788,7 @@ The following fields are available:
### Microsoft.Windows.Remediation.ChangePowerProfileDetection
-Indicates whether the remediation system can put in a request to defer a system-initiated sleep to enable installation of security or quality updates.
+This event indicates whether the remediation system can put in a request to defer a system-initiated sleep to enable installation of security or quality updates, to keep Windows secure and up to date.
The following fields are available:
@@ -4831,7 +4929,7 @@ The following fields are available:
### Microsoft.Windows.Remediation.RemediationShellMainExeEventId
-Enables tracking of completion of process that remediates issues preventing security and quality updates.
+This event enables tracking of completion of process that remediates issues preventing security and quality updates keep Windows up to date.
The following fields are available:
@@ -4863,7 +4961,7 @@ The following fields are available:
### Microsoft.Windows.Sediment.Info.DetailedState
-This event is sent when detailed state information is needed from an update trial run.
+This event is sent when detailed state information is needed from an update trial run. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -4932,7 +5030,7 @@ The following fields are available:
### Microsoft.Windows.Sediment.OSRSS.Error
-This event indicates an error occurred in the Operating System Remediation System Service (OSRSS). The information provided helps ensure future upgrade/update attempts are more successful.
+This event indicates an error occurred in the Operating System Remediation System Service (OSRSS). The information provided helps ensure future upgrade/update attempts are more successful. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -4995,7 +5093,7 @@ The following fields are available:
### Microsoft.Windows.Sediment.OSRSS.SelfUpdate
-This event returns metadata after Operating System Remediation System Service (OSRSS) successfully replaces itself with a new version.
+This event returns metadata after Operating System Remediation System Service (OSRSS) successfully replaces itself with a new version. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -5006,7 +5104,7 @@ The following fields are available:
### Microsoft.Windows.Sediment.OSRSS.UrlState
-This event indicates the state the Operating System Remediation System Service (OSRSS) is in while attempting a download from the URL.
+This event indicates the state the Operating System Remediation System Service (OSRSS) is in while attempting a download from the URL. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -5080,7 +5178,7 @@ The following fields are available:
### Microsoft.Windows.SedimentLauncher.Applicable
-This event is sent when the Windows Update sediment remediations launcher finds that an applicable plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period.
+This event is sent when the Windows Update sediment remediations launcher finds that an applicable plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -5096,7 +5194,7 @@ The following fields are available:
### Microsoft.Windows.SedimentLauncher.Completed
-This event is sent when the Windows Update sediment remediations launcher finishes running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period.
+This event is sent when the Windows Update sediment remediations launcher finishes running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -5111,7 +5209,7 @@ The following fields are available:
### Microsoft.Windows.SedimentLauncher.Started
-This event is sent when the Windows Update sediment remediations launcher starts running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period.
+This event is sent when the Windows Update sediment remediations launcher starts running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -5124,7 +5222,7 @@ The following fields are available:
### Microsoft.Windows.SedimentService.Applicable
-This event is sent when the Windows Update sediment remediations service finds that an applicable plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period.
+This event is sent when the Windows Update sediment remediations service finds that an applicable plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -5140,7 +5238,7 @@ The following fields are available:
### Microsoft.Windows.SedimentService.Completed
-This event is sent when the Windows Update sediment remediations service finishes running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period.
+This event is sent when the Windows Update sediment remediations service finishes running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -5162,7 +5260,7 @@ The following fields are available:
### Microsoft.Windows.SedimentService.Started
-This event is sent when the Windows Update sediment remediations service starts running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period.
+This event is sent when the Windows Update sediment remediations service starts running a plug-in to address issues that may be preventing the sediment device from receiving OS updates. A sediment device is one that has been on a previous OS version for an extended period. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -5239,7 +5337,7 @@ The following fields are available:
### wilActivity
-This event provides a Windows Internal Library context used for Product and Service diagnostics.
+This event provides a Windows Internal Library context used for Product and Service diagnostics. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -5264,7 +5362,7 @@ The following fields are available:
### wilResult
-This event provides a Windows Internal Library context used for Product and Service diagnostics.
+This event provides a Windows Internal Library context used for Product and Service diagnostics. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -5289,15 +5387,45 @@ The following fields are available:
## SIH events
+### SIHEngineTelemetry.EvalApplicability
+
+This event is sent when targeting logic is evaluated to determine if a device is eligible for a given action. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **ActionReasons** If an action has been assessed as inapplicable, the additional logic prevented it.
+- **AdditionalReasons** If an action has been assessed as inapplicable, the additional logic prevented it.
+- **CachedEngineVersion** The engine DLL version that is being used.
+- **EventInstanceID** A unique identifier for event instance.
+- **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **HandlerReasons** If an action has been assessed as inapplicable, the installer technology-specific logic prevented it.
+- **IsExecutingAction** If the action is presently being executed.
+- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.).
+- **SihclientVersion** The client version that is being used.
+- **StandardReasons** If an action has been assessed as inapplicable, the standard logic the prevented it.
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **UpdateID** A unique identifier for the action being acted upon.
+- **WuapiVersion** The Windows Update API version that is currently installed.
+- **WuaucltVersion** The Windows Update client version that is currently installed.
+- **WuauengVersion** The Windows Update engine version that is currently installed.
+- **WUDeviceID** The unique identifier controlled by the software distribution client.
+
+
### SIHEngineTelemetry.ExecuteAction
-This event is triggered with SIH attempts to execute (e.g. install) the update or action in question. Includes important information like if the update required a reboot.
+This event is triggered with SIH attempts to execute (e.g. install) the update or action in question. Includes important information like if the update required a reboot. The data collected with this event is used to help keep Windows up to date.
+
+
+
+### SIHEngineTelemetry.PostRebootReport
+
+This event reports the status of an action following a reboot, should one have been required. The data collected with this event is used to help keep Windows up to date.
### SIHEngineTelemetry.SLSActionData
-This event reports if the SIH client was able to successfully parse the manifest describing the actions to be evaluated.
+This event reports if the SIH client was able to successfully parse the manifest describing the actions to be evaluated. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -5318,7 +5446,7 @@ The following fields are available:
### SoftwareUpdateClientTelemetry.CheckForUpdates
-Scan process event on Windows Update client (see eventscenario field for specifics, e.g.: started/failed/succeeded)
+This event sends tracking data about the software distribution client check for content that is applicable to a device, to help keep Windows up to date.
The following fields are available:
@@ -5401,7 +5529,7 @@ The following fields are available:
### SoftwareUpdateClientTelemetry.Commit
-This event tracks the commit process post the update installation when software update client is trying to update the device.
+This event sends data on whether the Update Service has been called to execute an upgrade, to help keep Windows up to date.
The following fields are available:
@@ -5431,7 +5559,7 @@ The following fields are available:
### SoftwareUpdateClientTelemetry.Download
-Download process event for target update on Windows Update client. See EventScenario field for specifics (started/failed/succeeded).
+This event sends tracking data about the software distribution client download of the content for that update, to help keep Windows up to date.
The following fields are available:
@@ -5505,7 +5633,7 @@ The following fields are available:
### SoftwareUpdateClientTelemetry.DownloadCheckpoint
-This event provides a checkpoint between each of the Windows Update download phases for UUP content
+This event provides a checkpoint between each of the Windows Update download phases for UUP content. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -5527,7 +5655,7 @@ The following fields are available:
### SoftwareUpdateClientTelemetry.DownloadHeartbeat
-This event allows tracking of ongoing downloads and contains data to explain the current state of the download
+This event allows tracking of ongoing downloads and contains data to explain the current state of the download. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -5623,7 +5751,7 @@ The following fields are available:
### SoftwareUpdateClientTelemetry.UpdateDetected
-This event sends data about an AppX app that has been updated from the Microsoft Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates.
+This event sends data about an AppX app that has been updated from the Microsoft Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -5638,7 +5766,7 @@ The following fields are available:
### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity
-Ensures Windows Updates are secure and complete. Event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack.
+This event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -5671,7 +5799,7 @@ The following fields are available:
### Microsoft.Windows.UpdateAssistant.Orchestrator.BlockingEventId
-The event sends basic info on the reason that Windows 10 was not updated due to compatibility issues, previous rollbacks, or admin policies.
+The event sends basic info on the reason that Windows 10 was not updated due to compatibility issues, previous rollbacks, or admin policies. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -5682,7 +5810,7 @@ The following fields are available:
- **DeviceIsMdmManaged** This device is MDM managed.
- **IsNetworkAvailable** If the device network is not available.
- **IsNetworkMetered** If network is metered.
-- **IsSccmManaged** This device is managed by Configuration Manager.
+- **IsSccmManaged** This device is SCCM managed.
- **NewlyInstalledOs** OS is newly installed quiet period.
- **PausedByPolicy** Updates are paused by policy.
- **RecoveredFromRS3** Previously recovered from RS3.
@@ -5695,7 +5823,7 @@ The following fields are available:
### Microsoft.Windows.UpdateAssistant.Orchestrator.DeniedLaunchEventId
-The event sends basic info when a device was blocked or prevented from updating to the latest Windows 10 version.
+The event sends basic info when a device was blocked or prevented from updating to the latest Windows 10 version. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -5706,7 +5834,7 @@ The following fields are available:
### Microsoft.Windows.UpdateAssistant.Orchestrator.FailedLaunchEventId
-Event to mark that Update Assistant Orchestrator failed to launch Update Assistant.
+This event indicates that Update Assistant Orchestrator failed to launch Update Assistant. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -5718,7 +5846,7 @@ The following fields are available:
### Microsoft.Windows.UpdateAssistant.Orchestrator.FailedOneSettingsQueryEventId
-Event indicating One Settings was not queried by update assistant.
+This event indicates that One Settings was not queried by update assistant. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -5728,7 +5856,7 @@ The following fields are available:
### Microsoft.Windows.UpdateAssistant.Orchestrator.LaunchEventId
-This event sends basic information on whether the device should be updated to the latest Windows 10 version.
+This event sends basic information on whether the device should be updated to the latest Windows 10 version. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -5741,7 +5869,7 @@ The following fields are available:
### Microsoft.Windows.UpdateAssistant.Orchestrator.RestoreEventId
-The event sends basic info on whether the Windows 10 update notification has previously launched.
+The event sends basic info on whether the Windows 10 update notification has previously launched. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -5754,7 +5882,7 @@ The following fields are available:
### Update360Telemetry.Revert
-This event sends data relating to the Revert phase of updating Windows.
+This event sends data relating to the Revert phase of updating Windows. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5771,7 +5899,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentCommit
-This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop.
+This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5787,7 +5915,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentDownloadRequest
-This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile.
+This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5819,7 +5947,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentExpand
-This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop.
+This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5839,7 +5967,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentFellBackToCanonical
-This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop.
+This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5855,7 +5983,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentInitialize
-This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile.
+This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5873,7 +6001,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentInstall
-This event sends data for the install phase of updating Windows.
+This event sends data for the install phase of updating Windows. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5891,7 +6019,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentMerge
-The UpdateAgentMerge event sends data on the merge phase when updating Windows.
+The UpdateAgentMerge event sends data on the merge phase when updating Windows. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5907,7 +6035,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentMitigationResult
-This event sends data indicating the result of each update agent mitigation.
+This event sends data indicating the result of each update agent mitigation. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5933,7 +6061,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentMitigationSummary
-This event sends a summary of all the update agent mitigations available for an this update.
+This event sends a summary of all the update agent mitigations available for an this update. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5953,7 +6081,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentModeStart
-This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile.
+This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5969,7 +6097,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentOneSettings
-This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop.
+This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -5987,7 +6115,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentPostRebootResult
-This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario.
+This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6003,13 +6131,13 @@ The following fields are available:
### Update360Telemetry.UpdateAgentReboot
-This event sends information indicating that a request has been sent to suspend an update.
+This event sends information indicating that a request has been sent to suspend an update. The data collected with this event is used to help keep Windows secure and up to date.
### Update360Telemetry.UpdateAgentSetupBoxLaunch
-The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs.
+The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6032,7 +6160,7 @@ The following fields are available:
### Microsoft.Windows.UpdateNotificationPipeline.JavascriptJavascriptCriticalGenericMessage
-This event indicates that Javascript is reporting a schema and a set of values for critical telemetry.
+This event indicates that Javascript is reporting a schema and a set of values for critical telemetry. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6079,7 +6207,7 @@ The following fields are available:
### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignHeartbeat
-This event is sent at the start of each campaign, to be used as a heartbeat.
+This event is sent at the start of each campaign, to be used as a heartbeat. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6095,7 +6223,7 @@ The following fields are available:
### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerCleaningCampaign
-This event indicates that the Campaign Manager is cleaning up the campaign content.
+This event indicates that the Campaign Manager is cleaning up the campaign content. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6111,7 +6239,7 @@ The following fields are available:
### Microsoft.Windows.UpdateNotificationPipeline.UnpCampaignManagerGetIsCamppaignCompleteFailed
-This event is sent when a campaign completion status query fails.
+This event is sent when a campaign completion status query fails. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6128,7 +6256,7 @@ The following fields are available:
### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerHeartbeat
-This event is sent at the start of the CampaignManager event and is intended to be used as a heartbeat.
+This event is sent at the start of the CampaignManager event and is intended to be used as a heartbeat. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6144,7 +6272,7 @@ The following fields are available:
### Microsoft.Windows.UpdateNotificationPipeline.UnpCampaignManagerRunCampaignFailed
-This event is sent when the Campaign Manager encounters an unexpected error while running the campaign.
+This event is sent when the Campaign Manager encounters an unexpected error while running the campaign. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6177,7 +6305,7 @@ The following fields are available:
### FacilitatorTelemetry.DUDownload
-This event returns data about the download of supplemental packages critical to upgrading a device to the next version of Windows.
+This event returns data about the download of supplemental packages critical to upgrading a device to the next version of Windows. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6187,7 +6315,7 @@ The following fields are available:
### FacilitatorTelemetry.InitializeDU
-This event determines whether devices received additional or critical supplemental content during an OS upgrade.
+This event determines whether devices received additional or critical supplemental content during an OS upgrade. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6245,7 +6373,7 @@ The following fields are available:
### Setup360Telemetry.OsUninstall
-This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, it indicates the outcome of an OS uninstall.
+This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, it indicates the outcome of an OS uninstall. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6409,7 +6537,7 @@ The following fields are available:
### Setup360Telemetry.Setup360MitigationResult
-This event sends data indicating the result of each setup mitigation.
+This event sends data indicating the result of each setup mitigation. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6434,7 +6562,7 @@ The following fields are available:
### Setup360Telemetry.Setup360MitigationSummary
-This event sends a summary of all the setup mitigations available for this update.
+This event sends a summary of all the setup mitigations available for this update. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6453,7 +6581,7 @@ The following fields are available:
### Setup360Telemetry.Setup360OneSettings
-This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop.
+This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6492,9 +6620,45 @@ The following fields are available:
## Windows as a Service diagnostic events
+### Microsoft.Windows.WaaSMedic.DetectionFailed
+
+This event is sent when WaaSMedic fails to apply the named diagnostic. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **diagnostic** Parameter where the diagnostic failed.
+- **hResult** Error code from attempting the diagnostic.
+- **isDetected** Flag indicating whether the condition was detected.
+- **pluginName** Name of the attempted diagnostic.
+- **versionString** The version number of the remediation engine.
+
+
+### Microsoft.Windows.WaaSMedic.EngineFailed
+
+This event indicates failure during medic engine execution. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **hResult** Error code from the execution.
+- **versionString** Version of Medic engine.
+
+
+### Microsoft.Windows.WaaSMedic.RemediationFailed
+
+This event is sent when the WaaS Medic update stack remediation tool fails to apply a described resolution to a problem that is blocking Windows Update from operating correctly on a target device. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **diagnostic** Parameter where the resolution failed.
+- **hResult** Error code that resulted from attempting the resolution.
+- **isRemediated** Indicates whether the condition was remediated.
+- **pluginName** Name of the attempted resolution.
+- **versionString** Version of the engine.
+
+
### Microsoft.Windows.WaaSMedic.SummaryEvent
-Result of the WaaSMedic operation.
+This event provides the result of the WaaSMedic operation. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6547,7 +6711,7 @@ The following fields are available:
### Microsoft.Windows.WER.MTT.Value
-This event is used for differential privacy.
+This event is used for differential privacy to help keep Windows up to date.
The following fields are available:
@@ -6953,7 +7117,7 @@ The following fields are available:
### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureFailed
-This event sends basic telemetry on the failure of the Feature Rollback.
+This event sends basic telemetry on the failure of the Feature Rollback. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6968,7 +7132,7 @@ The following fields are available:
### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable
-This event sends basic telemetry on whether Feature Rollback (rolling back features updates) is applicable to a device.
+This event sends basic telemetry on whether Feature Rollback (rolling back features updates) is applicable to a device. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -6982,19 +7146,19 @@ The following fields are available:
### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted
-This event sends basic information indicating that Feature Rollback has started.
+This event sends basic information indicating that Feature Rollback has started. The data collected with this event is used to help keep Windows secure and up to date.
### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureSucceeded
-This event sends basic telemetry on the success of the rollback of feature updates.
+This event sends basic telemetry on the success of the rollback of feature updates. The data collected with this event is used to help keep Windows secure and up to date.
### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityFailed
-This event sends basic telemetry on the failure of the rollback of the Quality/LCU builds.
+This event sends basic telemetry on the failure of the rollback of the Quality/LCU builds. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -7009,7 +7173,7 @@ The following fields are available:
### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityNotApplicable
-This event informs you whether a rollback of Quality updates is applicable to the devices that you are attempting to rollback.
+This event informs you whether a rollback of Quality updates is applicable to the devices that you are attempting to rollback. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -7023,13 +7187,13 @@ The following fields are available:
### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityStarted
-This event indicates that the Quality Rollback process has started.
+This event indicates that the Quality Rollback process has started. The data collected with this event is used to help keep Windows secure and up to date.
### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualitySucceeded
-This event sends basic telemetry on the success of the rollback of the Quality/LCU builds.
+This event sends basic telemetry on the success of the rollback of the Quality/LCU builds. The data collected with this event is used to help keep Windows secure and up to date.
@@ -7037,7 +7201,7 @@ This event sends basic telemetry on the success of the rollback of the Quality/L
### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled
-This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads.
+This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -7069,7 +7233,7 @@ The following fields are available:
### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted
-This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads.
+This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -7118,7 +7282,7 @@ The following fields are available:
### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused
-This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads.
+This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -7138,7 +7302,7 @@ The following fields are available:
### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted
-This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads.
+This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -7177,7 +7341,7 @@ The following fields are available:
### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication
-This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads.
+This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -7199,7 +7363,7 @@ The following fields are available:
### Microsoft.OSG.DU.DeliveryOptClient.JobError
-This event represents a Windows Update job error. It allows for investigation of top errors.
+This event represents a Windows Update job error. It allows for investigation of top errors. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -7215,7 +7379,7 @@ The following fields are available:
### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary
-This event collects information regarding the state of devices and drivers on the system following a reboot after the install phase of the new device manifest UUP (Unified Update Platform) update scenario which is used to install a device manifest describing a set of driver packages.
+This event collects information regarding the state of devices and drivers on the system following a reboot after the install phase of the new device manifest UUP (Unified Update Platform) update scenario which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -7239,7 +7403,7 @@ The following fields are available:
### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentCommit
-This event collects information regarding the final commit phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages.
+This event collects information regarding the final commit phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -7255,7 +7419,7 @@ The following fields are available:
### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentDownloadRequest
-This event collects information regarding the download request phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages.
+This event collects information regarding the download request phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -7282,7 +7446,7 @@ The following fields are available:
### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInitialize
-This event sends data for initializing a new update session for the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages.
+This event sends data for initializing a new update session for the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -7300,7 +7464,7 @@ The following fields are available:
### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInstall
-This event collects information regarding the install phase of the new device manifest UUP (Unified Update Platform) update scenario which is used to install a device manifest describing a set of driver packages.
+This event collects information regarding the install phase of the new device manifest UUP (Unified Update Platform) update scenario which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -7316,7 +7480,7 @@ The following fields are available:
### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart
-This event sends data for the start of each mode during the process of updating device manifest assets via the UUP (Unified Update Platform) update scenario which is used to install a device manifest describing a set of driver packages.
+This event sends data for the start of each mode during the process of updating device manifest assets via the UUP (Unified Update Platform) update scenario which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -7331,7 +7495,7 @@ The following fields are available:
### Microsoft.Windows.Update.NotificationUx.DialogNotificationToBeDisplayed
-This event indicates that a notification dialog box is about to be displayed to user.
+This event indicates that a notification dialog box is about to be displayed to user. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -7357,7 +7521,7 @@ The following fields are available:
### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootAcceptAutoDialog
-This event indicates that the Enhanced Engaged restart "accept automatically" dialog box was displayed.
+This event indicates that the Enhanced Engaged restart "accept automatically" dialog box was displayed. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -7373,7 +7537,7 @@ The following fields are available:
### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootFirstReminderDialog
-This event indicates that the Enhanced Engaged restart "first reminder" dialog box was displayed.
+This event indicates that the Enhanced Engaged restart "first reminder" dialog box was displayed. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -7389,7 +7553,7 @@ The following fields are available:
### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootForcedPrecursorDialog
-This event indicates that the Enhanced Engaged restart "forced precursor" dialog box was displayed.
+This event indicates that the Enhanced Engaged restart "forced precursor" dialog box was displayed. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -7405,7 +7569,7 @@ The following fields are available:
### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootForcedWarningDialog
-This event indicates that the Enhanced Engaged "forced warning" dialog box was displayed.
+This event indicates that the Enhanced Engaged "forced warning" dialog box was displayed. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -7421,7 +7585,7 @@ The following fields are available:
### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootFailedDialog
-This event indicates that the Enhanced Engaged restart "restart failed" dialog box was displayed.
+This event indicates that the Enhanced Engaged restart "restart failed" dialog box was displayed. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -7437,7 +7601,7 @@ The following fields are available:
### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootImminentDialog
-This event indicates that the Enhanced Engaged restart "restart imminent" dialog box was displayed..
+This event indicates that the Enhanced Engaged restart "restart imminent" dialog box was displayed. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -7453,7 +7617,7 @@ The following fields are available:
### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootReminderDialog
-This event returns information relating to the Enhanced Engaged reboot reminder dialog that was displayed.
+This event returns information relating to the Enhanced Engaged reboot reminder dialog that was displayed. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -7469,7 +7633,7 @@ The following fields are available:
### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootSecondReminderDialog
-This event indicates that the second reminder dialog box was displayed for Enhanced Engaged restart.
+This event indicates that the second reminder dialog box was displayed for Enhanced Engaged restart. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -7485,7 +7649,7 @@ The following fields are available:
### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootThirdReminderDialog
-This event indicates that the third reminder dialog box for Enhanced Engaged restart was displayed.
+This event indicates that the third reminder dialog box for Enhanced Engaged restart was displayed. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -7507,7 +7671,7 @@ This event is sent when a second reminder dialog is displayed during Enhanced En
### Microsoft.Windows.Update.NotificationUx.RebootScheduled
-Indicates when a reboot is scheduled by the system or a user for a security, quality, or feature update.
+This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows secure and up-to-date by indicating when a reboot is scheduled by the system or a user for a security, quality, or feature update.
The following fields are available:
@@ -7526,7 +7690,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.ActivityRestrictedByActiveHoursPolicy
-This event indicates a policy is present that may restrict update activity to outside of active hours.
+This event indicates a policy is present that may restrict update activity to outside of active hours. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -7537,7 +7701,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.BlockedByActiveHours
-This event indicates that update activity was blocked because it is within the active hours window.
+This event indicates that update activity was blocked because it is within the active hours window. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -7550,7 +7714,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.BlockedByBatteryLevel
-This event indicates that Windows Update activity was blocked due to low battery level.
+This event indicates that Windows Update activity was blocked due to low battery level. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -7563,7 +7727,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.CommitFailed
-This event indicates that a device was unable to restart after an update.
+This event indicates that a device was unable to restart after an update. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -7573,7 +7737,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.DeferRestart
-This event indicates that a restart required for installing updates was postponed.
+This event indicates that a restart required for installing updates was postponed. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -7592,7 +7756,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.Detection
-This event indicates that a scan for a Windows Update occurred.
+This event sends launch data for a Windows Update scan to help keep Windows secure and up to date.
The following fields are available:
@@ -7614,7 +7778,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.DetectionResult
-This event runs when an update is detected. This helps ensure Windows is kept up to date.
+This event runs when an update is detected. This helps ensure Windows is secure and kept up to date.
The following fields are available:
@@ -7627,7 +7791,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.DisplayNeeded
-This event indicates the reboot was postponed due to needing a display.
+This event indicates the reboot was postponed due to needing a display. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -7643,7 +7807,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.Download
-This event sends launch data for a Windows Update download to help keep Windows up to date.
+This event sends launch data for a Windows Update download to help keep Windows secure and up to date.
The following fields are available:
@@ -7660,7 +7824,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.DTUCompletedWhenWuFlightPendingCommit
-This event indicates that DTU completed installation of the electronic software delivery (ESD), when Windows Update was already in Pending Commit phase of the feature update.
+This event indicates that DTU completed installation of the electronic software delivery (ESD), when Windows Update was already in Pending Commit phase of the feature update. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -7669,7 +7833,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.DTUEnabled
-This event indicates that Inbox DTU functionality was enabled.
+This event indicates that Inbox DTU functionality was enabled. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -7678,7 +7842,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.DTUInitiated
-This event indicates that Inbox DTU functionality was intiated.
+This event indicates that Inbox DTU functionality was initiated. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -7689,7 +7853,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.Escalation
-This event is sent when USO takes an Escalation action on a device.
+This event is sent when USO takes an Escalation action on a device. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -7702,7 +7866,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.EscalationRiskLevels
-This event is sent during update scan, download, or install, and indicates that the device is at risk of being out-of-date.
+This event is sent during update scan, download, or install, and indicates that the device is at risk of being out-of-date. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -7719,7 +7883,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.EscalationsRefreshFailed
-USO has a set of escalation actions to prevent a device from becoming out-of-date, and the actions are triggered based on the Escalation configuration that USO obtains from OneSettings. This event is sent when USO fails to refresh the escalation configuration from OneSettings.
+USO has a set of escalation actions to prevent a device from becoming out-of-date, and the actions are triggered based on the Escalation configuration that USO obtains from OneSettings. This event is sent when USO fails to refresh the escalation configuration from OneSettings. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -7730,7 +7894,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.FlightInapplicable
-This event sends data on whether the update was applicable to the device, to help keep Windows up to date.
+This event sends data on whether the update was applicable to the device. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -7746,7 +7910,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.GameActive
-This event indicates that an enabled GameMode process prevented the device from restarting to complete an update.
+This event indicates that an enabled GameMode process prevented the device from restarting to complete an update. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -7757,7 +7921,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.InitiatingReboot
-This event sends data about an Orchestrator requesting a reboot from power management to help keep Windows up to date.
+This event sends data about an Orchestrator requesting a reboot from power management to help keep Windows secure and up to date.
The following fields are available:
@@ -7774,7 +7938,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.Install
-This event sends launch data for a Windows Update install to help keep Windows up to date.
+This event sends launch data for a Windows Update install to help keep Windows secure and up to date.
The following fields are available:
@@ -7799,7 +7963,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.LowUptimes
-This event is sent if a device is identified as not having sufficient uptime to reliably process updates in order to keep secure.
+This event is sent if a device is identified as not having sufficient uptime to reliably process updates in order to keep secure. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -7812,7 +7976,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.OneshotUpdateDetection
-This event returns data about scans initiated through settings UI, or background scans that are urgent; to help keep Windows up to date.
+This event returns data about scans initiated through settings UI, or background scans that are urgent; to help keep Windows secure and up to date.
The following fields are available:
@@ -7822,9 +7986,22 @@ The following fields are available:
- **wuDeviceid** The Windows Update Device GUID (Globally-Unique ID).
+### Microsoft.Windows.Update.Orchestrator.OobeUpdate
+
+This event sends data to device when Oobe Update download is in progress. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **flightID** A flight ID.
+- **revisionNumber** A revision number.
+- **updateId** An update ID.
+- **updateScenarioType** A type of update scenario.
+- **wuDeviceid** A device ID associated with Windows Update.
+
+
### Microsoft.Windows.Update.Orchestrator.PostInstall
-This event sends data about lite stack devices (mobile, IOT, anything non-PC) immediately before data migration is launched to help keep Windows up to date.
+This event sends data about lite stack devices (mobile, IOT, anything non-PC) immediately before data migration is launched to help keep Windows secure and up to date.
The following fields are available:
@@ -7841,7 +8018,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.PowerMenuOptionsChanged
-This event is sent when the options in power menu changed, usually due to an update pending reboot, or after a update is installed.
+This event is sent when the options in power menu changed, usually due to an update pending reboot, or after a update is installed. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -7853,7 +8030,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.PreShutdownStart
-This event is generated before the shutdown and commit operations.
+This event is generated before the shutdown and commit operations. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -7862,7 +8039,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.Progress
-This event is sent when the download of a update reaches a milestone change, such as a change in network cost policy, completion of an internal phase, or change in a transient state.
+This event is sent when the download of a update reaches a milestone change, such as a change in network cost policy, completion of an internal phase, or change in a transient state. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -7880,7 +8057,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.RebootFailed
-This event sends information about whether an update required a reboot and reasons for failure, to help keep Windows up to date.
+This event sends information about whether an update required a reboot and reasons for failure, to help keep Windows secure and up to date.
The following fields are available:
@@ -7899,7 +8076,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.RefreshSettings
-This event sends basic data about the version of upgrade settings applied to the system to help keep Windows up to date.
+This event sends basic data about the version of upgrade settings applied to the system to help keep Windows secure and up to date.
The following fields are available:
@@ -7911,7 +8088,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask
-This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date.
+This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows secure and up to date.
The following fields are available:
@@ -7921,7 +8098,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.ScanTriggered
-This event indicates that Update Orchestrator has started a scan operation.
+This event indicates that Update Orchestrator has started a scan operation. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -7939,7 +8116,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.SeekerUpdateAvailable
-This event defines when an optional update is available for the device to help keep Windows up to date.
+This event defines when an optional update is available for the device to help keep Windows secure and up to date.
The following fields are available:
@@ -7952,7 +8129,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.SeekUpdate
-This event occurs when user initiates "seeker" scan. This helps keep Windows up to date.
+This event occurs when user initiates "seeker" scan. This helps keep Windows secure and up to date.
The following fields are available:
@@ -7965,7 +8142,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.SystemNeeded
-This event sends data about why a device is unable to reboot, to help keep Windows up to date.
+This event sends data about why a device is unable to reboot, to help keep Windows secure and up to date.
The following fields are available:
@@ -7981,7 +8158,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.TerminatedByActiveHours
-This event indicates that update activity was stopped due to active hours starting.
+This event indicates that update activity was stopped due to active hours starting. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -7993,7 +8170,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.TerminatedByBatteryLevel
-This event is sent when update activity was stopped due to a low battery level.
+This event is sent when update activity was stopped due to a low battery level. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -8003,9 +8180,20 @@ The following fields are available:
- **wuDeviceid** The device identifier.
+### Microsoft.Windows.Update.Orchestrator.UpdateInstallPause
+
+This event sends data when a device pauses an in-progress update, to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **updateClassificationGUID** The classification GUID for the update that was paused.
+- **updateId** An update ID for the update that was paused.
+- **wuDeviceid** A unique Device ID.
+
+
### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh
-This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows up to date.
+This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows secure and up to date.
The following fields are available:
@@ -8018,7 +8206,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.UpdateRebootRequired
-This event sends data about whether an update required a reboot to help keep Windows up to date.
+This event sends data about whether an update required a reboot to help keep Windows secure and up to date.
The following fields are available:
@@ -8033,7 +8221,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.updateSettingsFlushFailed
-This event sends information about an update that encountered problems and was not able to complete.
+This event sends information about an update that encountered problems and was not able to complete. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -8043,7 +8231,7 @@ The following fields are available:
### Microsoft.Windows.Update.Orchestrator.USODiagnostics
-This event sends data on whether the state of the update attempt, to help keep Windows up to date.
+This event sends data on whether the state of the update attempt, to help keep Windows secure and up to date.
The following fields are available:
@@ -8079,9 +8267,21 @@ The following fields are available:
- **wuDeviceid** Unique ID for Device
+### Microsoft.Windows.Update.Orchestrator.UUPFallBack
+
+This event sends data when UUP needs to fall back, to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **EventPublishedTime** The current event time.
+- **UUPFallBackConfigured** The fall back error code.
+- **UUPFallBackErrorReason** The reason for fall back error.
+- **wuDeviceid** A Windows Update device ID.
+
+
### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState
-This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot.
+This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -8103,7 +8303,7 @@ The following fields are available:
### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded
-This event is sent when a security update has successfully completed.
+This event is sent when a security update has successfully completed. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -8112,7 +8312,7 @@ The following fields are available:
### Microsoft.Windows.Update.Ux.MusNotification.RebootRequestReasonsToIgnore
-This event is sent when the reboot can be deferred based on some reasons, before reboot attempts.
+This event is sent when the reboot can be deferred based on some reasons, before reboot attempts. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -8121,7 +8321,7 @@ The following fields are available:
### Microsoft.Windows.Update.Ux.MusNotification.RebootScheduled
-This event sends basic information about scheduling an update-related reboot, to get security updates and to help keep Windows up-to-date.
+This event sends basic information about scheduling an update-related reboot, to get security updates and to help keep Windows secure and up to date.
The following fields are available:
@@ -8140,13 +8340,13 @@ The following fields are available:
### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerFirstReadyToReboot
-This event is fired the first time when the reboot is required.
+This event is fired the first time when the reboot is required. The data collected with this event is used to help keep Windows secure and up to date.
### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerScheduledTask
-This event is sent when MUSE broker schedules a task.
+This event is sent when MUSE broker schedules a task. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -8156,7 +8356,7 @@ The following fields are available:
### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled
-This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up to date.
+This event sends basic information for scheduling a device restart to install security updates. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -8177,7 +8377,7 @@ The following fields are available:
### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages
-This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates.
+This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -8201,7 +8401,7 @@ The following fields are available:
### Mitigation360Telemetry.MitigationCustom.FixAppXReparsePoints
-This event sends data specific to the FixAppXReparsePoints mitigation used for OS updates.
+This event sends data specific to the FixAppXReparsePoints mitigation used for OS updates. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -8223,7 +8423,7 @@ The following fields are available:
### Mitigation360Telemetry.MitigationCustom.FixupEditionId
-This event sends data specific to the FixupEditionId mitigation used for OS updates.
+This event sends data specific to the FixupEditionId mitigation used for OS updates. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -8248,37 +8448,37 @@ The following fields are available:
### Microsoft.Windows.UpdateReserveManager.CommitPendingHardReserveAdjustment
-This event is sent when the Update Reserve Manager commits a hard reserve adjustment that was pending.
+This event is sent when the Update Reserve Manager commits a hard reserve adjustment that was pending. The data collected with this event is used to help keep Windows secure and up to date.
### Microsoft.Windows.UpdateReserveManager.FunctionReturnedError
-This event is sent when the Update Reserve Manager returns an error from one of its internal functions.
+This event is sent when the Update Reserve Manager returns an error from one of its internal functions. The data collected with this event is used to help keep Windows secure and up to date.
### Microsoft.Windows.UpdateReserveManager.InitializeUpdateReserveManager
-This event returns data about the Update Reserve Manager, including whether it’s been initialized.
+This event returns data about the Update Reserve Manager, including whether it’s been initialized. The data collected with this event is used to help keep Windows secure and up to date.
### Microsoft.Windows.UpdateReserveManager.PrepareTIForReserveInitialization
-This event is sent when the Update Reserve Manager prepares the Trusted Installer to initialize reserves on the next boot.
+This event is sent when the Update Reserve Manager prepares the Trusted Installer to initialize reserves on the next boot. The data collected with this event is used to help keep Windows secure and up to date.
### Microsoft.Windows.UpdateReserveManager.RemovePendingHardReserveAdjustment
-This event is sent when the Update Reserve Manager removes a pending hard reserve adjustment.
+This event is sent when the Update Reserve Manager removes a pending hard reserve adjustment. The data collected with this event is used to help keep Windows secure and up to date.
### Microsoft.Windows.UpdateReserveManager.UpdatePendingHardReserveAdjustment
-This event is sent when the Update Reserve Manager needs to adjust the size of the hard reserve after the option content is installed.
+This event is sent when the Update Reserve Manager needs to adjust the size of the hard reserve after the option content is installed. The data collected with this event is used to help keep Windows secure and up to date.
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
index 8be2e02435..792337ed12 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
@@ -1,5 +1,5 @@
---
-description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level.
+description: Use this article to learn more about what Windows 10 version 1809 diagnostic data is gathered at the basic level.
title: Windows 10, version 1809 basic diagnostic events and fields (Windows 10)
keywords: privacy, telemetry
ms.prod: w10
@@ -13,7 +13,7 @@ manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
audience: ITPro
-ms.date: 03/27/2020
+ms.date: 09/30/2020
ms.reviewer:
---
@@ -33,7 +33,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
-
+- [Windows 10, version 2004 and Windows 10, version 20H2 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md)
- [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md)
- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md)
@@ -303,7 +303,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount
-This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client.
+This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -312,7 +312,6 @@ The following fields are available:
- **DatasourceApplicationFile_19H1Setup** The count of the number of this particular object type present on this device.
- **DatasourceApplicationFile_20H1** The count of the number of this particular object type present on this device.
- **DatasourceApplicationFile_20H1Setup** The count of the number of this particular object type present on this device.
-- **DatasourceApplicationFile_21H1Setup** The count of the number of this particular object type present on this device.
- **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers.
- **DatasourceApplicationFile_RS2** An ID for the system, calculated by hashing hardware identifiers.
- **DatasourceApplicationFile_RS3** The count of the number of this particular object type present on this device.
@@ -328,7 +327,6 @@ The following fields are available:
- **DatasourceDevicePnp_19H1Setup** The count of the number of this particular object type present on this device.
- **DatasourceDevicePnp_20H1** The count of the number of this particular object type present on this device.
- **DatasourceDevicePnp_20H1Setup** The count of the number of this particular object type present on this device.
-- **DatasourceDevicePnp_21H1Setup** The count of the number of this particular object type present on this device.
- **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device.
- **DatasourceDevicePnp_RS2** The count of the number of this particular object type present on this device.
- **DatasourceDevicePnp_RS3** The count of the number of this particular object type present on this device.
@@ -344,7 +342,6 @@ The following fields are available:
- **DatasourceDriverPackage_19H1Setup** The count of the number of this particular object type present on this device.
- **DatasourceDriverPackage_20H1** The count of the number of this particular object type present on this device.
- **DatasourceDriverPackage_20H1Setup** The count of the number of this particular object type present on this device.
-- **DatasourceDriverPackage_21H1Setup** The count of the number of this particular object type present on this device.
- **DatasourceDriverPackage_RS1** The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device.
- **DatasourceDriverPackage_RS2** The total DataSourceDriverPackage objects targeting Windows 10, version 1703 on this device.
- **DatasourceDriverPackage_RS3** The count of the number of this particular object type present on this device.
@@ -360,7 +357,6 @@ The following fields are available:
- **DataSourceMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoBlock_20H1** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoBlock_20H1Setup** The count of the number of this particular object type present on this device.
-- **DataSourceMatchingInfoBlock_21H1Setup** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device.
- **DataSourceMatchingInfoBlock_RS2** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoBlock_RS3** The count of the number of this particular object type present on this device.
@@ -376,7 +372,6 @@ The following fields are available:
- **DataSourceMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPassive_20H1** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPassive_20H1Setup** The count of the number of this particular object type present on this device.
-- **DataSourceMatchingInfoPassive_21H1Setup** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device.
- **DataSourceMatchingInfoPassive_RS2** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPassive_RS3** The count of the number of this particular object type present on this device.
@@ -392,7 +387,6 @@ The following fields are available:
- **DataSourceMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPostUpgrade_20H1** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPostUpgrade_20H1Setup** The count of the number of this particular object type present on this device.
-- **DataSourceMatchingInfoPostUpgrade_21H1Setup** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device.
- **DataSourceMatchingInfoPostUpgrade_RS2** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device.
- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device.
@@ -408,7 +402,6 @@ The following fields are available:
- **DatasourceSystemBios_19H1Setup** The count of the number of this particular object type present on this device.
- **DatasourceSystemBios_20H1** The count of the number of this particular object type present on this device.
- **DatasourceSystemBios_20H1Setup** The count of the number of this particular object type present on this device.
-- **DatasourceSystemBios_21H1Setup** The count of the number of this particular object type present on this device.
- **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device.
- **DatasourceSystemBios_RS2** The total DatasourceSystemBios objects targeting Windows 10 version 1703 present on this device.
- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting Windows 10 version 1709 present on this device.
@@ -424,7 +417,6 @@ The following fields are available:
- **DecisionApplicationFile_19H1Setup** The count of the number of this particular object type present on this device.
- **DecisionApplicationFile_20H1** The count of the number of this particular object type present on this device.
- **DecisionApplicationFile_20H1Setup** The count of the number of this particular object type present on this device.
-- **DecisionApplicationFile_21H1Setup** The count of the number of this particular object type present on this device.
- **DecisionApplicationFile_RS1** The count of the number of this particular object type present on this device.
- **DecisionApplicationFile_RS2** The count of the number of this particular object type present on this device.
- **DecisionApplicationFile_RS3** The count of the number of this particular object type present on this device.
@@ -440,7 +432,6 @@ The following fields are available:
- **DecisionDevicePnp_19H1Setup** The count of the number of this particular object type present on this device.
- **DecisionDevicePnp_20H1** The count of the number of this particular object type present on this device.
- **DecisionDevicePnp_20H1Setup** The count of the number of this particular object type present on this device.
-- **DecisionDevicePnp_21H1Setup** The count of the number of this particular object type present on this device.
- **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device.
- **DecisionDevicePnp_RS2** The count of the number of this particular object type present on this device.
- **DecisionDevicePnp_RS3** The count of the number of this particular object type present on this device.
@@ -456,7 +447,6 @@ The following fields are available:
- **DecisionDriverPackage_19H1Setup** The count of the number of this particular object type present on this device.
- **DecisionDriverPackage_20H1** The count of the number of this particular object type present on this device.
- **DecisionDriverPackage_20H1Setup** The count of the number of this particular object type present on this device.
-- **DecisionDriverPackage_21H1Setup** The count of the number of this particular object type present on this device.
- **DecisionDriverPackage_RS1** The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device.
- **DecisionDriverPackage_RS2** The count of the number of this particular object type present on this device.
- **DecisionDriverPackage_RS3** The count of the number of this particular object type present on this device.
@@ -472,7 +462,6 @@ The following fields are available:
- **DecisionMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoBlock_20H1** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoBlock_20H1Setup** The count of the number of this particular object type present on this device.
-- **DecisionMatchingInfoBlock_21H1Setup** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device.
- **DecisionMatchingInfoBlock_RS2** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device.
- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1709 present on this device.
@@ -488,7 +477,6 @@ The following fields are available:
- **DecisionMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPassive_20H1** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPassive_20H1Setup** The count of the number of this particular object type present on this device.
-- **DecisionMatchingInfoPassive_21H1Setup** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device.
- **DecisionMatchingInfoPassive_RS2** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1703 on this device.
- **DecisionMatchingInfoPassive_RS3** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1803 on this device.
@@ -504,7 +492,6 @@ The following fields are available:
- **DecisionMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPostUpgrade_20H1** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPostUpgrade_20H1Setup** The count of the number of this particular object type present on this device.
-- **DecisionMatchingInfoPostUpgrade_21H1Setup** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device.
- **DecisionMatchingInfoPostUpgrade_RS2** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device.
- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device.
@@ -520,7 +507,6 @@ The following fields are available:
- **DecisionMediaCenter_19H1Setup** The total DecisionMediaCenter objects targeting the next release of Windows on this device.
- **DecisionMediaCenter_20H1** The count of the number of this particular object type present on this device.
- **DecisionMediaCenter_20H1Setup** The count of the number of this particular object type present on this device.
-- **DecisionMediaCenter_21H1Setup** The count of the number of this particular object type present on this device.
- **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device.
- **DecisionMediaCenter_RS2** The total DecisionMediaCenter objects targeting Windows 10 version 1703 present on this device.
- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting Windows 10 version 1709 present on this device.
@@ -536,7 +522,6 @@ The following fields are available:
- **DecisionSystemBios_19H1Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device.
- **DecisionSystemBios_20H1** The count of the number of this particular object type present on this device.
- **DecisionSystemBios_20H1Setup** The count of the number of this particular object type present on this device.
-- **DecisionSystemBios_21H1Setup** The count of the number of this particular object type present on this device.
- **DecisionSystemBios_RS1** The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device.
- **DecisionSystemBios_RS2** The total DecisionSystemBios objects targeting Windows 10 version 1703 on this device.
- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting Windows 10 version 1709 on this device.
@@ -549,7 +534,6 @@ The following fields are available:
- **DecisionSystemBios_TH2** The count of the number of this particular object type present on this device.
- **DecisionSystemProcessor_RS2** The count of the number of this particular object type present on this device.
- **DecisionTest_20H1Setup** The count of the number of this particular object type present on this device.
-- **DecisionTest_21H1Setup** The count of the number of this particular object type present on this device.
- **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers.
- **InventoryApplicationFile** The count of the number of this particular object type present on this device.
- **InventoryDeviceContainer** A count of device container objects in cache.
@@ -579,7 +563,6 @@ The following fields are available:
- **Wmdrm_19H1Setup** The total Wmdrm objects targeting the next release of Windows on this device.
- **Wmdrm_20H1** The count of the number of this particular object type present on this device.
- **Wmdrm_20H1Setup** The count of the number of this particular object type present on this device.
-- **Wmdrm_21H1Setup** The count of the number of this particular object type present on this device.
- **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers.
- **Wmdrm_RS2** An ID for the system, calculated by hashing hardware identifiers.
- **Wmdrm_RS3** An ID for the system, calculated by hashing hardware identifiers.
@@ -594,7 +577,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd
-Represents the basic metadata about specific application files installed on the system.
+This event represents the basic metadata about specific application files installed on the system. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -612,7 +595,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove
-This event indicates that the DatasourceApplicationFile object is no longer present.
+This event indicates that the DatasourceApplicationFile object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -623,7 +606,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync
-This event indicates that a new set of DatasourceApplicationFileAdd events will be sent.
+This event indicates that a new set of DatasourceApplicationFileAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -655,7 +638,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove
-This event indicates that the DatasourceDevicePnp object is no longer present.
+This event indicates that the DatasourceDevicePnp object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -666,7 +649,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync
-This event indicates that a new set of DatasourceDevicePnpAdd events will be sent.
+This event indicates that a new set of DatasourceDevicePnpAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -688,7 +671,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageRemove
-This event indicates that the DatasourceDriverPackage object is no longer present.
+This event indicates that the DatasourceDriverPackage object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -699,7 +682,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync
-This event indicates that a new set of DatasourceDriverPackageAdd events will be sent.
+This event indicates that a new set of DatasourceDriverPackageAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -722,7 +705,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove
-This event indicates that the DataSourceMatchingInfoBlock object is no longer present.
+This event indicates that the DataSourceMatchingInfoBlock object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -733,7 +716,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync
-This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent.
+This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events has completed being sent. This event is used to make compatibility decisions about files to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -755,7 +738,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove
-This event indicates that the DataSourceMatchingInfoPassive object is no longer present.
+This event indicates that the DataSourceMatchingInfoPassive object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -766,7 +749,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync
-This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent.
+This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent. This event is used to make compatibility decisions about files to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -788,7 +771,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove
-This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present.
+This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -799,7 +782,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync
-This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent.
+This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -821,7 +804,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove
-This event indicates that the DatasourceSystemBios object is no longer present.
+This event indicates that the DatasourceSystemBios object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -832,7 +815,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync
-This event indicates that a new set of DatasourceSystemBiosAdd events will be sent.
+This event indicates that a new set of DatasourceSystemBiosAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -873,7 +856,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove
-This event indicates that the DecisionApplicationFile object is no longer present.
+This event indicates that the DecisionApplicationFile object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -884,7 +867,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync
-This event indicates that a new set of DecisionApplicationFileAdd events will be sent.
+This event indicates that a new set of DecisionApplicationFileAdd events will be sent. This event is used to make compatibility decisions about a file to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -922,7 +905,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove
-This event indicates that the DecisionDevicePnp object is no longer present.
+This event Indicates that the DecisionDevicePnp object represented by the objectInstanceId is no longer present. This event is used to make compatibility decisions about PNP devices to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -933,7 +916,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync
-The DecisionDevicePnpStartSync event indicates that a new set of DecisionDevicePnpAdd events will be sent.
+This event indicates that a new set of DecisionDevicePnpAdd events will be sent. This event is used to make compatibility decisions about PNP devices to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -962,7 +945,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove
-This event indicates that the DecisionDriverPackage object is no longer present.
+This event indicates that the DecisionDriverPackage object represented by the objectInstanceId is no longer present. This event is used to make compatibility decisions about driver packages to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -973,7 +956,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync
-This event indicates that a new set of DecisionDriverPackageAdd events will be sent.
+The DecisionDriverPackageStartSync event indicates that a new set of DecisionDriverPackageAdd events will be sent. This event is used to make compatibility decisions about driver packages to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1003,7 +986,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove
-This event indicates that the DecisionMatchingInfoBlock object is no longer present.
+This event indicates that the DecisionMatchingInfoBlock object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1014,7 +997,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync
-This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent.
+This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1039,7 +1022,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove
-This event Indicates that the DecisionMatchingInfoPassive object is no longer present.
+This event Indicates that the DecisionMatchingInfoPassive object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1050,7 +1033,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync
-This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent.
+This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1076,7 +1059,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove
-This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present.
+This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1087,7 +1070,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync
-This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent.
+This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1115,7 +1098,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMediaCenterRemove
-This event indicates that the DecisionMediaCenter object is no longer present.
+This event indicates that the DecisionMediaCenter object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1126,7 +1109,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMediaCenterStartSync
-This event indicates that a new set of DecisionMediaCenterAdd events will be sent.
+This event indicates that a new set of DecisionMediaCenterAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1151,7 +1134,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionSystemBiosRemove
-This event indicates that the DecisionSystemBios object is no longer present.
+This event indicates that the DecisionSystemBios object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1162,7 +1145,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync
-This event indicates that a new set of DecisionSystemBiosAdd events will be sent.
+This event indicates that a new set of DecisionSystemBiosAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1187,7 +1170,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd
-This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or be part of an antivirus program.
+This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or be part of an antivirus program. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1216,7 +1199,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove
-This event indicates that the InventoryApplicationFile object is no longer present.
+This event indicates that the InventoryApplicationFile object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1227,7 +1210,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync
-This event indicates that a new set of InventoryApplicationFileAdd events will be sent.
+This event indicates that a new set of InventoryApplicationFileAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1251,7 +1234,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove
-This event indicates that the InventoryLanguagePack object is no longer present.
+This event indicates that the InventoryLanguagePack object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1262,7 +1245,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync
-This event indicates that a new set of InventoryLanguagePackAdd events will be sent.
+This event indicates that a new set of InventoryLanguagePackAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1291,7 +1274,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryMediaCenterRemove
-This event indicates that the InventoryMediaCenter object is no longer present.
+This event indicates that the InventoryMediaCenter object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1302,7 +1285,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync
-This event indicates that a new set of InventoryMediaCenterAdd events will be sent.
+This event indicates that a new set of InventoryMediaCenterAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1313,7 +1296,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd
-This event sends basic metadata about the BIOS to determine whether it has a compatibility block.
+This event sends basic metadata about the BIOS to determine whether it has a compatibility block. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1332,7 +1315,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove
-This event indicates that the InventorySystemBios object is no longer present.
+This event indicates that the InventorySystemBios object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1343,7 +1326,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync
-This event indicates that a new set of InventorySystemBiosAdd events will be sent.
+This event indicates that a new set of InventorySystemBiosAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1354,7 +1337,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd
-This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade.
+This event runs only during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. It is critical in understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1379,7 +1362,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove
-This event indicates that the InventoryUplevelDriverPackage object is no longer present.
+This event indicates that the InventoryUplevelDriverPackage object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1390,7 +1373,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync
-This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent.
+This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1401,7 +1384,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.RunContext
-This event indicates what should be expected in the data payload.
+This event is sent at the beginning of an appraiser run, the RunContext indicates what should be expected in the following data payload. This event is used with the other Appraiser events to make compatibility decisions to keep Windows up to date.
The following fields are available:
@@ -1435,7 +1418,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemMemoryRemove
-This event that the SystemMemory object is no longer present.
+This event that the SystemMemory object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1446,7 +1429,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemMemoryStartSync
-This event indicates that a new set of SystemMemoryAdd events will be sent.
+This event indicates that a new set of SystemMemoryAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1470,7 +1453,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove
-This event indicates that the SystemProcessorCompareExchange object is no longer present.
+This event indicates that the SystemProcessorCompareExchange object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1481,7 +1464,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync
-This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent.
+This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1505,7 +1488,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove
-This event indicates that the SystemProcessorLahfSahf object is no longer present.
+This event indicates that the SystemProcessorLahfSahf object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1516,7 +1499,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync
-This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent.
+This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1541,7 +1524,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorNxRemove
-This event indicates that the SystemProcessorNx object is no longer present.
+This event indicates that the SystemProcessorNx object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1552,7 +1535,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync
-This event indicates that a new set of SystemProcessorNxAdd events will be sent.
+This event indicates that a new set of SystemProcessorNxAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1576,7 +1559,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWRemove
-This event indicates that the SystemProcessorPrefetchW object is no longer present.
+This event indicates that the SystemProcessorPrefetchW object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1587,7 +1570,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync
-This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent.
+This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1611,7 +1594,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Remove
-This event indicates that the SystemProcessorSse2 object is no longer present.
+This event indicates that the SystemProcessorSse2 object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1622,7 +1605,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync
-This event indicates that a new set of SystemProcessorSse2Add events will be sent.
+This event indicates that a new set of SystemProcessorSse2Add events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1646,7 +1629,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemTouchRemove
-This event indicates that the SystemTouch object is no longer present.
+This event indicates that the SystemTouch object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1657,7 +1640,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemTouchStartSync
-This event indicates that a new set of SystemTouchAdd events will be sent.
+This event indicates that a new set of SystemTouchAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1681,7 +1664,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemWimRemove
-This event indicates that the SystemWim object is no longer present.
+This event indicates that the SystemWim object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1692,7 +1675,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemWimStartSync
-This event indicates that a new set of SystemWimAdd events will be sent.
+This event indicates that a new set of SystemWimAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1716,7 +1699,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove
-This event indicates that the SystemWindowsActivationStatus object is no longer present.
+This event indicates that the SystemWindowsActivationStatus object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1727,7 +1710,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync
-This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent.
+This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1755,7 +1738,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemWlanRemove
-This event indicates that the SystemWlan object is no longer present.
+This event indicates that the SystemWlan object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1766,7 +1749,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.SystemWlanStartSync
-This event indicates that a new set of SystemWlanAdd events will be sent.
+This event indicates that a new set of SystemWlanAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1833,7 +1816,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.WmdrmRemove
-This event indicates that the Wmdrm object is no longer present.
+This event indicates that the Wmdrm object is no longer present. The data collected with this event is used to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1844,7 +1827,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.WmdrmStartSync
-This event indicates that a new set of WmdrmAdd events will be sent.
+The WmdrmStartSync event indicates that a new set of WmdrmAdd events will be sent. This event is used to understand the usage of older digital rights management on the system, to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -1857,7 +1840,7 @@ The following fields are available:
### MicArrayGeometry
-This event provides information about the layout of the individual microphone elements in the microphone array.
+This event provides information about the layout of the individual microphone elements in the microphone array. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -1875,7 +1858,7 @@ The following fields are available:
### MicCoords
-This event provides information about the location and orientation of the microphone element.
+This event provides information about the location and orientation of the microphone element. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -1889,7 +1872,7 @@ The following fields are available:
### Microsoft.Windows.Audio.EndpointBuilder.DeviceInfo
-This event logs the successful enumeration of an audio endpoint (such as a microphone or speaker) and provides information about the audio endpoint.
+This event logs the successful enumeration of an audio endpoint (such as a microphone or speaker) and provides information about the audio endpoint. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -1914,7 +1897,7 @@ The following fields are available:
### Census.App
-This event sends version data about the Apps running on this device, to help keep Windows up to date.
+This event sends version data about the Apps running on this device. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1932,7 +1915,7 @@ The following fields are available:
### Census.Azure
-This event returns data from Microsoft-internal Azure server machines (only from Microsoft-internal machines with Server SKUs). All other machines (those outside Microsoft and/or machines that are not part of the “Azure fleet”) return empty data sets.
+This event returns data from Microsoft-internal Azure server machines (only from Microsoft-internal machines with Server SKUs). All other machines (those outside Microsoft and/or machines that are not part of the “Azure fleet”) return empty data sets. The data collected with this event is used to help keep Windows secure.
The following fields are available:
@@ -1943,7 +1926,7 @@ The following fields are available:
### Census.Battery
-This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use, type to help keep Windows up to date.
+This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1954,19 +1937,9 @@ The following fields are available:
- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value.
-### Census.Camera
-
-This event sends data about the resolution of cameras on the device, to help keep Windows up to date.
-
-The following fields are available:
-
-- **FrontFacingCameraResolution** Represents the resolution of the front facing camera in megapixels. If a front facing camera does not exist, then the value is 0.
-- **RearFacingCameraResolution** Represents the resolution of the rear facing camera in megapixels. If a rear facing camera does not exist, then the value is 0.
-
-
### Census.Enterprise
-This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of the use and integration of devices in an enterprise, cloud, and server environment.
+This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of the use and integration of devices in an enterprise, cloud, and server environment. The data collected with this event is used to help keep Windows secure.
The following fields are available:
@@ -1985,14 +1958,14 @@ The following fields are available:
- **IsEDPEnabled** Represents if Enterprise data protected on the device.
- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not.
- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID
-- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in a Configuration Manager environment.
+- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment.
- **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
-- **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier
+- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier
### Census.Firmware
-This event sends data about the BIOS and startup embedded in the device, to help keep Windows up to date.
+This event sends data about the BIOS and startup embedded in the device. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2004,7 +1977,7 @@ The following fields are available:
### Census.Flighting
-This event sends Windows Insider data from customers participating in improvement testing and feedback programs, to help keep Windows up to date.
+This event sends Windows Insider data from customers participating in improvement testing and feedback programs. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2019,7 +1992,7 @@ The following fields are available:
### Census.Hardware
-This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support, to help keep Windows up to date.
+This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2062,7 +2035,7 @@ The following fields are available:
### Census.Memory
-This event sends data about the memory on the device, including ROM and RAM, to help keep Windows up to date.
+This event sends data about the memory on the device, including ROM and RAM. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2072,7 +2045,7 @@ The following fields are available:
### Census.Network
-This event sends data about the mobile and cellular network used by the device (mobile service provider, network, device ID, and service cost factors), to help keep Windows up to date.
+This event sends data about the mobile and cellular network used by the device (mobile service provider, network, device ID, and service cost factors). The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2095,7 +2068,7 @@ The following fields are available:
### Census.OS
-This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it is a virtual device, to help keep Windows up to date.
+This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it is a virtual device. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2137,7 +2110,7 @@ The following fields are available:
### Census.PrivacySettings
-This event provides information about the device level privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represent the authority that set the value. The effective consent (first 8 bits) is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority (last 8 bits) is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = system, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings.
+This event provides information about the device level privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represent the authority that set the value. The effective consent (first 8 bits) is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority (last 8 bits) is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = system, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. The data collected with this event is used to help keep Windows secure.
The following fields are available:
@@ -2183,7 +2156,7 @@ The following fields are available:
### Census.Processor
-This event sends data about the processor to help keep Windows up to date.
+This event sends data about the processor. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2206,7 +2179,7 @@ The following fields are available:
### Census.Security
-This event provides information on about security settings used to help keep Windows up to date and secure.
+This event provides information about security settings. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2224,7 +2197,7 @@ The following fields are available:
### Census.Speech
-This event is used to gather basic speech settings on the device.
+This event is used to gather basic speech settings on the device. The data collected with this event is used to help keep Windows secure.
The following fields are available:
@@ -2243,7 +2216,7 @@ The following fields are available:
### Census.Storage
-This event sends data about the total capacity of the system volume and primary disk, to help keep Windows up to date.
+This event sends data about the total capacity of the system volume and primary disk. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2255,7 +2228,7 @@ The following fields are available:
### Census.Userdefault
-This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols, to help keep Windows up to date.
+This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2268,7 +2241,7 @@ The following fields are available:
### Census.UserDisplay
-This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system, to help keep Windows up to date.
+This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2289,7 +2262,7 @@ The following fields are available:
### Census.UserNLS
-This event sends data about the default app language, input, and display language preferences set by the user, to help keep Windows up to date.
+This event sends data about the default app language, input, and display language preferences set by the user. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2302,7 +2275,7 @@ The following fields are available:
### Census.UserPrivacySettings
-This event provides information about the current users privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represents the authority that set the value. The effective consent is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = user, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings.
+This event provides information about the current users privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represents the authority that set the value. The effective consent is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = user, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. The data collected with this event is used to help keep Windows secure.
The following fields are available:
@@ -2348,7 +2321,7 @@ The following fields are available:
### Census.VM
-This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to help keep Windows up to date.
+This event sends data indicating whether virtualization is enabled on the device, and its various characteristics. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2364,7 +2337,7 @@ The following fields are available:
### Census.WU
-This event sends data about the Windows update server and other App store policies, to help keep Windows up to date.
+This event sends data about the Windows update server and other App store policies. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2470,7 +2443,6 @@ The following fields are available:
- **ext_container** Describes the properties of the container for events logged within a container. See [Common Data Extensions.container](#common-data-extensionscontainer).
- **ext_cs** Describes properties related to the schema of the event. See [Common Data Extensions.cs](#common-data-extensionscs).
- **ext_device** Describes the device-related fields. See [Common Data Extensions.device](#common-data-extensionsdevice).
-- **ext_m365a** Describes the Microsoft 365-related fields. See [Common Data Extensions.m365a](#common-data-extensionsm365a).
- **ext_os** Describes the operating system properties that would be populated by the client. See [Common Data Extensions.os](#common-data-extensionsos).
- **ext_sdk** Describes the fields related to a platform library required for a specific SDK. See [Common Data Extensions.sdk](#common-data-extensionssdk).
- **ext_user** Describes the fields related to a user. See [Common Data Extensions.user](#common-data-extensionsuser).
@@ -2483,14 +2455,6 @@ The following fields are available:
- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format.
- **ver** Represents the major and minor version of the extension.
-### Common Data Extensions.m365a
-
-Describes the Microsoft 365-related fields.
-
-The following fields are available:
-
-- **enrolledTenantId** The enrolled tenant ID.
-- **msp** A bitmask that lists the active programs.
### Common Data Extensions.os
@@ -2570,8 +2534,7 @@ The following fields are available:
- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts.
- **xid** A list of base10-encoded XBOX User IDs.
-
-## Common data fields
+## Common Data Fields
### Ms.Device.DeviceInventoryChange
@@ -2579,18 +2542,17 @@ Describes the installation state for all hardware and software components availa
The following fields are available:
-- **action** The change that was invoked on a device inventory object.
-- **inventoryId** Device ID used for Compatibility testing
-- **objectInstanceId** Object identity which is unique within the device scope.
-- **objectType** Indicates the object type that the event applies to.
-- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object.
-
+- **action** The change that was invoked on a device inventory object.
+- **inventoryId** Device ID used for Compatibility testing
+- **objectInstanceId** Object identity which is unique within the device scope.
+- **objectType** Indicates the object type that the event applies to.
+- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object.
## Compatibility events
### Microsoft.Windows.Compatibility.Apphelp.SdbFix
-Product instrumentation for helping debug/troubleshoot issues with inbox compatibility components.
+Product instrumentation for helping debug/troubleshoot issues with inbox compatibility components. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -2626,7 +2588,7 @@ The following fields are available:
### CbsServicingProvider.CbsCapabilitySessionFinalize
-This event provides information about the results of installing or uninstalling optional Windows content from Windows Update.
+This event provides information about the results of installing or uninstalling optional Windows content from Windows Update. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
@@ -2763,7 +2725,7 @@ The following fields are available:
### DeploymentTelemetry.Deployment_End
-This event indicates that a Deployment 360 API has completed.
+This event indicates that a Deployment 360 API has completed. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2777,7 +2739,7 @@ The following fields are available:
### DeploymentTelemetry.Deployment_SetupBoxLaunch
-This event indicates that the Deployment 360 APIs have launched Setup Box.
+This event indicates that the Deployment 360 APIs have launched Setup Box. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2790,7 +2752,7 @@ The following fields are available:
### DeploymentTelemetry.Deployment_SetupBoxResult
-This event indicates that the Deployment 360 APIs have received a return from Setup Box.
+This event indicates that the Deployment 360 APIs have received a return from Setup Box. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2804,7 +2766,7 @@ The following fields are available:
### DeploymentTelemetry.Deployment_Start
-This event indicates that a Deployment 360 API has been called.
+This event indicates that a Deployment 360 API has been called. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2818,7 +2780,7 @@ The following fields are available:
### TelClientSynthetic.AbnormalShutdown_0
-This event sends data about boot IDs for which a normal clean shutdown was not observed, to help keep Windows up to date.
+This event sends data about boot IDs for which a normal clean shutdown was not observed. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -2887,7 +2849,7 @@ The following fields are available:
### TelClientSynthetic.AuthorizationInfo_RuntimeTransition
-This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect.
+This event is fired by UTC at state transitions to signal what data we are allowed to collect. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -2906,7 +2868,7 @@ The following fields are available:
### TelClientSynthetic.AuthorizationInfo_Startup
-Fired by UTC at startup to signal what data we are allowed to collect.
+This event is fired by UTC at startup to signal what data we are allowed to collect. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -2925,15 +2887,15 @@ The following fields are available:
### TelClientSynthetic.ConnectivityHeartBeat_0
-This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it sends an event. A Connectivity Heartbeat event is also sent when a device recovers from costed network to free network.
+This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it sends an event. A Connectivity Heartbeat event is also sent when a device recovers from costed network to free network. This event is fired by UTC during periods of no network as a heartbeat signal, to keep Windows secure and up to date.
The following fields are available:
-- **CensusExitCode** Returns last execution codes from census client run.
-- **CensusStartTime** Returns timestamp corresponding to last successful census run.
-- **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine.
+- **CensusExitCode** Last exit code of the Census task.
+- **CensusStartTime** Time of last Census run.
+- **CensusTaskEnabled** True if Census is enabled, false otherwise.
- **LastConnectivityLossTime** Retrieves the last time the device lost free network.
-- **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network.
+- **NetworkState** The network state of the device.
- **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds.
- **RestrictedNetworkTime** Retrieves the time spent on a metered (cost restricted) network in seconds.
@@ -3089,7 +3051,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicability
-Event to indicate that the Coordinator CheckApplicability call succeeded.
+This event indicates that the Coordinator CheckApplicability call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3105,7 +3067,7 @@ The following fields are available:
- **IsDeviceNetworkMetered** Indicates whether the device is connected to a metered network.
- **IsDeviceOobeBlocked** Indicates whether user approval is required to install updates on the device.
- **IsDeviceRequireUpdateApproval** Indicates whether user approval is required to install updates on the device.
-- **IsDeviceSccmManaged** Indicates whether the device is running the Configuration Manager client to keep the operating system and applications up to date.
+- **IsDeviceSccmManaged** Indicates whether the device is running the Microsoft SCCM (System Center Configuration Manager) to keep the operating system and applications up to date.
- **IsDeviceUninstallActive** Indicates whether the OS (operating system) on the device was recently updated.
- **IsDeviceUpdateNotificationLevel** Indicates whether the device has a set policy to control update notifications.
- **IsDeviceUpdateServiceManaged** Indicates whether the device uses WSUS (Windows Server Update Services).
@@ -3116,7 +3078,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicabilityGenericFailure
-This event indicatse that we have received an unexpected error in the Direct to Update (DTU) Coordinators CheckApplicability call.
+This event indicatse that we have received an unexpected error in the Direct to Update (DTU) Coordinators CheckApplicability call. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3129,7 +3091,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupGenericFailure
-This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Cleanup call.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Cleanup call. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3142,7 +3104,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupSuccess
-This event indicates that the Coordinator Cleanup call succeeded.
+This event indicates that the Coordinator Cleanup call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3154,7 +3116,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitGenericFailure
-This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Commit call.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Commit call. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3167,7 +3129,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitSuccess
-This event indicates that the Coordinator Commit call succeeded.
+This event indicates that the Coordinator Commit call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3179,7 +3141,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadGenericFailure
-This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Download call.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Download call. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3192,7 +3154,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadIgnoredFailure
-This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Download call that will be ignored.
+This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Download call that will be ignored. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3205,7 +3167,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadSuccess
-This event indicates that the Coordinator Download call succeeded.
+This event indicates that the Coordinator Download call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3217,7 +3179,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownGenericFailure
-This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator HandleShutdown call.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator HandleShutdown call. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3230,7 +3192,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownSuccess
-This event indicates that the Coordinator HandleShutdown call succeeded.
+This event indicates that the Coordinator HandleShutdown call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3242,7 +3204,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeGenericFailure
-This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Initialize call.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Initialize call. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3255,7 +3217,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeSuccess
-This event indicates that the Coordinator Initialize call succeeded.
+This event indicates that the Coordinator Initialize call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3267,7 +3229,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallGenericFailure
-This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Install call.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Install call. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3280,7 +3242,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallIgnoredFailure
-This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Install call that will be ignored.
+This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Install call that will be ignored. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3293,7 +3255,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallSuccess
-This event indicates that the Coordinator Install call succeeded.
+This event indicates that the Coordinator Install call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3305,7 +3267,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorProgressCallBack
-This event indicates that the Coordinator's progress callback has been called.
+This event indicates that the Coordinator's progress callback has been called. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3318,7 +3280,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorSetCommitReadySuccess
-This event indicates that the Coordinator SetCommitReady call succeeded.
+This event indicates that the Coordinator SetCommitReady call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3330,7 +3292,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiNotShown
-This event indicates that the Coordinator WaitForRebootUi call succeeded.
+This event indicates that the Coordinator WaitForRebootUi call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3343,7 +3305,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSelection
-This event indicates that the user selected an option on the Reboot UI.
+This event indicates that the user selected an option on the Reboot UI. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3356,7 +3318,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSuccess
-This event indicates that the Coordinator WaitForRebootUi call succeeded.
+This event indicates that the Coordinator WaitForRebootUi call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3368,7 +3330,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityGenericFailure
-This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckApplicability call.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckApplicability call. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3382,7 +3344,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalGenericFailure
-This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckApplicabilityInternal call.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckApplicabilityInternal call. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3395,7 +3357,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalSuccess
-This event indicates that the Handler CheckApplicabilityInternal call succeeded.
+This event indicates that the Handler CheckApplicabilityInternal call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3408,7 +3370,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilitySuccess
-This event indicates that the Handler CheckApplicability call succeeded.
+This event indicates that the Handler CheckApplicability call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3422,7 +3384,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckIfCoordinatorMinApplicableVersionSuccess
-This event indicates that the Handler CheckIfCoordinatorMinApplicableVersion call succeeded.
+This event indicates that the Handler CheckIfCoordinatorMinApplicableVersion call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3435,7 +3397,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitGenericFailure
-This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Commit call.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Commit call. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3449,7 +3411,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitSuccess
-This event indicates that the Handler Commit call succeeded.
+This event indicates that the Handler Commit call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3462,7 +3424,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabFailure
-This event indicates that the Handler Download and Extract cab call failed.
+This event indicates that the Handler Download and Extract cab call failed. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3476,7 +3438,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabSuccess
-This event indicates that the Handler Download and Extract cab call succeeded.
+This event indicates that the Handler Download and Extract cab call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3488,7 +3450,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadGenericFailure
-This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Download call.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Download call. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3501,7 +3463,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadSuccess
-This event indicates that the Handler Download call succeeded.
+This event indicates that the Handler Download call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3513,7 +3475,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeGenericFailure
-This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Initialize call.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Initialize call. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3527,7 +3489,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeSuccess
-This event indicates that the Handler Initialize call succeeded.
+This event indicates that the Handler Initialize call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3540,7 +3502,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallGenericFailure
-This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Install call.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Install call. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3553,7 +3515,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallSuccess
-This event indicates that the Coordinator Install call succeeded.
+This event indicates that the Coordinator Install call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3565,7 +3527,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerSetCommitReadySuccess
-This event indicates that the Handler SetCommitReady call succeeded.
+This event indicates that the Handler SetCommitReady call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3577,7 +3539,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiGenericFailure
-This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler WaitForRebootUi call.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler WaitForRebootUi call. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3590,7 +3552,7 @@ The following fields are available:
### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiSuccess
-This event indicates that the Handler WaitForRebootUi call succeeded.
+This event indicates that the Handler WaitForRebootUi call succeeded. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -3602,9 +3564,83 @@ The following fields are available:
## DISM events
+### Microsoft.Windows.StartRep.DISMLatesInstalledLCU
+
+This event indicates that LCU is being uninstalled by DISM. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **DISMInstalledLCUPackageName** Package name of LCU that's uninstalled by using DISM
+
+
+### Microsoft.Windows.StartRep.DISMPendingInstall
+
+This event indicates that installation for the package is pending during recovery session. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **DISMPendingInstallPackageName** The name of the pending package.
+
+
+### Microsoft.Windows.StartRep.DISMRevertPendingActions
+
+This event indicates that the revert pending packages operation has been completed. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **ErrorCode** The result from the operation to revert pending packages.
+
+
+### Microsoft.Windows.StartRep.DISMUninstallLCU
+
+This event indicates the uninstall operation. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **ErrorCode** The error code that is being reported by DISM.
+
+
+### Microsoft.Windows.StartRep.SRTRepairActionEnd
+
+This event indicates that the SRT Repair has been completed. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **ErrorCode** The error code that is reported.
+- **SRTRepairAction** The action that was taken by SRT.
+
+
+### Microsoft.Windows.StartRep.SRTRepairActionStart
+
+This event sends data when SRT repair has started. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **SRTRepairAction** The action that is being taken by SRT.
+
+
+### Microsoft.Windows.StartRep.SRTRootCauseDiagEnd
+
+This event sends data when the root cause operation has completed. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **ErrorCode** The final result code for the root cause operation.
+- **SRTRootCauseDiag** The name of the root cause operation that ran.
+
+
+### Microsoft.Windows.StartRep.SRTRootCauseDiagStart
+
+This event indicates that a diagnostic in the recovery environment has been initiated. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **SRTRootCauseDiag** The name of a specific diagnostic.
+
+
### Microsoft.Windows.StartRepairCore.DISMLatestInstalledLCU
-The DISM Latest Installed LCU sends information to report result of search for latest installed LCU after last successful boot.
+The DISM Latest Installed LCU sends information to report result of search for latest installed LCU after last successful boot. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -3613,16 +3649,49 @@ The following fields are available:
### Microsoft.Windows.StartRepairCore.DISMPendingInstall
-The DISM Pending Install event sends information to report pending package installation found.
+The DISM Pending Install event sends information to report pending package installation found. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
- **dismPendingInstallPackageName** The name of the pending package.
+### Microsoft.Windows.StartRepairCore.DISMRevertPendingActions
+
+The DISM Pending Install event sends information to report pending package installation found. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **errorCode** The result code returned by the event.
+
+
+### Microsoft.Windows.StartRepairCore.SRTRepairActionEnd
+
+The SRT Repair Action End event sends information to report repair operation ended for given plug-in. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **errorCode** The result code returned by the event.
+- **failedUninstallCount** The number of driver updates that failed to uninstall.
+- **failedUninstallFlightIds** The Flight IDs (identifiers of beta releases) of driver updates that failed to uninstall.
+- **foundDriverUpdateCount** The number of found driver updates.
+- **srtRepairAction** The scenario name for a repair.
+- **successfulUninstallCount** The number of successfully uninstalled driver updates.
+- **successfulUninstallFlightIds** The Flight IDs (identifiers of beta releases) of successfully uninstalled driver updates.
+
+
+### Microsoft.Windows.StartRepairCore.SRTRepairActionStart
+
+The SRT Repair Action Start event sends information to report repair operation started for given plug-in. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+
+The following fields are available:
+
+- **srtRepairAction** The scenario name for a repair.
+
+
### Microsoft.Windows.StartRepairCore.SRTRootCauseDiagEnd
-The SRT Root Cause Diagnosis End event sends information to report diagnosis operation completed for given plug-in.
+The SRT Root Cause Diagnosis End event sends information to report diagnosis operation completed for given plug-in. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -3634,7 +3703,7 @@ The following fields are available:
### Microsoft.Windows.StartRepairCore.SRTRootCauseDiagStart
-The SRT Root Cause Diagnosis Start event sends information to report diagnosis operation started for given plug-in.
+The SRT Root Cause Diagnosis Start event sends information to report diagnosis operation started for given plug-in. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
@@ -3645,7 +3714,7 @@ The following fields are available:
### Microsoft.Windows.DriverInstall.DeviceInstall
-This critical event sends information about the driver installation that took place.
+This critical event sends information about the driver installation that took place. The data collected with this event is used to help keep Windows up to date and performing properly.
The following fields are available:
@@ -3699,7 +3768,7 @@ The following fields are available:
### Microsoft.Windows.DriverInstall.NewDevInstallDeviceEnd
-This event sends data about the driver installation once it is completed.
+This event sends data about the driver installation once it is completed. The data collected with this event is used to help keep Windows up to date and performing properly.
The following fields are available:
@@ -3718,7 +3787,7 @@ The following fields are available:
### Microsoft.Windows.DriverInstall.NewDevInstallDeviceStart
-This event sends data about the driver that the new driver installation is replacing.
+This event sends data about the driver that the new driver installation is replacing. The data collected with this event is used to help keep Windows up to date and performing properly.
The following fields are available:
@@ -3910,7 +3979,7 @@ The following fields are available:
### Microsoft.Windows.Upgrade.Uninstall.UninstallFinalizedAndRebootTriggered
-This event indicates that the uninstall was properly configured and that a system reboot was initiated.
+This event indicates that the uninstall was properly configured and that a system reboot was initiated. The data collected with this event is used to help keep Windows up to date and performing properly.
@@ -3952,7 +4021,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum
-This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object.
+This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -4005,7 +4074,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions
-This event sends inventory component versions for the Device Inventory data.
+This event sends inventory component versions for the Device Inventory data. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -4013,9 +4082,27 @@ The following fields are available:
- **devinv** The file version of the Device inventory component.
+### Microsoft.Windows.Inventory.Core.FileSigningInfoAdd
+
+This event enumerates the signatures of files, either driver packages or application executables. For driver packages, this data is collected on demand via Telecommand to limit it only to unrecognized driver packages, saving time for the client and space on the server. For applications, this data is collected for up to 10 random executables on a system. The data collected with this event is used to keep Windows performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **CatalogSigners** Signers from catalog. Each signer starts with Chain.
+- **DigestAlgorithm** The pseudonymizing (hashing) algorithm used when the file or package was signed.
+- **DriverPackageStrongName** Optional. Available only if FileSigningInfo is collected on a driver package.
+- **EmbeddedSigners** Embedded signers. Each signer starts with Chain.
+- **FileName** The file name of the file whose signatures are listed.
+- **FileType** Either exe or sys, depending on if a driver package or application executable.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **Thumbprint** Comma separated hash of the leaf node of each signer. Semicolon is used to separate CatalogSigners from EmbeddedSigners. There will always be a trailing comma.
+
+
### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd
-This event sends basic metadata about an application on the system to help keep Windows up to date.
+This event sends basic metadata about an application on the system. The data collected with this event is used to keep Windows performing properly and up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4044,7 +4131,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd
-This event represents what drivers an application installs.
+This event represents what drivers an application installs. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4056,7 +4143,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync
-The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent.
+The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4067,7 +4154,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd
-This event provides the basic metadata about the frameworks an application may depend on.
+This event provides the basic metadata about the frameworks an application may depend on. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4080,7 +4167,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync
-This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent.
+This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4091,7 +4178,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove
-This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
+This event indicates that a new set of InventoryDevicePnpAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4102,7 +4189,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync
-This event indicates that a new set of InventoryApplicationAdd events will be sent.
+This event indicates that a new set of InventoryApplicationAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4113,7 +4200,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd
-This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and Play device) to help keep Windows up to date.
+This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and Play device). The data collected with this event is used to help keep Windows up to date and to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4137,7 +4224,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove
-This event indicates that the InventoryDeviceContainer object is no longer present.
+This event indicates that the InventoryDeviceContainer object is no longer present. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4148,7 +4235,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync
-This event indicates that a new set of InventoryDeviceContainerAdd events will be sent.
+This event indicates that a new set of InventoryDeviceContainerAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4159,7 +4246,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd
-This event retrieves information about what sensor interfaces are available on the device.
+This event retrieves information about what sensor interfaces are available on the device. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4189,7 +4276,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync
-This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent.
+This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4200,7 +4287,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd
-This event sends additional metadata about a Plug and Play device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload.
+This event sends additional metadata about a Plug and Play device that is specific to a particular class of devices. The data collected with this event is used to help keep Windows up to date and performing properly while reducing overall size of data payload.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4215,7 +4302,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove
-This event indicates that the InventoryDeviceMediaClassRemove object is no longer present.
+This event indicates that the InventoryDeviceMediaClass object represented by the objectInstanceId is no longer present. This event is used to understand a PNP device that is specific to a particular class of devices. The data collected with this event is used to help keep Windows up to date and performing properly while reducing overall size of data payload.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4226,7 +4313,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync
-This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent.
+This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4282,7 +4369,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove
-This event indicates that the InventoryDevicePnpRemove object is no longer present.
+This event indicates that the InventoryDevicePnpRemove object is no longer present. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4293,7 +4380,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync
-This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
+This event indicates that a new set of InventoryDevicePnpAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4304,7 +4391,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd
-This event sends basic metadata about the USB hubs on the device.
+This event sends basic metadata about the USB hubs on the device. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4317,7 +4404,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync
-This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent.
+This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4328,7 +4415,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd
-This event sends basic metadata about driver binaries running on the system to help keep Windows up to date.
+This event sends basic metadata about driver binaries running on the system. The data collected with this event is used to help keep Windows up to date and performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4355,7 +4442,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove
-This event indicates that the InventoryDriverBinary object is no longer present.
+This event indicates that the InventoryDriverBinary object is no longer present. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4366,7 +4453,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync
-This event indicates that a new set of InventoryDriverBinaryAdd events will be sent.
+This event indicates that a new set of InventoryDriverBinaryAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4377,7 +4464,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd
-This event sends basic metadata about drive packages installed on the system to help keep Windows up to date.
+This event sends basic metadata about drive packages installed on the system. The data collected with this event is used to help keep Windows up to date and performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4399,7 +4486,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove
-This event indicates that the InventoryDriverPackageRemove object is no longer present.
+This event indicates that the InventoryDriverPackageRemove object is no longer present. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4410,7 +4497,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync
-This event indicates that a new set of InventoryDriverPackageAdd events will be sent.
+This event indicates that a new set of InventoryDriverPackageAdd events will be sent. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4437,21 +4524,54 @@ The following fields are available:
- **key** The globally unique identifier (GUID) used to identify the specific Json Trace logging session.
+### Microsoft.Windows.Inventory.General. InventoryMiscellaneousMemorySlotArrayInfoRemove
+
+This event indicates that this particular data object represented by the ObjectInstanceId is no longer present, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+
+
### Microsoft.Windows.Inventory.General.AppHealthStaticAdd
-This event sends details collected for a specific application on the source device.
+This event sends details collected for a specific application on the source device. The data collected with this event is used to keep Windows performing properly.
### Microsoft.Windows.Inventory.General.AppHealthStaticStartSync
-This event indicates the beginning of a series of AppHealthStaticAdd events.
+This event indicates the beginning of a series of AppHealthStaticAdd events. The data collected with this event is used to keep Windows performing properly.
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoAdd
+
+This event provides basic information about active memory slots on the device.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **Capacity** Memory size in bytes
+- **Manufacturer** Name of the DRAM manufacturer
+- **Model** Model and sub-model of the memory
+- **Slot** Slot to which the DRAM is plugged into the motherboard.
+- **Speed** MHZ the memory is currently configured & used at.
+- **Type** Reports DDR, etc. as an enumeration value as per the DMTF SMBIOS standard version 3.3.0, section 7.18.2.
+- **TypeDetails** Reports Non-volatile, etc. as a bit flag enumeration per DMTF SMBIOS standard version 3.3.0, section 7.18.3.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoStartSync
+
+This diagnostic event indicates a new sync is being generated for this object type.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd
-Provides data on the installed Office Add-ins.
+This event provides data on the installed Office add-ins. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4484,7 +4604,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove
-Indicates that this particular data object represented by the objectInstanceId is no longer present.
+This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4495,7 +4615,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync
-This event indicates that a new sync is being generated for this object type.
+This event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4506,7 +4626,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd
-Provides data on the Office identifiers.
+This event provides data on the Office identifiers. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4524,7 +4644,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync
-Diagnostic event to indicate a new sync is being generated for this object type.
+This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4535,7 +4655,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd
-Provides data on Office-related Internet Explorer features.
+This event provides data on Office-related Internet Explorer features. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4561,7 +4681,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync
-Diagnostic event to indicate a new sync is being generated for this object type.
+This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4572,7 +4692,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd
-This event provides insight data on the installed Office products
+This event provides insight data on the installed Office products. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4587,7 +4707,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove
-Indicates that this particular data object represented by the objectInstanceId is no longer present.
+This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4598,7 +4718,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync
-This diagnostic event indicates that a new sync is being generated for this object type.
+This diagnostic event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4609,7 +4729,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd
-Describes Office Products installed.
+This event describes all installed Office products. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4624,7 +4744,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync
-Diagnostic event to indicate a new sync is being generated for this object type.
+This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4635,7 +4755,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd
-This event describes various Office settings
+This event describes various Office settings. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4649,7 +4769,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync
-Indicates a new sync is being generated for this object type.
+This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4660,7 +4780,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd
-This event provides a summary rollup count of conditions encountered while performing a local scan of Office files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus, and between 32 and 64-bit versions
+This event provides a summary rollup count of conditions encountered while performing a local scan of Office files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus, and between 32 and 64-bit versions. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4692,7 +4812,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARemove
-Indicates that this particular data object represented by the objectInstanceId is no longer present.
+This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4703,7 +4823,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd
-This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule
+This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4715,7 +4835,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsRemove
-Indicates that this particular data object represented by the objectInstanceId is no longer present.
+This event indicates that the particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4726,7 +4846,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync
-This event indicates that a new sync is being generated for this object type.
+This event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4737,7 +4857,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync
-Diagnostic event to indicate a new sync is being generated for this object type.
+This diagnostic event indicates that a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4748,7 +4868,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd
-Provides data on Unified Update Platform (UUP) products and what version they are at.
+This event provides data on Unified Update Platform (UUP) products and what version they are at. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4763,7 +4883,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoRemove
-Indicates that this particular data object represented by the objectInstanceId is no longer present.
+This event indicates that this particular data object represented by the objectInstanceId is no longer present. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4771,7 +4891,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync
-Diagnostic event to indicate a new sync is being generated for this object type.
+This is a diagnostic event that indicates a new sync is being generated for this object type. The data collected with this event is used to keep Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4779,7 +4899,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
### Microsoft.Windows.Inventory.Indicators.Checksum
-This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events.
+This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -4790,7 +4910,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd
-These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up to date.
+This event represents the basic metadata about the OS indicators installed on the system. The data collected with this event helps ensure the device is up to date and keeps Windows performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4802,7 +4922,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove
-This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd that indicates that the item has been removed.
+This event indicates that this particular data object represented by the objectInstanceId is no longer present. This event is used to understand the OS indicators installed on the system. The data collected with this event helps ensure the device is current and Windows is up to date and performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4810,7 +4930,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync
-This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events will be sent.
+This event indicates that this particular data object represented by the objectInstanceId is no longer present. This event is used to understand the OS indicators installed on the system. The data collected with this event helps ensure the device is current and Windows is up to date and performing properly.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -4827,10 +4947,9 @@ The following fields are available:
- **BytesRead** The total number of bytes read from or read by the OS upon system startup.
- **BytesWritten** The total number of bytes written to or written by the OS upon system startup.
-
### Microsoft.Windows.Kernel.BootEnvironment.OsLaunch
-OS information collected during Boot, used to evaluate the success of the upgrade process.
+This event includes basic data about the Operating System, collected during Boot and used to evaluate the success of the upgrade process. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -4861,7 +4980,7 @@ The following fields are available:
### Microsoft.Windows.Kernel.DeviceConfig.DeviceConfig
-This critical device configuration event provides information about drivers for a driver installation that took place within the kernel.
+This critical device configuration event provides information about drivers for a driver installation that took place within the kernel. The data collected with this event is used to help keep Windows up to date and performing properly.
The following fields are available:
@@ -4886,7 +5005,7 @@ The following fields are available:
### Microsoft.Windows.Kernel.PnP.AggregateClearDevNodeProblem
-This event is sent when a problem code is cleared from a device.
+This event is sent when a problem code is cleared from a device. The data collected with this event is used to help keep Windows up to date and performing properly.
The following fields are available:
@@ -4901,7 +5020,7 @@ The following fields are available:
### Microsoft.Windows.Kernel.PnP.AggregateSetDevNodeProblem
-This event is sent when a new problem code is assigned to a device.
+This event is sent when a new problem code is assigned to a device. The data collected with this event is used to help keep Windows up to date and performing properly.
The following fields are available:
@@ -4949,6 +5068,7 @@ This config event sends basic device connectivity and configuration information
The following fields are available:
+- **app_sample_rate** A number representing how often the client sends telemetry, expressed as a percentage. Low values indicate that said client sends more events and high values indicate that said client sends fewer events.
- **app_version** The internal Edge build version string, taken from the UMA metrics field system_profile.app_version.
- **appConsentState** Bit flags describing consent for data collection on the machine or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000).
- **Channel** An integer indicating the channel of the installation (Canary or Dev).
@@ -4974,6 +5094,7 @@ This config event sends basic device connectivity and configuration information
The following fields are available:
+- **app_sample_rate** A number representing how often the client sends telemetry, expressed as a percentage. Low values indicate that said client sends more events and high values indicate that said client sends fewer events.
- **app_version** The internal Edge build version string, taken from the UMA metrics field system_profile.app_version.
- **appConsentState** Bit flags describing consent for data collection on the machine or zero if the state was not retrieved. The following are true when the associated bit is set: consent was granted (0x1), consent was communicated at install (0x2), diagnostic data consent granted (0x20000), browsing data consent granted (0x40000).
- **Channel** An integer indicating the channel of the installation (Canary or Dev).
@@ -5021,24 +5142,24 @@ The following fields are available:
### Aria.af397ef28e484961ba48646a5d38cf54.Microsoft.WebBrowser.Installer.EdgeUpdate.Ping
-This event sends hardware and software inventory information about the Microsoft Edge Update service, Microsoft Edge applications, and the current system environment, including app configuration, update configuration, and hardware capabilities. It's used to measure the reliability and performance of the EdgeUpdate service and if Microsoft Edge applications are up to date.
+This Ping event sends a detailed inventory of software and hardware information about the EdgeUpdate service, Edge applications, and the current system environment including app configuration, update configuration, and hardware capabilities. This event contains Device Connectivity and Configuration, Product and Service Performance, and Software Setup and Inventory data. One or more events is sent each time any installation, update, or uninstallation occurs with the EdgeUpdate service or with Edge applications. This event is used to measure the reliability and performance of the EdgeUpdate service and if Edge applications are up to date. This is an indication that the event is designed to keep Windows secure and up to date.
The following fields are available:
-- **appAp** Microsoft Edge Update parameters, including channel, architecture, platform, and additional parameters identifying the release of Microsoft Edge to update and how to install it. Example: 'beta-arch_x64-full'. Default: ''.
-- **appAppId** The GUID that identifies the product channels such as Edge Canary, Dev, Beta, Stable, and Edge Update.
-- **appBrandCode** The 4-digit brand code under which the the product was installed, if any. Possible values: 'GGLS' (default), 'GCEU' (enterprise install), and '' (unknown).
-- **appChannel** An integer indicating the channel of the installation (e.g. Canary or Dev).
-- **appClientId** A generalized form of the brand code that can accept a wider range of values and is used for similar purposes. Default: ''.
-- **appCohort** A machine-readable string identifying the release channel that the app belongs to. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
-- **appCohortHint** A machine-readable enum indicating that the client has a desire to switch to a different release cohort. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
-- **appCohortName** A stable non-localized human-readable enum indicating which (if any) set of messages the app should display to the user. For example, an app with a cohort name of 'beta' might display beta-specific branding to the user. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
+- **appAp** Any additional parameters for the specified application. Default: ''.
+- **appAppId** The GUID that identifies the product. Compatible clients must transmit this attribute. Please see the wiki for additional information. Default: undefined.
+- **appBrandCode** The brand code under which the product was installed, if any. A brand code is a short (4-character) string used to identify installations that took place as a result of partner deals or website promotions. Default: ''.
+- **appChannel** An integer indicating the channel of the installation (i.e. Canary or Dev).
+- **appClientId** A generalized form of the brand code that can accept a wider range of values and is used for similar purposes. Default: ''.
+- **appCohort** A machine-readable string identifying the release cohort (channel) that the app belongs to. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
+- **appCohortHint** A machine-readable enum indicating that the client has a desire to switch to a different release cohort. The exact legal values are app-specific and should be shared between the server and app implementations. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
+- **appCohortName** A stable non-localized human-readable enum indicating which (if any) set of messages the app should display to the user. For example, an app with a cohort Name of 'beta' might display beta-specific branding to the user. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
- **appConsentState** Bit flags describing the diagnostic data disclosure and response flow where 1 indicates the affirmative and 0 indicates the negative or unspecified data. Bit 1 indicates consent was given, bit 2 indicates data originated from the download page, bit 18 indicates choice for sending data about how the browser is used, and bit 19 indicates choice for sending data about websites visited.
-- **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. Default: '-2' (Unknown).
-- **appExperiments** A semicolon-delimited key/value list of experiment identifiers and treatment groups. This field is unused and always empty in Edge Update. Default: ''.
+- **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (e.g. send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value is not known. Please see the wiki for additional information. Default: '-2'.
+- **appExperiments** A key/value list of experiment identifiers. Experiment labels are used to track membership in different experimental groups, and may be set at install or update time. The experiments string is formatted as a semicolon-delimited concatenation of experiment label strings. An experiment label string is an experiment Name, followed by the '=' character, followed by an experimental label value. For example: 'crdiff=got_bsdiff;optimized=O3'. The client should not transmit the expiration date of any experiments it has, even if the server previously specified a specific expiration date. Default: ''.
- **appInstallTimeDiffSec** The difference between the current time and the install date in seconds. '0' if unknown. Default: '-1'.
- **appLang** The language of the product install, in IETF BCP 47 representation. Default: ''.
-- **appNextVersion** The version of the app that the update attempted to reach, regardless of the success or failure of the update operation. Default: '0.0.0.0'.
+- **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Please see the wiki for additional information. Default: '0.0.0.0'.
- **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'.
- **appPingEventDownloadMetricsDownloadedBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'.
- **appPingEventDownloadMetricsDownloader** A string identifying the download algorithm and/or stack. Example values include: 'bits', 'direct', 'winhttp', 'p2p'. Sent in events that have an event type of '14' only. Default: ''.
@@ -5046,24 +5167,24 @@ The following fields are available:
- **appPingEventDownloadMetricsError** The error code (if any) of the operation, encoded as a signed base-10 integer. Default: '0'.
- **appPingEventDownloadMetricsServerIpHint** For events representing a download, the CDN Host IP address that corresponds to the update file server. The CDN host is controlled by Microsoft servers and always maps to IP addresses hosting *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''.
- **appPingEventDownloadMetricsTotalBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'.
-- **appPingEventDownloadMetricsUrl** For events representing a download, the CDN URL provided by the update server for the client to download the update, the URL is controlled by Microsoft servers and always maps back to either *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''.
+- **appPingEventDownloadMetricsUrl** For events representing a download, the CDN URL provided by the update server for the client to download the update, the URL is controlled by Microsoft servers and always maps back to either *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''.
- **appPingEventDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'.
- **appPingEventErrorCode** The error code (if any) of the operation, encoded as a signed, base-10 integer. Default: '0'.
-- **appPingEventEventResult** An enumeration indicating the result of the event. Common values are '0' (Error) and '1' (Success). Default: '0' (Error).
-- **appPingEventEventType** An enumeration indicating the type of the event and the event stage. Default: '0' (Unknown).
+- **appPingEventEventResult** An enum indicating the result of the event. Please see the wiki for additional information. Default: '0'.
+- **appPingEventEventType** An enum indicating the type of the event. Compatible clients MUST transmit this attribute. Please see the wiki for additional information.
- **appPingEventExtraCode1** Additional numeric information about the operation's result, encoded as a signed, base-10 integer. Default: '0'.
- **appPingEventInstallTimeMs** For events representing an install, the time elapsed between the start of the install and the end of the install, in milliseconds. For events representing an entire update flow, the sum of all such durations. Sent in events that have an event type of '2' and '3' only. Default: '0'.
- **appPingEventNumBytesDownloaded** The number of bytes downloaded for the specified application. Default: '0'.
-- **appPingEventSequenceId** An ID that uniquely identifies particular events within one requestId. Since a request can contain multiple ping events, this field is necessary to uniquely identify each possible event.
-- **appPingEventSourceUrlIndex** For events representing a download, the position of the download URL in the list of URLs supplied by the server in a
backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx |
## Certificates
@@ -164,13 +165,13 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper
The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses.
Additionally, it is used to download certificates that are publicly known to be fraudulent.
-These settings are critical for both Windows security and the overall security of the Internet.
+These settings are critical for both Windows security and the overall security of the Internet.
We do not recommend blocking this endpoint.
If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.
| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| svchost | HTTP | ctldl.windowsupdate.com |
+|:--------------:|:--------:|:------------|
+| svchost | HTTP | ctldl.windowsupdate.com |
## Device authentication
@@ -178,7 +179,7 @@ The following endpoint is used to authenticate a device.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device will not be authenticated.
| Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
| | HTTPS | login.live.com/ppsecure |
## Device metadata
@@ -187,7 +188,7 @@ The following endpoint is used to retrieve device metadata.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata will not be updated for the device.
| Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
| | | dmd.metaservices.microsoft.com.akadns.net |
| | HTTP | dmd.metaservices.microsoft.com |
@@ -197,21 +198,21 @@ The following endpoint is used by the Connected User Experiences and Telemetry c
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
| Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
| svchost | | cy2.vortex.data.microsoft.com.akadns.net |
The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
| Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
| svchost | HTTPS | v10.vortex-win.data.microsoft.com/collect/v1 |
The following endpoints are used by Windows Error Reporting.
To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.
| Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
| wermgr | | watson.telemetry.microsoft.com |
| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net |
@@ -221,9 +222,9 @@ The following endpoints are used to download fonts on demand.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand.
| Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
| svchost | | fs.microsoft.com |
-| | | fs.microsoft.com/fs/windows/config.json |
+| | | fs.microsoft.com/fs/windows/config.json |
## Licensing
@@ -231,7 +232,7 @@ The following endpoint is used for online activation and some app licensing.
To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.
| Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content |
## Location
@@ -240,7 +241,7 @@ The following endpoint is used for location data.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data.
| Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
| | HTTP | location-inference-westus.cloudapp.net |
| | HTTPS | inference.location.live.net |
@@ -250,16 +251,16 @@ The following endpoint is used to check for updates to maps that have been downl
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated.
| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| svchost | HTTPS | *g.akamaiedge.net |
+|:--------------:|:--------:|:------------|
+| svchost | HTTPS | *g.akamaiedge.net |
## Microsoft account
-The following endpoints are used for Microsoft accounts to sign in.
+The following endpoints are used for Microsoft accounts to sign in.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts.
| Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
| | | login.msa.akadns6.net |
| | | login.live.com |
| | | account.live.com |
@@ -272,29 +273,29 @@ The following endpoint is used for the Windows Push Notification Services (WNS).
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.
| Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
| | HTTPS | *.wns.windows.com |
-The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.
+The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.
To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
| Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
| | HTTP | storecatalogrevocation.storequality.microsoft.com |
-The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps).
+The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps).
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
| Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net |
| backgroundtransferhost | HTTPS | store-images.microsoft.com |
-The following endpoints are used to communicate with Microsoft Store.
+The following endpoints are used to communicate with Microsoft Store.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
| Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
| | HTTP | storeedgefd.dsx.mp.microsoft.com |
| | HTTP \ HTTPS | pti.store.microsoft.com |
||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.|
@@ -302,48 +303,48 @@ If you [turn off traffic for these endpoints](manage-connections-from-windows-op
## Network Connection Status Indicator (NCSI)
-Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.
+Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.
| Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
| | HTTP | www.msftconnecttest.com/connecttest.txt |
## Office
-The following endpoints are used to connect to the Microsoft 365 admin center's shared infrastructure, including Office. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity).
+The following endpoints are used to connect to the Microsoft 365 admin center's shared infrastructure, including Office. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity).
You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | | *.a-msedge.net |
-| hxstr | | *.c-msedge.net |
+|:--------------:|:--------:|:------------|
+| | | *.a-msedge.net |
+| hxstr | | *.c-msedge.net |
| | | *.e-msedge.net |
| | | *.s-msedge.net |
| | HTTPS | ocos-office365-s2s.msedge.net |
| | HTTPS | nexusrules.officeapps.live.com |
| | HTTPS | officeclient.microsoft.com |
-The following endpoint is used to connect to the Microsoft 365 admin center's shared infrastructure, including Office. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity).
+The following endpoint is used to connect to the Microsoft 365 admin center's shared infrastructure, including Office. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity).
You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
| Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
| system32\Auth.Host.exe | HTTPS | outlook.office365.com |
The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
| Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net|
The following endpoint is used to connect the Office To-Do app to it's cloud service.
To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
| Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
| |HTTPS|to-do.microsoft.com|
## OneDrive
@@ -352,15 +353,15 @@ The following endpoint is a redirection service that’s used to automatically u
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work.
| Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction |
The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US).
To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates.
| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| onedrive | HTTPS | oneclient.sfx.ms |
+|:--------------:|:--------:|:------------|
+| onedrive | HTTPS | oneclient.sfx.ms |
## Settings
@@ -368,21 +369,21 @@ The following endpoint is used as a way for apps to dynamically update their con
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
| Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
| dmclient | | cy2.settings.data.microsoft.com.akadns.net |
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
| Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
| dmclient | HTTPS | settings.data.microsoft.com |
The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
| Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
| svchost | HTTPS | settings-win.data.microsoft.com |
## Skype
@@ -390,7 +391,7 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper
The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
| Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com |
| | HTTPS | browser.pipe.aria.microsoft.com |
| | | skypeecs-prod-usw-0-b.cloudapp.net |
@@ -401,14 +402,14 @@ The following endpoint is used for Windows Defender when Cloud-based Protection
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection. For a detailed list of Microsoft Defender Antivirus cloud service connections, see [Allow connections to the Microsoft Defender Antivirus cloud service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus#allow-connections-to-the-microsoft-defender-antivirus-cloud-service).
| Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
| | | wdcp.microsoft.com |
The following endpoints are used for Windows Defender definition updates.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated.
| Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
| | | definitionupdates.microsoft.com |
|MpCmdRun.exe|HTTPS|go.microsoft.com |
@@ -416,10 +417,10 @@ The following endpoints are used for Windows Defender Smartscreen reporting and
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender-smartscreen), Windows Defender Smartscreen notifications will no appear.
| Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
| | HTTPS | ars.smartscreen.microsoft.com |
| | HTTPS | unitedstates.smartscreen-prod.microsoft.com |
-| | | smartscreen-sn3p.smartscreen.microsoft.com |
+| | | smartscreen-sn3p.smartscreen.microsoft.com |
## Windows Spotlight
@@ -427,7 +428,7 @@ The following endpoints are used to retrieve Windows Spotlight metadata that des
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight).
| Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
| backgroundtaskhost | HTTPS | arc.msn.com |
| backgroundtaskhost | | g.msn.com.nsatc.net |
| |TLS v1.2| *.search.msn.com |
@@ -440,22 +441,22 @@ The following endpoint is used for Windows Update downloads of apps and OS updat
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.
| Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com |
-The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.
+The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system.
| Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
| svchost | HTTP | *.windowsupdate.com |
| svchost | HTTP | *.dl.delivery.mp.microsoft.com |
-The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store.
+The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store.
If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.
| Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
| svchost | HTTPS | *.update.microsoft.com |
| svchost | HTTPS | *.delivery.mp.microsoft.com |
@@ -467,7 +468,7 @@ The following endpoint is used for content regulation.
If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.
| Source process | Protocol | Destination |
-|----------------|----------|------------|
+|:--------------:|:--------:|:------------|
| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com |
@@ -478,7 +479,7 @@ The following endpoint is used by the Microsoft forward link redirection service
If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.
| Source process | Protocol | Destination |
-|----------------|----------|------------|
+|----------------|:--------:|------------|
|Various|HTTPS|go.microsoft.com|
## Other Windows 10 editions
@@ -496,4 +497,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
## Related links
- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
-- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune)
+- [Network endpoints for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/intune-endpoints)
diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md
index a2fffa2486..9aa743d944 100644
--- a/windows/privacy/manage-windows-1903-endpoints.md
+++ b/windows/privacy/manage-windows-1903-endpoints.md
@@ -187,6 +187,6 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
## Related links
- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
-- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune)
+- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/intune-endpoints)
diff --git a/windows/privacy/manage-windows-1909-endpoints.md b/windows/privacy/manage-windows-1909-endpoints.md
index ba34b2d47b..9fe2ca8cc1 100644
--- a/windows/privacy/manage-windows-1909-endpoints.md
+++ b/windows/privacy/manage-windows-1909-endpoints.md
@@ -73,7 +73,6 @@ The following methodology was used to derive these network endpoints:
||The following endpoints are used for location data. If you turn off traffic for this endpoint, apps cannot use location data.|TLS v1.2|inference.location.live.net|
|Maps|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps)|
||The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|HTTP|*maps.windows.com|
-|| The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTP|fs.microsoft.com*|
|Microsoft Account|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account)|
||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |TLS v1.2|*login.live.com|
|Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)|
@@ -138,4 +137,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
## Related links
- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
-- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune)
+- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/intune-endpoints)
diff --git a/windows/privacy/manage-windows-2004-endpoints.md b/windows/privacy/manage-windows-2004-endpoints.md
index 5c4ad7c28d..aea5913427 100644
--- a/windows/privacy/manage-windows-2004-endpoints.md
+++ b/windows/privacy/manage-windows-2004-endpoints.md
@@ -8,11 +8,11 @@ ms.sitesec: library
ms.localizationpriority: high
audience: ITPro
author: linque1
-ms.author: obezeajo
+ms.author: robsize
manager: robsize
ms.collection: M365-security-compliance
ms.topic: article
-ms.date: 6/9/2020
+ms.date: 10/22/2020
---
# Manage connection endpoints for Windows 10 Enterprise, version 2004
@@ -60,9 +60,8 @@ The following methodology was used to derive these network endpoints:
||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2|www.bing.com*|
|Device metadata|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)|
||The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.|HTTPS|dmd.metaservices.microsoft.com|
-|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
+|Diagnostic Data|The following endpoints are used by the Windows Diagnostic Data, Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
|||TLSv1.2|v10.events.data.microsoft.com|
-|||TLSv1.2|v20.events.data.microsoft.com|
||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|HTTPS|*.telecommand.telemetry.microsoft.com|
|||TLS v1.2|watson.*.microsoft.com|
|Font Streaming|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#6-font-streaming)|
@@ -114,6 +113,7 @@ The following methodology was used to derive these network endpoints:
|||HTTP|*.windowsupdate.com|
||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|HTTPS|*.delivery.mp.microsoft.com|
|||TLSv1.2|*.update.microsoft.com|
+||The following endpoint is used for compatibility database updates for Windows.|HTTP|adl.windows.com|
||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly.|TLSv1.2|tsfe.trafficshaping.dsp.mp.microsoft.com|
|Xbox Live|The following endpoint is used for Xbox Live.||[Learn how to turn off traffic to all of the following endpoint(s).]( manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
|||TLSv1.2|dlassets-ssl.xboxlive.com|
@@ -138,4 +138,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
## Related links
- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
-- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune)
+- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/intune-endpoints)
diff --git a/windows/privacy/manage-windows-20H2-endpoints.md b/windows/privacy/manage-windows-20H2-endpoints.md
new file mode 100644
index 0000000000..0d7d37c2fe
--- /dev/null
+++ b/windows/privacy/manage-windows-20H2-endpoints.md
@@ -0,0 +1,159 @@
+---
+title: Connection endpoints for Windows 10 Enterprise, version 20H2
+description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 20H2.
+keywords: privacy, manage connections to Microsoft, Windows 10
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: high
+audience: ITPro
+author: gental-giant
+ms.author: v-hakima
+manager: robsize
+ms.collection: M365-security-compliance
+ms.topic: article
+ms.date: 12/17/2020
+---
+
+# Manage connection endpoints for Windows 10 Enterprise, version 20H2
+
+**Applies to**
+
+- Windows 10 Enterprise, version 20H2
+
+Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
+
+- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
+- Connecting to email servers to send and receive email.
+- Connecting to the web for every day web browsing.
+- Connecting to the cloud to store and access backups.
+- Using your location to show a weather forecast.
+
+Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
+Where applicable, each endpoint covered in this topic includes a link to the specific details on how to control that traffic.
+
+The following methodology was used to derive these network endpoints:
+
+1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
+2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device).
+3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
+4. Compile reports on traffic going to public IP addresses.
+5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
+6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
+7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
+8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
+
+> [!NOTE]
+> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
+
+## Windows 10 20H2 Enterprise connection endpoints
+
+|Area|Description|Protocol|Destination|
+|----------------|----------|----------|------------|
+|Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
+||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com|
+||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net|
+||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net
+|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
+|||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com|
+|Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
+||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*|
+|||TLSv1.2/HTTPS/HTTP|fp.msedge.net|
+|||TLSv1.2|I-ring.msedge.net|
+|||HTTPS|s-ring.msedge.net|
+|Device authentication|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
+||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*|
+|Device metadata|The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)|
+|||HTTP|dmd.metaservices.microsoft.com|
+|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
+|||TLSv1.2/HTTPS/HTTP|v10.events.data.microsoft.com|
+|||TLSv1.2/HTTPS/HTTP|v20.events.data.microsoft.com|
+|||HTTP|www.microsoft.com|
+||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com|
+|||TLS v1.2/HTTPS/HTTP|watson.*.microsoft.com|
+|Font Streaming|The following endpoints are used to download fonts on demand. If you turn off traffic for these endpoints, you will not be able to download fonts on demand.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#6-font-streaming)|
+|||HTTPS|fs.microsoft.com|
+|Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#9-license-manager)|
+|||TLSv1.2/HTTPS/HTTP|licensing.mp.microsoft.com|
+|Maps|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps)|
+||The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|TLSv1.2/HTTPS/HTTP|maps.windows.com|
+|Microsoft Account|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account)|
+||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |TLSv1.2/HTTPS|login.live.com|
+|Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)|
+||This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com|
+||The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won’t be able to check for and apply new edge updates.|TLSv1.2/HTTPS/HTTP|msedge.api.cdp.microsoft.com|
+|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTP|go.microsoft.com|
+|Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
+||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net|
+||The following endpoint is needed to load the content in the Microsoft Store app.|HTTPS|livetileedge.dsx.mp.microsoft.com|
+||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|TLSv1.2/HTTPS|*.wns.windows.com|
+||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com|
+||The following endpoint is used to get Microsoft Store analytics.|HTTPS|manage.devcenter.microsoft.com|
+||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store.|TLSv1.2/HTTPS/HTTP|displaycatalog.mp.microsoft.com|
+|||HTTPS|pti.store.microsoft.com|
+|||HTTP|share.microsoft.com|
+||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com|
+|Network Connection Status Indicator (NCSI)|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi)|
+||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTPS|www.msftconnecttest.com*|
+|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
+|||HTTPS|www.office.com|
+|||HTTPS|blobs.officehome.msocdn.com|
+|||HTTPS|officehomeblobs.blob.core.windows.net|
+|||HTTPS|self.events.data.microsoft.com|
+|||TLSv1.2/HTTPS/HTTP|outlookmobile-office365-tas.msedge.net|
+|OneDrive|The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive)|
+|||TLSv1.2/HTTPS/HTTP|g.live.com|
+|||TLSv1.2/HTTPS/HTTP|oneclient.sfx.ms|
+|||HTTPS| logincdn.msauth.net|
+|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
+|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com|
+|||HTTPS|settings.data.microsoft.com|
+|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
+|||HTTPS/HTTP|*.pipe.aria.microsoft.com|
+|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com|
+|Teams|The following endpoint is used for Microsoft Teams application.||[Learn how to turn off traffic to all of the following endpoint(s).]( manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
+|||TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
+|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)|
+|||HTTPS/TLSv1.2|wdcp.microsoft.com|
+||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications will not appear.|HTTPS|*smartscreen-prod.microsoft.com|
+|||HTTPS/HTTP|checkappexec.microsoft.com|
+|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)|
+|||TLSv1.2/HTTPS/HTTP|arc.msn.com|
+|||HTTPS|ris.api.iris.microsoft.com|
+|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)|
+|||TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com|
+|||HTTP|emdl.ws.microsoft.com|
+||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com|
+|||HTTP|*.windowsupdate.com|
+||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com|
+|||TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
+||The following endpoint is used for compatibility database updates for Windows.|HTTPS|adl.windows.com|
+||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
+|Xbox Live|The following endpoint is used for Xbox Live.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
+|||HTTPS|dlassets-ssl.xboxlive.com|
+
+
+## Other Windows 10 editions
+
+To view endpoints for other versions of Windows 10 Enterprise, see:
+
+- [Manage connection endpoints for Windows 10, version 2004](manage-windows-2004-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
+
+To view endpoints for non-Enterprise Windows 10 editions, see:
+
+- [Windows 10, version 2004, connection endpoints for non-Enterprise editions](windows-endpoints-2004-non-enterprise-editions.md)
+- [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md)
+- [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md)
+- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md)
+- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
+- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
+
+## Related links
+
+- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
+- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/intune-endpoints)
diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
index da656fd6ef..2605b80713 100644
--- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
+++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
@@ -1,6 +1,6 @@
---
-description: Use this article to learn more about what required Windows diagnostic data is gathered.
-title: Windows 10, version 2004 required diagnostic events and fields (Windows 10)
+description: Use this article to learn more about what required Windows 10 version 2004 and version 20H2 diagnostic data is gathered.
+title: Windows 10, version 20H2 and Windows 10, version 2004 required diagnostic events and fields (Windows 10)
keywords: privacy, telemetry
ms.prod: w10
ms.mktglfcycl: manage
@@ -13,11 +13,11 @@ manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
audience: ITPro
-ms.date: 08/31/2020
+ms.date: 09/30/2020
---
-# Windows 10, version 2004 required Windows diagnostic events and fields
+# Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic events and fields
> [!IMPORTANT]
@@ -26,6 +26,7 @@ ms.date: 08/31/2020
**Applies to**
+- Windows 10, version 20H2
- Windows 10, version 2004
@@ -37,7 +38,6 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
-
- [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md)
@@ -61,10 +61,6 @@ The following fields are available:
- **DatasourceApplicationFile_19H1Setup** The count of the number of this particular object type present on this device.
- **DatasourceApplicationFile_20H1** The count of the number of this particular object type present on this device.
- **DatasourceApplicationFile_20H1Setup** The count of the number of this particular object type present on this device.
-- **DatasourceApplicationFile_21H1** The count of the number of this particular object type present on this device.
-- **DatasourceApplicationFile_21H1Setup** The count of the number of this particular object type present on this device.
-- **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers.
-- **DatasourceApplicationFile_RS2** An ID for the system, calculated by hashing hardware identifiers.
- **DatasourceApplicationFile_RS3** The count of the number of this particular object type present on this device.
- **DatasourceApplicationFile_RS4** The count of the number of this particular object type present on this device.
- **DatasourceApplicationFile_RS5** The count of the number of this particular object type present on this device.
@@ -74,8 +70,6 @@ The following fields are available:
- **DatasourceDevicePnp_19H1Setup** The count of the number of this particular object type present on this device.
- **DatasourceDevicePnp_20H1** The count of the number of this particular object type present on this device.
- **DatasourceDevicePnp_20H1Setup** The count of the number of this particular object type present on this device.
-- **DatasourceDevicePnp_21H1** The count of the number of this particular object type present on this device.
-- **DatasourceDevicePnp_21H1Setup** The count of the number of this particular object type present on this device.
- **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device.
- **DatasourceDevicePnp_RS2** The count of the number of this particular object type present on this device.
- **DatasourceDevicePnp_RS3** The count of the number of this particular object type present on this device.
@@ -89,8 +83,6 @@ The following fields are available:
- **DatasourceDriverPackage_19H1Setup** The count of the number of this particular object type present on this device.
- **DatasourceDriverPackage_20H1** The count of the number of this particular object type present on this device.
- **DatasourceDriverPackage_20H1Setup** The count of the number of this particular object type present on this device.
-- **DatasourceDriverPackage_21H1** The count of the number of this particular object type present on this device.
-- **DatasourceDriverPackage_21H1Setup** The count of the number of this particular object type present on this device.
- **DatasourceDriverPackage_RS1** The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device.
- **DatasourceDriverPackage_RS2** The total DataSourceDriverPackage objects targeting Windows 10, version 1703 on this device.
- **DatasourceDriverPackage_RS3** The count of the number of this particular object type present on this device.
@@ -104,8 +96,6 @@ The following fields are available:
- **DataSourceMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoBlock_20H1** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoBlock_20H1Setup** The count of the number of this particular object type present on this device.
-- **DataSourceMatchingInfoBlock_21H1** The count of the number of this particular object type present on this device.
-- **DataSourceMatchingInfoBlock_21H1Setup** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device.
- **DataSourceMatchingInfoBlock_RS2** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoBlock_RS3** The count of the number of this particular object type present on this device.
@@ -117,8 +107,6 @@ The following fields are available:
- **DataSourceMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPassive_20H1** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPassive_20H1Setup** The count of the number of this particular object type present on this device.
-- **DataSourceMatchingInfoPassive_21H1** The count of the number of this particular object type present on this device.
-- **DataSourceMatchingInfoPassive_21H1Setup** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device.
- **DataSourceMatchingInfoPassive_RS2** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPassive_RS3** The count of the number of this particular object type present on this device.
@@ -130,8 +118,6 @@ The following fields are available:
- **DataSourceMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPostUpgrade_20H1** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPostUpgrade_20H1Setup** The count of the number of this particular object type present on this device.
-- **DataSourceMatchingInfoPostUpgrade_21H1** The count of the number of this particular object type present on this device.
-- **DataSourceMatchingInfoPostUpgrade_21H1Setup** The count of the number of this particular object type present on this device.
- **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device.
- **DataSourceMatchingInfoPostUpgrade_RS2** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device.
- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device.
@@ -143,8 +129,6 @@ The following fields are available:
- **DatasourceSystemBios_19H1Setup** The count of the number of this particular object type present on this device.
- **DatasourceSystemBios_20H1** The count of the number of this particular object type present on this device.
- **DatasourceSystemBios_20H1Setup** The count of the number of this particular object type present on this device.
-- **DatasourceSystemBios_21H1** The count of the number of this particular object type present on this device.
-- **DatasourceSystemBios_21H1Setup** The count of the number of this particular object type present on this device.
- **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device.
- **DatasourceSystemBios_RS2** The total DatasourceSystemBios objects targeting Windows 10 version 1703 present on this device.
- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting Windows 10 version 1709 present on this device.
@@ -158,8 +142,6 @@ The following fields are available:
- **DecisionApplicationFile_19H1Setup** The count of the number of this particular object type present on this device.
- **DecisionApplicationFile_20H1** The count of the number of this particular object type present on this device.
- **DecisionApplicationFile_20H1Setup** The count of the number of this particular object type present on this device.
-- **DecisionApplicationFile_21H1** The count of the number of this particular object type present on this device.
-- **DecisionApplicationFile_21H1Setup** The count of the number of this particular object type present on this device.
- **DecisionApplicationFile_RS1** The count of the number of this particular object type present on this device.
- **DecisionApplicationFile_RS2** The count of the number of this particular object type present on this device.
- **DecisionApplicationFile_RS3** The count of the number of this particular object type present on this device.
@@ -171,8 +153,6 @@ The following fields are available:
- **DecisionDevicePnp_19H1Setup** The count of the number of this particular object type present on this device.
- **DecisionDevicePnp_20H1** The count of the number of this particular object type present on this device.
- **DecisionDevicePnp_20H1Setup** The count of the number of this particular object type present on this device.
-- **DecisionDevicePnp_21H1** The count of the number of this particular object type present on this device.
-- **DecisionDevicePnp_21H1Setup** The count of the number of this particular object type present on this device.
- **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device.
- **DecisionDevicePnp_RS2** The count of the number of this particular object type present on this device.
- **DecisionDevicePnp_RS3** The count of the number of this particular object type present on this device.
@@ -186,8 +166,6 @@ The following fields are available:
- **DecisionDriverPackage_19H1Setup** The count of the number of this particular object type present on this device.
- **DecisionDriverPackage_20H1** The count of the number of this particular object type present on this device.
- **DecisionDriverPackage_20H1Setup** The count of the number of this particular object type present on this device.
-- **DecisionDriverPackage_21H1** The count of the number of this particular object type present on this device.
-- **DecisionDriverPackage_21H1Setup** The count of the number of this particular object type present on this device.
- **DecisionDriverPackage_RS1** The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device.
- **DecisionDriverPackage_RS2** The count of the number of this particular object type present on this device.
- **DecisionDriverPackage_RS3** The count of the number of this particular object type present on this device.
@@ -201,8 +179,6 @@ The following fields are available:
- **DecisionMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoBlock_20H1** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoBlock_20H1Setup** The count of the number of this particular object type present on this device.
-- **DecisionMatchingInfoBlock_21H1** The count of the number of this particular object type present on this device.
-- **DecisionMatchingInfoBlock_21H1Setup** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device.
- **DecisionMatchingInfoBlock_RS2** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device.
- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1709 present on this device.
@@ -214,8 +190,6 @@ The following fields are available:
- **DecisionMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPassive_20H1** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPassive_20H1Setup** The count of the number of this particular object type present on this device.
-- **DecisionMatchingInfoPassive_21H1** The count of the number of this particular object type present on this device.
-- **DecisionMatchingInfoPassive_21H1Setup** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device.
- **DecisionMatchingInfoPassive_RS2** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1703 on this device.
- **DecisionMatchingInfoPassive_RS3** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1803 on this device.
@@ -227,8 +201,6 @@ The following fields are available:
- **DecisionMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPostUpgrade_20H1** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPostUpgrade_20H1Setup** The count of the number of this particular object type present on this device.
-- **DecisionMatchingInfoPostUpgrade_21H1** The count of the number of this particular object type present on this device.
-- **DecisionMatchingInfoPostUpgrade_21H1Setup** The count of the number of this particular object type present on this device.
- **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device.
- **DecisionMatchingInfoPostUpgrade_RS2** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 on this device.
- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1709 on this device.
@@ -240,8 +212,6 @@ The following fields are available:
- **DecisionMediaCenter_19H1Setup** The total DecisionMediaCenter objects targeting the next release of Windows on this device.
- **DecisionMediaCenter_20H1** The count of the number of this particular object type present on this device.
- **DecisionMediaCenter_20H1Setup** The count of the number of this particular object type present on this device.
-- **DecisionMediaCenter_21H1** The count of the number of this particular object type present on this device.
-- **DecisionMediaCenter_21H1Setup** The count of the number of this particular object type present on this device.
- **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device.
- **DecisionMediaCenter_RS2** The total DecisionMediaCenter objects targeting Windows 10 version 1703 present on this device.
- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting Windows 10 version 1709 present on this device.
@@ -253,8 +223,6 @@ The following fields are available:
- **DecisionSystemBios_19H1Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device.
- **DecisionSystemBios_20H1** The count of the number of this particular object type present on this device.
- **DecisionSystemBios_20H1Setup** The count of the number of this particular object type present on this device.
-- **DecisionSystemBios_21H1** The count of the number of this particular object type present on this device.
-- **DecisionSystemBios_21H1Setup** The count of the number of this particular object type present on this device.
- **DecisionSystemBios_RS1** The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device.
- **DecisionSystemBios_RS2** The total DecisionSystemBios objects targeting Windows 10 version 1703 on this device.
- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting Windows 10 version 1709 on this device.
@@ -265,8 +233,6 @@ The following fields are available:
- **DecisionSystemBios_TH1** The count of the number of this particular object type present on this device.
- **DecisionSystemBios_TH2** The count of the number of this particular object type present on this device.
- **DecisionTest_20H1Setup** The count of the number of this particular object type present on this device.
-- **DecisionTest_21H1** The count of the number of this particular object type present on this device.
-- **DecisionTest_21H1Setup** The count of the number of this particular object type present on this device.
- **InventoryApplicationFile** The count of the number of this particular object type present on this device.
- **InventoryLanguagePack** The count of the number of this particular object type present on this device.
- **InventoryMediaCenter** The count of the number of this particular object type present on this device.
@@ -288,8 +254,6 @@ The following fields are available:
- **Wmdrm_19H1Setup** The total Wmdrm objects targeting the next release of Windows on this device.
- **Wmdrm_20H1** The count of the number of this particular object type present on this device.
- **Wmdrm_20H1Setup** The total Wmdrm objects targeting the next release of Windows on this device.
-- **Wmdrm_21H1** The count of the number of this particular object type present on this device.
-- **Wmdrm_21H1Setup** The count of the number of this particular object type present on this device.
- **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers.
- **Wmdrm_RS2** An ID for the system, calculated by hashing hardware identifiers.
- **Wmdrm_RS3** An ID for the system, calculated by hashing hardware identifiers.
@@ -1166,14 +1130,6 @@ The following fields are available:
- **PrefetchWSupport** Does the processor support PrefetchW?
-### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWEndSync
-
-Deprecated in RS3. This event indicates that a full set of SystemProcessorPrefetchWAdd events has been sent. The data collected with this event is used to help keep Windows up to date.
-
-This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
-
-
-
### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync
This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
@@ -1257,14 +1213,6 @@ The following fields are available:
- **RegistryWimBootValue** The raw value from the registry that is used to indicate if the device is running from a WIM.
-### Microsoft.Windows.Appraiser.General.SystemWimEndSync
-
-Deprecated in RS3. This event indicates that a full set of SystemWimAdd events has been sent. The data collected with this event is used to help keep Windows up to date.
-
-This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
-
-
-
### Microsoft.Windows.Appraiser.General.SystemWimStartSync
This event indicates that a new set of SystemWimAdd events will be sent. The data collected with this event is used to help keep Windows up to date.
@@ -1411,7 +1359,7 @@ The following fields are available:
### MicArrayGeometry
-This event provides information about the layout of the individual microphone elements in the microphone array.
+This event provides information about the layout of the individual microphone elements in the microphone array. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -1654,7 +1602,7 @@ The following fields are available:
- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store.
- **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine.
- **OSEdition** Retrieves the version of the current OS.
-- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc
+- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc.
- **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC).
- **OSSKU** Retrieves the Friendly Name of OS Edition.
- **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines.
@@ -1802,7 +1750,7 @@ This event sends data about the current user's default preferences for browser a
The following fields are available:
- **CalendarType** The calendar identifiers that are used to specify different calendars.
-- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf.
+- **DefaultApp** The current user's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf.
- **DefaultBrowserProgId** The ProgramId of the current user's default browser.
- **LocaleName** Name of the current user locale given by LOCALE_SNAME via the GetLocaleInfoEx() function.
- **LongDateFormat** The long date format the user has selected.
@@ -2005,7 +1953,6 @@ The following fields are available:
- **ext_app** Describes the properties of the running application. This extension could be populated by either a client app or a web app. See [Common Data Extensions.app](#common-data-extensionsapp).
- **ext_container** Describes the properties of the container for events logged within a container. See [Common Data Extensions.container](#common-data-extensionscontainer).
- **ext_device** Describes the device-related fields. See [Common Data Extensions.device](#common-data-extensionsdevice).
-- **ext_m365a** Describes the Microsoft 365-related fields. See [Common Data Extensions.m365a](#common-data-extensionsm365a).
- **ext_mscv** Describes the correlation vector-related fields. See [Common Data Extensions.mscv](#common-data-extensionsmscv).
- **ext_os** Describes the operating system properties that would be populated by the client. See [Common Data Extensions.os](#common-data-extensionsos).
- **ext_sdk** Describes the fields related to a platform library required for a specific SDK. See [Common Data Extensions.sdk](#common-data-extensionssdk).
@@ -2017,14 +1964,6 @@ The following fields are available:
- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format.
- **ver** Represents the major and minor version of the extension.
-### Common Data Extensions.m365a
-
-Describes the Microsoft 365-related fields.
-
-The following fields are available:
-
-- **enrolledTenantId** The enrolled tenant ID.
-- **msp** A bitmask that lists the active programs.
### Common Data Extensions.mscv
@@ -2123,7 +2062,7 @@ The following fields are available:
- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts.
- **xid** A list of base10-encoded XBOX User IDs.
-## Common Data Fields
+## Common data fields
### Ms.Device.DeviceInventoryChange
@@ -2131,11 +2070,10 @@ Describes the installation state for all hardware and software components availa
The following fields are available:
-- **action** The change that was invoked on a device inventory object.
-- **inventoryId** Device ID used for Compatibility testing
-- **objectInstanceId** Object identity which is unique within the device scope.
-- **objectType** Indicates the object type that the event applies to.
-- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object.
+- **action** The change that was invoked on a device inventory object.
+- **inventoryId** Device ID used for Compatibility testing
+- **objectInstanceId** Object identity which is unique within the device scope.
+- **objectType** Indicates the object type that the event applies to.
## Component-based servicing events
@@ -3167,6 +3105,7 @@ The following fields are available:
- **Categories** A comma separated list of functional categories in which the container belongs.
- **DiscoveryMethod** The discovery method for the device container.
- **FriendlyName** The name of the device container.
+- **Icon** Deprecated in RS3. The path or index to the icon file.
- **InventoryVersion** The version of the inventory file generating the events.
- **IsActive** Is the device connected, or has it been seen in the last 14 days?
- **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link.
@@ -3851,6 +3790,14 @@ The following fields are available:
- **IndicatorValue** The indicator value.
+### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove
+
+This event indicates that this particular data object represented by the objectInstanceId is no longer present. This event is used to understand the OS indicators installed on the system. The data collected with this event helps ensure the device is current and Windows is up to date and performing properly.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+
+
### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync
This event indicates that this particular data object represented by the objectInstanceId is no longer present. This event is used to understand the OS indicators installed on the system. The data collected with this event helps ensure the device is current and Windows is up to date and performing properly.
@@ -4378,32 +4325,6 @@ The following fields are available:
- **totalRuns** Total number of running/evaluation from last time.
-## Windows Admin Center events
-
-### Microsoft.ServerManagementExperience.Gateway.Service.GatewayStatus
-
-A periodic event that describes Windows Admin Center gateway app's version and other inventory and configuration parameters.
-
-The following fields are available:
-
-- **activeNodesByNodeId** A count of how many active nodes are on this gateway, deduplicated by Node ID.
-- **activeNodesByUuid** A count of how many active nodes are on this gateway, deduplicated by UUID.
-- **AvailableMemoryMByte** A snapshot of the available physical memory on the OS.
-- **azureADAppRegistered** If the gateway is registered with an Azure Active Directory.
-- **azureADAuthEnabled** If the gateway has enabled authentication using Azure Active Directory.
-- **friendlyOsName** A user-friendly name describing the OS version.
-- **gatewayCpuUtilizationPercent** A snapshot of CPU usage on the OS.
-- **gatewayVersion** The version string for this currently running Gateway application.
-- **gatewayWorkingSetMByte** A snapshot of the working set size of the gateway process.
-- **installationType** Identifies if the gateway was installed as a VM extension.
-- **installedDate** The date on which this gateway was installed.
-- **logicalProcessorCount** A snapshot of the how many logical processors the machine running this gateway has.
-- **otherProperties** This is an empty string, but may be used for another purpose in the future.
-- **registeredNodesByNodeId** A count of how many nodes are registered with this gateway, deduplicated by Node ID.
-- **registeredNodesByUuid** A count of how many nodes are registered with this gateway, deduplicated by UUID..
-- **totalCpuUtilizationPercent** A snapshot of the total CPU utilization of the machine running this gateway.
-
-
## Privacy consent logging events
### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted
@@ -5238,6 +5159,18 @@ The following fields are available:
- **UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku** The result code from checking whether a device is Home SKU.
+### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsCachedNotificationRetrieved
+
+This event is sent when a notification is received. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CV** A correlation vector.
+- **GlobalEventCounter** This is a client side counter that indicates ordering of events sent by the user.
+- **PackageVersion** The package version of the label.
+- **UpdateHealthToolsBlobNotificationNotEmpty** A boolean that is true if the blob notification has valid content.
+
+
### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsDeviceInformationUploaded
This event is received when the UpdateHealthTools service uploads device information. The data collected with this event is used to help keep Windows secure and up to date.
@@ -5308,6 +5241,24 @@ The following fields are available:
- **UpdateHealthToolsPushCurrentStep** The current step for the push notification
+### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceBlobDocumentDetails
+
+The event indicates the details about the blob used for update health tools. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CV** A correlation vector.
+- **GlobalEventCounter** This is a client side counter which indicates ordering of events sent by the user.
+- **PackageVersion** The package version of the label.
+- **UpdateHealthToolsDevicePolicyFileName** The default name of the policy blob file.
+- **UpdateHealthToolsDssDeviceApiSegment** The URI segment for reading the DSS device pointer.
+- **UpdateHealthToolsDssDeviceId** The AAD ID of the device used to create the device ID hash.
+- **UpdateHealthToolsDssDevicePolicyApiSegment** The segment of the device policy API pointer.
+- **UpdateHealthToolsDssTenantId** The tenant id of the device used to create the tenant id hash.
+- **UpdateHealthToolsHashedDeviceId** The SHA256 hash of the device id.
+- **UpdateHealthToolsHashedTenantId** The SHA256 hash of the device tenant id.
+
+
### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceBlockedByNoAADJoin
This event indicates that the device is not AAD joined so service stops. The data collected with this event is used to help keep Windows secure and up to date.
@@ -5319,6 +5270,17 @@ The following fields are available:
- **PackageVersion** Current package version of UpdateHealthTools.
+### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceIsDSSJoin
+
+This event is sent when a device has been detected as DSS device. The data collected with this event is used to help keep Windows secure and up to date.
+
+The following fields are available:
+
+- **CV** A correlation vector.
+- **GlobalEventCounter** This is a client side counter which indicates ordering of events sent by this user.
+- **PackageVersion** The package version of the label.
+
+
### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceStarted
This event is sent when the service first starts. It is a heartbeat indicating that the service is available on the device. The data collected with this event is used to help keep Windows secure and up to date.
@@ -5955,6 +5917,32 @@ The following fields are available:
- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
+## Windows Admin Center events
+
+### Microsoft.ServerManagementExperience.Gateway.Service.GatewayStatus
+
+A periodic event that describes Windows Admin Center gateway app's version and other inventory and configuration parameters.
+
+The following fields are available:
+
+- **activeNodesByNodeId** A count of how many active nodes are on this gateway, deduplicated by Node ID.
+- **activeNodesByUuid** A count of how many active nodes are on this gateway, deduplicated by UUID.
+- **AvailableMemoryMByte** A snapshot of the available physical memory on the OS.
+- **azureADAppRegistered** If the gateway is registered with an Azure Active Directory.
+- **azureADAuthEnabled** If the gateway has enabled authentication using Azure Active Directory.
+- **friendlyOsName** A user-friendly name describing the OS version.
+- **gatewayCpuUtilizationPercent** A snapshot of CPU usage on the OS.
+- **gatewayVersion** The version string for this currently running Gateway application.
+- **gatewayWorkingSetMByte** A snapshot of the working set size of the gateway process.
+- **installationType** Identifies if the gateway was installed as a VM extension.
+- **installedDate** The date on which this gateway was installed.
+- **logicalProcessorCount** A snapshot of the how many logical processors the machine running this gateway has.
+- **otherProperties** This is an empty string, but may be used for another purpose in the future.
+- **registeredNodesByNodeId** A count of how many nodes are registered with this gateway, deduplicated by Node ID.
+- **registeredNodesByUuid** A count of how many nodes are registered with this gateway, deduplicated by UUID.
+- **totalCpuUtilizationPercent** A snapshot of the total CPU utilization of the machine running this gateway.
+
+
## Windows as a Service diagnostic events
### Microsoft.Windows.WaaSMedic.DetectionFailed
@@ -6028,7 +6016,7 @@ The following fields are available:
### Microsoft.Windows.Sense.Client.PerformanceScript.OnboardingScript
-This event is triggered whenever WDATP onboarding script is run. The data collected with this event is used to keep Windows performing properly.
+This event is triggered whenever Microsoft Defender for Endpoint onboarding script is run. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -6929,29 +6917,6 @@ The following fields are available:
- **updateId** ID of the update that is getting installed with this restart.
- **wuDeviceid** Unique device ID used by Windows Update.
-### wilActivity
-
-This event provides a Windows Internal Library context used for Product and Service diagnostics.
-
-The following fields are available:
-
-- **callContext** The function where the failure occurred.
-- **currentContextId** The ID of the current call context where the failure occurred.
-- **currentContextMessage** The message of the current call context where the failure occurred.
-- **currentContextName** The name of the current call context where the failure occurred.
-- **failureCount** The number of failures for this failure ID.
-- **failureId** The ID of the failure that occurred.
-- **failureType** The type of the failure that occurred.
-- **fileName** The file name where the failure occurred.
-- **function** The function where the failure occurred.
-- **hresult** The HResult of the overall activity.
-- **lineNumber** The line number where the failure occurred.
-- **message** The message of the failure that occurred.
-- **module** The module where the failure occurred.
-- **originatingContextId** The ID of the originating call context that resulted in the failure.
-- **originatingContextMessage** The message of the originating call context that resulted in the failure.
-- **originatingContextName** The name of the originating call context that resulted in the failure.
-- **threadId** The ID of the thread on which the activity is executing.
### Microsoft.Windows.Update.Orchestrator.ActivityError
@@ -7358,6 +7323,29 @@ The following fields are available:
- **UpdateId** Unique ID for each Update.
- **WuId** Unique ID for the Windows Update client.
+### wilActivity
+
+This event provides a Windows Internal Library context used for Product and Service diagnostics. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **callContext** The function where the failure occurred.
+- **currentContextId** The ID of the current call context where the failure occurred.
+- **currentContextMessage** The message of the current call context where the failure occurred.
+- **currentContextName** The name of the current call context where the failure occurred.
+- **failureCount** The number of failures for this failure ID.
+- **failureId** The ID of the failure that occurred.
+- **failureType** The type of the failure that occurred.
+- **fileName** The file name where the failure occurred.
+- **function** The function where the failure occurred.
+- **hresult** The HResult of the overall activity.
+- **lineNumber** The line number where the failure occurred.
+- **message** The message of the failure that occurred.
+- **module** The module where the failure occurred.
+- **originatingContextId** The ID of the originating call context that resulted in the failure.
+- **originatingContextMessage** The message of the originating call context that resulted in the failure.
+- **originatingContextName** The name of the originating call context that resulted in the failure.
+- **threadId** The ID of the thread on which the activity is executing.
## Windows Update Reserve Manager events
@@ -7532,8 +7520,6 @@ The following fields are available:
This event signals the completion of the setup process. It happens only once during the first logon.
-
-
## XDE events
### Microsoft.Emulator.Xde.RunTime.SystemReady
@@ -7584,3 +7570,6 @@ The following fields are available:
- **virtualMachineName** VM name.
- **waitForClientConnection** True if we should wait for client connection.
- **wp81NetworkStackDisabled** WP 8.1 networking stack disabled.
+
+
+
diff --git a/windows/privacy/toc.yml b/windows/privacy/toc.yml
index 6d801ea292..52a6ddd6da 100644
--- a/windows/privacy/toc.yml
+++ b/windows/privacy/toc.yml
@@ -15,9 +15,9 @@
href: Microsoft-DiagnosticDataViewer.md
- name: Required Windows diagnostic data events and fields
items:
- - name: Windows 10, version 2004 required Windows diagnostic data events and fields
+ - name: Windows 10, version 20H2 and Windows 10, version 2004 required Windows diagnostic data events and fields
href: required-windows-diagnostic-data-events-and-fields-2004.md
- - name: Windows 10, version 1903 and Windows 10, version 1909 required level Windows diagnostic events and fields
+ - name: Windows 10, version 1909 and Windows 10, version 1903 required level Windows diagnostic events and fields
href: basic-level-windows-diagnostic-events-and-fields-1903.md
- name: Windows 10, version 1809 required Windows diagnostic events and fields
href: basic-level-windows-diagnostic-events-and-fields-1809.md
@@ -41,6 +41,8 @@
href: manage-connections-from-windows-operating-system-components-to-microsoft-services.md
- name: Manage connections from Windows operating system components to Microsoft services using MDM
href: manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
+ - name: Connection endpoints for Windows 10, version 20H2
+ href: manage-windows-20H2-endpoints.md
- name: Connection endpoints for Windows 10, version 2004
href: manage-windows-2004-endpoints.md
- name: Connection endpoints for Windows 10, version 1909
@@ -53,6 +55,8 @@
href: manage-windows-1803-endpoints.md
- name: Connection endpoints for Windows 10, version 1709
href: manage-windows-1709-endpoints.md
+ - name: Connection endpoints for non-Enterprise editions of Windows 10, version 20H2
+ href: windows-endpoints-20H2-non-enterprise-editions.md
- name: Connection endpoints for non-Enterprise editions of Windows 10, version 2004
href: windows-endpoints-2004-non-enterprise-editions.md
- name: Connection endpoints for non-Enterprise editions of Windows 10, version 1909
diff --git a/windows/privacy/windows-diagnostic-data-1703.md b/windows/privacy/windows-diagnostic-data-1703.md
index ef7ec52739..ffa7858d15 100644
--- a/windows/privacy/windows-diagnostic-data-1703.md
+++ b/windows/privacy/windows-diagnostic-data-1703.md
@@ -42,7 +42,7 @@ Most diagnostic events contain a header of common data:
| Category Name | Examples |
| - | - |
-| Common Data | Information that is added to most diagnostic events, if relevant and available:
|
+| Common Data | Information that is added to most diagnostic events, if relevant and available:
|
## Device, Connectivity, and Configuration data
@@ -50,38 +50,38 @@ This type of data includes details about the device, its configuration and conne
| Category Name | Examples |
| - | - |
-| Device properties | Information about the OS and device hardware, such as:
|
-| Device capabilities | Information about the specific device capabilities such as:
|
-| Device preferences and settings | Information about the device settings and user preferences such as:
|
-| Device peripherals | Information about the device peripherals such as:
|
-| Device network info | Information about the device network configuration such as:
+| Device properties | Information about the OS and device hardware, such as:
|
+| Device capabilities | Information about the specific device capabilities such as:
|
+| Device preferences and settings | Information about the device settings and user preferences such as:
|
+| Device peripherals | Information about the device peripherals such as:
|
+| Device network info | Information about the device network configuration such as:
## Product and Service Usage data
-This type of data includes details about the usage of the device, operating system, applications and services.
+This type of data includes details about the usage of the device, operating system, applications, and services.
| Category Name | Examples |
| - | - |
-| App usage | Information about Windows and application usage such as:
|
-| App or product state | Information about Windows and application state such as:
|
+| App usage | Information about Windows and application usage such as:
|
+| App or product state | Information about Windows and application state such as:
|
| Login properties |
|
## Product and Service Performance data
-This type of data includes details about the health of the device, operating system, apps and drivers.
+This type of data includes details about the health of the device, operating system, apps, and drivers.
| Category Name | Description and Examples |
| - | - |
-|Device health and crash data | Information about the device and software health such as:
|
-|Device performance and reliability data | Information about the device and software performance such as:
|
-|Movies|Information about movie consumption functionality on the device. This isn't intended to capture user viewing, listening or habits.
|
-|On-device file query | Information about local search activity on the device such as:
|
-|Reading|Information about reading consumption functionality on the device. This isn't intended to capture user viewing, listening or habits.
|
-|Photos App|Information about photos usage on the device. This isn't intended to capture user viewing, listening or habits.
|
-|Purchasing| Information about purchases made on the device such as:
|
-|Entitlements | Information about entitlements on the device such as:
|
+|Device health and crash data | Information about the device and software health such as:
|
+|Device performance and reliability data | Information about the device and software performance such as:
|
+|Movies|Information about movie consumption functionality on the device. This information isn't intended to capture user viewing, listening, or habits.
|
+|On-device file query | Information about local search activity on the device such as:
|
+|Reading|Information about reading consumption functionality on the device. This information isn't intended to capture user viewing, listening, or habits.
|
+|Photos App|Information about photos usage on the device. This information isn't intended to capture user viewing, listening, or habits.
|
+|Purchasing| Information about purchases made on the device such as:
|
+|Entitlements | Information about entitlements on the device such as:
|
## Software Setup and Inventory data
@@ -90,7 +90,7 @@ This type of data includes software installation and update information on the d
| Category Name | Data Examples |
| - | - |
| Installed Applications and Install History | Information about apps, drivers, update packages, or OS components installed on the device such as:
|
-| Device update information | Information about Windows Update such as:
+| Device update information | Information about Windows Update such as:
## Browsing History data
@@ -98,7 +98,7 @@ This type of data includes details about web browsing in the Microsoft browsers.
| Category Name | Description and Examples |
| - | - |
-| Microsoft browser data | Information about Address bar and search box performance on the device such as:
|
+| Microsoft browser data | Information about Address bar and search box performance on the device such as:
|
## Inking Typing and Speech Utterance data
@@ -107,4 +107,4 @@ This type of data gathers details about the voice, inking, and typing input feat
| Category Name | Description and Examples |
| - | - |
-| Voice, inking, and typing | Information about voice, inking and typing features such as:
|
+| Voice, inking, and typing | Information about voice, inking, and typing features such as:
|
diff --git a/windows/privacy/windows-diagnostic-data.md b/windows/privacy/windows-diagnostic-data.md
index 153c7ca114..2fc94568eb 100644
--- a/windows/privacy/windows-diagnostic-data.md
+++ b/windows/privacy/windows-diagnostic-data.md
@@ -12,22 +12,23 @@ ms.author: dansimp
manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
-ms.date: 12/04/2019
ms.reviewer:
---
# Windows 10, version 1709 and newer optional diagnostic data
Applies to:
+- Windows 10, version 20H2
+- Windows 10, version 2004
- Windows 10, version 1909
- Windows 10, version 1903
- Windows 10, version 1809
- Windows 10, version 1803
- Windows 10, version 1709
-Microsoft uses Windows diagnostic data to keep Windows secure and up-to-date, troubleshoot problems, and make product improvements. For users who have turned on "Tailored experiences", it can also be used to offer you personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. This article describes all types of diagnostic data collected by Windows at the Full level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 2004 required diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields).
+Microsoft uses Windows diagnostic data to keep Windows secure and up-to-date, troubleshoot problems, and make product improvements. For users who have turned on "Tailored experiences", it can also be used to offer you personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. This article describes all types of diagnostic data collected by Windows at the Full level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 20H2 required diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields).
-In addition, this article provides references to equivalent definitions for the data types and examples from [ISO/IEC 19944:2017 Information technology -- Cloud computing -- Cloud services and devices: Data flow, data categories and data use](https://www.iso.org/standard/66674.html). Each data type also has a Data Use statement, for diagnostics and for Tailored experiences on the device, using the terms as defined by the standard. These Data Use statements define the purposes for which Microsoft processes each type of Windows diagnostic data, using a uniform set of definitions referenced at the end of this document and based on the ISO standard. Reference to the ISO standard provides additional clarity about the information collected, and allows easy comparison with other services or guidance that also references the standard.
+In addition, this article provides references to equivalent definitions for the data types and examples from [ISO/IEC 19944:2017 Information technology - Cloud computing - Cloud services and devices: Data flow, data categories, and data use](https://www.iso.org/standard/66674.html). Each data type also has a Data Use statement, for diagnostics and for Tailored experiences on the device, using the terms as defined by the standard. These Data Use statements define the purposes for which Microsoft processes each type of Windows diagnostic data, using a uniform set of definitions referenced at the end of this document and based on the ISO standard. Reference to the ISO standard provides additional clarity about the information collected, and allows easy comparison with other services or guidance that also references the standard.
The data covered in this article is grouped into the following types:
@@ -51,21 +52,21 @@ Header data supports the use of data associated with all diagnostic events. Ther
Information that is added to most diagnostic events, if relevant and available:
-- Diagnostic level -- Basic or Full, Sample level -- for sampled data, what sample level is this device opted into (8.2.3.2.4 Observed Usage of the Service Capability)
+- Diagnostic level - Basic or Full, Sample level - for sampled data, what sample level is this device opted into (8.2.3.2.4 Observed Usage of the Service Capability)
- Operating system name, version, build, and locale (8.2.3.2.2 Telemetry data)
- Event collection time (8.2.3.2.2 Telemetry data)
-- User ID -- a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic - diagnostic data (8.2.5 Account data)
+- User ID - a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic - diagnostic data (8.2.5 Account data)
- Xbox UserID (8.2.5 Account data)
-- Device ID -- This is not the user provided device name, but an ID that is unique for that device. (8.2.3.2.3 Connectivity data)
-- Device class -- Desktop, Server, or Mobile (8.2.3.2.3 Connectivity data)
-- Environment from which the event was logged -- Application ID of app or component that logged the event, Session GUID. Used to track events over a given period of time, such as the amount of time an app is running or between boots of the operating system (8.2.4 Cloud service provider data)
+- Device ID - This ID is not the user provided device name, but an ID that is unique for that device. (8.2.3.2.3 Connectivity data)
+- Device class - Desktop, Server, or Mobile (8.2.3.2.3 Connectivity data)
+- Environment from which the event was logged - Application ID of app or component that logged the event, Session GUID. Used to track events over a given period of time, such as the amount of time an app is running or between boots of the operating system (8.2.4 Cloud service provider data)
- Diagnostic event name, Event ID, ETW opcode, version, schema signature, keywords, and flags (8.2.4 Cloud service provider data)
- HTTP header information, including the IP address. This IP address is the source address that’s provided by the network packet header and received by the diagnostics ingestion service (8.2.4 Cloud service provider data)
- Various IDs that are used to correlate and sequence related events together (8.2.4 Cloud service provider data)
## Device, Connectivity, and Configuration data
-This type of data includes details about the device, its configuration and connectivity capabilities, and status. Device, Connectivity, and Configuration Data is equivalent to ISO/IEC 19944:2017, 8.2.3.2.3 Connectivity data.
+This type of data includes details about the device, its configuration and connectivity capabilities, and status. Device, Connectivity, and Configuration data is equivalent to ISO/IEC 19944:2017, 8.2.3.2.3 Connectivity data.
### Data Use for Device, Connectivity, and Configuration data
@@ -87,41 +88,41 @@ If a user has enabled Tailored experiences on the device, [Pseudonymized](#pseud
- Data about device properties and capabilities is used to provide tips about how to use or configure the device to get the best performance and user experience.
-- Data about device capabilities, such as whether the device is pen-enabled, is used to recommend (Microsoft and third-party) apps that are appropriate for the device. These may be free or paid apps.
+- Data about device capabilities, such as whether the device is pen-enabled, is used to recommend (Microsoft and third-party) apps that are appropriate for the device. These apps might be free or paid.
### Data Description for Device, Connectivity, and Configuration data type
-**Device properties sub-type:** Information about the operating system and device hardware
+**Device properties subtype:** Information about the operating system and device hardware
- Operating system - version name, edition
- Installation type, subscription status, and genuine operating system status
- Processor architecture, speed, number of cores, manufacturer, and model
-- OEM details --manufacturer, model, and serial number
+- OEM details - manufacturer, model, and serial number
- Device identifier and Xbox serial number
-- Firmware/BIOS operating system -- type, manufacturer, model, and version
-- Memory -- total memory, video memory, speed, and how much memory is available after the device has reserved memory
-- Storage -- total capacity and disk type
-- Battery -- charge capacity and InstantOn support
+- Firmware/BIOS operating system - type, manufacturer, model, and version
+- Memory - total memory, video memory, speed, and how much memory is available after the device has reserved memory
+- Storage - total capacity and disk type
+- Battery - charge capacity and InstantOn support
- Hardware chassis type, color, and form factor
-- Is this a virtual machine?
+- Is this machine a virtual machine?
-**Device capabilities sub-type:** Information about the capabilities of the device
+**Device capabilities subtype:** Information about the capabilities of the device
-- Camera -- whether the device has a front facing camera, a rear facing camera, or both.
-- Touch screen -- Whether the device has a touch screen? If yes, how many hardware touch points are supported?
-- Processor capabilities -- CompareExchange128, LahfSahf, NX, PrefetchW, and SSE2
-- Trusted Platform Module (TPM) -- whether a TPM exists and if yes, what version
-- Virtualization hardware -- whether an IOMMU exists, whether it includes SLAT support, and whether virtualization is enabled in the firmware
-- Voice -- whether voice interaction is supported and the number of active microphones
+- Camera - whether the device has a front facing camera, a rear facing camera, or both.
+- Touch screen - Does the device have a touch screen? If yes, how many hardware touch points are supported?
+- Processor capabilities - CompareExchange128, LahfSahf, NX, PrefetchW, and SSE2
+- Trusted Platform Module (TPM) - whether a TPM exists and if yes, what version
+- Virtualization hardware - whether an IOMMU exists, whether it includes SLAT support, and whether virtualization is enabled in the firmware
+- Voice - whether voice interaction is supported and the number of active microphones
- Number of displays, resolutions, and DPI
- Wireless capabilities
- OEM or platform face detection
- OEM or platform video stabilization and quality-level set
- Advanced Camera Capture mode (HDR versus Low Light), OEM versus platform implementation, HDR probability, and Low Light probability
-**Device preferences and settings sub-type:** Information about the device settings and user preferences
+**Device preferences and settings subtype:** Information about the device settings and user preferences
-- User Settings -- System, Device, Network & Internet, Personalization, Cortana, Apps, Accounts, Time & Language, Gaming, Ease of Access, Privacy, Update & Security
+- User Settings - System, Device, Network & Internet, Personalization, Cortana, Apps, Accounts, Time & Language, Gaming, Ease of Access, Privacy, Update & Security
- User-provided device name
- Whether device is domain-joined, or cloud-domain joined (for example, part of a company-managed network)
- Hashed representation of the domain name
@@ -135,7 +136,7 @@ If a user has enabled Tailored experiences on the device, [Pseudonymized](#pseud
- App store update settings
- Enterprise OrganizationID, Commercial ID
-**Device peripherals sub-type:** Information about the peripherals of the device
+**Device peripherals subtype:** Information about the peripherals of the device
- Peripheral name, device model, class, manufacturer, and description
- Peripheral device state, install state, and checksum
@@ -144,7 +145,7 @@ If a user has enabled Tailored experiences on the device, [Pseudonymized](#pseud
- Driver state, problem code, and checksum
- Whether driver is kernel mode, signed, and image size
-**Device network info sub-type:** Information about the device network configuration
+**Device network info subtype:** Information about the device network configuration
- Network system capabilities
- Local or Internet connectivity status
@@ -169,7 +170,7 @@ If a user has enabled Tailored experiences on the device, [Pseudonymized](#pseud
- Mobile Equipment ID (IMEI) and Mobile Country Code (MCCO)
- Mobile operator and service provider name
- Available SSIDs and BSSIDs
-- IP Address type -- IPv4 or IPv6
+- IP Address type - IPv4 or IPv6
- Signal Quality percentage and changes
- Hotspot presence detection and success rate
- TCP connection performance
@@ -177,7 +178,7 @@ If a user has enabled Tailored experiences on the device, [Pseudonymized](#pseud
- Hashed IP address
## Product and Service Usage data
-This type of data includes details about the usage of the device, operating system, applications and services. Product and Service Usage data is equivalent to ISO/IEC 19944:2017, 8.2.3.2.4 Observed Usage of the Service Capability.
+This type of data includes details about the usage of the device, operating system, applications, and services. Product and Service Usage data is equivalent to ISO/IEC 19944:2017, 8.2.3.2.4 Observed Usage of the Service Capability.
### Data Use for Product and Service Usage data
@@ -194,16 +195,16 @@ This type of data includes details about the usage of the device, operating syst
**With (optional) Tailored experiences:**
If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Usage data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Usage data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example:
-- If data shows that a user has not used a particular feature of Windows, we may recommend that the user try that feature.
-- Data about which apps are most-used on a device is used to provide recommendations for similar or complementary (Microsoft or third-party) apps. These may be free or paid apps.
+- If data shows that a user has not used a particular feature of Windows, we might recommend that the user try that feature.
+- Data about which apps are most-used on a device is used to provide recommendations for similar or complementary (Microsoft or third-party) apps. These apps might be free or paid.
### Data Description for Product and Service Usage data type
-**App usage sub-type:** Information about Windows and application usage
+**App usage subtype:** Information about Windows and application usage
- Operating system component and app feature usage
-- User navigation and interaction with app and Windows features. This could potentially include user input, such as name of a new alarm set, user menu choices, or user favorites
+- User navigation and interaction with app and Windows features. This information could include user input, such as the name of a new alarm set, user menu choices, or user favorites
- Time of and count of app and component launches, duration of use, session GUID, and process ID
- App time in various states –- running in the foreground or background, sleeping, or receiving active user interaction
- User interaction method and duration –- whether the user used a keyboard, mouse, pen, touch, speech, or game controller, and for how long
@@ -214,9 +215,9 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
- Incoming and outgoing calls and voicemail usage statistics on primary or secondary lines
- Emergency alerts are received or displayed statistics
- Content searches within an app
-- Reading activity -- bookmarked, printed, or had the layout changed
+- Reading activity - bookmarked, printed, or had the layout changed
-**App or product state sub-type:** Information about Windows and application state
+**App or product state subtype:** Information about Windows and application state
- Start Menu and Taskbar pins
- Online and offline status
@@ -224,18 +225,18 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
- Personalization impressions delivered
- Whether the user clicked on, or hovered over, UI controls or hotspots
- User provided feedback, such as Like, Dislike or a rating
-- Caret location or position within documents and media files -- how much has been read in a book in a single session, or how much of a song has been listened to.
+- Caret location or position within documents and media files - how much has been read in a book in a single session, or how much of a song has been listened to.
-**Purchasing sub-type:** Information about purchases made on the device
+**Purchasing subtype:** Information about purchases made on the device
-- Product ID, edition ID and product URI
-- Offer details -- price
+- Product ID, edition ID, and product URI
+- Offer details - price
- Date and time an order was requested
-- Microsoft Store client type -- web or native client
+- Microsoft Store client type - web or native client
- Purchase quantity and price
-- Payment type -- credit card type and PayPal
+- Payment type - credit card type and PayPal
-**Login properties sub-type:** Information about logins on the device
+**Login properties subtype:** Information about logins on the device
- Login success or failure
- Login sessions and state
@@ -258,21 +259,21 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
- Data about battery performance on a device may be used to recommend settings changes that can improve battery performance.
- If data shows a device is running low on file storage, we may recommend Windows-compatible cloud storage solutions to free up space.
-- If data shows the device is experiencing performance issues, we may provide recommendations for Windows apps that can help diagnose or resolve these issues. These may be free or paid apps.
+- If data shows the device is experiencing performance issues, we may provide recommendations for Windows apps that can help diagnose or resolve these issues. These apps might be free or paid.
**Microsoft doesn't use crash and hang dump data to [personalize](#personalize), [recommend](#recommend), [offer](#offer), or [promote](#promote) any product or service.**
### Data Description for Product and Service Performance data type
-**Device health and crash data sub-type:** Information about the device and software health
+**Device health and crash data subtype:** Information about the device and software health
- Error codes and error messages, name and ID of the app, and process reporting the error
-- DLL library predicted to be the source of the error -- for example, xyz.dll
-- System generated files -- app or product logs and trace files to help diagnose a crash or hang
+- DLL library predicted to be the source of the error - for example, xyz.dll
+- System-generated files - app or product logs and trace files to help diagnose a crash or hang
- System settings, such as registry keys
-- User generated files -- files that are indicated as a potential cause for a crash or hang. For example, .doc, .ppt, .csv files
+- User-generated files - files that are indicated as a potential cause for a crash or hang. For example, .doc, .ppt, .csv files
- Details and counts of abnormal shutdowns, hangs, and crashes
-- Crash failure data -- operating system, operating system component, driver, device, and 1st and 3rd-party app data
+- Crash failure data - operating system, operating system component, driver, device, and first-party and third-party app data
- Crash and hang dumps, including:
- The recorded state of the working memory at the point of the crash
- Memory in-use by the kernel at the point of the crash.
@@ -280,43 +281,43 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
- All the physical memory used by Windows at the point of the crash
- Class and function name within the module that failed.
-**Device performance and reliability data sub-type:** Information about the device and software performance
+**Device performance and reliability data subtype:** Information about the device and software performance
-- User interface interaction durations -- Start menu display times, browser tab switch times, app launch and switch times, and Cortana and Search performance and reliability
-- Device on and off performance -- Device boot, shutdown, power on and off, lock and unlock times, and user authentication times (fingerprint and face recognition durations)
-- In-app responsiveness -- time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Microsoft Store transaction
-- User input responsiveness -- onscreen keyboard invocation times for different languages, time to show auto-complete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score
-- UI and media performance and glitches versus smoothness -- video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance
-- Disk footprint -- Free disk space, out of memory conditions, and disk score
-- Excessive resource utilization -- components impacting performance or battery life through high CPU usage during different screen and power states
-- Background task performance -- download times, Windows Update scan duration, Microsoft Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results
-- Peripheral and devices -- USB device connection times, time to connect to a wireless display, printing times, network availability and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP etc.), smart card authentication times, automatic brightness, and environmental response times
-- Device setup -- first setup experience times (time to install updates, install apps, connect to network, and so on), time to recognize connected devices (printer and monitor), and time to set up a Microsoft Account
-- Power and Battery life -- power draw by component (Process/CPU/GPU/Display), hours of time the screen is off, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use while the screen is off, auto-brightness details, time device is plugged into AC versus battery, and battery state transitions
-- Service responsiveness -- Service URI, operation, latency, service success and error codes, and protocol
-- Diagnostic heartbeat -- regular signal used to validate the health of the diagnostics system
+- User interface interaction durations - Start menu display times, browser tab switch times, app launch and switch times, and Cortana and Search performance and reliability
+- Device on and off performance - Device boot, shutdown, power on and off, lock and unlock times, and user authentication times (fingerprint and face recognition durations)
+- In-app responsiveness - time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Microsoft Store transaction
+- User input responsiveness - onscreen keyboard invocation times for different languages, time to show autocomplete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score
+- UI and media performance and glitches versus smoothness - video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance
+- Disk footprint - Free disk space, out of memory conditions, and disk score
+- Excessive resource utilization - components impacting performance or battery life through high CPU usage during different screen and power states
+- Background task performance - download times, Windows Update scan duration, Microsoft Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results
+- Peripheral and devices - USB device connection times, time to connect to a wireless display, printing times, network availability and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP etc.), smart card authentication times, automatic brightness, and environmental response times
+- Device setup - first setup experience times (time to install updates, install apps, connect to network, and so on), time to recognize connected devices (printer and monitor), and time to set up a Microsoft Account
+- Power and Battery life - power draw by component (Process/CPU/GPU/Display), hours of time the screen is off, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use while the screen is off, autobrightness details, time device is plugged into AC versus battery, and battery state transitions
+- Service responsiveness - Service URI, operation, latency, service success and error codes, and protocol
+- Diagnostic heartbeat - regular signal used to validate the health of the diagnostics system
-**Movies sub-type:** Information about movie consumption functionality on the device
+**Movies subtype:** Information about movie consumption functionality on the device
> [!NOTE]
> This isn't intended to capture user viewing, listening, or habits.
- Video Width, height, color palette, encoding (compression) type, and encryption type
-- Instructions about how to stream content for the user -- the smooth streaming manifest of content file chunks that must be pieced together to stream the content based on screen resolution and bandwidth
+- Instructions about how to stream content for the user - the smooth streaming manifest of content file chunks that must be pieced together to stream the content based on screen resolution and bandwidth
- URL for a specific two-second chunk of content if there is an error
- Full-screen viewing mode details
-**Music & TV sub-type:** Information about music and TV consumption on the device
+**Music & TV subtype:** Information about music and TV consumption on the device
> [!NOTE]
> This isn't intended to capture user viewing, listening, or habits.
-- Service URL for song being downloaded from the music service -- collected when an error occurs to facilitate restoration of service
+- Service URL for song being downloaded from the music service - collected when an error occurs to facilitate restoration of service
- Content type (video, audio, or surround audio)
-- Local media library collection statistics -- number of purchased tracks and number of playlists
-- Region mismatch -- User's operating system region and Xbox Live region
+- Local media library collection statistics - number of purchased tracks and number of playlists
+- Region mismatch - User's operating system region and Xbox Live region
-**Reading sub-type:** Information about reading consumption functionality on the device
+**Reading subtype:** Information about reading consumption functionality on the device
> [!NOTE]
> This isn't intended to capture user viewing, listening, or habits.
@@ -326,42 +327,42 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
- Time spent reading content
- Content type and size details
-**Photos app sub-type:** Information about photos usage on the device
+**Photos app subtype:** Information about photos usage on the device
> [!NOTE]
> This isn't intended to capture user viewing, listening, or habits.
-- File source data -- local, SD card, network device, and OneDrive
+- File source data - local, SD card, network device, and OneDrive
- Image and video resolution, video length, file sizes types, and encoding
- Collection view or full screen viewer use and duration of view
-**On-device file query sub-type:** Information about local search activity on the device
+**On-device file query subtype:** Information about local search activity on the device
-- Kind of query issued and index type (ConstraintIndex or SystemIndex)
+- Type of query issued and index type (ConstraintIndex or SystemIndex)
- Number of items requested and retrieved
- File extension of search result with which the user interacted
- Launched item type, file extension, index of origin, and the App ID of the opening app
- Name of process calling the indexer and the amount of time to service the query
- A hash of the search scope (file, Outlook, OneNote, or IE history). The state of the indices (fully optimized, partially optimized, or being built)
-**Entitlements sub-type:** Information about entitlements on the device
+**Entitlements subtype:** Information about entitlements on the device
- Service subscription status and errors
-- DRM and license rights details -- Groove subscription or operating system volume license
+- DRM and license rights details - Groove subscription or operating system volume license
- Entitlement ID, lease ID, and package ID of the install package
- Entitlement revocation
- License type (trial, offline versus online) and duration
- License usage session
## Software Setup and Inventory data
-This type of data includes software installation and update information on the device. Software Setup and Inventory Data is a sub-type of ISO/IEC 19944:2017 8.2.3.2.4 Observed Usage of the Service Capability.
+This type of data includes software installation and update information on the device. Software Setup and Inventory Data is a subtype of ISO/IEC 19944:2017 8.2.3.2.4 Observed Usage of the Service Capability.
### Data Use for Software Setup and Inventory data
**For Diagnostics:**
[Pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example:
-- Data about the specific drivers that are installed on a device is used to understand whether there are any hardware or driver compatibility issues which should block or delay a Windows update.
+- Data about the specific drivers that are installed on a device is used to understand whether there are any hardware or driver compatibility issues that should block or delay a Windows update.
- Data about when a download starts and finishes on a device is used to understand and address download problems.
- Data about the specific Microsoft Store apps that are installed on a device is used to determine which app updates to provide to the device.
- Data about the antimalware installed on a device is used to understand malware transmissions vectors.
@@ -373,7 +374,7 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
### Data Description for Software Setup and Inventory data type
-**Installed applications and install history sub-type:** Information about apps, drivers, update packages, or operating system components installed on the device
+**Installed applications and install history subtype:** Information about apps, drivers, update packages, or operating system components installed on the device
- App, driver, update package, or component’s Name, ID, or Package Family Name
- Product, SKU, availability, catalog, content, and Bundle IDs
@@ -382,13 +383,13 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
- MSI package and product code
- Original operating system version at install time
- User, administrator, or mandatory installation or update
-- Installation type -- clean install, repair, restore, OEM, retail, upgrade, or update
+- Installation type - clean install, repair, restore, OEM, retail, upgrade, or update
-**Device update information sub-type:** Information about apps, drivers, update packages, or operating system components installed on the device
+**Device update information subtype:** Information about apps, drivers, update packages, or operating system components installed on the device
- Update Readiness analysis of device hardware, operating system components, apps, and drivers (progress, status, and results)
- Number of applicable updates, importance, and type
-- Update download size and source -- CDN or LAN peers
+- Update download size and source - CDN or LAN peers
- Delay upgrade status and configuration
- Operating system uninstall and rollback status and count
- Windows Update server and service URL
@@ -396,7 +397,7 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
- Windows Insider build details
## Browsing History data
-This type of data includes details about web browsing in the Microsoft browsers. Browsing History data is equivalent to ISO/IEC 19944:2017 8.2.3.2.8 Client side browsing history.
+This type of data includes details about web browsing in the Microsoft browsers. Browsing History data is equivalent to ISO/IEC 19944:2017 8.2.3.2.8 Client-side browsing history.
### Data Use for Browsing History data
@@ -412,23 +413,23 @@ This type of data includes details about web browsing in the Microsoft browsers.
**With (optional) Tailored experiences:**
If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Browsing History data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Browsing History data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example:
-- We may recommend that a user download a compatible app from the Microsoft Store if they have browsed to the related website. For example, if a user uses the Facebook website, we may recommend the Facebook app.
+- We might recommend that a user download a compatible app from the Microsoft Store if they have browsed to the related website. For example, if a user uses the Facebook website, we may recommend the Facebook app.
### Data Description for Browsing History data type
-**Microsoft browser data sub-type:** Information about **Address** bar and **Search** box performance on the device
+**Microsoft browser data subtype:** Information about **Address** bar and **Search** box performance on the device
- Text typed in **Address** bar and **Search** box
- Text selected for an Ask Cortana search
- Service response time
-- Auto-completed text, if there was an auto-complete
+- Autocompleted text, if there was an autocomplete
- Navigation suggestions provided based on local history and favorites
- Browser ID
- URLs (may include search terms)
- Page title
## Inking Typing and Speech Utterance data
-This type of data gathers details about the voice, inking, and typing input features on the device. Inking, Typing and Speech Utterance data is a sub-type of ISO/IEC 19944:2017 8.2.3.2.1 End User Identifiable information.
+This type of data gathers details about the voice, inking, and typing input features on the device. Inking, Typing, and Speech Utterance data is a subtype of ISO/IEC 19944:2017 8.2.3.2.1 End User Identifiable information.
### Data Use for Inking, Typing, and Speech Utterance data
@@ -437,7 +438,7 @@ This type of data gathers details about the voice, inking, and typing input feat
- Data about words marked as spelling mistakes and replaced with another word from the context menu is used to improve the spelling feature.
- Data about alternate words shown and selected by the user after right-clicking is used to improve the word recommendation feature.
-- Data about auto-corrected words that were restored back to the original word by the user is used to improve the auto-correct feature.
+- Data about autocorrected words that were restored back to the original word by the user is used to improve the autocorrect feature.
- Data about whether Narrator detected and recognized a touch gesture is used to improve touch gesture recognition.
- Data about handwriting samples sent from the Handwriting Panel is used to help Microsoft improve handwriting recognition.
@@ -447,15 +448,15 @@ This type of data gathers details about the voice, inking, and typing input feat
### Data Description for Inking, Typing, and Speech Utterance data type
-**Voice, inking, and typing sub-type:** Information about voice, inking and typing features
+**Voice, inking, and typing subtype:** Information about voice, inking, and typing features
- Type of pen used (highlighter, ball point, or pencil), pen color, stroke height and width, and how long it is used
- Pen gestures (click, double click, pan, zoom, or rotate)
- Palm Touch x,y coordinates
- Input latency, missed pen signals, number of frames, strokes, first frame commit time, and sample rate
-- Ink strokes written, text before and after the ink insertion point, recognized text entered, input language -- processed to remove identifiers, sequencing information, and other data (such as email addresses and - numeric values), which could be used to reconstruct the original content or associate the input to the user
-- Text input from Windows 10 Mobile on-screen keyboards, except from password fields and private sessions -- processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values), which could be used to reconstruct the original content or associate the input to the user
-- Text of speech recognition results -- result codes and recognized text
+- Ink strokes written, text before and after the ink insertion point, recognized text entered, input language - processed to remove identifiers, sequencing information, and other data (such as email addresses and - numeric values), which could be used to reconstruct the original content or associate the input to the user
+- Text input from Windows 10 Mobile on-screen keyboards, except from password fields and private sessions - processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values), which could be used to reconstruct the original content or associate the input to the user
+- Text of speech recognition results - result codes and recognized text
- Language and model of the recognizer and the System Speech language
- App ID using speech features
- Whether user is known to be a child
@@ -495,9 +496,9 @@ Use of the specified data categories give recommendations about Microsoft produc
ISO/IEC 19944:2017 Reference: **9.3.5 Offer upgrades or upsell**
-Implies the source of the data is Microsoft products and services, and the upgrades offered come from Microsoft products and services that are relevant to the context of the current capability. The target audience for the offer is Microsoft customers.
+Implies that the source of the data is Microsoft products and services, and the upgrades offered come from Microsoft products and services that are relevant to the context of the current capability. The target audience for the offer is Microsoft customers.
-Specifically, use of the specified data categories to make an offer or upsell new capability or capacity of a Microsoft product or service which is (i) contextually relevant to the product or service in which it appears; (ii) likely to result in additional future revenue for Microsoft from end user; and (iii) Microsoft receives no consideration for placement.
+Specifically, use of the specified data categories to make an offer or upsell new capability or capacity of a Microsoft product or service that is (i) contextually relevant to the product or service in which it appears; (ii) likely to result in additional future revenue for Microsoft from end user; and (iii) Microsoft receives no consideration for placement.
### Promote
@@ -507,7 +508,7 @@ Use of the specified data categories to promote a product or service in or on a
### Data identification qualifiers
-Here are the list of data identification qualifiers and the ISO/IEC 19944:2017 reference:
+Here are the data identification qualifiers and the ISO/IEC 19944:2017 reference:
- **Pseudonymized Data** 8.3.3 Pseudonymized data. Microsoft usage notes are as defined.
- **Anonymized Data** 8.3.5 Anonymized data. Microsoft usage notes are as defined.
diff --git a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
index 7b104bdcb0..90ab13ce23 100644
--- a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
@@ -96,6 +96,7 @@ The following methodology was used to derive the network endpoints:
|activity.windows.com|TLSV1.2|Used by Activity Feed Service which enables multiple cross-device data roaming scenarios on Windows
|adl.windows.com|HTTP|Used for compatibility database updates for Windows
|spclient.wg.spotify.com|TLSV1.2|Used for Spotify Live Tile
+|cs.dds.microsoft.com|TLSV1.2|Used by Device Directory Service to keep track of user-device associations and storing metadata about the devices.
## Windows 10 Pro
@@ -161,6 +162,7 @@ The following methodology was used to derive the network endpoints:
|activity.windows.com|TLSV1.2|Used by Activity Feed Service which enables multiple cross-device data roaming scenarios on Windows
|adl.windows.com|HTTP|Used for compatibility database updates for Windows
|spclient.wg.spotify.com|TLSV1.2|Used for Spotify Live Tile
+|cs.dds.microsoft.com|TLSV1.2|Used by Device Directory Service to keep track of user-device associations and storing metadata about the devices.
## Windows 10 Education
diff --git a/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md b/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md
new file mode 100644
index 0000000000..66a3637398
--- /dev/null
+++ b/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md
@@ -0,0 +1,266 @@
+---
+title: Windows 10, version 20H2, connection endpoints for non-Enterprise editions
+description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 20H2.
+keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.localizationpriority: high
+audience: ITPro
+author: gental-giant
+ms.author: v-hakima
+manager: robsize
+ms.collection: M365-security-compliance
+ms.topic: article
+ms.date: 12/17/2020
+---
+# Windows 10, version 20H2, connection endpoints for non-Enterprise editions
+
+ **Applies to**
+
+- Windows 10 Home, version 20H2
+- Windows 10 Professional, version 20H2
+- Windows 10 Education, version 20H2
+
+In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-2004-endpoints.md), the following endpoints are available on other non-Enterprise editions of Windows 10, version 20H2.
+
+The following methodology was used to derive the network endpoints:
+
+1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
+2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device).
+3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
+4. Compile reports on traffic going to public IP addresses.
+5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
+6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
+7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
+8. These tests were conducted for one week. If you capture traffic for longer you may have different results.
+
+> [!NOTE]
+> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
+
+## Windows 10 Family
+
+| **Area** | **Description** | **Protocol** | **Destination** |
+|-----------|--------------- |------------- |-----------------|
+| Activity Feed Service |The following endpoints are used by Activity Feed Service which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com|
+|Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com|
+||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net|
+||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net|
+||Used for Spotify Live Tile|HTTPS/HTTP|spclient.wg.spotify.com|
+|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available.|TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com/*|
+|Cortana and Live Tiles|The following endpoints are related to Cortana and Live Tiles|TLSv1.2/HTTPS/HTTP|www.bing.com*|
+|||HTTPS/HTTP|fp.msedge.net|
+|||HTTPS/HTTP|k-ring.msedge.net|
+|||TLSv1.2|b-ring.msedge.net|
+|Device authentication|The following endpoint is used to authenticate a device.|HTTPS|login.live.com*|
+|Device Directory Service|Used by Device Directory Service to keep track of user-device associations and storing metadata about the devices.|HTTPS/HTTP|cs.dds.microsoft.com|
+|Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com|
+|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.|TLSv1.2/HTTP|v10.events.data.microsoft.com|
+|||TLSv1.2/HTTPS/HTTP|v20.events.data.microsoft.com|
+|||TLSv1.2/HTTP|www.microsoft.com|
+||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com|
+|Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*|
+|Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com|
+|||HTTPS|licensing.mp.microsoft.com/v7.0/licenses/content|
+|Location|The following endpoints are used for location data.|TLSV1.2|inference.location.live.net|
+|Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTPS/HTTP|maps.windows.com|
+|||HTTPS/HTTP|*.ssl.ak.dynamic.tiles.virtualearth.net|
+|||HTTPS/HTTP|*.ssl.ak.tiles.virtualearth.net|
+|||HTTPS/HTTP|dev.virtualearth.net|
+|||HTTPS/HTTP|ecn.dev.virtualearth.net|
+|||HTTPS/HTTP|ssl.bing.com|
+|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in|TLSv1.2/HTTPS/HTTP|*login.live.com|
+|Microsoft Edge|The following endpoints are used for Microsoft Edge Browser Services.|HTTPS/HTTP|edge.activity.windows.com|
+|||HTTPS/HTTP|edge.microsoft.com|
+||The following endpoint is used by Microsoft Edge Update service to check for new updates.|HTTPS/HTTP|msedge.api.cdp.microsoft.com|
+|Microsoft forward link redirection|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer|HTTP|go.microsoft.com/fwlink/|
+|||TLSv1.2/HTTPS/HTTP|go.microsoft.com|
+|Microsoft Store|The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps)|TLSv1.2/HTTPS/HTTP|img-prod-cms-rt-microsoft-com.akamaized.net|
+||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com|
+||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com|
+||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com|
+|||HTTPS|pti.store.microsoft.com|
+|||HTTPS|storesdk.dsx.mp.microsoft.com|
+||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com|
+||The following endpoints are used get images that are used for Microsoft Store suggestions|TLSv1.2|store-images.s-microsoft.com|
+|Network Connection Status Indicator (NCSI)|Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.|TLSv1.2/HTTP|www.msftconnecttest.com*|
+|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|outlook.office365.com|
+|||TLSv1.2/HTTPS|office.com|
+|||TLSv1.2/HTTPS|blobs.officehome.msocdn.com|
+|||HTTPS/HTTP|officehomeblobs.blob.core.windows.net|
+|||HTTP/HTTPS|*.blob.core.windows.net|
+|||TLSv1.2|self.events.data.microsoft.com|
+|||HTTPS/HTTP|outlookmobile-office365-tas.msedge.net|
+|||HTTP|roaming.officeapps.live.com|
+|||HTTPS/HTTP|substrate.office.com|
+|OneDrive|The following endpoints are related to OneDrive.|HTTPS|g.live.com|
+|||TLSv1.2/HTTPS|oneclient.sfx.ms|
+|||HTTPS/TLSv1.2|logincdn.msauth.net|
+|||HTTPS/HTTP|windows.policies.live.net|
+|||HTTPS/HTTP|api.onedrive.com|
+|||HTTPS/HTTP|skydrivesync.policies.live.net|
+|||HTTPS/HTTP|*storage.live.com|
+|||HTTPS/HTTP|*settings.live.net|
+|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.|TLSv1.2/HTTPS/HTTP|settings.data.microsoft.com*|
+|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com*|
+|Skype|The following endpoint is used to retrieve Skype configuration values.|TLSv1.2/HTTPS/HTTP|*.pipe.aria.microsoft.com|
+|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com|
+|Teams|The following endpoint is used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
+|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com|
+||||wdcpalt.microsoft.com|
+|||HTTPS/HTTP|*.smartscreen-prod.microsoft.com|
+|||TLSv1.2|definitionupdates.microsoft.com|
+||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|TLSv1.2|*.smartscreen.microsoft.com|
+|||TLSv1.2/HTTP|checkappexec.microsoft.com|
+|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.|TLSv1.2/HTTPS/HTTP|arc.msn.com*|
+|||TLSv1.2/HTTPS/HTTP|ris.api.iris.microsoft.com|
+|||HTTPS|mucp.api.account.microsoft.com|
+|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com|
+|||TLSv1.2/HTTP|emdl.ws.microsoft.com|
+|||TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com|
+||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.|TLSv1.2/HTTP|*.windowsupdate.com|
+|||TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com|
+||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store to help keep the device secure.|TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
+||The following endpoint is used for compatibility database updates for Windows.|HTTP/HTTPS|adl.windows.com|
+||The following endpoint is used for content regulation.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
+|Xbox Live|The following endpoints are used for Xbox Live.|
+|||TLSv1.2/HTTPS/HTTP|dlassets-ssl.xboxlive.com|
+|||TLSv1.2/HTTPS|da.xboxservices.com|
+|||HTTPS|www.xboxab.com|
+|
+
+## Windows 10 Pro
+
+| **Area** | **Description** | **Protocol** | **Destination** |
+| --- | --- | --- | ---|
+| Activity Feed Service |The following endpoints are used by Activity Feed Service which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com|
+|Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com|
+||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net|
+||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net|
+||Used for Spotify Live Tile|HTTPS/HTTP|spclient.wg.spotify.com|
+|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available.|TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com/*|
+|Cortana and Live Tiles|The following endpoints are related to Cortana and Live Tiles|TLSv1.2/HTTPS/HTTP|www.bing.com*|
+|Device authentication|The following endpoint is used to authenticate a device.|HTTPS|login.live.com*|
+|Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com|
+|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.|TLSv1.2/HTTP|v10.events.data.microsoft.com|
+|||TLSv1.2/HTTPS/HTTP|v20.events.data.microsoft.com|
+|||TLSv1.2/HTTP|www.microsoft.com|
+||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com|
+|Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*|
+|Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com|
+|Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTPS/HTTP|maps.windows.com|
+|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in|TLSv1.2/HTTPS/HTTP|*login.live.com|
+|Microsoft Edge|The following endpoint is used by Microsoft Edge Update service to check for new updates.|HTTPS/HTTP|msedge.api.cdp.microsoft.com|
+|Microsoft forward link redirection|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer|TLSv1.2/HTTPS/HTTP|go.microsoft.com|
+|Microsoft Store|The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps)|TLSv1.2/HTTPS/HTTP|img-prod-cms-rt-microsoft-com.akamaized.net|
+||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com|
+||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com|
+||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com|
+|||HTTPS|pti.store.microsoft.com|
+|||HTTPS|storesdk.dsx.mp.microsoft.com|
+||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com|
+|Network Connection Status Indicator (NCSI)|Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.|TLSv1.2/HTTP|www.msftconnecttest.com*|
+|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|outlook.office365.com|
+|||TLSv1.2/HTTPS|office.com|
+|||TLSv1.2/HTTPS|blobs.officehome.msocdn.com|
+|||HTTPS/HTTP|officehomeblobs.blob.core.windows.net|
+|||HTTP/HTTPS|*.blob.core.windows.net|
+|||TLSv1.2|self.events.data.microsoft.com|
+|||HTTPS/HTTP|outlookmobile-office365-tas.msedge.net|
+|||TLSv1.2/HTTPS/HTTP|officeclient.microsoft.com|
+|||HTTPS/HTTP|substrate.office.com|
+|OneDrive|The following endpoints are related to OneDrive.|HTTPS|g.live.com|
+|||TLSv1.2/HTTPS|oneclient.sfx.ms|
+|||HTTPS/TLSv1.2|logincdn.msauth.net|
+|||HTTPS/HTTP|windows.policies.live.net|
+|||HTTPS/HTTP|*storage.live.com|
+|||HTTPS/HTTP|*settings.live.net|
+|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.|TLSv1.2/HTTPS/HTTP|settings.data.microsoft.com*|
+|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com*|
+|Skype|The following endpoint is used to retrieve Skype configuration values.|TLSv1.2/HTTPS/HTTP|*.pipe.aria.microsoft.com|
+|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com|
+|Teams|The following endpoint is used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
+|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com|
+||||wdcpalt.microsoft.com|
+|||HTTPS/HTTP|*.smartscreen-prod.microsoft.com|
+||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|TLSv1.2|*.smartscreen.microsoft.com|
+|||TLSv1.2/HTTP|checkappexec.microsoft.com|
+|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.|TLSv1.2/HTTPS/HTTP|arc.msn.com*|
+|||TLSv1.2/HTTPS/HTTP|ris.api.iris.microsoft.com|
+|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com|
+|||TLSv1.2/HTTP|emdl.ws.microsoft.com|
+|||TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com|
+||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.|TLSv1.2/HTTP|*.windowsupdate.com|
+|||TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com|
+||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store to help keep the device secure.|TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
+||The following endpoint is used for compatibility database updates for Windows.|HTTP/HTTPS|adl.windows.com|
+||The following endpoint is used for content regulation.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
+|Xbox Live|The following endpoints are used for Xbox Live.|
+|||TLSv1.2/HTTPS/HTTP|dlassets-ssl.xboxlive.com|
+|||TLSv1.2/HTTPS|da.xboxservices.com|
+|
+
+## Windows 10 Education
+
+| **Area** | **Description** | **Protocol** | **Destination** |
+| --- | --- | --- | ---|
+| Activity Feed Service |The following endpoints are used by Activity Feed Service which enables multiple cross-device data roaming scenarios on Windows|TLSv1.2/HTTPS/HTTP|activity.windows.com|
+|Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com|
+||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net|
+||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net|
+|Bing Search|The following endpoint is used by Microsoft Search in Bing enabling users to search across files, SharePoint sites, OneDrive content, Teams and Yammer conversations, and other shared data sources in an organization, as well as the web.|HTTPS|business.bing.com|
+|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available.|TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com/*|
+|Cortana and Live Tiles|The following endpoints are related to Cortana and Live Tiles|TLSv1.2/HTTPS/HTTP|www.bing.com*|
+|||HTTPS/HTTP|fp.msedge.net|
+|||TLSv1.2|odinvzc.azureedge.net|
+|||TLSv1.2|b-ring.msedge.net|
+|Device metadata|The following endpoint is used to retrieve device metadata.|TLSv1.2/HTTP|dmd.metaservices.microsoft.com|
+|Diagnostic data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.|TLSv1.2/HTTP|v10.events.data.microsoft.com|
+|||TLSv1.2/HTTPS/HTTP|v20.events.data.microsoft.com|
+|||TLSv1.2/HTTP|www.microsoft.com|
+||The following endpoints are used by Windows Error Reporting.|TLSv1.2/HTTPS/HTTP|watson.telemetry.microsoft.com|
+|Font Streaming|The following endpoints are used to download fonts on demand.|TLSv1.2/HTTPS|fs.microsoft.com*|
+|Licensing|The following endpoint is used for online activation and some app licensing.|HTTPS/HTTP|*licensing.mp.microsoft.com|
+|Location|The following endpoints are used for location data.|TLSV1.2|inference.location.live.net|
+|Maps|The following endpoints are used to check for updates to maps that have been downloaded for offline use.|HTTPS/HTTP|maps.windows.com|
+|Microsoft Account|The following endpoints are used for Microsoft accounts to sign in|TLSv1.2/HTTPS/HTTP|*login.live.com|
+|Microsoft Edge|The following endpoint is used by Microsoft Edge Update service to check for new updates.|HTTPS/HTTP|msedge.api.cdp.microsoft.com|
+|Microsoft forward link redirection|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer|TLSv1.2/HTTPS/HTTP|go.microsoft.com|
+|Microsoft Store|The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps)|TLSv1.2/HTTPS/HTTP|img-prod-cms-rt-microsoft-com.akamaized.net|
+||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com|
+||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com|
+|||TLSv1.2/HTTPS/HTTP|1storecatalogrevocation.storequality.microsoft.com|
+||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com|
+|||HTTPS|pti.store.microsoft.com|
+|||HTTPS|storesdk.dsx.mp.microsoft.com|
+||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com|
+|Network Connection Status Indicator (NCSI)|Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.|TLSv1.2/HTTP|www.msftconnecttest.com*|
+|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS|office.com|
+|||HTTPS/HTTP|officehomeblobs.blob.core.windows.net|
+|||TLSv1.2|self.events.data.microsoft.com|
+|OneDrive|The following endpoints are related to OneDrive.|HTTPS|g.live.com|
+|||TLSv1.2/HTTPS|oneclient.sfx.ms|
+|||HTTPS/TLSv1.2|logincdn.msauth.net|
+|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.|TLSv1.2/HTTPS/HTTP|settings.data.microsoft.com*|
+|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com*|
+|Skype|The following endpoint is used to retrieve Skype configuration values.|TLSv1.2/HTTPS/HTTP|*.pipe.aria.microsoft.com|
+|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com|
+|Teams|The following endpoint is used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
+|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com|
+||||wdcpalt.microsoft.com|
+|||HTTPS/HTTP|*.smartscreen-prod.microsoft.com|
+||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|TLSv1.2|*.smartscreen.microsoft.com|
+|||TLSv1.2/HTTP|checkappexec.microsoft.com|
+|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.|TLSv1.2/HTTPS/HTTP|arc.msn.com*|
+|||TLSv1.2/HTTPS/HTTP|ris.api.iris.microsoft.com|
+|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com|
+|||TLSv1.2/HTTP|emdl.ws.microsoft.com|
+|||TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com|
+||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.|TLSv1.2/HTTP|*.windowsupdate.com|
+|||TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com|
+||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store to help keep the device secure.|TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
+||The following endpoint is used for compatibility database updates for Windows.|HTTP/HTTPS|adl.windows.com|
+||The following endpoint is used for content regulation.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
+|Xbox Live|The following endpoints are used for Xbox Live.|
+|||TLSv1.2/HTTPS/HTTP|dlassets-ssl.xboxlive.com|
+|||TLSv1.2/HTTPS|da.xboxservices.com|
diff --git a/windows/release-information/docfx.json b/windows/release-information/docfx.json
index 4dcacaf204..40211ae3b7 100644
--- a/windows/release-information/docfx.json
+++ b/windows/release-information/docfx.json
@@ -41,7 +41,16 @@
"audience": "ITPro",
"titleSuffix": "Windows Release Information",
"extendBreadcrumb": true,
- "feedback_system": "None"
+ "feedback_system": "None",
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
},
"fileMetadata": {},
"template": [],
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index ab00e42eba..e8accb5982 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -21,7 +21,8 @@
"files": [
"**/*.png",
"**/*.jpg",
- "**/*.gif"
+ "**/*.gif",
+ "**/*.svg"
],
"exclude": [
"**/obj/**",
@@ -33,6 +34,7 @@
"externalReference": [],
"globalMetadata": {
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
+ "uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.topic": "article",
"manager": "dansimp",
"audience": "ITPro",
@@ -45,7 +47,17 @@
"folder_relative_path_in_docset": "./"
}
},
- "titleSuffix": "Microsoft 365 Security"
+ "titleSuffix": "Microsoft 365 Security",
+ "contributors_to_exclude": [
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
+ "jborsecnik",
+ "tiburd",
+ "garycentric"
+ ],
+ "searchScope": ["Windows 10"]
},
"fileMetadata": {
"titleSuffix":{
diff --git a/windows/security/identity-protection/TOC.md b/windows/security/identity-protection/TOC.md
index 7f7f58c2b8..16e55efb95 100644
--- a/windows/security/identity-protection/TOC.md
+++ b/windows/security/identity-protection/TOC.md
@@ -18,7 +18,7 @@
#### [User Account Control security policy settings](user-account-control\user-account-control-security-policy-settings.md)
#### [User Account Control Group Policy and registry key settings](user-account-control\user-account-control-group-policy-and-registry-key-settings.md)
-## [Windows Hello for Business](hello-for-business/hello-identity-verification.md)
+## [Windows Hello for Business](hello-for-business/index.yml)
## [Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md)
### [How Credential Guard works](credential-guard/credential-guard-how-it-works.md)
diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md
index 8e6cf74f38..61288f4b01 100644
--- a/windows/security/identity-protection/access-control/access-control.md
+++ b/windows/security/identity-protection/access-control/access-control.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
diff --git a/windows/security/identity-protection/access-control/active-directory-accounts.md b/windows/security/identity-protection/access-control/active-directory-accounts.md
index 2ae163cea6..f207928d15 100644
--- a/windows/security/identity-protection/access-control/active-directory-accounts.md
+++ b/windows/security/identity-protection/access-control/active-directory-accounts.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md
index 61198672fc..e408ad9ba8 100644
--- a/windows/security/identity-protection/access-control/active-directory-security-groups.md
+++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
@@ -576,7 +576,7 @@ This security group has not changed since Windows Server 2008.
-
+
+
+
+
### Remote Desktop Users
The Remote Desktop Users group on an RD Session Host server is used to grant users and groups permissions to remotely connect to an RD Session Host server. This group cannot be renamed, deleted, or moved. It appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
@@ -3094,78 +3165,6 @@ This security group has not changed since Windows Server 2008.
+
+
+
+Attribute
+Value
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
@@ -3197,7 +3196,7 @@ This security group was introduced in Windows Server 2012, and it has not chang
-
-
-
-Attribute
-Value
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+You represent signal rules in XML. Each signal rule has an starting and ending **rule** element that contains the **schemaVersion** attribute and value. The current supported schema version is 1.0.
+
**Example**
-```
+```xml
+Each rule element has a **signal** element. All signal elements have a **type** element and value. Windows 10, version 1709 supports the **ipConfig** and **bluetooth** type values.
+
|Attribute|Value|
|---------|-----|
@@ -109,8 +111,8 @@ You define the bluetooth signal with additional attributes in the signal element
|rssiMin|"*number*"|no|
|rssiMaxDelta|"*number*"|no|
-Example:
-```
+**Example**
+```xml
+The IPv4 network prefix represented in Internet standard dotted-decimal notation. A network prefix that uses the Classless Inter-Domain Routing (CIDR) notation is required as part of the network string. A network port must not be present in the network string. A **signal** element may only contain one **ipv4Prefix** element.
+
**Example**
-```
+```xml
+The IPv4 network gateway represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv4Gateway** element.
+
**Example**
-```
+```xml
+The IPv4 DHCP server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv4DhcpServer** element.
+
**Example**
-```
+```xml
+The IPv4 DNS server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string.The **signal** element may contain one or more **ipv4DnsServer** elements.
+
**Example:**
-```
+```xml
+The IPv6 network prefix represented in IPv6 network using Internet standard hexadecimal encoding. A network prefix in CIDR notation is required as part of the network string. A network port or scope ID must not be present in the network string. A **signal** element may only contain one **ipv6Prefix** element.
+
**Example**
-```
+```xml
+The IPv6 network gateway represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv6Gateway** element.
+
**Example**
-```
+```xml
+The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv6DhcpServer** element.
+
**Example**
-```
+```xml
+The fully qualified domain name of your organization's internal DNS suffix where any part of the fully qualified domain name in this setting exists in the computer's primary DNS suffix. The **signal** element may contain one or more **dnsSuffix** elements.
+
**Example**
-```
+```xml
-```
+Contains the service set identifier (SSID) of a wireless network. The SSID is the name of the wireless network. The SSID element is required.
+
+```xml
+Contains the basic service set identifier (BSSID) of a wireless access point. the BSSID is the mac address of the wireless access point. The BSSID element is optional.
+
**Example**
-```
+```xml
+Contains the thumbprint of the trusted root certificate of the wireless network. This may be any valid trusted root certificate. The value is represented as hexadecimal string where each byte in the string is separated by a single space. This element is optional.
+
**Example**
-```
+```xml
+Contains numeric value ranging from 0 to 100 to represent the wireless network's signal strength needed to be considered a trusted signal.
+
**Example**
-```
+```xml
- 
-8. In the content pane, double-click **Configure device unlock factors**. Click **Enable**. The **Options** section populates the policy setting with default values.
- 
-9. Configure first and second unlock factors using the information in the [Configure Unlock Factors](#configuring-unlock-factors) section.
-10. If using trusted signals, configure the trusted signals used by the unlock factor using the information in the [Configure Signal Rules for the Trusted Signal Credential Provider](#configure-signal-rules-for-the-trusted-signal-credential-provider) section.
-11. Click **Ok** to close the **Group Policy Management Editor**. Use the **Group Policy Management Console** to deploy the newly created Group Policy object to your organization's computers.
+1. Start the **Group Policy Management Console** (gpmc.msc).
- ## Troubleshooting
- Multi-factor unlock writes events to event log under **Application and Services Logs\Microsoft\Windows\HelloForBusiness** with the category name **Device Unlock**.
+2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
+
+3. Right-click **Group Policy object** and select **New**.
+
+4. Type *Multifactor Unlock* in the name box and click **OK**.
+
+5. In the content pane, right-click the **Multifactor Unlock** Group Policy object and click **Edit**.
+
+6. In the navigation pane, expand **Policies** under **Computer Configuration**.
+
+7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.
+
+ 
+
+8. In the content pane, double-click **Configure device unlock factors**. Click **Enable**. The **Options** section populates the policy setting with default values.
+
+ 
+
+9. Configure first and second unlock factors using the information in [Configure Unlock Factors](#configuring-unlock-factors).
+
+10. If using trusted signals, configure the trusted signals used by the unlock factor using the information in [Configure Signal Rules for the Trusted Signal Credential Provider](#configure-signal-rules-for-the-trusted-signal-credential-provider).
+
+11. Click **OK** to close the **Group Policy Management Editor**. Use the **Group Policy Management Console** to deploy the newly created Group Policy object to your organization's computers.
+
+## Troubleshooting
+Multi-factor unlock writes events to event log under **Application and Services Logs\Microsoft\Windows\HelloForBusiness** with the category name **Device Unlock**.
### Events
diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
index 01dffaef6d..d0857ccd72 100644
--- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
+++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
@@ -15,7 +15,7 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
-ms.date: 03/05/2020
+ms.date: 01/12/2021
---
# Windows Hello biometrics in the enterprise
@@ -53,7 +53,7 @@ The biometric data used to support Windows Hello is stored on the local device o
## Has Microsoft set any device requirements for Windows Hello?
We've been working with the device manufacturers to help ensure a high-level of performance and protection is met by each sensor and device, based on these requirements:
-- **False Accept Rate (FAR).** Represents the instance a biometric identification solution verifies an unauthorized person. This is normally represented as a ratio of number of instances in a given population size, for example 1 in 100 000. This can also be represented as a percentage of occurrence, for example, 0.001%. This measurement is heavily considered the most important with regards to the security of the biometric algorithm.
+- **False Accept Rate (FAR).** Represents the instance a biometric identification solution verifies an unauthorized person. This is normally represented as a ratio of number of instances in a given population size, for example 1 in 100 000. This can also be represented as a percentage of occurrence, for example, 0.001%. This measurement is heavily considered the most important with regard to the security of the biometric algorithm.
- **False Reject Rate (FRR).** Represents the instances a biometric identification solution fails to verify an authorized person correctly. Usually represented as a percentage, the sum of the True Accept Rate and False Reject Rate is 1. Can be with or without anti-spoofing or liveness detection.
@@ -81,6 +81,10 @@ To allow facial recognition, you must have devices with integrated special infra
- Effective, real world FRR with Anti-spoofing or liveness detection: <10%
+> [!NOTE]
+>Windows Hello face authentication does not currently support wearing a mask during enrollment or authentication. Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock you device. The product group is aware of this behavior and is investigating this topic further. Please remove a mask if you are wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn’t allow you to remove a mask temporarily, please consider unenrolling from face authentication and only using PIN or fingerprint.
+
+
## Related topics
- [Windows Hello for Business](hello-identity-verification.md)
- [How Windows Hello for Business works](hello-how-it-works.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
index 4486823bc5..22d05b8312 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
@@ -13,7 +13,7 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
-ms.date: 08/19/2018
+ms.date: 01/14/2021
ms.reviewer:
---
# Prepare and Deploy Windows Server 2016 Active Directory Federation Services
@@ -39,17 +39,19 @@ A new Active Directory Federation Services farm should have a minimum of two fed
Prepare the Active Directory Federation Services deployment by installing and updating two Windows Server 2016 Servers. Ensure the update listed below is applied to each server before continuing.
> [!NOTE]
->For AD FS 2019, if Windows Hello for Business with a Hybrid Certificate trust is performed, a known PRT issue exists. You may encounter this error in ADFS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error:
+> For AD FS 2019, if Windows Hello for Business with a Hybrid Certificate trust is performed, a known PRT issue exists. You may encounter this error in ADFS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error:
>
-> 1. Launch AD FS management console. Brose to "Services > Scope Descriptions".
+> 1. Launch AD FS management console. Browse to "Services > Scope Descriptions".
> 2. Right click "Scope Descriptions" and select "Add Scope Description".
> 3. Under name type "ugs" and Click Apply > OK.
-> 4. Launch Powershell as Administrator.
-> 5. Execute the command "Get-AdfsApplicationPermission". Look for the ScopeNames :{openid, aza} that has the ClientRoleIdentifier Make a note of the ObjectIdentifier.
-> 6. Execute the command "Set-AdfsApplicationPermission -TargetIdentifier
-or-
Token was not found in the Authorization header.
-or-
Failed to read one or more objects.
-or-
The request sent to the server was invalid. | Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure Active Directory (Azure AD) and rejoin.
+| 0x801C03ED | Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed.
-or-
Token was not found in the Authorization header.
-or-
Failed to read one or more objects.
-or-
The request sent to the server was invalid.
-or-
User does not have permissions to join to Azure AD. | Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure AD and rejoin.
Allow user(s) to join to Azure AD under Azure AD Device settings.
| 0x801C03EE | Attestation failed. | Sign out and then sign in again. |
| 0x801C03EF | The AIK certificate is no longer valid. | Sign out and then sign in again. |
-| 0x801C03F2 | Windows Hello key registration failed. | ERROR\_BAD\_DIRECTORY\_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue refer to [Duplicate Attributes Prevent Dirsync](https://docs.microsoft.com/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync).
+| 0x801C03F2 | Windows Hello key registration failed. | ERROR\_BAD\_DIRECTORY\_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](https://docs.microsoft.com/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in AAD and the Primary SMTP address are the same in the proxy address.
| 0x801C044D | Authorization token does not contain device ID. | Unjoin the device from Azure AD and rejoin. |
| | Unable to obtain user token. | Sign out and then sign in again. Check network and credentials. |
| 0x801C044E | Failed to receive user credentials input. | Sign out and then sign in again. |
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.md b/windows/security/identity-protection/hello-for-business/hello-faq.md
deleted file mode 100644
index e6d36e6967..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-faq.md
+++ /dev/null
@@ -1,170 +0,0 @@
----
-title: Windows Hello for Business Frequently Asked Questions
-description: Use these frequently asked questions (FAQ) to learn important details about Windows Hello for Business.
-keywords: identity, PIN, biometric, Hello, passport
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
-author: mapalko
-ms.author: mapalko
-manager: dansimp
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
-ms.date: 08/19/2018
-ms.reviewer:
----
-# Windows Hello for Business Frequently Asked Questions
-
-**Applies to**
-- Windows 10
-
-## What about virtual smart cards?
-Windows Hello for Business is the modern, two-factor credential for Windows 10. Microsoft will be deprecating virtual smart cards in the future, but no date is set at this time. Customers using Windows 10 and virtual smart cards should move to Windows Hello for Business. Microsoft will publish the date early to ensure customers have adequate lead time to move to Windows Hello for Business. Microsoft recommends new Windows 10 deployments to use Windows Hello for Business. Virtual smart card remain supported for Windows 7 and Windows 8.
-
-## What about convenience PIN?
-Microsoft is committed to its vision of a world without passwords. We recognize the *convenience* provided by convenience PIN, but it stills uses a password for authentication. Microsoft recommends customers using Windows 10 and convenience PINs should move to Windows Hello for Business. New Windows 10 deployments should deploy Windows Hello for Business and not convenience PINs. Microsoft will be deprecating convenience PINs in the future and will publish the date early to ensure customers have adequate lead time to deploy Windows Hello for Business.
-
-## Can I use Windows Hello for Business key trust and RDP?
-RDP currently does not support using key based authentication and self signed certificates as supplied credentials. RDP with supplied credentials Windows Hello for Business is currently only supported with certificate based deployments. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/remote-credential-guard).
-
-## Can I deploy Windows Hello for Business using Microsoft Endpoint Configuration Manager?
-Windows Hello for Business deployments using Configuration Manager should use the hybrid deployment model that uses Active Directory Federation Services. Starting in Configuration Manager version 1910, certificate-based authentication with Windows Hello for Business settings isn't supported. Key-based authentication is still valid with Configuration Manager. For more information, see [Windows Hello for Business settings in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-hello-for-business-settings).
-
-## How many users can enroll for Windows Hello for Business on a single Windows 10 computer?
-The maximum number of supported enrollments on a single Windows 10 computer is 10. That enables 10 users to each enroll their face and up to 10 fingerprints. While we support 10 enrollments, we will strongly encourage the use of Windows Hello security keys for the shared computer scenario when they become available.
-
-## How can a PIN be more secure than a password?
-When using Windows Hello for Business, the PIN is not a symmetric key where is the password is a symmetric key. With passwords, there is a server that has some representation of the password. With Windows Hello for Business, the PIN is user provided entropy used to load the private key in the TPM. The server does not have a copy of the PIN. For that matter, the Windows client does not have a copy of the current PIN either. The user must provide the entropy, the TPM protected key, and the TPM that generated that key to successfully have access to the private key.
-
-The statement "PIN is stronger than Password" is not directed at the strength of the entropy used by the PIN. It is about the difference of providing entropy vs continuing the use of a symmetric key (the password). The TPM has anti-hammering features which thwart brute-force PIN attacks (an attackers continuous attempt to try all combination of PINs). Some organizations may worry about shoulder surfing. For those organizations, rather than increased the complexity of the PIN, implement the [Multifactor Unlock](feature-multifactor-unlock.md) feature.
-
-## Why is the Key Admins group missing, I have Windows Server 2016 domain controller(s)?
-The **Key Admins** and **Enterprise Key Admins** groups are created when you install the first Windows Server 2016 domain controller into a domain. Domain controllers running previous versions of Windows Server cannot translate the security identifier (SID) to a name. To resolve this, transfer the PDC emulator domain role to a domain controller running Windows Server 2016.
-
-## Can I use a convenience PIN with Azure AD?
-It is currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. Convenience PIN is not supported for Azure Active Directory user accounts. It is only supported for on-premises Domain Joined users and local account users.
-
-## Can I use an external camera when my laptop is closed or docked?
-No. Windows 10 currently only supports one Windows Hello for Business camera and does not fluidly switch to an external camera when the computer is docked with the lid closed. The product group is aware of this and is investigating this topic further.
-
-## Why does authentication fail immediately after provisioning Hybrid Key Trust?
-In a hybrid deployment, a user's public key must sync from Azure AD to AD before it can be used to authenticate against a domain controller. This sync is handled by Azure AD Connect and will occur during a normal sync cycle.
-
-## What is the password-less strategy?
-Watch Principal Program Manager Karanbir Singh's Ignite 2017 presentation **Microsoft's guide for going password-less**.
-
-[Microsoft's password-less strategy](hello-videos.md#microsofts-passwordless-strategy)
-
-## What is the user experience for Windows Hello for Business?
-The user experience for Windows Hello for Business occurs after user sign-in, after you deploy Windows Hello for Business policy settings to your environment.
-
-[Windows Hello for Business user enrollment experience](hello-videos.md#windows-hello-for-business-user-enrollment-experience)
-
-## What happens when my user forgets their PIN?
-If the user can sign-in with a password, they can reset their PIN by clicking the "I forgot my PIN" link in settings. Beginning with Windows 10 1709, users can reset their PIN above the lock screen by clicking the "I forgot my PIN" link on the PIN credential provider.
-
-[Windows Hello for Business forgotten PIN user experience](hello-videos.md#windows-hello-for-business-forgotten-pin-user-experience)
-
-For on-premises deployments, devices must be well-connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid customers can on-board their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs without access to their corporate network.
-
-## What URLs do I need to allow for a hybrid deployment?
-Communicating with Azure Active Directory uses the following URLs:
-- enterpriseregistration.windows.net
-- login.microsoftonline.com
-- login.windows.net
-
-If your environment uses Microsoft Intune, you need these additional URLs:
-- enrollment.manage.microsoft.com
-- portal.manage.microsoft.com
-
-## What is the difference between non-destructive and destructive PIN reset?
-Windows Hello for Business has two types of PIN reset: non-destructive and destructive. Organizations running Windows 10 Enterprise and Azure Active Directory can take advantage of the Microsoft PIN Reset service. Once on-boarded to a tenant and deployed to computers, users who have forgotten their PINs can authenticate to Azure, provided a second factor of authentication, and reset their PIN without re-provisioning a new Windows Hello for Business enrollment. This is a non-destructive PIN reset because the user does not delete the current credential and obtain a new one. Read [PIN Reset](hello-feature-pin-reset.md) page for more information.
-
-Organizations that have the on-premises deployment of Windows Hello for Business, or those not using Windows 10 Enterprise can use destructive PIN reset. with destructive PIN reset, users that have forgotten their PIN can authenticate using their password, perform a second factor of authentication to re-provision their Windows Hello for Business credential. Re-provisioning deletes the old credential and requests a new credential and certificate. On-premises deployments need network connectivity to their domain controllers, Active Directory Federation Services, and their issuing certificate authority to perform a destructive PIN reset. Also, for hybrid deployments, destructive PIN reset is only supported with the certificate trust model and the latest updates to Active Directory Federation Services.
-
-## Which is better or more secure: Key trust or Certificate trust?
-The trust models of your deployment determine how you authenticate to Active Directory (on-premises). Both key trust and certificate trust use the same hardware-backed, two-factor credential. The difference between the two trust types are:
-- Required domain controllers
-- Issuing end entity certificates
-
-The **key trust** model authenticates to Active Directory using a raw key. Windows Server 2016 domain controllers enables this authentication. Key trust authenticate does not require an enterprise issued certificate, therefore you do not need to issue certificates to your end users (domain controller certificates are still needed).
-
-The **certificate trust** model authenticates to Active Directory using a certificate. Because this authentication uses a certificate, domain controllers running previous versions of Windows Server can authenticate the user. Therefore, you need to issue certificates to your end users, but you do not need Windows Server 2016 domain controllers. The certificate used in certificate trust uses the TPM protected private key to request a certificate from your enterprise's issuing certificate authority.
-
-## Do I need Windows Server 2016 domain controllers?
-There are many deployment options from which to choose. Some of those options require an adequate number of Windows Server 2016 domain controllers in the site where you have deployed Windows Hello for Business. There are other deployment options that use existing Windows Server 2008 R2 or later domain controllers. Choose the deployment option that best suits your environment.
-
-## What attributes are synchronized by Azure AD Connect with Windows Hello for Business?
-Review [Azure AD Connect sync: Attributes synchronized to Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized) for a list of attributes that are sync based on scenarios. The base scenarios that include Windows Hello for Business are [Windows 10](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#windows-10) scenario and the [Device writeback](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#device-writeback) scenario. Your environment may include additional attributes.
-
-## Is Windows Hello for Business multifactor authentication?
-Windows Hello for Business is two-factor authentication based on the observed authentication factors of: something you have, something you know, and something part of you. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. Using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor".
-
-## What are the biometric requirements for Windows Hello for Business?
-Read [Windows Hello biometric requirements](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) for more information.
-
-## Can I use both a PIN and biometrics to unlock my device?
-Starting in Windows 10, version 1709, you can use multi-factor unlock to require the user to provide an additional factor to unlock the device. Authentication remains two-factor, but another factor is required before Windows allows the user to reach the desktop. Read more about [multifactor unlock](feature-multifactor-unlock.md).
-
-## What is the difference between Windows Hello and Windows Hello for Business?
-Windows Hello represents the biometric framework provided in Windows 10. Windows Hello enables users to use biometrics to sign into their devices by securely storing their user name and password and releasing it for authentication when the user successfully identifies themselves using biometrics. Windows Hello for Business uses asymmetric keys protected by the device's security module that requires a user gesture (PIN or biometrics) to authenticate.
-
-## Why can't I enroll biometrics for my local built-in Administrator?
-Windows 10 does not allow the local administrator to enroll biometric gestures (face or fingerprint).
-
-## I have extended Active Directory to Azure Active Directory. Can I use the on-premises deployment model?
-No. If your organization is federated or using on-line services, such as Azure AD Connect, Office 365, or OneDrive, then you must use a hybrid deployment model. On-premises deployments are exclusive to organization who need more time before moving to the cloud and exclusively use Active Directory.
-
-## Does Windows Hello for Business prevent the use of simple PINs?
-Yes. Our simple PIN algorithm looks for and disallows any PIN that has a constant delta from one digit to the next. The algorithm counts the number of steps required to reach the next digit, overflowing at ten ('zero').
-So, for example:
-* The PIN 1111 has a constant delta of (0,0,0), so it is not allowed
-* The PIN 1234 has a constant delta of (1,1,1), so it is not allowed
-* The PIN 1357 has a constant delta of (2,2,2), so it is not allowed
-* The PIN 9630 has a constant delta of (7,7,7), so it is not allowed
-* The PIN 1593 has a constant delta of (4,4,4), so it is not allowed
-* The PIN 7036 has a constant delta of (3,3,3), so it is not allowed
-* The PIN 1231 does not have a constant delta (1,1,8), so it is allowed
-* The PIN 1872 does not have a constant delta (7,9,5), so it is allowed
-
-This prevents repeating numbers, sequential numbers, and simple patterns.
-It always results in a list of 100 disallowed PINs (independent of the PIN length).
-This algorithm does not apply to alphanumeric PINs.
-
-## How does PIN caching work with Windows Hello for Business?
-
-Windows Hello for Business provides a PIN caching user experience using a ticketing system. Rather than caching a PIN, processes cache a ticket they can use to request private key operations. Azure AD and Active Directory sign-in keys are cached under lock. This means the keys remain available for use without prompting as long as the user is interactively signed-in. Microsoft Account sign-in keys are considered transactional keys, which means the user is always prompted when accessing the key.
-
-Beginning with Windows 10, version 1709, Windows Hello for Business used as a smart card (smart card emulation that is enabled by default) provides the same user experience of default smart card PIN caching. Each process requesting a private key operation will prompt the user for the PIN on first use. Subsequent private key operations will not prompt the user for the PIN.
-
-The smart card emulation feature of Windows Hello for Business verifies the PIN and then discards the PIN in exchange for a ticket. The process does not receive the PIN, but rather the ticket that grants them private key operations. Windows 10 does not provide any Group Policy settings to adjust this caching.
-
-## Can I disable the PIN while using Windows Hello for Business?
-No. The movement away from passwords is accomplished by gradually reducing the use of the password. In the occurrence where you cannot authenticate with biometrics, you need a fall back mechanism that is not a password. The PIN is the fall back mechanism. Disabling or hiding the PIN credential provider disabled the use of biometrics.
-
-## How are keys protected?
-Wherever possible, Windows Hello for Business takes advantage of trusted platform module (TPM) 2.0 hardware to generate and protect keys. However, Windows Hello and Windows Hello for Business does not require a TPM. Administrators can choose to allow key operations in software.
-
-Whenever possible, Microsoft strongly recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will have to reset the PIN (which means he or she will have to use MFA to re-authenticate to the IDP before the IDP allows him or her to re-register).
-
-## Can Windows Hello for Business work in air-gapped environments?
-Yes. You can use the on-premises Windows Hello for Business deployment and combine it with a third-party MFA provider that does not require Internet connectivity to achieve an air-gapped Windows Hello for Business deployment.
-
-## Can I use third-party authentication providers with Windows Hello for Business?
-Yes, if you are federated hybrid deployment, you can use any third-party that provides an Active Directory Federation Services (AD FS) multi-factor authentication adapter. A list of third-party MFA adapters can be found [here](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods).
-
-## Does Windows Hello for Business work with third party federation servers?
-Windows Hello for Business can work with any third-party federation servers that support the protocols used during provisioning experience. Interested third-parties can inquiry at [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration).
-
-| Protocol | Description |
-| :---: | :--- |
-| [[MS-KPP]: Key Provisioning Protocol](https://msdn.microsoft.com/library/mt739755.aspx) | Specifies the Key Provisioning Protocol, which defines a mechanism for a client to register a set of cryptographic keys on a user and device pair. |
-| [[MS-OAPX]: OAuth 2.0 Protocol Extensions](https://msdn.microsoft.com/library/dn392779.aspx)| Specifies the OAuth 2.0 Protocol Extensions, which are used to extend the OAuth 2.0 Authorization Framework. These extensions enable authorization features such as resource specification, request identifiers, and login hints. |
-| [[MS-OAPXBC]: OAuth 2.0 Protocol Extensions for Broker Clients](https://msdn.microsoft.com/library/mt590278.aspx) | Specifies the OAuth 2.0 Protocol Extensions for Broker Clients, extensions to RFC6749 (The OAuth 2.0 Authorization Framework) that allow a broker client to obtain access tokens on behalf of calling clients. |
-| [[MS-OIDCE]: OpenID Connect 1.0 Protocol Extensions](https://msdn.microsoft.com/library/mt766592.aspx) | Specifies the OpenID Connect 1.0 Protocol Extensions. These extensions define additional claims to carry information about the end user, including the user principal name, a locally unique identifier, a time for password expiration, and a URL for password change. These extensions also define additional provider meta-data that enable the discovery of the issuer of access tokens and give additional information about provider capabilities. |
-
-## Does Windows Hello for Business work with Mac and Linux clients?
-Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third parties who are interested in moving these platforms away from passwords. Interested third parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration).
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml
new file mode 100644
index 0000000000..ae0af27fe6
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml
@@ -0,0 +1,222 @@
+### YamlMime:FAQ
+metadata:
+ title: Windows Hello for Business Frequently Asked Questions (FAQ)
+ description: Use these frequently asked questions (FAQ) to learn important details about Windows Hello for Business.
+ keywords: identity, PIN, biometric, Hello, passport
+ ms.prod: w10
+ ms.mktglfcycl: deploy
+ ms.sitesec: library
+ ms.pagetype: security, mobile
+ audience: ITPro
+ author: mapalko
+ ms.author: mapalko
+ manager: dansimp
+ ms.collection: M365-identity-device-management
+ ms.topic: article
+ localizationpriority: medium
+ ms.date: 01/14/2021
+ ms.reviewer:
+
+title: Windows Hello for Business Frequently Asked Questions (FAQ)
+summary: |
+ Applies to: Windows 10
+
+
+sections:
+ - name: Ignored
+ questions:
+ - question: What about virtual smart cards?
+ answer: |
+ Windows Hello for Business is the modern, two-factor credential for Windows 10. Microsoft will be deprecating virtual smart cards in the future, but no date is set at this time. Customers using Windows 10 and virtual smart cards should move to Windows Hello for Business. Microsoft will publish the date early to ensure customers have adequate lead time to move to Windows Hello for Business. Microsoft recommends that new Windows 10 deployments use Windows Hello for Business. Virtual smart card remain supported for Windows 7 and Windows 8.
+
+ - question: What about convenience PIN?
+ answer: |
+ Microsoft is committed to its vision of a world without passwords. We recognize the *convenience* provided by convenience PIN, but it stills uses a password for authentication. Microsoft recommends that customers using Windows 10 and convenience PINs should move to Windows Hello for Business. New Windows 10 deployments should deploy Windows Hello for Business and not convenience PINs. Microsoft will be deprecating convenience PINs in the future and will publish the date early to ensure customers have adequate lead time to deploy Windows Hello for Business.
+
+ - question: Can I use Windows Hello for Business key trust and RDP?
+ answer: |
+ Remote Desktop Protocol (RDP) does not currently support using key-based authentication and self-signed certificates as supplied credentials. RDP with supplied credentials is currently only supported with certificate-based deployments. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/remote-credential-guard).
+
+ - question: Can I deploy Windows Hello for Business by using Microsoft Endpoint Configuration Manager?
+ answer: |
+ Windows Hello for Business deployments using Configuration Manager should follow the hybrid deployment model that uses Active Directory Federation Services. Starting in Configuration Manager version 1910, certificate-based authentication with Windows Hello for Business settings isn't supported. Key-based authentication is still valid with Configuration Manager. For more information, see [Windows Hello for Business settings in Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-hello-for-business-settings).
+
+ - question: How many users can enroll for Windows Hello for Business on a single Windows 10 computer?
+ answer: |
+ The maximum number of supported enrollments on a single Windows 10 computer is 10. This lets 10 users each enroll their face and up to 10 fingerprints. While we support 10 enrollments, we will strongly encourage the use of Windows Hello security keys for the shared computer scenario when they become available.
+
+ - question: How can a PIN be more secure than a password?
+ answer: |
+ When using Windows Hello for Business, the PIN is not a symmetric key, whereas the password is a symmetric key. With passwords, there's a server that has some representation of the password. With Windows Hello for Business, the PIN is user-provided entropy used to load the private key in the Trusted Platform Module (TPM). The server does not have a copy of the PIN. For that matter, the Windows client does not have a copy of the current PIN either. The user must provide the entropy, the TPM-protected key, and the TPM that generated that key in order to successfully access the private key.
+
+ The statement "PIN is stronger than Password" is not directed at the strength of the entropy used by the PIN. It's about the difference between providing entropy versus continuing the use of a symmetric key (the password). The TPM has anti-hammering features that thwart brute-force PIN attacks (an attacker's continuous attempt to try all combination of PINs). Some organizations may worry about shoulder surfing. For those organizations, rather than increase the complexity of the PIN, implement the [Multifactor Unlock](feature-multifactor-unlock.md) feature.
+
+ - question: How does Windows Hello for Business work with Azure AD registered devices?
+ answer: |
+ On Azure AD registered devices, a user will be asked to provision a Windows Hello for Business key if the feature is enabled by mobile device management policy. If the user has an existing Windows Hello container for use with their local or Microsoft connected account, the Windows Hello for Business key will be enrolled in their existing container and will be protected using their exiting gestures.
+
+ If a user has signed into their Azure AD registered device with Windows Hello, their Windows Hello for Business key will be used to authenticate the user's work identity when they try to use Azure AD resources. The Windows Hello for Business key meets Azure AD multi-factor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources.
+
+ It is possible to Azure AD register a domain joined device. If the domain joined device has a convenience PIN, login with the convenience PIN will no longer work. This configuration is not supported by Windows Hello for Business.
+
+ For more information please read [Azure AD registered devices](https://docs.microsoft.com/azure/active-directory/devices/concept-azure-ad-register).
+
+ - question: I have Windows Server 2016 domain controller(s), so why is the Key Admins group missing?
+ answer: |
+ The **Key Admins** and **Enterprise Key Admins** groups are created when you install the first Windows Server 2016 domain controller into a domain. Domain controllers running previous versions of Windows Server cannot translate the security identifier (SID) to a name. To resolve this, transfer the PDC emulator domain role to a domain controller running Windows Server 2016.
+
+ - question: Can I use a convenience PIN with Azure Active Directory?
+ answer: |
+ It's currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. Convenience PIN is not supported for Azure Active Directory user accounts (synchronized identities included). It's only supported for on-premises Domain Joined users and local account users.
+
+ - question: Can I use an external camera when my laptop is closed or docked?
+ answer: |
+ No. Windows 10 currently only supports one Windows Hello for Business camera and does not fluidly switch to an external camera when the computer is docked with the lid closed. The product group is aware of this and is investigating this topic further.
+
+ - question: Why does authentication fail immediately after provisioning hybrid key trust?
+ answer: |
+ In a hybrid deployment, a user's public key must sync from Azure AD to AD before it can be used to authenticate against a domain controller. This sync is handled by Azure AD Connect and will occur during a normal sync cycle.
+
+ - question: What is the password-less strategy?
+ answer: |
+ Watch Principal Program Manager Karanbir Singh's **Microsoft's guide for going password-less** Ignite 2017 presentation.
+
+ [Microsoft's password-less strategy](hello-videos.md#microsofts-passwordless-strategy)
+
+ - question: What is the user experience for Windows Hello for Business?
+ answer: |
+ The user experience for Windows Hello for Business occurs after user sign-in, after you deploy Windows Hello for Business policy settings to your environment.
+
+ [Windows Hello for Business user enrollment experience](hello-videos.md#windows-hello-for-business-user-enrollment-experience)
+
+ - question: What happens when a user forgets their PIN?
+ answer: |
+ If the user can sign-in with a password, they can reset their PIN by selecting the "I forgot my PIN" link in Settings. Beginning with Windows 10 1709, users can reset their PIN above the lock screen by selecting the "I forgot my PIN" link on the PIN credential provider.
+
+ [Windows Hello for Business forgotten PIN user experience](hello-videos.md#windows-hello-for-business-forgotten-pin-user-experience)
+
+ For on-premises deployments, devices must be well-connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid customers can on-board their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs without access to their corporate network.
+
+ - question: What URLs do I need to allow for a hybrid deployment?
+ answer: |
+ Communicating with Azure Active Directory uses the following URLs:
+ - enterpriseregistration.windows.net
+ - login.microsoftonline.com
+ - login.windows.net
+ - account.live.com
+ - accountalt.azureedge.net
+ - secure.aadcdn.microsoftonline-p.com
+
+ If your environment uses Microsoft Intune, you need these additional URLs:
+ - enrollment.manage.microsoft.com
+ - portal.manage.microsoft.com
+
+ - question: What's the difference between non-destructive and destructive PIN reset?
+ answer: |
+ Windows Hello for Business has two types of PIN reset: non-destructive and destructive. Organizations running Windows 10 Enterprise and Azure Active Directory can take advantage of the Microsoft PIN Reset service. Once onboarded to a tenant and deployed to computers, users who have forgotten their PINs can authenticate to Azure, provide a second factor of authentication, and reset their PIN without re-provisioning a new Windows Hello for Business enrollment. This is a non-destructive PIN reset because the user doesn't delete the current credential and obtain a new one. For more information, see [PIN Reset](hello-feature-pin-reset.md).
+
+ Organizations that have the on-premises deployment of Windows Hello for Business, or those not using Windows 10 Enterprise can use destructive PIN reset. With destructive PIN reset, users that have forgotten their PIN can authenticate by using their password and then performing a second factor of authentication to re-provision their Windows Hello for Business credential. Re-provisioning deletes the old credential and requests a new credential and certificate. On-premises deployments need network connectivity to their domain controllers, Active Directory Federation Services, and their issuing certificate authority to perform a destructive PIN reset. Also, for hybrid deployments, destructive PIN reset is only supported with the certificate trust model and the latest updates to Active Directory Federation Services.
+
+ - question: |
+ Which is better or more secure: key trust or certificate trust?
+ answer: |
+ The trust models of your deployment determine how you authenticate to Active Directory (on-premises). Both key trust and certificate trust use the same hardware-backed, two-factor credential. The difference between the two trust types are:
+ - Required domain controllers
+ - Issuing end entity certificates
+
+ The **key trust** model authenticates to Active Directory by using a raw key. Windows Server 2016 domain controllers enable this authentication. Key trust authenticate does not require an enterprise issued certificate, therefore you don't need to issue certificates to users (domain controller certificates are still needed).
+
+ The **certificate trust** model authenticates to Active Directory by using a certificate. Because this authentication uses a certificate, domain controllers running previous versions of Windows Server can authenticate the user. Therefore, you need to issue certificates to users, but you don't need Windows Server 2016 domain controllers. The certificate used in certificate trust uses the TPM-protected private key to request a certificate from your enterprise's issuing certificate authority.
+
+ - question: Do I need Windows Server 2016 domain controllers?
+ answer: |
+ There are many deployment options from which to choose. Some of those options require an adequate number of Windows Server 2016 domain controllers in the site where you've deployed Windows Hello for Business. There are other deployment options that use existing Windows Server 2008 R2 or later domain controllers. Choose the deployment option that best suits your environment.
+
+ - question: What attributes are synchronized by Azure AD Connect with Windows Hello for Business?
+ answer: |
+ Review [Azure AD Connect sync: Attributes synchronized to Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized) for a list of attributes that sync based on scenarios. The base scenarios that include Windows Hello for Business are the [Windows 10](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#windows-10) scenario and the [Device writeback](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#device-writeback) scenario. Your environment may include additional attributes.
+
+ - question: Is Windows Hello for Business multi-factor authentication?
+ answer: |
+ Windows Hello for Business is two-factor authentication based on the observed authentication factors of: something you have, something you know, and something that's part of you. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. By using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor".
+
+ - question: What are the biometric requirements for Windows Hello for Business?
+ answer: |
+ Read [Windows Hello biometric requirements](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) for more information.
+
+ - question: Can I use both a PIN and biometrics to unlock my device?
+ answer: |
+ Starting in Windows 10, version 1709, you can use multi-factor unlock to require users to provide an additional factor to unlock their device. Authentication remains two-factor, but another factor is required before Windows allows the user to reach the desktop. To learn more, see [Multifactor Unlock](feature-multifactor-unlock.md).
+
+ - question: Can I wear a mask to enroll or unlock using Windows Hello face authentication?
+ answer: |
+ Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock you device. The product group is aware of this behavior and is investigating this topic further. Please remove a mask if you are wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn’t allow you to remove a mask temporarily, please consider unenrolling from face authentication and only using PIN or fingerprint.
+
+ - question: What's the difference between Windows Hello and Windows Hello for Business?
+ answer: |
+ Windows Hello represents the biometric framework provided in Windows 10. Windows Hello lets users use biometrics to sign in to their devices by securely storing their user name and password and releasing it for authentication when the user successfully identifies themselves using biometrics. Windows Hello for Business uses asymmetric keys protected by the device's security module that requires a user gesture (PIN or biometrics) to authenticate.
+
+ - question: Why can't I enroll biometrics for my local, built-in administrator?
+ answer: |
+ Windows 10 does not allow the local administrator to enroll biometric gestures (face or fingerprint).
+
+ - question: I have extended Active Directory to Azure Active Directory. Can I use the on-premises deployment model?
+ answer: |
+ No. If your organization is federated or using online services, such as Azure AD Connect, Office 365, or OneDrive, then you must use a hybrid deployment model. On-premises deployments are exclusive to organizations who need more time before moving to the cloud and exclusively use Active Directory.
+
+ - question: Does Windows Hello for Business prevent the use of simple PINs?
+ answer: |
+ Yes. Our simple PIN algorithm looks for and disallows any PIN that has a constant delta from one digit to the next. The algorithm counts the number of steps required to reach the next digit, overflowing at ten ('zero').
+ So, for example:
+
+ - The PIN 1111 has a constant delta of (0,0,0), so it is not allowed
+ - The PIN 1234 has a constant delta of (1,1,1), so it is not allowed
+ - The PIN 1357 has a constant delta of (2,2,2), so it is not allowed
+ - The PIN 9630 has a constant delta of (7,7,7), so it is not allowed
+ - The PIN 1593 has a constant delta of (4,4,4), so it is not allowed
+ - The PIN 7036 has a constant delta of (3,3,3), so it is not allowed
+ - The PIN 1231 does not have a constant delta (1,1,8), so it is allowed
+ - The PIN 1872 does not have a constant delta (7,9,5), so it is allowed
+
+ This prevents repeating numbers, sequential numbers, and simple patterns. It always results in a list of 100 disallowed PINs (independent of the PIN length). This algorithm does not apply to alphanumeric PINs.
+
+ - question: How does PIN caching work with Windows Hello for Business?
+ answer: |
+ Windows Hello for Business provides a PIN caching user experience by using a ticketing system. Rather than caching a PIN, processes cache a ticket they can use to request private key operations. Azure AD and Active Directory sign-in keys are cached under lock. This means the keys remain available for use without prompting, as long as the user is interactively signed-in. Microsoft Account sign-in keys are considered transactional keys, which means the user is always prompted when accessing the key.
+
+ Beginning with Windows 10, version 1709, Windows Hello for Business used as a smart card (smart card emulation that is enabled by default) provides the same user experience of default smart card PIN caching. Each process requesting a private key operation will prompt the user for the PIN on first use. Subsequent private key operations will not prompt the user for the PIN.
+
+ The smart card emulation feature of Windows Hello for Business verifies the PIN and then discards the PIN in exchange for a ticket. The process does not receive the PIN, but rather the ticket that grants them private key operations. Windows 10 does not provide any Group Policy settings to adjust this caching.
+
+ - question: Can I disable the PIN while using Windows Hello for Business?
+ answer: |
+ No. The movement away from passwords is accomplished by gradually reducing the use of the password. In situations where you can't authenticate by using biometrics, you need a fallback mechanism that is not a password. The PIN is the fallback mechanism. Disabling or hiding the PIN credential provider will disable the use of biometrics.
+
+ - question: How are keys protected?
+ answer: |
+ Wherever possible, Windows Hello for Business takes advantage of Trusted Platform Module (TPM) 2.0 hardware to generate and protect keys. However, Windows Hello and Windows Hello for Business do not require a TPM. Administrators can choose to allow key operations in software.
+
+ Whenever possible, Microsoft strongly recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will need to reset the PIN (which means they'll need to use MFA to re-authenticate to the IDP before the IDP allows them to re-register).
+
+ - question: Can Windows Hello for Business work in air-gapped environments?
+ answer: |
+ Yes. You can use the on-premises Windows Hello for Business deployment and combine it with a third-party MFA provider that does not require internet connectivity to achieve an air-gapped Windows Hello for Business deployment.
+
+ - question: Can I use third-party authentication providers with Windows Hello for Business?
+ answer: |
+ Yes, if you're using federated hybrid deployment, you can use any third-party that provides an Active Directory Federation Services (AD FS) multi-factor authentication adapter. A list of third-party MFA adapters can be found [here](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods).
+
+ - question: Does Windows Hello for Business work with third-party federation servers?
+ answer: |
+ Windows Hello for Business works with any third-party federation servers that support the protocols used during the provisioning experience. Interested third-parties can inquiry at [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration).
+
+ | Protocol | Description |
+ | :---: | :--- |
+ | [[MS-KPP]: Key Provisioning Protocol](https://msdn.microsoft.com/library/mt739755.aspx) | Specifies the Key Provisioning Protocol, which defines a mechanism for a client to register a set of cryptographic keys on a user and device pair. |
+ | [[MS-OAPX]: OAuth 2.0 Protocol Extensions](https://msdn.microsoft.com/library/dn392779.aspx)| Specifies the OAuth 2.0 Protocol Extensions, which are used to extend the OAuth 2.0 Authorization Framework. These extensions enable authorization features such as resource specification, request identifiers, and login hints. |
+ | [[MS-OAPXBC]: OAuth 2.0 Protocol Extensions for Broker Clients](https://msdn.microsoft.com/library/mt590278.aspx) | Specifies the OAuth 2.0 Protocol Extensions for Broker Clients, extensions to RFC6749 (the OAuth 2.0 Authorization Framework) that allow a broker client to obtain access tokens on behalf of calling clients. |
+ | [[MS-OIDCE]: OpenID Connect 1.0 Protocol Extensions](https://msdn.microsoft.com/library/mt766592.aspx) | Specifies the OpenID Connect 1.0 Protocol Extensions. These extensions define additional claims to carry information about the user, including the user principal name, a locally unique identifier, a time for password expiration, and a URL for password change. These extensions also define additional provider meta-data that enables the discovery of the issuer of access tokens and gives additional information about provider capabilities. |
+
+ - question: Does Windows Hello for Business work with Mac and Linux clients?
+ answer: |
+ Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third-parties who are interested in moving these platforms away from passwords. Interested third-parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration).
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
index 73e734e99b..470d856d45 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
@@ -32,7 +32,7 @@ In a mobile-first, cloud-first world, Azure Active Directory enables single sign
To improve productivity, Azure Active Directory provides your users with a broad range of options to access your corporate assets. With application access management, Azure Active Directory enables you to ensure that only the right people can access your applications. What if you want to have more control over how the right people are accessing your resources under certain conditions? What if you even have conditions under which you want to block access to certain applications even for the right people? For example, it might be OK for you if the right people are accessing certain applications from a trusted network; however, you might not want them to access these applications from a network you don't trust. You can address these questions using conditional access.
> [!NOTE]
-> For more details about the way Windows Hello for Business interacts with Azure Multi Factor Authentication and Conditional Access, see [this article](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/why-are-my-users-not-prompted-for-mfa-as-expected/ba-p/1449032).
+> For more details about the way Windows Hello for Business interacts with Azure AD Multi-Factor Authentication and Conditional Access, see [this article](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/why-are-my-users-not-prompted-for-mfa-as-expected/ba-p/1449032).
Read [Conditional access in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-azure-portal) to learn more about Conditional Access. Afterwards, read [Getting started with conditional access in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-azure-portal-get-started) to start deploying Conditional access.
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
index f6a0ebc776..e558366ee8 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@@ -13,7 +13,7 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
-ms.date: 09/09/2019
+ms.date: 12/22/2020
ms.reviewer:
---
@@ -44,53 +44,58 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se
### Connect Azure Active Directory with the PIN reset service
1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant.
-2. After you have logged in, choose **Accept** to give consent for the PIN reset service to access your account.
-
-3. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant.
-4. After you have logged in, choose **Accept** to give consent for the PIN reset client to access your account.
+2. After you have logged in, choose **Accept** to give consent for the PIN reset service to access your account.
+
+ 
+
+3. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant.
+
+4. After you have logged in, choose **Accept** to give consent for the PIN reset client to access your account.
+ 
> [!NOTE]
> After you have accepted the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN reset applications are listed for your tenant.
-
-
-
5. In the [Azure portal](https://portal.azure.com), verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant.
-
+
+ > [!div class="mx-imgBorder"]
+ > 
### Configure Windows devices to use PIN reset using Group Policy
You configure Windows 10 to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object.
1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory.
-2. Edit the Group Policy object from step 1.
-3. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**.
+
+2. Edit the Group Policy object from Step 1.
+
+3. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**.
+
4. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC.
-### Configure Windows devices to use PIN reset using Microsoft Intune
-
-To configure PIN reset on Windows devices you manage, use an [Intune Windows 10 custom device policy](https://docs.microsoft.com/intune/custom-settings-windows-10) to enable the feature. Configure the policy using the following Windows policy configuration service provider (CSP):
-
#### Create a PIN Reset Device configuration profile using Microsoft Intune
-1. Sign-in to [Azure Portal](https://portal.azure.com) using a Global administrator account.
-2. You need your tenant ID to complete the following task. You can discover your tenant ID by viewing the **Properties** of your Azure Active Directory from the Azure Portal. It will be listed under Directory ID. You can also use the following command in a Command window on any Azure AD-joined or hybrid Azure AD-joined computer.
+1. Sign-in to [Endpoint Manager admin center](https://endpoint.microsoft.com/) using a Global administrator account.
- ```
- dsregcmd /status | findstr -snip "tenantid"
- ```
+2. Click **Endpoint Security** > **Account Protection** > **Properties**.
+
+3. Set **Enable PIN recovery** to **Yes**.
+
+> [!NOTE]
+> You can also setup PIN recovery using configuration profiles.
+> 1. Sign in to Endpoint Manager.
+>
+> 2. Click **Devices** > **Configuration Profiles** > Create a new profile or edit an existing profile using the Identity Protection profile type.
+>
+> 3. Set **Enable PIN recovery** to **Yes**.
-1. Navigate to the Microsoft Intune blade. Click **Device configuration**. Click **Profiles**. Click **Create profile**.
-1. Type **Use PIN Recovery** in the **Name** field. Select **Windows 10 and later** from the **Platform** list. Select **Custom** from the **Profile type** list.
-1. In the **Custom OMA-URI Settings** blade, Click **Add**.
-1. In the **Add Row** blade, type **PIN Reset Settings** in the **Name** field. In the **OMA-URI** field, type **./Device/Vendor/MSFT/PassportForWork/*tenant ID*/Policies/EnablePinRecovery** where *tenant ID* is your Azure Active Directory tenant ID from step 2.
-1. Select **Boolean** from the **Data type** list and select **True** from the **Value** list.
-1. Click **OK** to save the row configuration. Click **OK** to close the Custom OMA-URI Settings blade. Click **Create to save the profile.
-
#### Assign the PIN Reset Device configuration profile using Microsoft Intune
-1. Sign in to the [Azure Portal](https://portal.azure.com) using a Global administrator account.
+1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator account.
+
2. Navigate to the Microsoft Intune blade. Choose **Device configuration** > **Profiles**. From the list of device configuration profiles, choose the profile that contains the PIN reset configuration.
+
3. In the device configuration profile, select **Assignments**.
+
4. Use the **Include** and/or **Exclude** tabs to target the device configuration profile to select groups.
## On-premises Deployments
@@ -115,13 +120,15 @@ On-premises deployments provide users with the ability to reset forgotten PINs e
#### Reset PIN above the Lock Screen
- 1. On Windows 10, version 1709, click **I forgot my PIN** from the Windows Sign-in
- 2. Enter your password and press enter.
- 3. Follow the instructions provided by the provisioning process
- 4. When finished, unlock your desktop using your newly created PIN.
+1. On Windows 10, version 1709, click **I forgot my PIN** from the Windows Sign-in
+2. Enter your password and press enter.
+3. Follow the instructions provided by the provisioning process
+4. When finished, unlock your desktop using your newly created PIN.
->[!NOTE]
-> Visit the [Windows Hello for Business Videos](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos.md) page and watch the [Windows Hello for Business forgotten PIN user experience](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience) video.
+You may find that PIN reset from settings only works post login, and that the "lock screen" PIN reset function will not work if you have any matching limitation of SSPR password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - **General limitations**](https://docs.microsoft.com/azure/active-directory/authentication/howto-sspr-windows#general-limitations).
+
+> [!NOTE]
+> Visit the [Windows Hello for Business Videos](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos.md) page and watch [Windows Hello for Business forgotten PIN user experience](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience).
## Related topics
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
index 0ebcd33ec5..4ce58b8818 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
@@ -1,6 +1,6 @@
---
title: Remote Desktop
-description: Learn how Windows Hello for Business supports using a certificate deployed to a WHFB container to a remote desktop to a server or another device.
+description: Learn how Windows Hello for Business supports using biometrics with remote desktop
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, remote desktop, RDP
ms.prod: w10
ms.mktglfcycl: deploy
@@ -13,7 +13,7 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
-ms.date: 09/16/2020
+ms.date: 02/24/2021
ms.reviewer:
---
@@ -22,10 +22,8 @@ ms.reviewer:
**Requirements**
- Windows 10
-- Certificate trust deployments
-- Hybrid and On-premises Windows Hello for Business deployments
+- Cloud only, Hybrid, and On-premises only Windows Hello for Business deployments
- Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices
-- Certificate trust deployments
Windows Hello for Business supports using a certificate deployed to a Windows Hello for Business container as a supplied credential to establish a remote desktop connection to a server or another device. This functionality is not supported for key trust deployments. This feature takes advantage of the redirected smart card capabilities of the remote desktop protocol. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/remote-credential-guard).
@@ -35,9 +33,8 @@ Microsoft continues to investigate supporting using keys trust for supplied cred
**Requirements**
-- Hybrid and On-premises Windows Hello for Business deployments
+- Cloud only, Hybrid, and On-premises only Windows Hello for Business deployments
- Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices
-- Certificate trust deployments
- Biometric enrollments
- Windows 10, version 1809
@@ -57,7 +54,8 @@ Windows Hello for Business emulates a smart card for application compatibility.
Users appreciate convenience of biometrics and administrators value the security however, you may experience compatibility issues with your applications and Windows Hello for Business certificates. You can relax knowing a Group Policy setting and a [MDM URI](https://docs.microsoft.com/windows/client-management/mdm/passportforwork-csp) exist to help you revert to the previous behavior for those users who need it.
-
+> [!div class="mx-imgBorder"]
+> 
> [!IMPORTANT]
> The remote desktop with biometric feature does not work with [Dual Enrollment](hello-feature-dual-enrollment.md) feature or scenarios where the user provides alternative credentials. Microsoft continues to investigate supporting the feature.
diff --git a/windows/security/identity-protection/hello-for-business/hello-features.md b/windows/security/identity-protection/hello-for-business/hello-features.md
deleted file mode 100644
index d35d4dea64..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-features.md
+++ /dev/null
@@ -1,57 +0,0 @@
----
-title: Windows Hello for Business Features
-description: Consider additional features you can use after your organization deploys Windows Hello for Business.
-ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E
-ms.reviewer:
-keywords: identity, PIN, biometric, Hello, passport, WHFB, Windows Hello, PIN Reset, Dynamic Lock, Multifactor Unlock, Forgot PIN, Privileged credentials
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
-author: mapalko
-ms.author: mapalko
-manager: dansimp
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
-ms.date: 11/27/2019
----
-# Windows Hello for Business Features
-
-**Applies to:**
-
-- Windows 10
-
-Consider these additional features you can use after your organization deploys Windows Hello for Business.
-
-## Conditional access
-
-Azure Active Directory provides a wide set of options for protecting access to corporate resources. Conditional access provides more fine grained control over who can access certain resources and under what conditions. For more information see [Conditional Access](hello-feature-conditional-access.md).
-
-## Dynamic lock
-
-Dynamic lock uses a paired Bluetooth device to determine user presence and locks the device if a user is not present. For more information and configuration steps see [Dynamic Lock](hello-feature-dynamic-lock.md).
-
-## PIN reset
-
-Windows Hello for Business supports user self-management of their PIN. If a user forgets their PIN, they have the ability to reset it from Settings or the lock screen. The Microsoft PIN reset service can be used for completing this reset without the user needing to enroll a new Windows Hello for Business credential. For more information and configuration steps see [Pin Reset](hello-feature-pin-reset.md).
-
-## Dual Enrollment
-
-This feature enables provisioning of administrator Windows Hello for Business credentials that can be used by non-privileged accounts to perform administrative actions. These credentials can be used from the non-privileged accounts using **Run as different user** or **Run as administrator**. For more information and configuration steps see [Dual Enrollment](hello-feature-dual-enrollment.md).
-
-## Remote Desktop
-
-Users with Windows Hello for Business certificate trust can use their credential to authenticate to remote desktop sessions over RDP. When authenticating to the session, biometric gestures can be used if they are enrolled. For more information and configuration steps see [Remote Desktop](hello-feature-remote-desktop.md).
-
-## Related topics
-
-- [Windows Hello for Business](hello-identity-verification.md)
-- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
-- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
-- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
-- [Windows Hello and password changes](hello-and-password-changes.md)
-- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
-- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md
deleted file mode 100644
index 0e03beb9e3..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-title: How Windows Hello for Business works - Technical Deep Dive
-description: Deeply explore how Windows Hello for Business works, and how it can help your users authenticate to services.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust, works
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
-author: mapalko
-ms.author: mapalko
-manager: dansimp
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
-ms.date: 08/19/2018
-ms.reviewer:
----
-# Technical Deep Dive
-
-**Applies to:**
-- Windows 10
-
-Windows Hello for Business authentication works through collection of components and infrastructure working together. You can group the infrastructure and components in three categories:
-- [Registration](#registration)
-- [Provisioning](#provisioning)
-- [Authentication](#authentication)
-
-## Registration
-
-Registration is a fundamental prerequisite for Windows Hello for Business. Without registration, Windows Hello for Business provisioning cannot start. Registration is where the device **registers** its identity with the identity provider. For cloud and hybrid deployments, the identity provider is Azure Active Directory and the device registers with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the enterprise device registration service hosted on the federation servers (AD FS).
-
-[How Device Registration Works](hello-how-it-works-device-registration.md)
-
-
-## Provisioning
-
-Provisioning is when the user uses one form of authentication to request a new Windows Hello for Business credential. Typically the user signs in to Windows using user name and password. The provisioning flow requires a second factor of authentication before it will create a strong, two-factor Windows Hello for Business credential.
-After successfully completing the second factor of authentication, the user is asked to enroll biometrics (if available on the device) and create PIN as a backup gesture. Windows then registers the public version of the Windows Hello for Business credential with the identity provider.
-For cloud and hybrid deployments, the identity provider is Azure Active Directory and the user registers their key with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the user registers their key with the enterprise device registration service hosted on the federation servers.
-Provision can occur automatically through the out-of-box-experience (OOBE) on Azure Active Directory joined devices, or on hybrid Azure Active Directory joined devices where the user or device is influenced by Windows Hello for Business policy settings. Users can start provisioning through **Add PIN** from Windows Settings. Watch the [Windows Hello for Business enrollment experience](hello-videos.md#windows-hello-for-business-user-enrollment-experience) from our [Videos](hello-videos.md) page.
-
-[How Windows Hello for Business provisioning works](hello-how-it-works-provisioning.md)
-
-## Authentication
-
-Authentication using Windows Hello for Business is the goal, and the first step in getting to a passwordless environment. With the device registered, and provisioning complete. Users can sign-in to Windows 10 using biometrics or a PIN. PIN is the most common gesture and is available on most computers and devices. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. The PIN nor the private portion of the credential are never sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential.
-
-[How Windows Hello for Business authentication works](hello-how-it-works-authentication.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
index 72cba7a12e..cf3fb265d2 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
@@ -162,7 +162,7 @@ Primarily for large enterprise organizations with more complex authentication re
For more than a decade, many organizations have used the domain join to their on-premises Active Directory to enable:
- IT departments to manage work-owned devices from a central location.
- Users to sign in to their devices with their Active Directory work or school accounts.
-Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use Microsoft Endpoint Configuration Manager or group policy (GP) to manage them.
+Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use or group policy (GP) to manage them.
If your environment has an on-premises AD footprint and you also want benefit from the capabilities provided by Azure Active Directory, you can implement hybrid Azure AD joined devices. These are devices that are both, joined to your on-premises Active Directory and your Azure Active Directory.
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
index 528c1b6fe8..c9844c3d80 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
@@ -19,29 +19,46 @@ ms.reviewer:
**Applies to**
-- Windows 10
+- Windows 10
-Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory joined, Hybrid Azure Active Directory joined, or Azure Active Directory registered devices. Windows Hello for Business also works for domain joined devices.
+Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory joined, Hybrid Azure Active Directory joined, or Azure Active Directory registered devices. Windows Hello for Business also works for domain joined devices.
Watch this quick video where Pieter Wigleven gives a simple explanation of how Windows Hello for Business works and some of its supporting features.
> [!VIDEO https://www.youtube.com/embed/G-GJuDWbBE8]
## Technical Deep Dive
-Windows Hello for Business is a distributed system that uses several components to accomplish device registration, provisioning, and authentication. Use this section to gain a better understanding of each of the components and how they support Windows Hello for Business.
+Windows Hello for Business is a distributed system that uses several components to accomplish device registration, provisioning, and authentication. Use this section to gain a better understanding of each of the categories and how they support Windows Hello for Business.
-Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business provisioning and authentication work.
+### Device Registration
+
+Registration is a fundamental prerequisite for Windows Hello for Business. Without registration, Windows Hello for Business provisioning cannot start. Registration is where the device **registers** its identity with the identity provider. For cloud and hybrid deployments, the identity provider is Azure Active Directory and the device registers with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the enterprise device registration service hosted on the federation servers (AD FS).
+
+For more information read [how device registration works](hello-how-it-works-device-registration.md).
+
+### Provisioning
+
+Provisioning is when the user uses one form of authentication to request a new Windows Hello for Business credential. Typically the user signs in to Windows using user name and password. The provisioning flow requires a second factor of authentication before it will create a strong, two-factor Windows Hello for Business credential.
+
+Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business provisioning works.
> [!VIDEO https://www.youtube.com/embed/RImGsIjSJ1s]
+
+For more information read [how provisioning works](hello-how-it-works-provisioning.md).
+
+### Authentication
+
+With the device registered and provisioning complete, users can sign-in to Windows 10 using biometrics or a PIN. PIN is the most common gesture and is available on all computers unless restricted by policy requiring a TPM. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. Neither the PIN nor the private portion of the credential are ever sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential.
+
+Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business authentication works.
+
> [!VIDEO https://www.youtube.com/embed/WPmzoP_vMek]
-- [Technology and Terminology](hello-how-it-works-technology.md)
-- [Device Registration](hello-how-it-works-device-registration.md)
-- [Provisioning](hello-how-it-works-provisioning.md)
-- [Authentication](hello-how-it-works-authentication.md)
+For more information read [how authentication works](hello-how-it-works-authentication.md).
## Related topics
+- [Technology and Terminology](hello-how-it-works-technology.md)
- [Windows Hello for Business](hello-identity-verification.md)
- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
index cd9f264b8a..d9ccb2db53 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
@@ -13,12 +13,13 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
-ms.date: 08/19/2018
+ms.date: 01/14/2021
ms.reviewer:
---
# Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business
**Applies to**
+
- Windows 10
- Azure Active Directory joined
- Hybrid Deployment
@@ -63,6 +64,7 @@ If your CRL distribution point does not list an HTTP distribution point, then yo
> If your CA has published both the Base and the Delta CRL, please make sure you have included publishing the Delta CRL in the HTTP path. Include web server to fetch the Delta CRL by allowing double escaping in the (IIS) web server.
### Windows Server 2016 Domain Controllers
+
If you are interested in configuring your environment to use the Windows Hello for Business key rather than a certificate, then your environment must have an adequate number of Windows Server 2016 domain controllers. Only Windows Server 2016 domain controllers are capable of authenticating user with a Windows Hello for Business key. What do we mean by adequate? We are glad you asked. Read [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
If you are interested in configuring your environment to use the Windows Hello for Business certificate rather than key, then you are the right place. The same certificate configuration on the domain controllers is needed, whether you are using Windows Server 2016 domain controllers or domain controllers running earlier versions of Windows Server. You can simply ignore the Windows Server 2016 domain controller requirement.
@@ -73,20 +75,20 @@ Certificate authorities write CRL distribution points in certificates as they ar
#### Why does Windows need to validate the domain controller certificate?
-Windows Hello for Business enforces the strict KDC validation security feature, which imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business, the Windows 10 client validates the reply from the domain controller by ensuring all of the following are met:
+Windows Hello for Business enforces the strict KDC validation security feature when authenticating from an Azure AD joined device to a domain. This enforcement imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business on an Azure AD joined device, the Windows 10 client validates the reply from the domain controller by ensuring all of the following are met:
- The domain controller has the private key for the certificate provided.
- The root CA that issued the domain controller's certificate is in the device's **Trusted Root Certificate Authorities**.
- Use the **Kerberos Authentication certificate template** instead of any other older template.
-- The domain controller's certificate has the **KDC Authentication** enhanced key usage.
+- The domain controller's certificate has the **KDC Authentication** enhanced key usage (EKU).
- The domain controller's certificate's subject alternate name has a DNS Name that matches the name of the domain.
- The domain controller's certificate's signature hash algorithm is **sha256**.
- The domain controller's certificate's public key is **RSA (2048 Bits)**.
+Authenticating from a Hybrid Azure AD joined device to a domain using Windows Hello for Business does not enforce that the domain controller certificate includes the **KDC Authentication** EKU. If you are adding Azure AD joined devices to an existing domain environment, make sure to verify that your domain controller certificate has been updated to include the **KDC Authentication** EKU. If you need to update your domain controller certificate to include the **KDC Authentication** EKU, follow the instructions in [Configure Hybrid Windows Hello for Business: Public Key Infrastructure](hello-hybrid-key-whfb-settings-pki.md)
> [!Tip]
> If you are using Windows Server 2008, **Kerberos Authentication** is not the default template, so make sure to use the correct template when issuing or re-issuing the certificate.
-
## Configuring a CRL Distribution Point for an issuing certificate authority
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index 1df6239643..1c550a85f6 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -1,7 +1,7 @@
---
title: Using Certificates for AADJ On-premises Single-sign On single sign-on
description: If you want to use certificates for on-premises single-sign on for Azure Active Directory joined devices, then follow these additional steps.
-keywords: identity, PIN, biometric, Hello, passport, AADJ, SSO,
+keywords: identity, PIN, biometric, Hello, passport, AADJ, SSO,
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -14,11 +14,12 @@ ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/19/2018
-ms.reviewer:
+ms.reviewer:
---
+
# Using Certificates for AADJ On-premises Single-sign On
-**Applies to**
+**Applies to:**
- Windows 10
- Azure Active Directory joined
- Hybrid Deployment
@@ -27,7 +28,7 @@ ms.reviewer:
If you plan to use certificates for on-premises single-sign on, then follow these **additional** steps to configure the environment to enroll Windows Hello for Business certificates for Azure AD joined devices.
> [!IMPORTANT]
-> Ensure you have performed the configurations in [Azure AD joined devices for On-premises Single-Sign On](hello-hybrid-aadj-sso-base.md) before you continue.
+> Ensure you have performed the configurations in [Azure AD joined devices for On-premises Single-Sign On](hello-hybrid-aadj-sso-base.md) before you continue.
Steps you will perform include:
- [Prepare Azure AD Connect](#prepare-azure-ad-connect)
@@ -45,7 +46,7 @@ You need to install and configure additional infrastructure to provide Azure AD
- A Windows Server 2012 R2 domain joined server that hosts the Network Device Enrollment Services role
### High Availaibilty
-The Network Device Enrollment Services (NDES) server role acts as a certificate registration authority. Certificate registration servers enroll certificates on behalf of the user. Users request certificates from the NDES service rather than directly from the issuing certificate authority.
+The Network Device Enrollment Services (NDES) server role acts as a certificate registration authority. Certificate registration servers enroll certificates on behalf of the user. Users request certificates from the NDES service rather than directly from the issuing certificate authority.
The architecture of the NDES server prevents it from being clustered or load balanced for high availability. To provide high availability, you need to install more than one identically configured NDES servers and use Microsoft Intune to load balance then (in round-robin fashion).
@@ -55,17 +56,17 @@ The Network Device Enrollment Service (NDES) server role can issue up to three u
- Encryption
- Signature and Encryption
-If you need to deploy more than three types of certificates to the Azure AD joined device, you need additional NDES servers. Alternatively, consider consolidating certificates templates to reduce the number of certificate templates.
+If you need to deploy more than three types of certificates to the Azure AD joined device, you need additional NDES servers. Alternatively, consider consolidating certificate templates to reduce the number of certificate templates.
### Network Requirements
-All communication occurs securely over port 443.
+All communication occurs securely over port 443.
## Prepare Azure AD Connect
Successful authentication to on-premises resources using a certificate requires the certificate to provide a hint about the on-premises domain. The hint can be the user's Active Directory distinguished name as the subject of the certificate, or the hint can be the user's user principal name where the suffix matches the Active Directory domain name.
Most environments change the user principal name suffix to match the organization's external domain name (or vanity domain), which prevents the user principal name as a hint to locate a domain controller. Therefore, the certificate needs the user's on-premises distinguished name in the subject to properly locate a domain controller.
-To include the on-premises distinguished name in the certificate's subject, Azure AD Connect must replicate the Active Directory **distinguishedName** attribute to the Azure Active Directory **onPremisesDistinguishedName** attribute. Azure AD Connect version 1.1.819 includes the proper synchronization rules need to for these attributes.
+To include the on-premises distinguished name in the certificate's subject, Azure AD Connect must replicate the Active Directory **distinguishedName** attribute to the Azure Active Directory **onPremisesDistinguishedName** attribute. Azure AD Connect version 1.1.819 includes the proper synchronization rules needed for these attributes.
### Verify AAD Connect version
Sign-in to computer running Azure AD Connect with access equivalent to _local administrator_.
@@ -100,8 +101,8 @@ Sign-in to a domain controller or management workstation with access equivalent
Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
1. Open **Active Directory Users and Computers**.
-2. Expand the domain node from the navigation pane.
-3. Click **Computers** from the navigation pane. Right-click the name of the NDES server that will host the NDES server role. Click **Add to a group...**.
+2. Expand the domain node from the navigation pane.
+3. Click **Computers** from the navigation pane. Right-click the name of the NDES server that will host the NDES server role. Click **Add to a group...**.
4. Type **NDES Servers** in **Enter the object names to select**. Click **OK**. Click **OK** on the **Active Directory Domain Services** success dialog.
> [!NOTE]
@@ -118,10 +119,10 @@ Sign-in to a domain controller or management workstation with access equivalent
4. Click **Finish**.
> [!IMPORTANT]
-> Configuring the service's account password to **Password never expires** may be more convenient, but it presents a security risk. Normal service account passwords should expire in accordance with the organizations user password expiration policy. Create a reminder to change the service account's password two weeks before it will expire. Share the reminder with others that are allowed to change the password to ensure the password is changed before it expires.
+> Configuring the service's account password to **Password never expires** may be more convenient, but it presents a security risk. Normal service account passwords should expire in accordance with the organizations user password expiration policy. Create a reminder to change the service account's password two weeks before it will expire. Share the reminder with others that are allowed to change the password to ensure the password is changed before it expires.
### Create the NDES Service User Rights Group Policy object
-The Group Policy object ensures the NDES Service account has the proper user right assign all the NDES servers in the **NDES Servers** group. As you add new NDES servers to your environment and this group, the service account automatically receives the proper user rights through Group Policy.
+The Group Policy object ensures the NDES Service account has the proper user right to assign all the NDES servers in the **NDES Servers** group. As you add new NDES servers to your environment and this group, the service account automatically receives the proper user rights through the Group Policy.
Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials.
@@ -135,10 +136,10 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv
8. In the content pane, double-click **Allow log on locally**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** twice.
9. In the content pane, double-click **Log on as a batch job**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Performance Log Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** twice.
10. In the content pane, double-click **Log on as a service**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **NT SERVICE\ALL SERVICES;DOMAINNAME\NDESSvc** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** three times.
-11. Close the **Group Policy Management Editor**.
+11. Close the **Group Policy Management Editor**.
### Configure security for the NDES Service User Rights Group Policy object
-The best way to deploy the **NDES Service User Rights** Group Policy object is to use security group filtering. This enables you to easily manage the computers that receive the Group Policy settings by adding them to a group.
+The best way to deploy the **NDES Service User Rights** Group Policy object is to use security group filtering. This enables you to easily manage the computers that receive the Group Policy settings by adding them to a group.
Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
@@ -159,7 +160,7 @@ Sign-in to a domain controller or management workstation with access equivalent
3. In the **Select GPO** dialog box, select **NDES Service User Rights** or the name of the Group Policy object you previously created and click **OK**.
> [!IMPORTANT]
-> Linking the **NDES Service User Rights** Group Policy object to the domain ensures the Group Policy object is in scope for all computers. However, not all computers will have the policy settings applied to them. Only computers that are members of the **NDES Servers** global security group receive the policy settings. All others computers ignore the Group Policy object.
+> Linking the **NDES Service User Rights** Group Policy object to the domain ensures the Group Policy object is in scope for all computers. However, not all computers will have the policy settings applied to them. Only computers that are members of the **NDES Servers** global security group receive the policy settings. All others computers ignore the Group Policy object.
## Prepare Active Directory Certificate Authority
You must prepare the public key infrastructure and the issuing certificate authority to support issuing certificates using Microsoft Intune and the Network Devices Enrollment Services (NDES) server role. In this task, you will
@@ -177,46 +178,52 @@ When deploying certificates using Microsoft Intune, you have the option of provi
Sign-in to the issuing certificate authority with access equivalent to _local administrator_.
-1. Open and elevated command prompt. Type the command
+1. Open an elevated command prompt and type the following command:
```
certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE
```
-2. Restart the **Active Directory Certificate Services** service.
+2. Restart the **Active Directory Certificate Services** service.
### Create an NDES-Intune authentication certificate template
-NDES uses a server authentication certificate to authenticate the server endpoint, which encrypts the communication between it and the connecting client. The Intune Certificate Connector uses a client authentication certificate template to authenticate to the certificate registration point.
+NDES uses a server authentication certificate to authenticate the server endpoint, which encrypts the communication between it and the connecting client. The Intune Certificate Connector uses a client authentication certificate template to authenticate to the certificate registration point.
Sign-in to the issuing certificate authority or management workstations with _Domain Admin_ equivalent credentials.
-1. Open the **Certificate Authority** management console.
+1. Open the **Certificate Authority** management console.
2. Right-click **Certificate Templates** and click **Manage**.
3. In the **Certificate Template Console**, right-click the **Computer** template in the details pane and click **Duplicate Template**.
-4. On the **General** tab, type **NDES-Intune Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.
- **Note:** If you use different template names, you'll need to remember and substitute these names in different portions of the lab.
-5. On the **Subject** tab, select **Supply in the request**.
-6. On the **Cryptography** tab, validate the **Minimum key size** is **2048**.
-7. On the **Security** tab, click **Add**.
-8. Type **NDES server** in the **Enter the object names to select** text box and click **OK**.
-9. Select **NDES server** from the **Group or users names** list. In the **Permissions for** section, select the **Allow** check box for the **Enroll** permission. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**.
-10. Click on the **Apply** to save changes and close the console.
+4. On the **General** tab, type **NDES-Intune Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.
+
+ > [!NOTE]
+ > If you use different template names, you'll need to remember and substitute these names in different portions of the lab.
+
+5. On the **Subject** tab, select **Supply in the request**.
+6. On the **Cryptography** tab, validate the **Minimum key size** is **2048**.
+7. On the **Security** tab, click **Add**.
+8. Type **NDES server** in the **Enter the object names to select** text box and click **OK**.
+9. Select **NDES server** from the **Group or users names** list. In the **Permissions for** section, select the **Allow** check box for the **Enroll** permission. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**.
+10. Click on the **Apply** to save changes and close the console.
### Create an Azure AD joined Windows Hello for Business authentication certificate template
-During Windows Hello for Business provisioning, Windows 10 requests an authentication certificate from the Microsoft Intune, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring the NDES Server.
+During Windows Hello for Business provisioning, Windows 10 requests an authentication certificate from Microsoft Intune, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring the NDES Server.
-Sign-in a certificate authority or management workstations with _Domain Admin equivalent_ credentials.
+Sign in a certificate authority or management workstations with _Domain Admin equivalent_ credentials.
1. Open the **Certificate Authority** management console.
2. Right-click **Certificate Templates** and click **Manage**.
3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**.
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
-5. On the **General** tab, type **AADJ WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.
- **Note:** If you use different template names, you'll need to remember and substitute these names in different portions of the deployment.
-6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
+5. On the **General** tab, type **AADJ WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.
+
+ > [!NOTE]
+ > If you use different template names, you'll need to remember and substitute these names in different portions of the deployment.
+
+6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**.
8. On the **Subject** tab, select **Supply in the request**.
9. On the **Request Handling** tab, select **Signature and encryption** from the **Purpose** list. Select the **Renew with same key** check box. Select **Enroll subject without requiring any user input**.
10. On the **Security** tab, click **Add**. Type **NDESSvc** in the **Enter the object names to select** text box and click **OK**.
-12. Select **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for the **Read**, **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**.
+12. Select **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for **Read** and **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**.
13. Close the console.
### Publish certificate templates
@@ -231,7 +238,7 @@ Sign-in to the certificate authority or management workstations with an _Enterpr
2. Expand the parent node from the navigation pane.
3. Click **Certificate Templates** in the navigation pane.
4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue.
-5. In the **Enable Certificates Templates** window, select the **NDES-Intune Authentication** and **AADJ WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority.
+5. In the **Enable Certificates Templates** window, select the **NDES-Intune Authentication** and **AADJ WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority.
6. Close the console.
## Install and Configure the NDES Role
@@ -250,10 +257,10 @@ Install the Network Device Enrollment Service role on a computer other than the
Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials.
1. Open **Server Manager** on the NDES server.
-2. Click **Manage**. Click **Add Roles and Features**.
+2. Click **Manage**. Click **Add Roles and Features**.
3. In the **Add Roles and Features Wizard**, on the **Before you begin** page, click **Next**. Select **Role-based or feature-based installation** on the **Select installation type** page. Click **Next**. Click **Select a server from the server pool**. Select the local server from the **Server Pool** list. Click **Next**.
-4. On the **Select server roles** page, select **Active Directory Certificate Services** from the **Roles** list.
+4. On the **Select server roles** page, select **Active Directory Certificate Services** from the **Roles** list.
Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**.
@@ -270,8 +277,8 @@ Sign-in to the certificate authority or management workstations with an _Enterpr
* **Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility**
9. Click **Install**. When the installation completes, continue with the next procedure. **Do not click Close**.
- > [!Important]
- > The .NET Framework 3.5 is not included in the typical installation. If the server is connected to the Internet, the installation attempts to get the files using Windows Update. If the server is not connected to the Internet, you need to **Specify an alternate source path** such as \
-```setspn -s http/[FqdnOfNdesServer] [DomainName\\NdesServiceAccount]```
-where **[FqdnOfNdesServer]** is the fully qualified domain name of the NDES server and **[DomainName\NdesServiceAccount]** is the domain name and NDES service account name separated by a backslash (\\). An example of the command looks like the following.
-```setspn -s http/ndes.corp.contoso.com contoso\ndessvc```
+2. Type the following command to register the service principal name
+ ```
+ setspn -s http/[FqdnOfNdesServer] [DomainName\\NdesServiceAccount]
+ ```
+ where **[FqdnOfNdesServer]** is the fully qualified domain name of the NDES server and **[DomainName\NdesServiceAccount]** is the domain name and NDES service account name separated by a backslash (\\). An example of the command looks like the following:
+ ```
+ setspn -s http/ndes.corp.contoso.com contoso\ndessvc
+ ```
> [!NOTE]
> If you use the same service account for multiple NDES Servers, repeat the following task for each NDES server under which the NDES service runs.
@@ -306,16 +317,16 @@ Sign-in a domain controller with a minimum access equivalent to _Domain Admins_.
1. Open **Active Directory Users and Computers**
2. Locate the NDES Service account (NDESSvc). Right-click and select **Properties**. Click the **Delegation** tab.
-
+ 
3. Select **Trust this user for delegation to specified services only**.
4. Select **Use any authentication protocol**.
5. Click **Add**.
6. Click **Users or Computers...** Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Avaiable services** list, select **HOST**. Click **OK**.
-
-7. Repeat steps 5 and 6 for each NDES server using this service account.8. Click **Add**.
+ 
+7. Repeat steps 5 and 6 for each NDES server using this service account. Click **Add**.
8. Click **Users or computers...** Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Available services** list, select **dcom**. Hold the **CTRL** key and select **HOST**. Click **OK**.
9. Repeat steps 8 and 9 for each issuing certificate authority from which one or more NDES servers request certificates.
-
+ 
10. Click **OK**. Close **Active Directory Users and Computers**.
### Configure the NDES Role and Certificate Templates
@@ -325,63 +336,67 @@ This task configures the NDES role and the certificate templates the NDES server
Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials.
> [!NOTE]
-> If you closed Server Manger from the last set of tasks, start Server Manager and click the action flag that shows a yellow exclamation point.
+> If you closed Server Manger from the last set of tasks, start Server Manager and click the action flag that shows a yellow exclamation point.
1. Click the **Configure Active Directory Certificate Services on the destination server** link.
2. On the **Credentials** page, click **Next**.
-
+ 
3. On the **Role Services** page, select **Network Device Enrollment Service** and then click **Next**
-
-4. On the **Service Account for NDES** page, select **Specify service account (recommended)**. Click **Select...** Type the user name and password for the NDES service account in the **Windows Security** dialog box. Click **Next**.
-
+ 
+4. On the **Service Account for NDES** page, select **Specify service account (recommended)**. Click **Select...**. Type the user name and password for the NDES service account in the **Windows Security** dialog box. Click **Next**.
+ 
5. On the **CA for NDES** page, select **CA name**. Click **Select...**. Select the issuing certificate authority from which the NDES server requests certificates. Click **Next**.
-
+ 
6. On the **RA Information**, click **Next**.
7. On the **Cryptography for NDES** page, click **Next**.
8. Review the **Confirmation** page. Click **Configure**.
-
+ 
8. Click **Close** after the configuration completes.
#### Configure Certificate Templates on NDES
-A single NDES server can request a maximum of three certificate template. The NDES server determines which certificate to issue based on the incoming certificate request that is assigned in the Microsoft Intune SCEP certificate profile. The Microsoft Intune SCEP certificate profile has three values.
+A single NDES server can request a maximum of three certificate templates. The NDES server determines which certificate to issue based on the incoming certificate request that is assigned in the Microsoft Intune SCEP certificate profile. The Microsoft Intune SCEP certificate profile has three values.
* Digital Signature
* Key Encipherment
* Key Encipherment, Digital Signature
-Each value maps to a registry value name in the NDES server. The NDES server translate an incoming SCEP provide value into the correspond certificate template. The table belows shows the SCEP profile value to the NDES certificate template registry value name
+Each value maps to a registry value name in the NDES server. The NDES server translates an incoming SCEP provided value into the corresponding certificate template. The table below shows the SCEP profile values of the NDES certificate template registry value names.
-|SCEP Profile Key usage| NDES Registry Value Name|
-|:----------:|:-----------------------:|
-|Digital Signature|SignatureTemplate|
-|Key Encipherment|EncryptionTemplate|
-|Key Encipherment
Digital Signature|GeneralPurposeTemplate|
+| SCEP Profile Key usage| NDES Registry Value Name |
+| :-------------------: | :----------------------: |
+| Digital Signature | SignatureTemplate |
+| Key Encipherment | EncryptionTemplate |
+| Key Encipherment
Digital Signature | GeneralPurposeTemplate |
-Ideally, you should match the certificate request with registry value name to keep the configuration intuitive (encryption certificates use the encryptionTemplate, signature certificates use the signature template, etc.). A result of this intuitive design is the potential exponential growth in NDES server. Imagine an organization that needs to issue nine unique signature certificates across their enterprise.
+Ideally, you should match the certificate request with the registry value name to keep the configuration intuitive (encryption certificates use the encryption template, signature certificates use the signature template, etc.). A result of this intuitive design is the potential exponential growth in the NDES server. Imagine an organization that needs to issue nine unique signature certificates across their enterprise.
- If the need arises, you can configure a signature certificate in the encryption registry value name or an encryption certificate in the signature registry value to maximize the use of your NDES infrastructure. This unintuitive design requires current and accurate documentation of the configuration to ensure the SCEP certificate profile is configured to enroll the correct certificate, regardless of the actual purpose. Each organization needs to balance ease of configuration and administration with additional NDES infrastructure and the management overhead that comes with it.
+If the need arises, you can configure a signature certificate in the encryption registry value name or an encryption certificate in the signature registry value to maximize the use of your NDES infrastructure. This unintuitive design requires current and accurate documentation of the configuration to ensure the SCEP certificate profile is configured to enroll the correct certificate, regardless of the actual purpose. Each organization needs to balance ease of configuration and administration with additional NDES infrastructure and the management overhead that comes with it.
Sign-in to the NDES Server with _local administrator_ equivalent credentials.
1. Open an elevated command prompt.
2. Using the table above, decide which registry value name you will use to request Windows Hello for Business authentication certificates for Azure AD joined devices.
-3. Type the following command
-```reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v [registryValueName] /t REG_SZ /d [certificateTemplateName]```
-where **registryValueName** is one of the three value names from the above table and where **certificateTemplateName** is the name of the certificate template you created for Windows Hello for Business Azure AD joined devices. Example:
-```reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v SignatureTemplate /t REG_SZ /d AADJWHFBAuthentication```
+3. Type the following command:
+ ```
+ reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v [registryValueName] /t REG_SZ /d [certificateTemplateName]
+ ```
+ where **registryValueName** is one of the three value names from the above table and where **certificateTemplateName** is the name of the certificate template you created for Windows Hello for Business Azure AD joined devices. Example:
+ ```
+ reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v SignatureTemplate /t REG_SZ /d AADJWHFBAuthentication
+ ```
4. Type **Y** when the command asks for permission to overwrite the existing value.
5. Close the command prompt.
> [!IMPORTANT]
-> Use the **name** of the certificate template; not the **display name**. The certificate template name does not include spaces. You can view the certificate names by looking at the **General** tab of the certificate template's properties in the **Certificates Templates** management console (certtmpl.msc).
+> Use the **name** of the certificate template; not the **display name**. The certificate template name does not include spaces. You can view the certificate names by looking at the **General** tab of the certificate template's properties in the **Certificates Templates** management console (`certtmpl.msc`).
### Create a Web Application Proxy for the internal NDES URL.
Certificate enrollment for Azure AD joined devices occurs over the Internet. As a result, the internal NDES URLs must be accessible externally. You can do this easily and securely using Azure Active Directory Application Proxy. Azure AD Application Proxy provides single sign-on and secure remote access for web applications hosted on-premises, such as Network Device Enrollment Services.
-Ideally, you configure your Microsoft Intune SCEP certificate profile to use multiple external NDES URLs. This enables Microsoft Intune to round-robin load balance the certificate requests to identically configured NDES Servers (each NDES server can accommodate approximately 300 concurrent requests). Microsoft Intune sends these requests to Azure AD Application Proxies.
+Ideally, you configure your Microsoft Intune SCEP certificate profile to use multiple external NDES URLs. This enables Microsoft Intune to round-robin load balance the certificate requests to identically configured NDES Servers (each NDES server can accommodate approximately 300 concurrent requests). Microsoft Intune sends these requests to Azure AD Application Proxies.
-Azure AD Application proxies are serviced by lightweight Application Proxy Connector agents. These agents are installed on your on-premises, domain joined devices and make authenticated secure outbound connection to Azure, waiting to process requests from Azure AD Application Proxies. You can create connector groups in Azure Active Directory to assign specific connectors to service specific applications.
+Azure AD Application proxies are serviced by lightweight Application Proxy Connector agents. See [What is Application Proxy](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy#what-is-application-proxy) for more details. These agents are installed on your on-premises, domain joined devices and make authenticated secure outbound connection to Azure, waiting to process requests from Azure AD Application Proxies. You can create connector groups in Azure Active Directory to assign specific connectors to service specific applications.
Connector group automatically round-robin, load balance the Azure AD Application proxy requests to the connectors within the assigned connector group. This ensures Windows Hello for Business certificate requests have multiple dedicated Azure AD Application Proxy connectors exclusively available to satisfy enrollment requests. Load balancing the NDES servers and connectors should ensure users enroll their Windows Hello for Business certificates in a timely manner.
@@ -395,7 +410,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
5. Sign-in the computer that will run the connector with access equivalent to a _domain user_.
> [!IMPORTANT]
- > Install a minimum of two Azure Active Directory Proxy connectors for each NDES Application Proxy. Strategtically locate Azure AD application proxy connectors throughout your organization to ensure maximum availablity. Remember, devices running the connector must be able to communicate with Azure and the on-premises NDES servers.
+ > Install a minimum of two Azure Active Directory Proxy connectors for each NDES Application Proxy. Strategically locate Azure AD application proxy connectors throughout your organization to ensure maximum availability. Remember, devices running the connector must be able to communicate with Azure and the on-premises NDES servers.
6. Start **AADApplicationProxyConnectorInstaller.exe**.
7. Read the license terms and then select **I agree to the license terms and conditions**. Click **Install**.
@@ -412,9 +427,9 @@ Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**.
3. Under **MANAGE**, click **Application proxy**.
-
+ 
4. Click **New Connector Group**. Under **Name**, type **NDES WHFB Connectors**.
-
+ 
5. Select each connector agent in the **Connectors** list that will service Windows Hello for Business certificate enrollment requests.
6. Click **Save**.
@@ -426,18 +441,18 @@ Sign-in a workstation with access equivalent to a _domain user_.
3. Under **MANAGE**, click **Application proxy**.
4. Click **Configure an app**.
5. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**. Choose a name that correlates this Azure AD Application Proxy setting with the on-premises NDES server. Each NDES server must have its own Azure AD Application Proxy as two NDES servers cannot share the same internal URL.
-6. Next to **Internal Url**, type the internal, fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy. For example, https://ndes.corp.mstepdemo.net). You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**.
-7. Under **Internal Url**, select **https://** from the first list. In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy. In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy. It is recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net).
+6. Next to **Internal URL**, type the internal, fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy. For example, https://ndes.corp.mstepdemo.net). You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**.
+7. Under **Internal URL**, select **https://** from the first list. In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy. In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy. It is recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net).
8. Select **Passthrough** from the **Pre Authentication** list.
9. Select **NDES WHFB Connectors** from the **Connector Group** list.
-10. Under **Additional Settings**, select **Default** from **Backend Application Timeout**. Under the **Translate URLLs In** section, select **Yes** next to **Headers** and select **No** next to **Application Body**.
+10. Under **Additional Settings**, select **Default** from **Backend Application Timeout**. Under the **Translate URLs In** section, select **Yes** next to **Headers** and select **No** next to **Application Body**.
11. Click **Add**.
12. Sign-out of the Azure Portal.
+
> [!IMPORTANT]
> Write down the internal and external URLs. You will need this information when you enroll the NDES-Intune Authentication certificate.
-
### Enroll the NDES-Intune Authentication certificate
This task enrolls a client and server authentication certificate used by the Intune connector and the NDES server.
@@ -449,8 +464,8 @@ Sign-in the NDES server with access equivalent to _local administrators_.
4. Click **Next** on the **Before You Begin** page.
5. Click **Next** on the **Select Certificate Enrollment Policy** page.
6. On the **Request Certificates** page, Select the **NDES-Intune Authentication** check box.
-7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link
- 
+7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link
+ 
8. Under **Subject name**, select **Common Name** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**) and then click **Add**.
9. Under **Alternative name**, select **DNS** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**). Click **Add**. Type the external URL used in the previous task (without the https://, for example **ndes-mstephendemo.msappproxy.net**). Click **Add**. Click **OK** when finished.
9. Click **Enroll**
@@ -462,44 +477,46 @@ This task configures the Web Server role on the NDES server to use the server au
Sign-in the NDES server with access equivalent to _local administrator_.
1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**.
-2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**.
-
+2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**.
+ 
3. Click **Bindings...*** under **Actions**. Click **Add**.
-
+ 
4. Select **https** from **Type**. Confirm the value for **Port** is **443**.
5. Select the certificate you previously enrolled from the **SSL certificate** list. Select **OK**.
-
-6. Select **http** from the **Site Bindings** list. Click **Remove**.
+ 
+6. Select **http** from the **Site Bindings** list. Click **Remove**.
7. Click **Close** on the **Site Bindings** dialog box.
-8. Close **Internet Information Services (IIS) Manager**.
+8. Close **Internet Information Services (IIS) Manager**.
### Verify the configuration
This task confirms the TLS configuration for the NDES server.
Sign-in the NDES server with access equivalent to _local administrator_.
-#### Disable Internet Explorer Enhanced Security Configuration
+#### Disable Internet Explorer Enhanced Security Configuration
1. Open **Server Manager**. Click **Local Server** from the navigation pane.
2. Click **On** next to **IE Enhanced Security Configuration** in the **Properties** section.
3. In the **Internet Explorer Enhanced Security Configuration** dialog, under **Administrators**, select **Off**. Click **OK**.
4. Close **Server Manager**.
#### Test the NDES web server
-1. Open **Internet Explorer**.
-2. In the navigation bar, type
-```https://[fqdnHostName]/certsrv/mscep/mscep.dll```
-where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server.
+1. Open **Internet Explorer**.
+2. In the navigation bar, type
+ ```
+ https://[fqdnHostName]/certsrv/mscep/mscep.dll
+ ```
+ where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server.
-A web page similar to the following should appear in your web browser. If you do not see similar page, or you get a **503 Service unavailable**, ensure the NDES Service account as the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source.
+A web page similar to the following should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source.
-Confirm the web site uses the server authentication certificate.
+Confirm the web site uses the server authentication certificate.
## Configure Network Device Enrollment Services to work with Microsoft Intune
-You have successfully configured the Network Device Enrollment Services. You must now modify the configuration to work with the Intune Certificate Connector. In this task, you will enable the NDES server and http.sys to handle long URLs.
+You have successfully configured the Network Device Enrollment Services. You must now modify the configuration to work with the Intune Certificate Connector. In this task, you will enable the NDES server and http.sys to handle long URLs.
- Configure NDES to support long URLs
@@ -510,7 +527,7 @@ Sign-in the NDES server with access equivalent to _local administrator_.
1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**.
2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**.
3. In the content pane, double-click **Request Filtering**. Click **Edit Feature Settings...** in the action pane.
-
+ 
4. Select **Allow unlisted file name extensions**.
5. Select **Allow unlisted verbs**.
6. Select **Allow high-bit characters**.
@@ -521,56 +538,58 @@ Sign-in the NDES server with access equivalent to _local administrator_.
#### Configure Parameters for HTTP.SYS
1. Open an elevated command prompt.
-2. Run the following commands
-```reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534```
-```reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534```
+2. Run the following commands:
+ ```
+ reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534
+ reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534
+ ```
3. Restart the NDES server.
## Download, Install and Configure the Intune Certificate Connector
-The Intune Certificate Connector application enables Microsoft Intune to enroll certificates using your on-premises PKI for users on devices managed by Microsoft Intune.
+The Intune Certificate Connector application enables Microsoft Intune to enroll certificates using your on-premises PKI for users on devices managed by Microsoft Intune.
-### Download Intune Certificate Connector
+### Download Intune Certificate Connector
Sign-in a workstation with access equivalent to a _domain user_.
-1. Sign-in to the [Azure Portal](https://portal.azure.com/).
-2. Select **All Services**. Type **Intune** to filter the list of services. Click **Microsoft Intune**.
-
-3. Select **Device Configuration**, and then select **Certificate Connectors**.
-
-4. Click **Add**, and then click **Download the certificate connector software** under the **Steps to install connector for SCEP** section.
-
-5. Save the downloaded file (NDESConnectorSetup.exe) to a location accessible from the NDES server.
-6. Sign-out of the Azure Portal.
+1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
+2. Select **Tenant administration** > **Connectors and tokens** > **Certificate connectors** > **Add**.
+3. Click **Download the certificate connector software** under the **Install Certificate Connectors** section.
+ 
+4. Save the downloaded file (NDESConnectorSetup.exe) to a location accessible from the NDES server.
+5. Sign-out of the Microsoft Endpoint Manager admin center.
### Install the Intune Certificate Connector
Sign-in the NDES server with access equivalent to _domain administrator_.
1. Copy the Intune Certificate Connector Setup (NDESConnectorSetup.exe) downloaded in the previous task locally to the NDES server.
2. Run **NDESConnectorSetup.exe** as an administrator. If the setup shows a dialog that reads **Microsoft Intune NDES Connector requires HTTP Activation**, ensure you started the application as an administrator, then check HTTP Activation is enabled on the NDES server.
-3. On the **Microsoft Intune** page, click **Next**.
+3. On the **Microsoft Intune** page, click **Next**.
4. Read the **End User License Agreement**. Click **Next** to accept the agreement and to proceed with the installation.
5. On the **Destination Folder** page, click **Next**.
6. On the **Installation Options** page, select **SCEP and PFX Profile Distribution** and click **Next**.
-7. On the **Client certificate for Microsoft Intune** page, Click **Select**. Select the certificate previously enrolled for the NDES server. Click **Next**.
+7. On the **Client certificate for Microsoft Intune** page, Click **Select**. Select the certificate previously enrolled for the NDES server. Click **Next**.
+
> [!NOTE]
> The **Client certificate for Microsoft Intune** page does not update after selecting the client authentication certificate. However, the application rembers the selection and shows it in the next page.
8. On the **Client certificate for the NDES Policy Module** page, verify the certificate information and then click **Next**.
9. ON the **Ready to install Microsoft Intune Connector** page. Click **Install**.
- > [!NOTE]
- > You can review the results of the install using the **SetupMsi.log** file located in the **C:\\NDESConnectorSetupMsi** folder
-10. When the installation completes, select **Launch Intune Connector** and click Finish. Proceed to the Configure the Intune Certificate Connector task.
+ > [!NOTE]
+ > You can review the results of the install using the **SetupMsi.log** file located in the **C:\\NDESConnectorSetupMsi** folder.
+
+10. When the installation completes, select **Launch Intune Connector** and click Finish. Proceed to the Configure the Intune Certificate Connector task.
### Configure the Intune Certificate Connector
Sign-in the NDES server with access equivalent to _domain administrator_.
1. The **NDES Connector** user interface should be open from the last task.
+
> [!NOTE]
> If the **NDES Connector** user interface is not open, you can start it from **\
## Follow the Windows Hello for Business hybrid certificate trust deployment guide
+
1. [Overview](hello-hybrid-cert-trust.md)
2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
index 51e6922080..958991988c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
@@ -110,13 +110,13 @@ The next step of the deployment is to follow the [Creating an Azure AD tenant](h
## Multifactor Authentication Services
Windows Hello for Business uses multifactor authentication during provisioning and during user initiated PIN reset scenarios, such as when a user forgets their PIN. There are two preferred multifactor authentication configurations with hybrid deployments—Azure MFA and AD FS using Azure MFA or a third-party MFA adapter
-Review the [What is Azure Multi-Factor Authentication](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication) topic to familiarize yourself its purpose and how it works.
+Review the [What is Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication) topic to familiarize yourself its purpose and how it works.
-### Azure Multi-Factor Authentication (MFA) Cloud
+### Azure AD Multi-Factor Authentication (MFA) Cloud
> [!IMPORTANT]
-> As long as your users have licenses that include Azure Multi-Factor Authentication, there's nothing that you need to do to turn on Azure MFA. You can start requiring two-step verification on an individual user basis. The licenses that enable Azure MFA are:
-> * Azure Multi-Factor Authentication
+> As long as your users have licenses that include Azure AD Multi-Factor Authentication, there's nothing that you need to do to turn on Azure MFA. You can start requiring two-step verification on an individual user basis. The licenses that enable Azure MFA are:
+> * Azure AD Multi-Factor Authentication
> * Azure Active Directory Premium
> * Enterprise Mobility + Security
>
@@ -124,7 +124,7 @@ Review the [What is Azure Multi-Factor Authentication](https://docs.microsoft.co
#### Configure Azure MFA Settings
-Review the [Configure Azure Multi-Factor Authentication settings](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings.
+Review the [Configure Azure AD Multi-Factor Authentication settings](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings.
#### Azure MFA User States
After you have completed configuring your Azure MFA settings, you want to review [How to require two-step verification for a user](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states) to understand user states. User states determine how you enable Azure MFA for your users.
@@ -135,12 +135,12 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation
### Section Review
> [!div class="checklist"]
-> * Review the overview and uses of Azure Multifactor Authentication.
-> * Review your Azure Active Directory subscription for Azure Multifactor Authentication.
-> * Create an Azure Multifactor Authentication Provider, if necessary.
-> * Configure Azure Multifactor Authentication features and settings.
-> * Understand the different User States and their effect on Azure Multifactor Authentication.
-> * Consider using Azure Multifactor Authentication or a third-party multifactor authentication provider with Windows Server Active Directory Federation Services, if necessary.
+> * Review the overview and uses of Azure AD Multi-Factor Authentication.
+> * Review your Azure Active Directory subscription for Azure AD Multi-Factor Authentication.
+> * Create an Azure AD Multi-Factor Authentication Provider, if necessary.
+> * Configure Azure AD Multi-Factor Authentication features and settings.
+> * Understand the different User States and their effect on Azure AD Multi-Factor Authentication.
+> * Consider using Azure AD Multi-Factor Authentication or a third-party multifactor authentication provider with Windows Server Active Directory Federation Services, if necessary.
> [!div class="nextstepaction"]
> [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
index fa3b1d7a97..1a946e82dc 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
@@ -67,16 +67,15 @@ Key trust deployments do not need client issued certificates for on-premises aut
The minimum required Enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party Enterprise certification authority. The requirements for the domain controller certificate are shown below. For more details, see [Requirements for domain controller certificates from a third-party CA](https://support.microsoft.com/help/291010/requirements-for-domain-controller-certificates-from-a-third-party-ca).
-* The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL.
+* The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL, or an Authority Information Access (AIA) extension that points to an Online Certificate Status Protocol (OCSP) responder.
* The certificate Subject section should contain the directory path of the server object (the distinguished name).
* The certificate Key Usage section must contain Digital Signature and Key Encipherment.
* Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None].
* The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), and KDC Authentication (1.3.6.1.5.2.3.5).
* The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name.
* The certificate template must have an extension that has the value "DomainController", encoded as a [BMPstring](https://docs.microsoft.com/windows/win32/seccertenroll/about-bmpstring). If you are using Windows Server Enterprise Certificate Authority, this extension is already included in the domain controller certificate template.
-* The domain controller certificate must be installed in the local computer's certificate store.
+* The domain controller certificate must be installed in the local computer's certificate store. See [Configure Hybrid Windows Hello for Business: Public Key Infrastructure](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki) for details.
-
> [!IMPORTANT]
> For Azure AD joined device to authenticate to and use on-premises resources, ensure you:
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
index 73e002c7c2..5a790c046a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
@@ -57,9 +57,6 @@ The remainder of the provisioning includes Windows Hello for Business requesting
> **This synchronization latency delays the user's ability to authenticate and use on-premises resources until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources.
> Read [Azure AD Connect sync: Scheduler](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization.
-> [!NOTE]
-> Microsoft is actively investigating ways to reduce the synchronization latency and delays.
-
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
index 87b70bbd2c..7ab3353cab 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
@@ -13,31 +13,31 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
-ms.date: 08/19/2018
+ms.date: 01/14/2021
ms.reviewer:
---
# Configure Hybrid Windows Hello for Business: Public Key Infrastructure
**Applies to**
-- Windows 10, version 1703 or later
-- Hybrid Deployment
-- Key trust
+- Windows 10, version 1703 or later
+- Hybrid Deployment
+- Key trust
Windows Hello for Business deployments rely on certificates. Hybrid deployments uses publicly issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows them and the client computer.
-All deployments use enterprise issued certificates for domain controllers as a root of trust.
+All deployments use enterprise issued certificates for domain controllers as a root of trust.
## Certificate Templates
-This section has you configure certificate templates on your Windows Server 2012 or later issuing certificate authority.
+This section has you configure certificate templates on your Windows Server 2012 or later issuing certificate authority.
### Domain Controller certificate template
Clients need to trust domain controllers and the best way to do this is to ensure each domain controller has a Kerberos Authentication certificate. Installing a certificate on the domain controller enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. This provides clients a root of trust external to the domain - namely the enterprise certificate authority.
-Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the *Domain Controller* and *Domain Controller Authentication* certificate templates do not include the **KDC Authentication** object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the Kerberos Authentication certificate template.
+Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the *Domain Controller* and *Domain Controller Authentication* certificate templates do not include the **KDC Authentication** object identifier (OID), which was later added to the Kerberos RFC. Inclusion of the **KDC Authentication** OID in domain controller certificate is not required for key trust authentication from Hybrid Azure AD joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Azure AD joined devices. The steps below to update the domain controller certificate to include the **KDC Authentication** OID may be skipped if you only have Hybrid Azure AD Joined devices in your environment, but we recommend completing these steps if you are considering adding Azure AD joined devices to your environment in the future.
By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the **Kerberos Authentication** certificate template a baseline to create an updated domain controller certificate template.
@@ -49,10 +49,10 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e
2. Right-click **Certificate Templates** and click **Manage**.
3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**.
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list.
-5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise's needs.
+5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise's needs.
**Note**If you use different template names, you'll need to remember and substitute these names in different portions of the lab.
6. On the **Subject Name** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items.
-7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**.
+7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**.
8. Close the console.
>[!NOTE]
@@ -81,7 +81,13 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi
The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
> [!NOTE]
-> The domain controller's certificate must chain to a root in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a third-party CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail.
+> The certificate for the CA issuing the domain controller certificate must be included in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a multi-tier CA hierarchy or a third-party CA, this may not be done by default. If the Domain Controller certificate does not directly chain to a CA certificate in the NTAuth store, user authentication will fail.
+
+The following PowerShell command can be used to check all certificates in the NTAuth store:
+
+```powershell
+Certutil -viewstore -enterprise NTAuth
+```
### Publish Certificate Templates to a Certificate Authority
@@ -113,13 +119,13 @@ Sign-in to the certificate authority or management workstation with _Enterprise
5. Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates.
### Section Review
+
> [!div class="checklist"]
> * Domain Controller certificate template
> * Configure superseded domain controller certificate templates
> * Publish Certificate templates to certificate authorities
> * Unpublish superseded certificate templates
->
->
+> s
> [!div class="step-by-step"]
> [< Configure Azure AD Connect](hello-hybrid-key-whfb-settings-dir-sync.md)
> [Configure policy settings >](hello-hybrid-key-whfb-settings-policy.md)
@@ -129,6 +135,7 @@ Sign-in to the certificate authority or management workstation with _Enterprise
## Follow the Windows Hello for Business hybrid key trust deployment guide
+
1. [Overview](hello-hybrid-cert-trust.md)
2. [Prerequisites](hello-hybrid-key-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-key-new-install.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
index a5a6d5a9a2..d53a57bff1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
@@ -1,6 +1,6 @@
---
-title: Windows Hello for Business (Windows 10)
-description: Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices.
+title: Windows Hello for Business Deployment Prerequisite Overview
+description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models
ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E
ms.reviewer:
keywords: identity, PIN, biometric, Hello, passport
@@ -15,39 +15,25 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
-ms.date: 05/05/2018
+ms.date: 1/22/2021
---
-# Windows Hello for Business
+# Windows Hello for Business Deployment Prerequisite Overview
-In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN.
-Windows Hello for Business lets user authenticate to an Active Directory or Azure Active Directory account.
+This article lists the infrastructure requirements for the different deployment models for Windows Hello for Business.
-Windows Hello addresses the following problems with passwords:
-
-- Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites.
-- Server breaches can expose symmetric network credentials (passwords).
-- Passwords are subject to [replay attacks](https://go.microsoft.com/fwlink/p/?LinkId=615673).
-- Users can inadvertently expose their passwords due to [phishing attacks](https://docs.microsoft.com/windows/security/threat-protection/intelligence/phishing).
-
-> | | | |
-> | :---: | :---: | :---: |
-> | [](hello-overview.md)[Overview](hello-overview.md) | [](hello-why-pin-is-better-than-password.md)[Why PIN is better than a password](hello-why-pin-is-better-than-password.md) | [](hello-manage-in-organization.md)[Manage Windows Hello in your Organization](hello-manage-in-organization.md) |
-
-## Prerequisites
-
-### Cloud Only Deployment
+## Cloud Only Deployment
* Windows 10, version 1511 or later
* Microsoft Azure Account
* Azure Active Directory
-* Azure Multi-factor authentication
+* Azure AD Multi-Factor Authentication
* Modern Management (Intune or supported third-party MDM), *optional*
* Azure AD Premium subscription - *optional*, needed for automatic MDM enrollment when the device joins Azure Active Directory
-### Hybrid Deployments
+## Hybrid Deployments
-The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process.
+The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process.
| Key trustGroup Policy managed | Certificate trustMixed managed | Key trustModern managed | Certificate trustModern managed |
| --- | --- | --- | --- |
@@ -75,7 +61,7 @@ The table shows the minimum requirements for each deployment. For key trust in a
> Reset above lock screen - Windows 10, version 1709, Professional
> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903
-### On-premises Deployments
+## On-premises Deployments
The table shows the minimum requirements for each deployment.
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
index a908e96533..2a2c07e715 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
@@ -298,7 +298,13 @@ Sign-in the domain controller or administrative workstation with domain administ
3. In the navigation pane, select the node that has the name of your internal Active Directory domain name.
4. In the navigation pane, right-click the domain name node and click **New Host (A or AAAA)**.
5. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Click **Add Host**.
-6. Close the DNS Management console
+6. Right-click the `domain_name` node and select **New Alias (CNAME)**.
+7. In the **New Resource Record** dialog box, type "enterpriseregistration" in the **Alias** name box.
+8. In the **fully qualified domain name (FQDN)** of the target host box, type `federation_service_farm_name.domain_name.com`, and click OK.
+9. Close the DNS Management console.
+
+> [!NOTE]
+> If your forest has multiple UPN suffixes, please make sure that `enterpriseregistration.upnsuffix.com` is present for each suffix.
## Configure the Intranet Zone to include the federation service
@@ -342,5 +348,3 @@ Before you continue with the deployment, validate your deployment progress by re
3. Prepare and Deploy Windows Server 2016 Active Directory Federation Services (*You are here*)
4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md)
5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)
-
-
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
index 26a28b9593..8042bad1d8 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
@@ -24,10 +24,10 @@ ms.reviewer:
- Key trust
-You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
+You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703.
-Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10, version 1703 to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information.
+Alternatively, you can create a copy of the .ADMX and .ADML files from a Windows 10, version 1703 installation setup template folder to their respective language folder on a Windows Server, or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information.
On-premises certificate-based deployments of Windows Hello for Business needs one Group Policy setting: Enable Windows Hello for Business
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
index 51d246f3f4..1a4dcd1e37 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
@@ -1,12 +1,12 @@
---
-title: Key registration for on-premises deployment of Windows Hello for Business
+title: Key registration for on-premises deployment of Windows Hello for Business
description: How to Validate Active Directory prerequisites for Windows Hello for Business when deploying with the key trust model.
keywords: identity, PIN, biometric, Hello, passport
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
-author: DaniHalfin
+author: dansimp
audience: ITPro
ms.author: dolmont
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
index 6377afa5a8..ce54bf0ffb 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
@@ -19,7 +19,7 @@ ms.reviewer:
# Validate and Deploy Multi-factor Authentication (MFA)
> [!IMPORTANT]
-> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.
+> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.
**Applies to**
diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
index 18f6f3dbf0..c21280812b 100644
--- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
+++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
@@ -15,7 +15,7 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
-ms.date: 4/16/2017
+ms.date: 1/20/2021
---
# Manage Windows Hello for Business in your organization
@@ -369,9 +369,11 @@ For more information about using the PIN recovery service for PIN reset see [Win
Windows Hello for Business is designed to be managed by Group Policy or MDM but not a combination of both. If policies are set from both sources it can result in a mixed result of what is actually enforced for a user or device.
-Policies for Windows Hello for Business are enforced using the following hierarchy: User Group Policy > Computer Group Policy > User MDM > Device MDM > Device Lock policy. All PIN complexity policies are grouped together and enforced from a single policy source.
+Policies for Windows Hello for Business are enforced using the following hierarchy: User Group Policy > Computer Group Policy > User MDM > Device MDM > Device Lock policy.
-Use a hardware security device and RequireSecurityDevice enforcement are also grouped together with PIN complexity policy. Conflict resolution for other Windows Hello for Business policies is enforced on a per policy basis.
+Feature enablement policy and certificate trust policy are grouped together and enforced from the same source (either GP or MDM), based on the rule above. The Use Passport for Work policy is used to determine the winning policy source.
+
+All PIN complexity policies, are grouped separately from feature enablement and are enforced from a single policy source. Use a hardware security device and RequireSecurityDevice enforcement are also grouped together with PIN complexity policy. Conflict resolution for other Windows Hello for Business policies are enforced on a per policy basis.
>[!NOTE]
> Windows Hello for Business policy conflict resolution logic does not respect the ControlPolicyConflict/MDMWinsOverGP policy in the Policy CSP.
@@ -382,8 +384,6 @@ Use a hardware security device and RequireSecurityDevice enforcement are also gr
>
>- Use Windows Hello for Business - Enabled
>- User certificate for on-premises authentication - Enabled
->- Require digits - Enabled
->- Minimum PIN length - 6
>
>The following are configured using device MDM Policy:
>
@@ -398,8 +398,10 @@ Use a hardware security device and RequireSecurityDevice enforcement are also gr
>
>- Use Windows Hello for Business - Enabled
>- Use certificate for on-premises authentication - Enabled
->- Require digits - Enabled
->- Minimum PIN length - 6d
+>- MinimumPINLength - 8
+>- Digits - 1
+>- LowercaseLetters - 1
+>- SpecialCharacters - 1
## How to use Windows Hello for Business with Azure Active Directory
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index ea3430b5dd..57805caf8b 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -19,13 +19,15 @@ ms.reviewer:
# Planning a Windows Hello for Business Deployment
**Applies to**
-- Windows 10
+
+- Windows 10
Congratulations! You are taking the first step forward in helping move your organizations away from password to a two-factor, convenience authentication for Windows — Windows Hello for Business. This planning guide helps you understand the different topologies, architectures, and components that encompass a Windows Hello for Business infrastructure.
This guide explains the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of the infrastructure. Armed with your planning worksheet, you'll use that information to select the correct deployment guide for your needs.
-If you have an Azure tenant, you can use our online, interactive Passwordless Wizard which walks through the same choices instead of using our manual guide below. The Passwordless Wizard is available in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup).
+> [!Note]
+>If you have an Azure tenant, you can use our online, interactive Passwordless Wizard which walks through the same choices instead of using our manual guide below. The Passwordless Wizard is available in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup).
## Using this guide
@@ -38,12 +40,13 @@ This guide removes the appearance of complexity by helping you make decisions on
Read this document and record your decisions on the worksheet. When finished, your worksheet has all the necessary information for your Windows Hello for Business deployment.
There are six major categories you need to consider for a Windows Hello for Business deployment. Those categories are:
-* Deployment Options
-* Client
-* Management
-* Active Directory
-* Public Key Infrastructure
-* Cloud
+
+- Deployment Options
+- Client
+- Management
+- Active Directory
+- Public Key Infrastructure
+- Cloud
### Baseline Prerequisites
@@ -58,13 +61,16 @@ The goal of Windows Hello for Business is to enable deployments for all organiza
There are three deployment models from which you can choose: cloud only, hybrid, and on-premises.
##### Cloud only
+
The cloud only deployment model is for organizations who only have cloud identities and do not access on-premises resources. These organizations typically join their devices to the cloud and exclusively use resources in the cloud such as SharePoint, OneDrive, and others. Also, because these users do not use on-premises resources, they do not need certificates for things like VPN because everything they need is hosted in Azure.
##### Hybrid
+
The hybrid deployment model is for organizations that:
-* Are federated with Azure Active Directory
-* Have identities synchronized to Azure Active Directory using Azure Active Directory Connect
-* Use applications hosted in Azure Active Directory, and want a single sign-in user experience for both on-premises and Azure Active Directory resources
+
+- Are federated with Azure Active Directory
+- Have identities synchronized to Azure Active Directory using Azure Active Directory Connect
+- Use applications hosted in Azure Active Directory, and want a single sign-in user experience for both on-premises and Azure Active Directory resources
> [!Important]
> Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models.
@@ -106,13 +112,13 @@ The built-in Windows Hello for Business provisioning experience creates a hardwa
#### Multifactor authentication
> [!IMPORTANT]
-> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who require multi-factor authentication for their users should use cloud-based Azure Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1, 2019 will be able to download the latest version, future updates and generate activation credentials as usual. See [Getting started with the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/active-directory/authentication/howto-mfaserver-deploy) for more details.
+> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who require multi-factor authentication for their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1, 2019 will be able to download the latest version, future updates and generate activation credentials as usual. See [Getting started with the Azure AD Multi-Factor Authentication Server](https://docs.microsoft.com/azure/active-directory/authentication/howto-mfaserver-deploy) for more details.
The goal of Windows Hello for Business is to move organizations away from passwords by providing them a strong credential that provides easy two-factor authentication. The built-in provisioning experience accepts the user's weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential.
-Cloud only and hybrid deployments provide many choices for multi-factor authentication. On-premises deployments must use a multi-factor authentication that provides an AD FS multi-factor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. Organizations can use the on-premises Azure Multi-factor Authentication server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information).
+Cloud only and hybrid deployments provide many choices for multi-factor authentication. On-premises deployments must use a multi-factor authentication that provides an AD FS multi-factor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. Organizations can use the on-premises Azure AD Multi-Factor Authentication server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information).
> [!NOTE]
-> Azure Multi-Factor Authentication is available through:
+> Azure AD Multi-Factor Authentication is available through:
> * Microsoft Enterprise Agreement
> * Open Volume License Program
> * Cloud Solution Providers program
@@ -154,7 +160,7 @@ The Windows Hello for Business deployment depends on an enterprise public key in
### Cloud
-Some deployment combinations require an Azure account, and some require Azure Active Directory for user identities. These cloud requirements may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiates the components that are needed from the those that are optional.
+Some deployment combinations require an Azure account, and some require Azure Active Directory for user identities. These cloud requirements may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiates the components that are needed from those that are optional.
## Planning a Deployment
@@ -332,7 +338,7 @@ Windows Hello for Business does not require an Azure AD premium subscription. H
If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet.
-If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory account (additional costs needed for multi-factor authentication).
+If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the Azure Active Directory free tier. All Azure Active Directory free accounts can use Azure AD Multi-Factor Authentication through the use of security defaults. Some Azure AD Multi-Factor Authentication features require a license. For more details, see [Features and licenses for Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-licensing).
If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet. Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, an Azure AD Premium feature.
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/profile01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/profile01.png
new file mode 100644
index 0000000000..46db47b6f0
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/profile01.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/profile02.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/profile02.png
new file mode 100644
index 0000000000..215b22ec23
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/profile02.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/profile03.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/profile03.png
new file mode 100644
index 0000000000..91dc9f58ba
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/profile03.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/profile04.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/profile04.png
new file mode 100644
index 0000000000..d15801152e
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/profile04.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-client-home-screen.png b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-client-home-screen.png
new file mode 100644
index 0000000000..fce622e7f7
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-client-home-screen.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-option.png b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-option.png
new file mode 100644
index 0000000000..7415de9616
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-option.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-application.png b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-application.png
new file mode 100644
index 0000000000..970e9f8109
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-application.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-home-screen.png b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-home-screen.png
new file mode 100644
index 0000000000..9903a59bf5
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/pinreset/pin-reset-service-home-screen.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/rdpcert/certificatetemplatetoissue.png b/windows/security/identity-protection/hello-for-business/images/rdpcert/certificatetemplatetoissue.png
new file mode 100644
index 0000000000..174cf0a790
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/rdpcert/certificatetemplatetoissue.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/rdpcert/duplicatetemplate.png b/windows/security/identity-protection/hello-for-business/images/rdpcert/duplicatetemplate.png
new file mode 100644
index 0000000000..028f06544c
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/rdpcert/duplicatetemplate.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/rdpcert/requestnewcertificate.png b/windows/security/identity-protection/hello-for-business/images/rdpcert/requestnewcertificate.png
new file mode 100644
index 0000000000..322a4fcbdc
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/rdpcert/requestnewcertificate.png differ
diff --git a/windows/security/identity-protection/hello-for-business/index.yml b/windows/security/identity-protection/hello-for-business/index.yml
new file mode 100644
index 0000000000..4282b8e701
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/index.yml
@@ -0,0 +1,110 @@
+### YamlMime:Landing
+
+title: Windows Hello for Business documentation
+summary: Learn how to manage and deploy Windows Hello for Business.
+
+metadata:
+ title: Windows Hello for Business documentation
+ description: Learn how to manage and deploy Windows Hello for Business.
+ ms.prod: w10
+ ms.topic: landing-page
+ author: mapalko
+ manager: dansimp
+ ms.author: mapalko
+ ms.date: 01/22/2021
+ ms.collection: M365-identity-device-management
+
+# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | whats-new
+
+landingContent:
+# Cards and links should be based on top customer tasks or top subjects
+# Start card title with a verb
+ # Card
+ - title: About Windows Hello For Business
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: Windows Hello for Business Overview
+ url: hello-overview.md
+ - linkListType: concept
+ links:
+ - text: Passwordless Strategy
+ url: passwordless-strategy.md
+ - text: Why a PIN is better than a password
+ url: hello-why-pin-is-better-than-password.md
+ - text: Windows Hello biometrics in the enterprise
+ url: hello-biometrics-in-enterprise.md
+ - text: How Windows Hello for Business works
+ url: hello-how-it-works.md
+ - linkListType: learn
+ links:
+ - text: Technical Deep Dive - Device Registration
+ url: hello-how-it-works-device-registration.md
+ - text: Technical Deep Dive - Provisioning
+ url: hello-how-it-works-provisioning.md
+ - text: Technical Deep Dive - Authentication
+ url: hello-how-it-works-authentication.md
+ - text: Technology and Terminology
+ url: hello-how-it-works-technology.md
+ - text: Frequently Asked Questions (FAQ)
+ url: hello-faq.yml
+
+ # Card
+ - title: Configure and manage Windows Hello for Business
+ linkLists:
+ - linkListType: concept
+ links:
+ - text: Windows Hello for Business Deployment Overview
+ url: hello-deployment-guide.md
+ - text: Planning a Windows Hello for Business Deployment
+ url: hello-planning-guide.md
+ - text: Deployment Prerequisite Overview
+ url: hello-identity-verification.md
+ - linkListType: how-to-guide
+ links:
+ - text: Hybrid Azure AD Joined Key Trust Deployment
+ url: hello-hybrid-key-trust.md
+ - text: Hybrid Azure AD Joined Certificate Trust Deployment
+ url: hello-hybrid-cert-trust.md
+ - text: On-premises SSO for Azure AD Joined Devices
+ url: hello-hybrid-aadj-sso.md
+ - text: On-premises Key Trust Deployment
+ url: hello-deployment-key-trust.md
+ - text: On-premises Certificate Trust Deployment
+ url: hello-deployment-cert-trust.md
+ - linkListType: learn
+ links:
+ - text: Manage Windows Hello for Business in your organization
+ url: hello-manage-in-organization.md
+ - text: Windows Hello and password changes
+ url: hello-and-password-changes.md
+ - text: Prepare people to use Windows Hello
+ url: hello-prepare-people-to-use.md
+
+ # Card
+ - title: Windows Hello for Business Features
+ linkLists:
+ - linkListType: how-to-guide
+ links:
+ - text: Conditional Access
+ url: hello-feature-conditional-access.md
+ - text: PIN Reset
+ url: hello-feature-pin-reset.md
+ - text: Dual Enrollment
+ url: hello-feature-dual-enrollment.md
+ - text: Dynamic Lock
+ url: hello-feature-dynamic-lock.md
+ - text: Multi-factor Unlock
+ url: feature-multifactor-unlock.md
+ - text: Remote Desktop
+ url: hello-feature-remote-desktop.md
+
+ # Card
+ - title: Windows Hello for Business Troubleshooting
+ linkLists:
+ - linkListType: how-to-guide
+ links:
+ - text: Known Deployment Issues
+ url: hello-deployment-issues.md
+ - text: Errors During PIN Creation
+ url: hello-errors-during-pin-creation.md
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
index dd1b6b18e0..87e71bc747 100644
--- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
+++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
@@ -216,7 +216,7 @@ The policy name for these operating systems is **Interactive logon: Require Wind
When you enable this security policy setting, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card.
#### Excluding the password credential provider
-You can use Group Policy to deploy an administrative template policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Administrative Templates > Logon**
+You can use Group Policy to deploy an administrative template policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Administrative Templates > System > Logon**
The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is **60b78e88-ead8-445c-9cfd-0b87f74ea6cd**.
diff --git a/windows/security/identity-protection/hello-for-business/toc.md b/windows/security/identity-protection/hello-for-business/toc.md
deleted file mode 100644
index 8ec19c126f..0000000000
--- a/windows/security/identity-protection/hello-for-business/toc.md
+++ /dev/null
@@ -1,70 +0,0 @@
-# [Windows Hello for Business](hello-identity-verification.md)
-
-## [Password-less Strategy](passwordless-strategy.md)
-
-## [Windows Hello for Business Overview](hello-overview.md)
-## [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
-## [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
-
-## [Windows Hello for Business Features](hello-features.md)
-### [Conditional Access](hello-feature-conditional-access.md)
-### [Dual Enrollment](hello-feature-dual-enrollment.md)
-### [Dynamic Lock](hello-feature-dynamic-lock.md)
-### [Multifactor Unlock](feature-multifactor-unlock.md)
-### [PIN Reset](hello-feature-pin-reset.md)
-### [Remote Desktop](hello-feature-remote-desktop.md)
-
-## [How Windows Hello for Business works](hello-how-it-works.md)
-### [Technical Deep Dive](hello-how-it-works.md#technical-deep-dive)
-#### [Device Registration](hello-how-it-works-device-registration.md)
-#### [Provisioning](hello-how-it-works-provisioning.md)
-#### [Authentication](hello-how-it-works-authentication.md)
-#### [Technology and Terminology](hello-how-it-works-technology.md)
-
-## [Planning a Windows Hello for Business Deployment](hello-planning-guide.md)
-
-## [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
-
-## [Windows Hello for Business Deployment Guide](hello-deployment-guide.md)
-
-### [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md)
-#### [Prerequisites](hello-hybrid-key-trust-prereqs.md)
-#### [New Installation Baseline](hello-hybrid-key-new-install.md)
-#### [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
-#### [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
-#### [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md)
-#### [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
-
-### [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md)
-#### [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
-#### [New Installation Baseline](hello-hybrid-cert-new-install.md)
-#### [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
-#### [Configure Windows Hello for Business policy settings](hello-hybrid-cert-whfb-settings.md)
-#### [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
-
-### [Azure AD Join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md)
-#### [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md)
-#### [Using Certificates for AADJ On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md)
-
-### [On Premises Key Trust Deployment](hello-deployment-key-trust.md)
-#### [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md)
-#### [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md)
-#### [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md)
-##### [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md)
-#### [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)
-
-### [On Premises Certificate Trust Deployment](hello-deployment-cert-trust.md)
-#### [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md)
-#### [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md)
-#### [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md)
-#### [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md)
-#### [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
-
-## [Windows Hello and password changes](hello-and-password-changes.md)
-## [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
-
-## [Windows Hello for Business Frequently Asked Questions (FAQ)](hello-faq.md)
-### [Windows Hello for Business Videos](hello-videos.md)
-
-## [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-## [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml
new file mode 100644
index 0000000000..5c90875208
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/toc.yml
@@ -0,0 +1,139 @@
+- name: Windows Hello for Business documentation
+ href: index.yml
+- name: Overview
+ items:
+ - name: Windows Hello for Business Overview
+ href: hello-overview.md
+- name: Concepts
+ expanded: true
+ items:
+ - name: Passwordless Strategy
+ href: passwordless-strategy.md
+ - name: Why a PIN is better than a password
+ href: hello-why-pin-is-better-than-password.md
+ - name: Windows Hello biometrics in the enterprise
+ href: hello-biometrics-in-enterprise.md
+ - name: How Windows Hello for Business works
+ href: hello-how-it-works.md
+ - name: Technical Deep Dive
+ items:
+ - name: Device Registration
+ href: hello-how-it-works-device-registration.md
+ - name: Provisioning
+ href: hello-how-it-works-provisioning.md
+ - name: Authentication
+ href: hello-how-it-works-authentication.md
+- name: How-to Guides
+ items:
+ - name: Windows Hello for Business Deployment Overview
+ href: hello-deployment-guide.md
+ - name: Planning a Windows Hello for Business Deployment
+ href: hello-planning-guide.md
+ - name: Deployment Prerequisite Overview
+ href: hello-identity-verification.md
+ - name: Prepare people to use Windows Hello
+ href: hello-prepare-people-to-use.md
+ - name: Deployment Guides
+ items:
+ - name: Hybrid Azure AD Joined Key Trust
+ items:
+ - name: Hybrid Azure AD Joined Key Trust Deployment
+ href: hello-hybrid-key-trust.md
+ - name: Prerequisites
+ href: hello-hybrid-key-trust-prereqs.md
+ - name: New Installation Baseline
+ href: hello-hybrid-key-new-install.md
+ - name: Configure Directory Synchronization
+ href: hello-hybrid-key-trust-dirsync.md
+ - name: Configure Azure Device Registration
+ href: hello-hybrid-key-trust-devreg.md
+ - name: Configure Windows Hello for Business settings
+ href: hello-hybrid-key-whfb-settings.md
+ - name: Sign-in and Provisioning
+ href: hello-hybrid-key-whfb-provision.md
+ - name: Hybrid Azure AD Joined Certificate Trust
+ items:
+ - name: Hybrid Azure AD Joined Certificate Trust Deployment
+ href: hello-hybrid-cert-trust.md
+ - name: Prerequisites
+ href: hello-hybrid-cert-trust-prereqs.md
+ - name: New Installation Baseline
+ href: hello-hybrid-cert-new-install.md
+ - name: Configure Azure Device Registration
+ href: hello-hybrid-cert-trust-devreg.md
+ - name: Configure Windows Hello for Business settings
+ href: hello-hybrid-cert-whfb-settings.md
+ - name: Sign-in and Provisioning
+ href: hello-hybrid-cert-whfb-provision.md
+ - name: On-premises SSO for Azure AD Joined Devices
+ items:
+ - name: On-premises SSO for Azure AD Joined Devices Deployment
+ href: hello-hybrid-aadj-sso.md
+ - name: Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business
+ href: hello-hybrid-aadj-sso-base.md
+ - name: Using Certificates for AADJ On-premises Single-sign On
+ href: hello-hybrid-aadj-sso-cert.md
+ - name: On-premises Key Trust
+ items:
+ - name: On-premises Key Trust Deployment
+ href: hello-deployment-key-trust.md
+ - name: Validate Active Directory Prerequisites
+ href: hello-key-trust-validate-ad-prereq.md
+ - name: Validate and Configure Public Key Infrastructure
+ href: hello-key-trust-validate-pki.md
+ - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services
+ href: hello-key-trust-adfs.md
+ - name: Validate and Deploy Multi-factor Authentication (MFA) Services
+ href: hello-key-trust-validate-deploy-mfa.md
+ - name: Configure Windows Hello for Business policy settings
+ href: hello-key-trust-policy-settings.md
+ - name: On-premises Certificate Trust
+ items:
+ - name: On-premises Certificate Trust Deployment
+ href: hello-deployment-cert-trust.md
+ - name: Validate Active Directory Prerequisites
+ href: hello-cert-trust-validate-ad-prereq.md
+ - name: Validate and Configure Public Key Infrastructure
+ href: hello-cert-trust-validate-pki.md
+ - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services
+ href: hello-cert-trust-adfs.md
+ - name: Validate and Deploy Multi-factor Authentication (MFA) Services
+ href: hello-cert-trust-validate-deploy-mfa.md
+ - name: Configure Windows Hello for Business policy settings
+ href: hello-cert-trust-policy-settings.md
+ - name: Managing Windows Hello for Business in your organization
+ href: hello-manage-in-organization.md
+ - name: Deploying Certificates to Key Trust Users to Enable RDP
+ href: hello-deployment-rdp-certs.md
+ - name: Windows Hello for Business Features
+ items:
+ - name: Conditional Access
+ href: hello-feature-conditional-access.md
+ - name: PIN Reset
+ href: hello-feature-pin-reset.md
+ - name: Dual Enrollment
+ href: hello-feature-dual-enrollment.md
+ - name: Dynamic Lock
+ href: hello-feature-dynamic-lock.md
+ - name: Multi-factor Unlock
+ href: feature-multifactor-unlock.md
+ - name: Remote Desktop
+ href: hello-feature-remote-desktop.md
+ - name: Troubleshooting
+ items:
+ - name: Known Deployment Issues
+ href: hello-deployment-issues.md
+ - name: Errors During PIN Creation
+ href: hello-errors-during-pin-creation.md
+ - name: Event ID 300 - Windows Hello successfully created
+ href: hello-event-300.md
+ - name: Windows Hello and password changes
+ href: hello-and-password-changes.md
+- name: Reference
+ items:
+ - name: Technology and Terminology
+ href: hello-how-it-works-technology.md
+ - name: Frequently Asked Questions (FAQ)
+ href: hello-faq.yml
+ - name: Windows Hello for Business videos
+ href: hello-videos.md
diff --git a/windows/security/identity-protection/index.md b/windows/security/identity-protection/index.md
index 98e0bb9835..dd87cded73 100644
--- a/windows/security/identity-protection/index.md
+++ b/windows/security/identity-protection/index.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
-author: danihalfin
+author: dansimp
ms.author: daniha
manager: dansimp
ms.collection: M365-identity-device-management
@@ -31,5 +31,5 @@ Learn more about identity and access management technologies in Windows 10 and
| [Virtual Smart Cards](virtual-smart-cards/virtual-smart-card-overview.md) | Provides information about deploying and managing virtual smart cards, which are functionally similar to physical smart cards and appear in Windows as smart cards that are always-inserted. Virtual smart cards use the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than requiring the use of a separate physical smart card and reader. |
| [VPN technical guide](vpn/vpn-guide.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. |
| [Smart Cards](smart-cards/smart-card-windows-smart-card-technical-reference.md) | Provides a collection of references topics about smart cards, which are tamper-resistant portable storage devices that can enhance the security of tasks such as authenticating clients, signing code, securing e-mail, and signing in with a Windows domain account. |
-| [Windows Hello for Business](hello-for-business/hello-identity-verification.md) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. |
+| [Windows Hello for Business](hello-for-business/index.yml) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. |
| [Windows 10 Credential Theft Mitigation Guide Abstract](windows-credential-theft-mitigation-guide-abstract.md) | Learn more about credential theft mitigation in Windows 10. |
diff --git a/windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile.md b/windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile.md
index 65e353cb81..fc906d9e08 100644
--- a/windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile.md
+++ b/windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile.md
@@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index 373339ebcd..d3fb9810b8 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
audience: ITPro
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
@@ -53,7 +53,7 @@ Use the following table to compare different Remote Desktop connection security
-| **Feature** | **Remote Desktop** | **Windows Defender Remote Credential Guard** | **Restricted Admin mode** |
+| Feature | Remote Desktop | Windows Defender Remote Credential Guard | Restricted Admin mode |
|--------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Protection benefits** | Credentials on the server are not protected from Pass-the-Hash attacks. | User credentials remain on the client. An attacker can act on behalf of the user *only* when the session is ongoing | User logs on to the server as local administrator, so an attacker cannot act on behalf of the “domain user”. Any attack is local to the server |
| **Version support** | The remote computer can run any Windows operating system | Both the client and the remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**.
For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](https://technet.microsoft.com/library/security/2871997.aspx). |
@@ -67,7 +67,7 @@ Use the following table to compare different Remote Desktop connection security
For further technical information, see [Remote Desktop Protocol](https://msdn.microsoft.com/library/aa383015(v=vs.85).aspx)
-and [How Kerberos works](https://technet.microsoft.com/library/cc961963.aspx(d=robot))
+and [How Kerberos works](https://technet.microsoft.com/library/cc961963.aspx(d=robot)).
@@ -92,9 +92,12 @@ To use Windows Defender Remote Credential Guard, the Remote Desktop client and r
The Remote Desktop client device:
-- Must be running at least Windows 10, version 1703 to be able to supply credentials, which is sent to the remote device. This allows users to run as different users without having to send credentials to the remote machine.
+- Must be running at least Windows 10, version 1703 to be able to supply credentials, which is sent to the remote device. This allows users to run as different users without having to send credentials to the remote machine.
+
- Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user’s signed-in credentials. This requires the user’s account be able to sign in to both the client device and the remote host.
+
- Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard.
+
- Must use Kerberos authentication to connect to the remote host. If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. Windows Defender Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk.
The Remote Desktop remote host:
@@ -108,9 +111,13 @@ There are no hardware requirements for Windows Defender Remote Credential Guard.
> [!NOTE]
> Remote Desktop client devices running earlier versions, at minimum Windows 10 version 1607, only support signed-in credentials, so the client device must also be joined to an Active Directory domain. Both Remote Desktop client and server must either be joined to the same domain, or the Remote Desktop server can be joined to a domain that has a trust relationship to the client device's domain.
+>
+> GPO [Remote host allows delegation of non-exportable credentials](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-credentialsdelegation) should be enabled for delegation of non-exportable credentials.
- For Windows Defender Remote Credential Guard to be supported, the user must authenticate to the remote host using Kerberos authentication.
+
- The remote host must be running at least Windows 10 version 1607, or Windows Server 2016.
+
- The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform app doesn't support Windows Defender Remote Credential Guard.
## Enable Windows Defender Remote Credential Guard
@@ -118,15 +125,20 @@ There are no hardware requirements for Windows Defender Remote Credential Guard.
You must enable Restricted Admin or Windows Defender Remote Credential Guard on the remote host by using the Registry.
1. Open Registry Editor on the remote host.
+
2. Enable Restricted Admin and Windows Defender Remote Credential Guard:
+
- Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa.
+
- Add a new DWORD value named **DisableRestrictedAdmin**.
+
- To turn on Restricted Admin and Windows Defender Remote Credential Guard, set the value of this registry setting to 0 to turn on Windows Defender Remote Credential Guard.
+
3. Close Registry Editor.
You can add this by running the following command from an elevated command prompt:
-```
+```console
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD
```
@@ -143,6 +155,7 @@ Beginning with Windows 10 version 1703, you can enable Windows Defender Remote C
3. Under **Use the following restricted mode**:
+
- If you want to require either [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx) or Windows Defender Remote Credential Guard, choose **Restrict Credential Delegation**. In this configuration, Windows Defender Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Windows Defender Remote Credential Guard cannot be used.
> [!NOTE]
@@ -163,12 +176,12 @@ Beginning with Windows 10 version 1703, you can enable Windows Defender Remote C
If you don't use Group Policy in your organization, or if not all your remote hosts support Remote Credential Guard, you can add the remoteGuard parameter when you start Remote Desktop Connection to turn on Windows Defender Remote Credential Guard for that connection.
-```
+```console
mstsc.exe /remoteGuard
```
> [!NOTE]
-> The user must be part of administrators group.
+> The user must be authorized to connect to the remote server using Remote Desktop Protocol, for example by being a member of the Remote Desktop Users local group on the remote computer.
## Considerations when using Windows Defender Remote Credential Guard
diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
index 5e5003aa9f..f8baa1b11c 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
index 89ddb7fa8a..bb2559ccf0 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
index 997384b9e0..ae671b4ace 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
index 17564fc13b..3d76ae2b17 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
index 4bf706bbbc..824c20a5f1 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
@@ -26,9 +26,9 @@ Debugging and tracing smart card issues requires a variety of tools and approach
- [Certutil](#certutil)
-- [Debugging and tracing using WPP](#debugging-and-tracing-using-wpp)
+- [Debugging and tracing using Windows software trace preprocessor (WPP)](#debugging-and-tracing-using-wpp)
-- [Kerberos protocol, KDC, and NTLM debugging and tracing](#kerberos-protocol-kdc-and-ntlm-debugging-and-tracing)
+- [Kerberos protocol, Key Distribution Center (KDC), and NTLM debugging and tracing](#kerberos-protocol-kdc-and-ntlm-debugging-and-tracing)
- [Smart Card service](#smart-card-service)
@@ -42,22 +42,22 @@ For a complete description of Certutil including examples that show how to use i
### List certificates available on the smart card
-To list certificates that are available on the smart card, type certutil -scinfo.
+To list certificates that are available on the smart card, type `certutil -scinfo`.
> [!NOTE]
> Entering a PIN is not required for this operation. You can press ESC if you are prompted for a PIN.
### Delete certificates on the smart card
-Each certificate is enclosed in a container. When you delete a certificate on the smart card, you are deleting the container for the certificate.
+Each certificate is enclosed in a container. When you delete a certificate on the smart card, you're deleting the container for the certificate.
-To find the container value, type certutil -scinfo.
+To find the container value, type `certutil -scinfo`.
To delete a container, type **certutil -delkey -csp "Microsoft Base Smart Card Crypto Provider"** "<*ContainerValue*>".
## Debugging and tracing using WPP
-Windows software trace preprocessor (WPP) simplifies tracing the operation of the trace provider. It provides a mechanism for the trace provider to log real-time binary messages. Logged messages can be converted to a human-readable trace of the operation. For more information, see [Diagnostics with WPP - The NDIS blog](https://blogs.msdn.com/b/ndis/archive/2011/04/06/diagnostics-with-wpp.aspx).
+WPP simplifies tracing the operation of the trace provider. It provides a mechanism for the trace provider to log real-time binary messages. Logged messages can be converted to a human-readable trace of the operation. For more information, see [Diagnostics with WPP - The NDIS blog](https://blogs.msdn.com/b/ndis/archive/2011/04/06/diagnostics-with-wpp.aspx).
### Enable the trace
@@ -65,21 +65,21 @@ Using WPP, use one of the following commands to enable tracing:
- **tracelog.exe -kd -rt -start** <*FriendlyName*> **-guid \#**<*GUID*> **-f .\\**<*LogFileName*>**.etl -flags** <*flags*> **-ft 1**
-- **logman start** <*FriendlyName*> **-ets -p {**<*GUID*>**} -**<*Flags*> **-ft 1 -rt -o .\\**<*LogFileName*>**.etl -mode 0x00080000*
+- **logman start** <*FriendlyName*> **-ets -p {**<*GUID*>**} -**<*Flags*> **-ft 1 -rt -o .\\**<*LogFileName*>**.etl -mode 0x00080000**
You can use the parameters in the following table.
| Friendly name | GUID | Flags |
|-------------------|--------------------------------------|-----------|
-| scardsvr | 13038e47-ffec-425d-bc69-5707708075fe | 0xffff |
-| winscard | 3fce7c5f-fb3b-4bce-a9d8-55cc0ce1cf01 | 0xffff |
-| basecsp | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7 |
-| scksp | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7 |
-| msclmd | fb36caf4-582b-4604-8841-9263574c4f2c | 0x7 |
-| credprov | dba0e0e0-505a-4ab6-aa3f-22f6f743b480 | 0xffff |
-| certprop | 30eae751-411f-414c-988b-a8bfa8913f49 | 0xffff |
-| scfilter | eed7f3c9-62ba-400e-a001-658869df9a91 | 0xffff |
-| wudfusbccid | a3c09ba3-2f62-4be5-a50f-8278a646ac9d | 0xffff |
+| `scardsvr` | 13038e47-ffec-425d-bc69-5707708075fe | 0xffff |
+| `winscard` | 3fce7c5f-fb3b-4bce-a9d8-55cc0ce1cf01 | 0xffff |
+| `basecsp` | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7 |
+| `scksp` | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7 |
+| `msclmd` | fb36caf4-582b-4604-8841-9263574c4f2c | 0x7 |
+| `credprov` | dba0e0e0-505a-4ab6-aa3f-22f6f743b480 | 0xffff |
+| `certprop` | 30eae751-411f-414c-988b-a8bfa8913f49 | 0xffff |
+| `scfilter` | eed7f3c9-62ba-400e-a001-658869df9a91 | 0xffff |
+| `wudfusbccid` | a3c09ba3-2f62-4be5-a50f-8278a646ac9d | 0xffff |
Examples
@@ -109,7 +109,7 @@ To stop a trace:
- **logman -stop scardsvr -ets**
-## Kerberos protocol, KDC and NTLM debugging and tracing
+## Kerberos protocol, KDC, and NTLM debugging and tracing
@@ -119,11 +119,11 @@ You can use these resources to troubleshoot these protocols and the KDC:
- [Windows Driver Kit (WDK) and Debugging Tools for Windows (WinDbg)](https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit). You can use the trace log tool in this SDK to debug Kerberos authentication failures.
-To begin tracing, you can use Tracelog. Different components use different control GUIDs as explained in these examples. For more information, see [Tracelog](https://msdn.microsoft.com/library/windows/hardware/ff552994.aspx).
+To begin tracing, you can use `Tracelog`. Different components use different control GUIDs as explained in these examples. For more information, see [`Tracelog`](https://msdn.microsoft.com/library/windows/hardware/ff552994.aspx).
### NTLM
-To enable tracing for NTLM authentication, run the following at the command line:
+To enable tracing for NTLM authentication, run the following command on the command line:
- **tracelog.exe -kd -rt -start ntlm -guid \#5BBB6C18-AA45-49b1-A15F-085F7ED0AA90 -f .\\ntlm.etl -flags 0x15003 -ft 1**
@@ -143,11 +143,11 @@ To stop tracing for Kerberos authentication, run this command:
### KDC
-To enable tracing for the Key Distribution Center (KDC), run the following at the command line:
+To enable tracing for the KDC, run the following command on the command line:
- **tracelog.exe -kd -rt -start kdc -guid \#1BBA8B19-7F31-43c0-9643-6E911F79A06B -f .\\kdc.etl -flags 0x803 -ft 1**
-To stop tracing for the KDC, run the following at the command line:
+To stop tracing for the KDC, run the following command on the command line:
- **tracelog.exe -stop kdc**
@@ -166,7 +166,7 @@ You can also configure tracing by editing the Kerberos registry values shown in
| Kerberos | HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos
Value name: LogToFile
Value type: DWORD
Value data: 00000001
HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters
Value name: KerbDebugLevel
Value type: DWORD
Value data: c0000043
HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters
Value name: LogToFile
Value type: DWORD
Value data: 00000001 |
| KDC | HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Kdc
Value name: KdcDebugLevel
Value type: DWORD
Value data: c0000803 |
-If you used Tracelog, look for the following log file in your current directory: kerb.etl/kdc.etl/ntlm.etl.
+If you used `Tracelog`, look for the following log file in your current directory: kerb.etl/kdc.etl/ntlm.etl.
If you used the registry key settings shown in the previous table, look for the trace log files in the following locations:
@@ -176,7 +176,7 @@ If you used the registry key settings shown in the previous table, look for the
- KDC: %systemroot%\\tracing\\kdcsvc
-To decode event trace files, you can use Tracefmt (tracefmt.exe). Tracefmt is a command-line tool that formats and displays trace messages from an event trace log file (.etl) or a real-time trace session. Tracefmt can display the messages in the Command Prompt window or save them in a text file. It is located in the \\tools\\tracing subdirectory of the Windows Driver Kit (WDK). For more information, see [Tracefmt](https://msdn.microsoft.com/library/ff552974.aspx).
+To decode event trace files, you can use `Tracefmt` (tracefmt.exe). `Tracefmt` is a command-line tool that formats and displays trace messages from an event trace log file (.etl) or a real-time trace session. `Tracefmt` can display the messages in the Command Prompt window or save them in a text file. It is located in the \\tools\\tracing subdirectory of the Windows Driver Kit (WDK). For more information, see [`Tracefmt`](https://msdn.microsoft.com/library/ff552974.aspx).
## Smart Card service
@@ -184,11 +184,11 @@ The smart card resource manager service runs in the context of a local service.
**To check if Smart Card service is running**
-1. Press CTRL+ALT+DEL, and then click **Start Task Manager**.
+1. Press CTRL+ALT+DEL, and then select **Start Task Manager**.
-2. In the **Windows Task Manager** dialog box, click the **Services** tab.
+2. In the **Windows Task Manager** dialog box, select the **Services** tab.
-3. Click the **Name** column to sort the list alphabetically, and then type **s**.
+3. Select the **Name** column to sort the list alphabetically, and then type **s**.
4. In the **Name** column, look for **SCardSvr**, and then look under the **Status** column to see if the service is running or stopped.
@@ -196,15 +196,15 @@ The smart card resource manager service runs in the context of a local service.
1. Run as administrator at the command prompt.
-2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
+2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
-3. At the command prompt, type **net stop SCardSvr**.
+3. At the command prompt, type `net stop SCardSvr`.
-4. At the command prompt, type **net start SCardSvr**.
+4. At the command prompt, type `net start SCardSvr`.
-You can use the following command at the command prompt to check whether the service is running: **sc queryex scardsvr**.
+You can use the following command at the command prompt to check whether the service is running: `sc queryex scardsvr`.
-This is an example output from this command:
+The following code sample is an example output from this command:
```console
SERVICE_NAME: scardsvr
@@ -228,14 +228,14 @@ As with any device connected to a computer, Device Manager can be used to view p
1. Navigate to **Computer**.
-2. Right-click **Computer**, and then click **Properties**.
+2. Right-click **Computer**, and then select **Properties**.
-3. Under **Tasks**, click **Device Manager**.
+3. Under **Tasks**, select **Device Manager**.
-4. In Device Manager, expand **Smart card readers**, select the name of the smart card reader you want to check, and then click **Properties**.
+4. In Device Manager, expand **Smart card readers**, select the name of the smart card reader you want to check, and then select **Properties**.
> [!NOTE]
-> If the smart card reader is not listed in Device Manager, in the **Action** menu, click **Scan for hardware changes**.
+> If the smart card reader is not listed in Device Manager, in the **Action** menu, select **Scan for hardware changes**.
## CryptoAPI 2.0 Diagnostics
diff --git a/windows/security/identity-protection/smart-cards/smart-card-events.md b/windows/security/identity-protection/smart-cards/smart-card-events.md
index d905fbf992..dbaa8112f7 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-events.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-events.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
index 04e43174e8..50d2b45bb2 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
diff --git a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
index 56228dff85..9939c9ec73 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
index dd8812970c..fa36cf563f 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
diff --git a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
index a913f4c769..e4548fc317 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
diff --git a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
index 794b8e096c..74fdcc3e8f 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
diff --git a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
index 53ebc5b4f6..99defcec30 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
index 560f4b240c..10ffd31a84 100644
--- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
+++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: operate
ms.sitesec: library
ms.pagetype: security
audience: ITPro
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
@@ -109,9 +109,7 @@ To better understand each component, review the table below:
Description
-
-
+User
@@ -138,9 +136,7 @@ To better understand each component, review the table below:
-
-
+System
@@ -248,8 +244,7 @@ To better understand each component, review the table below:
-
- Kernel
@@ -276,9 +271,11 @@ The slider will never turn UAC completely off. If you set it to Never notify<
- Cause all elevation request initiated by administrators to be auto-approved without showing a UAC prompt.
- Automatically deny all elevation requests for standard users.
-> **Important:** In order to fully disable UAC you must disable the policy **User Account Control: Run all administrators in Admin Approval Mode**.
->
-> **Warning:** Universal Windows apps will not work when UAC is disabled.
+> [!IMPORTANT]
+> In order to fully disable UAC you must disable the policy **User Account Control: Run all administrators in Admin Approval Mode**.
+
+> [!WARNING]
+> Some Universal Windows Platform apps may not work when UAC is disabled.
### Virtualization
@@ -291,7 +288,9 @@ Most app tasks operate properly by using virtualization features. Although virtu
Virtualization is not an option in the following scenarios:
- Virtualization does not apply to apps that are elevated and run with a full administrative access token.
+
- Virtualization supports only 32-bit apps. Non-elevated 64-bit apps simply receive an access denied message when they attempt to acquire a handle (a unique identifier) to a Windows object. Native Windows 64-bit apps are required to be compatible with UAC and to write data into the correct locations.
+
- Virtualization is disabled if the app includes an app manifest with a requested execution level attribute.
### Request execution levels
@@ -319,6 +318,8 @@ Before a 32-bit process is created, the following attributes are checked to dete
- Key attributes in the resource script data are linked in the executable file.
- There are targeted sequences of bytes within the executable file.
-> **Note:** The keywords and sequences of bytes were derived from common characteristics observed from various installer technologies.
->
-> **Note:** The User Account Control: Detect application installations and prompt for elevation policy setting must be enabled for installer detection to detect installation programs. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md).
+> [!NOTE]
+> The keywords and sequences of bytes were derived from common characteristics observed from various installer technologies.
+
+> [!NOTE]
+> The User Account Control: Detect application installations and prompt for elevation policy setting must be enabled for installer detection to detect installation programs. For more info, see [User Account Control security policy settings](user-account-control-security-policy-settings.md).
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
index e8d50dc97f..130688534d 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-overview.md b/windows/security/identity-protection/user-account-control/user-account-control-overview.md
index 9c9011d7ad..a95145abaa 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-overview.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-overview.md
@@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
index 9cb4e34436..793fe303aa 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
@@ -65,7 +65,7 @@ This policy setting controls the behavior of the elevation prompt for standard u
This policy setting controls the behavior of application installation detection for the computer.
- **Enabled** (Default) When an app installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
-- **Disabled** App installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies, such as Group Policy or Microsoft Endpoint Configuration Manager should disable this policy setting. In this case, installer detection is unnecessary.
+- **Disabled** App installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies, such as Group Policy or Microsoft Endpoint Manager should disable this policy setting. In this case, installer detection is unnecessary.
## User Account Control: Only elevate executable files that are signed and validated
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
index 5e643f7d75..a168874b63 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
index f0b0220678..6fb462eb81 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
index 34daf7a11e..6810a79d95 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
index aa61d00b97..29bb2adede 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
index a979d2b781..c37a9a9b29 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
index 0194ee2c80..d7c394285f 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
index 0737f18fec..30671f6e4a 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
diff --git a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
index 6b9868b0f0..97ee24eb64 100644
--- a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
+++ b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, networking
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
ms.localizationpriority: medium
ms.date: 02/08/2018
diff --git a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
index 0b6ff85b21..24a4378ebe 100644
--- a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
+++ b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-author: dulcemontemayor
+author: dansimp
ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
diff --git a/windows/security/identity-protection/vpn/images/vpn-connection-intune.png b/windows/security/identity-protection/vpn/images/vpn-connection-intune.png
index bf551eabb7..8098b3445e 100644
Binary files a/windows/security/identity-protection/vpn/images/vpn-connection-intune.png and b/windows/security/identity-protection/vpn/images/vpn-connection-intune.png differ
diff --git a/windows/security/identity-protection/vpn/images/vpn-custom-xml-intune.png b/windows/security/identity-protection/vpn/images/vpn-custom-xml-intune.png
index 94cbb2c5cb..c6437e95d1 100644
Binary files a/windows/security/identity-protection/vpn/images/vpn-custom-xml-intune.png and b/windows/security/identity-protection/vpn/images/vpn-custom-xml-intune.png differ
diff --git a/windows/security/identity-protection/vpn/vpn-authentication.md b/windows/security/identity-protection/vpn/vpn-authentication.md
index 3fe2c08d57..5f4cf0a2b1 100644
--- a/windows/security/identity-protection/vpn/vpn-authentication.md
+++ b/windows/security/identity-protection/vpn/vpn-authentication.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, networking
-author: dulcemontemayor
+author: dansimp
ms.localizationpriority: medium
ms.date: 07/27/2017
ms.reviewer:
diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
index 29c8f5e474..59ffc5f231 100644
--- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
+++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, networking
-author: dulcemontemayor
+author: dansimp
ms.localizationpriority: medium
ms.date: 07/27/2017
ms.reviewer:
diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md
index fc09e68a62..0d608b647c 100644
--- a/windows/security/identity-protection/vpn/vpn-conditional-access.md
+++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, networking
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
ms.reviewer:
@@ -31,6 +31,7 @@ Conditional Access Platform components used for Device Compliance include the fo
- [Windows Health Attestation Service](https://technet.microsoft.com/itpro/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices#device-health-attestation) (optional)
- Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA.
+See also [Always On VPN deployment for Windows Server and Windows 10](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy).
- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When that certificate expires, the client will again check with Azure AD for health validation before a new certificate is issued.
@@ -74,10 +75,12 @@ Two client-side configuration service providers are leveraged for VPN device com
- Collects TPM data used to verify health states
- Forwards the data to the Health Attestation Service (HAS)
- Provisions the Health Attestation Certificate received from the HAS
- - Upon request, forwards the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification
+ - Upon request, forward the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification
> [!NOTE]
-> Currently, it is required that certificates used for obtaining Kerberos tickets must be issued from an on-premises CA, and that SSO must be enabled in the user’s VPN profile. This will enable the user to access on-premises resources.
+> Currently, it is required that certificates used for obtaining Kerberos tickets must be issued from an on-premises CA, and that SSO must be enabled in the user’s VPN profile. This will enable the user to access on-premises resources.
+>
+> In the case of AzureAD-only joined devices (not hybrid joined devices), if the user certificate issued by the on-premises CA has the user UPN from AzureAD in Subject and SAN (Subject Alternative Name), the VPN profile must be modified to ensure that the client does not cache the credentials used for VPN authentication. To do this, after deploying the VPN profile to the client, modify the *Rasphone.pbk* on the client by changing the entry **UseRasCredentials** from 1 (default) to 0 (zero).
## Client connection flow
diff --git a/windows/security/identity-protection/vpn/vpn-connection-type.md b/windows/security/identity-protection/vpn/vpn-connection-type.md
index 92c4d2b8c5..89a4c83d9b 100644
--- a/windows/security/identity-protection/vpn/vpn-connection-type.md
+++ b/windows/security/identity-protection/vpn/vpn-connection-type.md
@@ -5,9 +5,9 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, networking
-author: dulcemontemayor
+author: dansimp
ms.localizationpriority: medium
-ms.date: 07/27/2017
+ms.date: 11/13/2020
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -42,6 +42,9 @@ There are many options for VPN clients. In Windows 10, the built-in plug-in and
- [SSTP](https://technet.microsoft.com/library/ff687819.aspx)
SSTP is supported for Windows desktop editions only. SSTP cannot be configured using mobile device management (MDM), but it is one of the protocols attempted in the **Automatic** option.
+
+ > [!NOTE]
+ > When a VPN plug-in is used, the adapter will be listed as an SSTP adapter, even though the VPN protocol used is the plug-in's protocol.
- Automatic
@@ -61,13 +64,15 @@ There are a number of Universal Windows Platform VPN applications, such as Pulse
See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration.
-The following image shows connection options in a VPN Profile configuration policy using Microsoft Intune.
+The following image shows connection options in a VPN Profile configuration policy using Microsoft Intune:
-
+> [!div class="mx-imgBorder"]
+> 
-In Intune, you can also include custom XML for third-party plug-in profiles.
+In Intune, you can also include custom XML for third-party plug-in profiles:
-
+> [!div class="mx-imgBorder"]
+> 
## Related topics
@@ -85,4 +90,3 @@ In Intune, you can also include custom XML for third-party plug-in profiles.
-
diff --git a/windows/security/identity-protection/vpn/vpn-guide.md b/windows/security/identity-protection/vpn/vpn-guide.md
index cb543ad1cd..1ec959d53e 100644
--- a/windows/security/identity-protection/vpn/vpn-guide.md
+++ b/windows/security/identity-protection/vpn/vpn-guide.md
@@ -1,12 +1,12 @@
---
title: Windows 10 VPN technical guide (Windows 10)
-description: Learn about decisions to make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment.
+description: Learn about decisions to make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
-author: dulcemontemayor
+author: dansimp
ms.localizationpriority: medium
-ms.date: 07/27/2017
+ms.date: 11/13/2020
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -20,12 +20,12 @@ ms.author: dansimp
- Windows 10
- Windows 10 Mobile
-This guide will walk you through the decisions you will make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment. This guide references the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) and provides mobile device management (MDM) configuration instructions using Microsoft Intune and the VPN Profile template for Windows 10.
+This guide will walk you through the decisions you will make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment. This guide references the [VPNv2 Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/vpnv2-csp) and provides mobile device management (MDM) configuration instructions using Microsoft Intune and the VPN Profile template for Windows 10.
-
+To create a Windows 10 VPN device configuration profile see: [Windows 10 and Windows Holographic device settings to add VPN connections using Intune](https://docs.microsoft.com/mem/intune/configuration/vpn-settings-windows-10).
->[!NOTE]
->This guide does not explain server deployment.
+> [!NOTE]
+> This guide does not explain server deployment.
## In this guide
@@ -43,7 +43,5 @@ This guide will walk you through the decisions you will make for Windows 10 clie
## Learn more
-- [VPN connections in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/vpn-connections-in-microsoft-intune)
-
-
+- [Create VPN profiles to connect to VPN servers in Intune](https://docs.microsoft.com/mem/intune/configuration/vpn-settings-configure)
diff --git a/windows/security/identity-protection/vpn/vpn-name-resolution.md b/windows/security/identity-protection/vpn/vpn-name-resolution.md
index 6ff26370e3..2076d89817 100644
--- a/windows/security/identity-protection/vpn/vpn-name-resolution.md
+++ b/windows/security/identity-protection/vpn/vpn-name-resolution.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, networking
-author: dulcemontemayor
+author: dansimp
ms.localizationpriority: medium
ms.date: 07/27/2017
ms.reviewer:
@@ -52,7 +52,7 @@ Primary DNS suffix is set using the **VPNv2/*ProfileName*/DnsSuffix** node.
## Persistent
-You can also configure *persistent* name resolution rules. Name resolution for specified items will only performed over VPN.
+You can also configure *persistent* name resolution rules. Name resolution for specified items will only be performed over the VPN.
Persistent name resolution is set using the **VPNv2/*ProfileName*/DomainNameInformationList//*dniRowId*/Persistent** node.
diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md
index 19df534358..d47c757946 100644
--- a/windows/security/identity-protection/vpn/vpn-profile-options.md
+++ b/windows/security/identity-protection/vpn/vpn-profile-options.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, networking
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
ms.localizationpriority: medium
ms.date: 05/17/2018
@@ -34,7 +34,6 @@ The following table lists the VPN settings and whether the setting can be config
| Routing: forced-tunnel | yes |
| Authentication (EAP) | yes, if connection type is built-in |
| Conditional access | yes |
-| Proxy settings | yes, by PAC/WPAD file or server and port |
| Name resolution: NRPT | yes |
| Name resolution: DNS suffix | no |
| Name resolution: persistent | no |
@@ -45,6 +44,10 @@ The following table lists the VPN settings and whether the setting can be config
| LockDown | no |
| Windows Information Protection (WIP) | yes |
| Traffic filters | yes |
+| Proxy settings | yes, by PAC/WPAD file or server and port |
+
+> [!NOTE]
+> VPN proxy settings are only used on Force Tunnel Connections. On Split Tunnel Connections, the general proxy settings are used.
The ProfileXML node was added to the VPNv2 CSP to allow users to deploy VPN profile as a single blob. This is particularly useful for deploying profiles with features that are not yet supported by MDMs. You can get additional examples in the [ProfileXML XSD](https://msdn.microsoft.com/library/windows/hardware/mt755930.aspx) topic.
@@ -316,7 +319,7 @@ After you configure the settings that you want using ProfileXML, you can apply i
## Learn more
-- [Learn how to configure VPN connections in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/vpn-connections-in-microsoft-intune)
+- [Create VPN profiles to connect to VPN servers in Intune](https://docs.microsoft.com/mem/intune/configuration/vpn-settings-configure)
- [VPNv2 configuration service provider (CSP) reference](https://go.microsoft.com/fwlink/p/?LinkId=617588)
- [How to Create VPN Profiles in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=618028)
diff --git a/windows/security/identity-protection/vpn/vpn-routing.md b/windows/security/identity-protection/vpn/vpn-routing.md
index 416bc57d04..fd26221328 100644
--- a/windows/security/identity-protection/vpn/vpn-routing.md
+++ b/windows/security/identity-protection/vpn/vpn-routing.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, networking
-author: dulcemontemayor
+author: dansimp
ms.localizationpriority: medium
ms.date: 07/27/2017
ms.reviewer:
diff --git a/windows/security/identity-protection/vpn/vpn-security-features.md b/windows/security/identity-protection/vpn/vpn-security-features.md
index d8f4768540..96964c7d9b 100644
--- a/windows/security/identity-protection/vpn/vpn-security-features.md
+++ b/windows/security/identity-protection/vpn/vpn-security-features.md
@@ -5,7 +5,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, networking
-author: dulcemontemayor
+author: dansimp
ms.localizationpriority: medium
ms.date: 07/27/2017
ms.reviewer:
@@ -20,23 +20,6 @@ ms.author: dansimp
- Windows 10 Mobile
-## LockDown VPN
-
-A VPN profile configured with LockDown secures the device to only allow network traffic over the VPN interface. It has the following features:
-
-- The system attempts to keep the VPN connected at all times.
-- The user cannot disconnect the VPN connection.
-- The user cannot delete or modify the VPN profile.
-- The VPN LockDown profile uses forced tunnel connection.
-- If the VPN connection is not available, outbound network traffic is blocked.
-- Only one VPN LockDown profile is allowed on a device.
-
-> [!NOTE]
-> For built-in VPN, LockDown VPN is only available for the Internet Key Exchange version 2 (IKEv2) connection type.
-
-Deploy this feature with caution, as the resultant connection will not be able to send or receive any network traffic without the VPN being connected.
-
-
## Windows Information Protection (WIP) integration with VPN
Windows Information Protection provides capabilities allowing the separation and protection of enterprise data against disclosure across both company and personally owned devices, without requiring additional changes to the environments or the apps themselves. Additionally, when used with Rights Management Services (RMS), WIP can help to protect enterprise data locally.
@@ -78,6 +61,24 @@ The following image shows the interface to configure traffic rules in a VPN Prof
+
+## LockDown VPN
+
+A VPN profile configured with LockDown secures the device to only allow network traffic over the VPN interface. It has the following features:
+
+- The system attempts to keep the VPN connected at all times.
+- The user cannot disconnect the VPN connection.
+- The user cannot delete or modify the VPN profile.
+- The VPN LockDown profile uses forced tunnel connection.
+- If the VPN connection is not available, outbound network traffic is blocked.
+- Only one VPN LockDown profile is allowed on a device.
+
+> [!NOTE]
+> For built-in VPN, LockDown VPN is only available for the Internet Key Exchange version 2 (IKEv2) connection type.
+
+Deploy this feature with caution, as the resultant connection will not be able to send or receive any network traffic without the VPN being connected.
+
+
## Related topics
- [VPN technical guide](vpn-guide.md)
diff --git a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
index 26db02bc64..2c1a02b8db 100644
--- a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
+++ b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
audience: ITPro
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
diff --git a/windows/security/includes/improve-request-performance.md b/windows/security/includes/improve-request-performance.md
index c2499cf092..efaf6664a9 100644
--- a/windows/security/includes/improve-request-performance.md
+++ b/windows/security/includes/improve-request-performance.md
@@ -16,7 +16,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---
->[!NOTE]
+>[!TIP]
>For better performance, you can use server closer to your geo location:
> - api-us.securitycenter.microsoft.com
> - api-eu.securitycenter.microsoft.com
diff --git a/windows/security/includes/machineactionsnote.md b/windows/security/includes/machineactionsnote.md
index 246c89eb92..542eec5756 100644
--- a/windows/security/includes/machineactionsnote.md
+++ b/windows/security/includes/machineactionsnote.md
@@ -1,6 +1,6 @@
---
-title: Perform a Machine Action via the Microsoft Defender ATP API
-description: This page focuses on performing a machine action via the Microsoft Defender Advanced Threat Protection (MDATP) API.
+title: Perform a Machine Action via the Microsoft Defender for Endpoint API
+description: This page focuses on performing a machine action via the Microsoft Defender for Endpoint API.
ms.date: 08/28/2017
ms.reviewer:
manager: dansimp
@@ -10,4 +10,4 @@ ms.prod: w10
---
>[!Note]
-> This page focuses on performing a machine action via API. See [take response actions on a machine](../threat-protection/microsoft-defender-atp/respond-machine-alerts.md) for more information about response actions functionality via Microsoft Defender ATP.
+> This page focuses on performing a machine action via API. See [take response actions on a machine](../threat-protection/microsoft-defender-atp/respond-machine-alerts.md) for more information about response actions functionality via Microsoft Defender for Endpoint.
diff --git a/windows/security/includes/microsoft-defender-api-usgov.md b/windows/security/includes/microsoft-defender-api-usgov.md
new file mode 100644
index 0000000000..4f58a3d8d5
--- /dev/null
+++ b/windows/security/includes/microsoft-defender-api-usgov.md
@@ -0,0 +1,20 @@
+---
+title: Microsoft Defender for Endpoint API URIs for US Government
+description: Microsoft Defender for Endpoint API URIs for US Government
+keywords: defender, endpoint, api, government, gov
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+---
+
+>[!NOTE]
+>If you are a US Government customer, please use the URIs listed in [Microsoft Defender for Endpoint for US Government customers](../threat-protection/microsoft-defender-atp/gov.md#api).
diff --git a/windows/security/includes/microsoft-defender.md b/windows/security/includes/microsoft-defender.md
index 46153786b9..0cf05d9d0d 100644
--- a/windows/security/includes/microsoft-defender.md
+++ b/windows/security/includes/microsoft-defender.md
@@ -1,14 +1,14 @@
---
-title: Microsoft Defender rebrand guidance
-description: A note in regard to the Microsoft Defender rebrand.
-ms.date: 09/21/2020
+title: Microsoft Defender important guidance
+description: A note in regard to important Microsoft Defender guidance.
+ms.date:
ms.reviewer:
manager: dansimp
-ms.author: daniha
-author: danihalfin
+ms.author: dansimp
+author: dansimp
ms.prod: w10
ms.topic: include
---
> [!IMPORTANT]
-> Welcome to **Microsoft Defender for Endpoint**, the new name for **Microsoft Defender Advanced Threat Protection**. Read more about this and other updates [here](https://www.microsoft.com/security/blog/?p=91813). We'll be updating names in products and in the docs in the near future.
+> The improved [Microsoft 365 security center](https://security.microsoft.com) is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. [Learn what's new](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center). This topic might apply to both Microsoft Defender for Endpoint and Microsoft 365 Defender. Refer to the **Applies To** section and look for specific call outs in this article where there might be differences.
diff --git a/windows/security/includes/prerelease.md b/windows/security/includes/prerelease.md
index a83544340f..a008aa45d7 100644
--- a/windows/security/includes/prerelease.md
+++ b/windows/security/includes/prerelease.md
@@ -1,6 +1,6 @@
---
-title: Microsoft Defender ATP Pre-release Disclaimer
-description: Disclaimer for pre-release version of Microsoft Defender ATP.
+title: Microsoft Defender for Endpoint Pre-release Disclaimer
+description: Disclaimer for pre-release version of Microsoft Defender for Endpoint.
ms.date: 08/28/2017
ms.reviewer:
manager: dansimp
diff --git a/windows/security/information-protection/TOC.md b/windows/security/information-protection/TOC.md
index 6fe54f4f4d..442b60a184 100644
--- a/windows/security/information-protection/TOC.md
+++ b/windows/security/information-protection/TOC.md
@@ -3,9 +3,9 @@
## [BitLocker](bitlocker\bitlocker-overview.md)
### [Overview of BitLocker Device Encryption in Windows 10](bitlocker\bitlocker-device-encryption-overview-windows-10.md)
### [BitLocker frequently asked questions (FAQ)](bitlocker\bitlocker-frequently-asked-questions.md)
-#### [Overview and requirements](bitlocker\bitlocker-overview-and-requirements-faq.md)
+#### [Overview and requirements](bitlocker\bitlocker-overview-and-requirements-faq.yml)
#### [Upgrading](bitlocker\bitlocker-upgrading-faq.md)
-#### [Deployment and administration](bitlocker\bitlocker-deployment-and-administration-faq.md)
+#### [Deployment and administration](bitlocker\bitlocker-deployment-and-administration-faq.yml)
#### [Key management](bitlocker\bitlocker-key-management-faq.md)
#### [BitLocker To Go](bitlocker\bitlocker-to-go-faq.md)
#### [Active Directory Domain Services](bitlocker\bitlocker-and-adds-faq.md)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md
index d6bad09f03..c248a61b46 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md
@@ -29,16 +29,16 @@ ms.custom: bitlocker
Stored information | Description
-------------------|------------
Hash of the TPM owner password | Beginning with Windows 10, the password hash is not stored in AD DS by default. The password hash can be stored only if the TPM is owned and the ownership was taken by using components of Windows 8.1 or earlier, such as the BitLocker Setup Wizard or the TPM snap-in.
-BitLocker recovery password | The recovery password allows you to unlock and access the drive in the event of a recovery incident. Domain administrators can view the BitLocker recovery password by using the BitLocker Recovery Password Viewer. For more information about this tool, see [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md).
-BitLocker key package | The key package helps to repair damage to the hard disk that would otherwise prevent standard recovery. Using the key package for recovery requires the BitLocker Repair Tool, Repair-bde.
+BitLocker recovery password | The recovery password allows you to unlock and access the drive after a recovery incident. Domain administrators can view the BitLocker recovery password by using the BitLocker Recovery Password Viewer. For more information about this tool, see [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md).
+BitLocker key package | The key package helps to repair damage to the hard disk that would otherwise prevent standard recovery. Using the key package for recovery requires the BitLocker Repair Tool, `Repair-bde`.
## What if BitLocker is enabled on a computer before the computer has joined the domain?
-If BitLocker is enabled on a drive before Group Policy has been applied to enforce backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, you can use the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered** and **Choose how BitLocker-protected removable drives can be recovered** Group Policy settings to require that the computer be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in your organization is backed up to AD DS.
+If BitLocker is enabled on a drive before Group Policy has been applied to enforce a backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, you can use the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered**, and **Choose how BitLocker-protected removable drives can be recovered** Group Policy settings to require the computer to be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in your organization is backed up to AD DS.
For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
-The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The manage-bde command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the `$env:SystemDrive` to AD DS, you would use the following command script from an elevated command prompt:
+The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The `manage-bde` command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the `$env:SystemDrive` to AD DS, you would use the following command script from an elevated command prompt:
```PowerShell
$BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive
@@ -61,13 +61,13 @@ Ultimately, determining whether a legitimate backup exists in AD DS requires qu
No. By design, BitLocker recovery password entries do not get deleted from AD DS; therefore, you might see multiple passwords for each drive. To identify the latest password, check the date on the object.
-## What happens if the backup initially fails? Will BitLocker retry the backup?
+## What happens if the backup initially fails? Will BitLocker retry it?
If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker does not try again to back up the recovery information to AD DS.
-When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, **Choose how BitLocker-protected removable data drives can be recovered** policy settings, this prevents users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker cannot be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization.
+When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, and **Choose how BitLocker-protected removable data drives can be recovered** policy settings, users can't enable BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker cannot be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization.
For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
-When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a script for the backup, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain) to capture the information after connectivity is restored.
+When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a backup script, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain) to capture the information after connectivity is restored.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
index dc0d879c78..8ad995065c 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
@@ -1,6 +1,6 @@
---
title: BitLocker basic deployment (Windows 10)
-description: This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.
+description: This article for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.
ms.assetid: 97c646cb-9e53-4236-9678-354af41151c4
ms.reviewer:
ms.prod: w10
@@ -24,7 +24,7 @@ ms.custom: bitlocker
- Windows 10
-This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.
+This article for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.
## Using BitLocker to encrypt volumes
@@ -39,12 +39,12 @@ BitLocker encryption can be done using the following methods:
- BitLocker control panel
- Windows Explorer
-- manage-bde command line interface
+- manage-bde command-line interface
- BitLocker Windows PowerShell cmdlets
### Encrypting volumes using the BitLocker control panel
-Encrypting volumes with the BitLocker control panel (click **Start**, type **bitlocker**, click **Manage BitLocker**) is how many users will utilize BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet.
+Encrypting volumes with the BitLocker control panel (select **Start**, type *bitlocker*, select **Manage BitLocker**) is how many users will utilize BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data, and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet.
To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the BitLocker Drive Encryption Wizard. BitLocker Drive Encryption Wizard options vary based on volume type (operating system volume or data volume).
### Operating system volume
@@ -54,7 +54,7 @@ Upon launch, the BitLocker Drive Encryption Wizard verifies the computer meets t
|Requirement|Description|
|--- |--- |
|Hardware configuration|The computer must meet the minimum requirements for the supported Windows versions.|
-|Operating system|BitLocker is an optional feature which can be installed by Server Manager on Windows Server 2012 and later.|
+|Operating system|BitLocker is an optional feature that can be installed by Server Manager on Windows Server 2012 and later.|
|Hardware TPM|TPM version 1.2 or 2.0.
For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive.
For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.|
@@ -75,11 +75,11 @@ It is recommended that drives with little to no data utilize the **used disk spa
> [!NOTE]
> Deleted files appear as free space to the file system, which is not encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools.
-Selecting an encryption type and choosing **Next** will give the user the option of running a BitLocker system check (selected by default) which will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. It is recommended to run this system check before starting the encryption process. If the system check is not run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows.
+Selecting an encryption type and choosing **Next** will give the user the option of running a BitLocker system check (selected by default) which will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. We recommend running this system check before starting the encryption process. If the system check is not run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows.
After completing the system check (if selected), the BitLocker Drive Encryption Wizard will restart the computer to begin encryption. Upon reboot, users are required to enter the password chosen to boot into the operating system volume. Users can check encryption status by checking the system notification area or the BitLocker control panel.
-Until encryption is completed, the only available options for managing BitLocker involve manipulation of the password protecting the operating system volume, backing up the recovery key, and turning BitLocker off.
+Until encryption is completed, the only available options for managing BitLocker involve manipulation of the password protecting the operating system volume, backing up the recovery key, and turning off BitLocker.
### Data volume
@@ -97,12 +97,12 @@ Encryption status displays in the notification area or within the BitLocker cont
There is a new option for storing the BitLocker recovery key using the OneDrive. This option requires that computers are not members of a domain and that the user is using a Microsoft Account. Local accounts do not give the option to utilize OneDrive. Using the OneDrive option is the default, recommended recovery key storage method for computers that are not joined to a domain.
-Users can verify the recovery key was saved properly by checking their OneDrive for the BitLocker folder which is created automatically during the save process. The folder will contain two files, a readme.txt and the recovery key. For users storing more than one recovery password on their OneDrive,
+Users can verify the recovery key was saved properly by checking their OneDrive for the BitLocker folder that is created automatically during the save process. The folder will contain two files, a readme.txt and the recovery key. For users storing more than one recovery password on their OneDrive,
they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name.
### Using BitLocker within Windows Explorer
-Windows Explorer allows users to launch the BitLocker Drive Encryption wizard by right clicking on a volume and selecting **Turn On BitLocker**. This option is available on client computers by default. On servers, you must first install the BitLocker and Desktop-Experience features for this option to be available. After selecting **Turn on BitLocker**, the wizard works exactly as it does when launched using the BitLocker control panel.
+Windows Explorer allows users to launch the BitLocker Drive Encryption wizard by right-clicking a volume and selecting **Turn On BitLocker**. This option is available on client computers by default. On servers, you must first install the BitLocker and Desktop-Experience features for this option to be available. After selecting **Turn on BitLocker**, the wizard works exactly as it does when launched using the BitLocker control panel.
## Down-level compatibility
@@ -118,13 +118,13 @@ Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Window
|Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A|
|Partially encrypted volume from Windows 7|Windows 10 and Windows 8.1 will complete encryption regardless of policy|Windows 8 will complete encryption regardless of policy|N/A|
-## Encrypting volumes using the manage-bde command line interface
+## Encrypting volumes using the manage-bde command-line interface
Manage-bde is a command-line utility that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the options, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
-Manage-bde offers a multitude of wider options for configuring BitLocker. This means that using the command syntax may require care and possibly later customization by the user. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected.
+Manage-bde offers a multitude of wider options for configuring BitLocker. So using the command syntax may require care and possibly later customization by the user. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected.
-Command line users need to determine the appropriate syntax for a given situation. The following section covers general encryption for operating system volumes and data volumes.
+Command-line users need to determine the appropriate syntax for a given situation. The following section covers general encryption for operating system volumes and data volumes.
### Operating system volume
@@ -136,7 +136,7 @@ A good practice when using manage-bde is to determine the volume status on the t
`manage-bde -status`
-This command returns the volumes on the target, current encryption status and volume type (operating system or data) for each volume. Using this information, users can determine the best encryption method for their environment.
+This command returns the volumes on the target, current encryption status, and volume type (operating system or data) for each volume. Using this information, users can determine the best encryption method for their environment.
**Enabling BitLocker without a TPM**
@@ -149,29 +149,29 @@ manage-bde -on C:
**Enabling BitLocker with a TPM only**
-It is possible to encrypt the operating system volume without any defined protectors using manage-bde. The command to do this is:
+It is possible to encrypt the operating system volume without any defined protectors by using manage-bde. Use this command:
`manage-bde -on C:`
-This will encrypt the drive using the TPM as the protector. If a user is unsure of the protector for a volume, they can use the -protectors option in manage-bde to list this information with the command:
+This command will encrypt the drive using the TPM as the protector. If a user is unsure of the protector for a volume, they can use the -protectors option in manage-bde to list this information with the command:
`manage-bde -protectors -get Get-BitLockerVolume cmdlet.
-The Get-BitLockerVolume cmdlet output gives information on the volume type, protectors, protection status and other details.
+The Get-BitLockerVolume cmdlet output gives information on the volume type, protectors, protection status, and other details.
>**Tip:** Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a full listing of the protectors.
`Get-BitLockerVolume C: | fl`
@@ -263,9 +263,9 @@ $vol = Get-BitLockerVolume
$keyprotectors = $vol.KeyProtector
```
-Using this, you can display the information in the $keyprotectors variable to determine the GUID for each protector.
+By using this script, you can display the information in the $keyprotectors variable to determine the GUID for each protector.
-Using this information, you can then remove the key protector for a specific volume using the command:
+By using this information, you can then remove the key protector for a specific volume using the command:
```powershell
Remove-BitLockerKeyProtector
-\[1\] Applies only to Home, Pro, Enterprise, Education and S
+\[1\] Applies only to Home, Pro, Enterprise, Education, and S.
-\[2\] Applies only to Pro, Enterprise, Education, S, Mobile and Surface Hub
+\[2\] Applies only to Pro, Enterprise, Education, S, Mobile, and Surface Hub
-\[3\] Applies only to Pro, Enterprise Education and S
+\[3\] Applies only to Pro, Enterprise, Education, and S
##### Windows 10 Anniversary Update (Version 1607)
@@ -332,7 +409,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile
**Binary Name:** mspaint.exe
**App Type:** Desktop app |
| Microsoft Remote Desktop | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** mstsc.exe
**App Type:** Desktop app |
| Microsoft MAPI Repair Tool | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** fixmapi.exe
**App Type:** Desktop app |
+| Microsoft To Do | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Todos
**App Type:** Store app |
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
index 576fe7cf71..bbfa13516c 100644
--- a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
+++ b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
@@ -9,7 +9,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
diff --git a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
index 27d3f1d9c9..bf2e926154 100644
--- a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
@@ -28,7 +28,7 @@ This list provides all of the tasks and settings that are required for the opera
|Task|Description|
|----|-----------|
|Add at least one app to the **Protected apps** list in your WIP policy.|You must have at least one app added to your **Protected apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Protected apps list** section of the policy creation topics.|
-|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the **Manage the WIP protection mode for your enterprise data** section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
+|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the [Manage the WIP protection mode for your enterprise data](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr#manage-the-wip-protection-level-for-your-enterprise-data) section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
|Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if it’s incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics.
|Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.
Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.|
|Specify your enterprise IPv4 or IPv6 ranges.|Starting with Windows 10, version 1703, this field is optional.
Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics.|
diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
index a1e662c65e..419f25c61c 100644
--- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
+++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
@@ -1,6 +1,6 @@
---
-title: Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager (Windows 10)
-description: Microsoft Endpoint Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
+title: Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Manager (Windows 10)
+description: Microsoft Endpoint Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6
ms.reviewer:
ms.prod: w10
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
@@ -23,11 +23,11 @@ ms.date: 02/26/2019
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
-Microsoft Endpoint Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
+Microsoft Endpoint Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
## In this section
|Topic |Description |
|------|------------|
-|[Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md) |Microsoft Endpoint Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
+|[Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md) |Microsoft Endpoint Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
|[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). |
diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
index e40c2405a1..42f746faba 100644
--- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
+++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
@@ -1,6 +1,6 @@
---
title: Create a Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10)
-description: Microsoft Intune and Microsoft Endpoint Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy.
+description: Microsoft Intune and Microsoft Endpoint Manager helps you create and deploy your enterprise data protection (WIP) policy.
ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6
ms.reviewer:
ms.prod: w10
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
index 9af557f950..336a37f408 100644
--- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
+++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
@@ -9,7 +9,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
@@ -110,7 +110,7 @@ WIP is the mobile application management (MAM) mechanism on Windows 10. WIP give
- **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.
>[!NOTE]
- >For management of Surface devices it is recommended that you use the Current Branch of Microsoft Endpoint Configuration Manager.
Microsoft Endpoint Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
+ >For management of Surface devices it is recommended that you use the Current Branch of Microsoft Endpoint Configuration Manager.
Microsoft Endpoint Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
## How WIP works
WIP helps address your everyday challenges in the enterprise. Including:
diff --git a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
index fee621245c..d2ff6e2a2f 100644
--- a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
index 7353daae25..2eefdaf76e 100644
--- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
@@ -9,7 +9,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
diff --git a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md
index 94df767962..c7caa873dc 100644
--- a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
diff --git a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
index 5a8333cab2..b54cc7cbe1 100644
--- a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
+++ b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
audience: ITPro
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index f69cdfadb5..dae95369d9 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -1,81 +1,11 @@
# [Threat protection](index.md)
-## [Overview]()
-### [What is Microsoft Defender Advanced Threat Protection?](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md)
-### [Minimum requirements](microsoft-defender-atp/minimum-requirements.md)
-### [What's new in Microsoft Defender ATP](microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md)
-### [Preview features](microsoft-defender-atp/preview.md)
-### [Data storage and privacy](microsoft-defender-atp/data-storage-privacy.md)
-### [Overview of Microsoft Defender Security Center](microsoft-defender-atp/use.md)
-### [Portal overview](microsoft-defender-atp/portal-overview.md)
-### [Microsoft Defender ATP for US Government Community Cloud High customers](microsoft-defender-atp/commercial-gov.md)
-### [Microsoft Defender ATP for non-Windows platforms](microsoft-defender-atp/non-windows.md)
-
-## [Evaluate capabilities](microsoft-defender-atp/evaluation-lab.md)
-
-## [Plan deployment](microsoft-defender-atp/deployment-strategy.md)
-
-## [Deployment guide]()
-### [Deployment phases](microsoft-defender-atp/deployment-phases.md)
-### [Phase 1: Prepare](microsoft-defender-atp/prepare-deployment.md)
-### [Phase 2: Set up](microsoft-defender-atp/production-deployment.md)
-### [Phase 3: Onboard]()
-#### [Onboarding overview](microsoft-defender-atp/onboarding.md)
-##### [Onboarding using Microsoft Endpoint Configuration Manager](microsoft-defender-atp/onboarding-endpoint-configuration-manager.md)
-##### [Onboarding using Microsoft Endpoint Manager](microsoft-defender-atp/onboarding-endpoint-manager.md)
-
-
-## [Migration guides](microsoft-defender-atp/migration-guides.md)
-### [Switch from McAfee to Microsoft Defender for Endpoint]()
-#### [Overview of migration](microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md)
-#### [Phase 1: Prepare](microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md)
-#### [Phase 2: Setup](microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md)
-#### [Phase 3: Onboard](microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md)
-### [Switch from Symantec to Microsoft Defender for Endpoint]()
-#### [Overview of migration](microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md)
-#### [Phase 1: Prepare](microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md)
-#### [Phase 2: Setup](microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md)
-#### [Phase 3: Onboard](microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md)
-### [Switch from your non-Microsoft endpoint security solution to Microsoft Defender for Endpoint]()
-#### [Overview of migration](microsoft-defender-atp/switch-to-microsoft-defender-migration.md)
-#### [Phase 1: Prepare](microsoft-defender-atp/switch-to-microsoft-defender-prepare.md)
-#### [Phase 2: Setup](microsoft-defender-atp/switch-to-microsoft-defender-setup.md)
-#### [Phase 3: Onboard](microsoft-defender-atp/switch-to-microsoft-defender-onboard.md)
-### [Manage Microsoft Defender for Endpoint after migration]()
-#### [Overview of managing Microsoft Defender for Endpoint](microsoft-defender-atp/manage-atp-post-migration.md)
-#### [Intune (recommended)](microsoft-defender-atp/manage-atp-post-migration-intune.md)
-#### [Configuration Manager](microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md)
-#### [Group Policy Objects](microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md)
-#### [PowerShell, WMI, and MPCmdRun.exe](microsoft-defender-atp/manage-atp-post-migration-other-tools.md)
-
## [Security administration]()
-### [Threat & Vulnerability Management]()
-#### [Overview of Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
-#### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md)
-#### [Dashboard insights](microsoft-defender-atp/tvm-dashboard-insights.md)
-#### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)
-#### [Microsoft Secure Score for Devices](microsoft-defender-atp/tvm-microsoft-secure-score-devices.md)
-#### [Security recommendations](microsoft-defender-atp/tvm-security-recommendation.md)
-#### [Remediation and exception](microsoft-defender-atp/tvm-remediation.md)
-#### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md)
-#### [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md)
-#### [Event timeline](microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md)
-#### [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md)
### [Attack surface reduction]()
-#### [Overview of attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md)
-#### [Evaluate attack surface reduction rules](microsoft-defender-atp/evaluate-attack-surface-reduction.md)
-#### [Attack surface reduction configuration settings](microsoft-defender-atp/configure-attack-surface-reduction.md)
-#### [Attack surface reduction FAQ](microsoft-defender-atp/attack-surface-reduction-faq.md)
-
-#### [Attack surface reduction controls]()
-##### [Attack surface reduction rules](microsoft-defender-atp/attack-surface-reduction.md)
-##### [Enable attack surface reduction rules](microsoft-defender-atp/enable-attack-surface-reduction.md)
-##### [Customize attack surface reduction rules](microsoft-defender-atp/customize-attack-surface-reduction.md)
-##### [View attack surface reduction events](microsoft-defender-atp/event-views.md)
#### [Hardware-based isolation]()
-##### [Hardware-based isolation in Windows 10](microsoft-defender-atp/overview-hardware-based-isolation.md)
+
##### [Hardware-based isolation evaluation](microsoft-defender-application-guard/test-scenarios-md-app-guard.md)
##### [Application isolation]()
@@ -94,42 +24,12 @@
#### [Device control]()
##### [Code integrity](device-guard/enable-virtualization-based-protection-of-code-integrity.md)
##### [Control USB devices](device-control/control-usb-devices-using-intune.md)
-
-
-#### [Exploit protection]()
-##### [Protect devices from exploits](microsoft-defender-atp/exploit-protection.md)
-##### [Exploit protection evaluation](microsoft-defender-atp/evaluate-exploit-protection.md)
-##### [Enable exploit protection](microsoft-defender-atp/enable-exploit-protection.md)
-##### [Customize exploit protection](microsoft-defender-atp/customize-exploit-protection.md)
-##### [Import, export, and deploy exploit protection configurations](microsoft-defender-atp/import-export-exploit-protection-emet-xml.md)
-##### [Exploit protection reference](microsoft-defender-atp/exploit-protection-reference.md )
-
-#### [Network protection]()
-##### [Protect your network](microsoft-defender-atp/network-protection.md)
-##### [Evaluate network protection](microsoft-defender-atp/evaluate-network-protection.md)
-##### [Turn on network protection](microsoft-defender-atp/enable-network-protection.md)
-
-#### [Web protection]()
-##### [Web protection overview](microsoft-defender-atp/web-protection-overview.md)
-##### [Web threat protection]()
-###### [Web threat protection overview](microsoft-defender-atp/web-threat-protection.md)
-###### [Monitor web security](microsoft-defender-atp/web-protection-monitoring.md)
-###### [Respond to web threats](microsoft-defender-atp/web-protection-response.md)
-##### [Web content filtering](microsoft-defender-atp/web-content-filtering.md)
-
-#### [Controlled folder access]()
-##### [Protect folders](microsoft-defender-atp/controlled-folders.md)
-##### [Evaluate controlled folder access](microsoft-defender-atp/evaluate-controlled-folder-access.md)
-##### [Enable controlled folder access](microsoft-defender-atp/enable-controlled-folders.md)
-##### [Customize controlled folder access](microsoft-defender-atp/customize-controlled-folders.md)
-
-
+##### [Device control report](device-control/device-control-report.md)
#### [Network firewall]()
##### [Network firewall overview](windows-firewall/windows-firewall-with-advanced-security.md)
##### [Network firewall evaluation](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
-
### [Next-generation protection]()
#### [Next-generation protection overview](microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)
#### [Evaluate next-generation protection](microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md)
@@ -150,7 +50,7 @@
###### [Detect and block Potentially Unwanted Applications](microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md)
###### [Enable and configure always-on protection and monitoring](microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md)
-##### [Antivirus on Windows Server 2016](microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md)
+##### [Antivirus on Windows Server](microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md)
##### [Antivirus compatibility]()
###### [Compatibility charts](microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md)
@@ -158,39 +58,35 @@
##### [Manage next-generation protection in your business]()
###### [Management overview](microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md)
-###### [Use Microsoft Intune and Microsoft Endpoint Configuration Manager to manage next-generation protection](microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md)
+###### [Use Microsoft Intune and Microsoft Endpoint Manager to manage next-generation protection](microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md)
###### [Use Group Policy settings to manage next-generation protection](microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md)
###### [Use PowerShell cmdlets to manage next-generation protection](microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md)
###### [Use Windows Management Instrumentation (WMI) to manage next-generation protection](microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md)
###### [Use the mpcmdrun.exe command line tool to manage next-generation protection](microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md)
-###### [Handle false positives/negatives in Microsoft Defender Antivirus](microsoft-defender-antivirus/antivirus-false-positives-negatives.md)
##### [Deploy, manage updates, and report on antivirus]()
###### [Preparing to deploy](microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md)
###### [Deploy and enable antivirus](microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md)
-####### [Deployment guide for VDI environments](microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md)
+###### [Deployment guide for VDI environments](microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md)
###### [Report on antivirus protection]()
-####### [Review protection status and alerts](microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md)
-####### [Troubleshoot antivirus reporting in Update Compliance](microsoft-defender-antivirus/troubleshoot-reporting.md)
-
-###### [Manage updates and apply baselines]()
-####### [Learn about the different kinds of updates](microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md)
-####### [Manage protection and security intelligence updates](microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md)
-####### [Manage when protection updates should be downloaded and applied](microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md)
-####### [Manage updates for endpoints that are out of date](microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md)
-####### [Manage event-based forced updates](microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md)
-####### [Manage updates for mobile devices and VMs](microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
+###### [Review protection status and alerts](microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md)
+###### [Troubleshoot antivirus reporting in Update Compliance](microsoft-defender-antivirus/troubleshoot-reporting.md)
+###### [Learn about the recent updates](microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md)
+###### [Manage protection and security intelligence updates](microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md)
+###### [Manage when protection updates should be downloaded and applied](microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md)
+###### [Manage updates for endpoints that are out of date](microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md)
+###### [Manage event-based forced updates](microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md)
+###### [Manage updates for mobile devices and VMs](microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)
##### [Customize, initiate, and review the results of scans and remediation]()
###### [Configuration overview](microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
-###### [Configure and validate exclusions in antivirus scans]()
-####### [Exclusions overview](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md)
-####### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
-####### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
-####### [Configure antivirus exclusions Windows Server 2016](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md)
-####### [Common mistakes when defining exclusions](microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md)
+###### [Configure and validate exclusions in antivirus scans](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md)
+###### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
+###### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
+###### [Configure antivirus exclusions Windows Server](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md)
+###### [Common mistakes when defining exclusions](microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md)
###### [Configure scanning antivirus options](microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md)
###### [Configure remediation for scans](microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md)
###### [Configure scheduled scans](microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md)
@@ -204,10 +100,10 @@
###### [Management overview](microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
###### [Configure and validate exclusions in antivirus scans]()
-####### [Exclusions overview](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md)
-####### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
-####### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
-####### [Configure antivirus exclusions on Windows Server 2016](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md)
+###### [Exclusions overview](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md)
+###### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
+###### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
+###### [Configure antivirus exclusions on Windows Server](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md)
###### [Configure scanning options](microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md)
@@ -219,501 +115,15 @@
###### [Run and review the results of an offline scan](microsoft-defender-antivirus/microsoft-defender-offline.md)
###### [Restore quarantined files](microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md)
-#### [Better together: Microsoft Defender Antivirus and Microsoft Defender ATP](microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md)
+#### [Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md)
#### [Better together: Microsoft Defender Antivirus and Office 365](microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md)
-
-### [Microsoft Defender Advanced Threat Protection for Mac]()
-#### [Overview of Microsoft Defender ATP for Mac](microsoft-defender-atp/microsoft-defender-atp-mac.md)
-#### [What's New](microsoft-defender-atp/mac-whatsnew.md)
-
-#### [Deploy]()
-##### [Microsoft Intune-based deployment](microsoft-defender-atp/mac-install-with-intune.md)
-##### [JAMF Pro-based deployment]()
-###### [Deploying Microsoft Defender ATP for macOS using Jamf Pro](microsoft-defender-atp/mac-install-with-jamf.md)
-###### [Login to Jamf Pro](microsoft-defender-atp/mac-install-jamfpro-login.md)
-###### [Set up device groups](microsoft-defender-atp/mac-jamfpro-device-groups.md)
-###### [Set up policies](microsoft-defender-atp/mac-jamfpro-policies.md)
-###### [Enroll devices](microsoft-defender-atp/mac-jamfpro-enroll-devices.md)
-
-##### [Deployment with a different Mobile Device Management (MDM) system](microsoft-defender-atp/mac-install-with-other-mdm.md)
-##### [Manual deployment](microsoft-defender-atp/mac-install-manually.md)
-#### [Update](microsoft-defender-atp/mac-updates.md)
-
-#### [Configure]()
-##### [Configure and validate exclusions](microsoft-defender-atp/mac-exclusions.md)
-##### [Set preferences](microsoft-defender-atp/mac-preferences.md)
-##### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/mac-pua.md)
-##### [Schedule scans](microsoft-defender-atp/mac-schedule-scan-atp.md)
-
-#### [Troubleshoot]()
-##### [Troubleshoot installation issues](microsoft-defender-atp/mac-support-install.md)
-##### [Troubleshoot performance issues](microsoft-defender-atp/mac-support-perf.md)
-##### [Troubleshoot kernel extension issues](microsoft-defender-atp/mac-support-kext.md)
-##### [Troubleshoot license issues](microsoft-defender-atp/mac-support-license.md)
-
-#### [Privacy](microsoft-defender-atp/mac-privacy.md)
-#### [Resources](microsoft-defender-atp/mac-resources.md)
-
-
-
-
-### [Microsoft Defender Advanced Threat Protection for iOS]()
-#### [Overview of Microsoft Defender Advanced Threat Protection for iOS](microsoft-defender-atp/microsoft-defender-atp-ios.md)
-
-#### [Deploy]()
-##### [App-based deployment](microsoft-defender-atp/ios-install.md)
-
-#### [Configure]()
-##### [Configure iOS features](microsoft-defender-atp/ios-configure-features.md)
-
-
-### [Microsoft Defender Advanced Threat Protection for Linux]()
-#### [Overview of Microsoft Defender ATP for Linux](microsoft-defender-atp/microsoft-defender-atp-linux.md)
-#### [What's New](microsoft-defender-atp/linux-whatsnew.md)
-#### [Deploy]()
-##### [Manual deployment](microsoft-defender-atp/linux-install-manually.md)
-##### [Puppet based deployment](microsoft-defender-atp/linux-install-with-puppet.md)
-##### [Ansible based deployment](microsoft-defender-atp/linux-install-with-ansible.md)
-
-#### [Update](microsoft-defender-atp/linux-updates.md)
-
-
-#### [Configure]()
-##### [Configure and validate exclusions](microsoft-defender-atp/linux-exclusions.md)
-##### [Static proxy configuration](microsoft-defender-atp/linux-static-proxy-configuration.md)
-##### [Set preferences](microsoft-defender-atp/linux-preferences.md)
-##### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/linux-pua.md)
-
-#### [Troubleshoot]()
-##### [Troubleshoot installation issues](microsoft-defender-atp/linux-support-install.md)
-##### [Troubleshoot cloud connectivity issues](microsoft-defender-atp/linux-support-connectivity.md)
-##### [Troubleshoot performance issues](microsoft-defender-atp/linux-support-perf.md)
-
-
-#### [Privacy](microsoft-defender-atp/linux-privacy.md)
-#### [Resources](microsoft-defender-atp/linux-resources.md)
-
-
-### [Microsoft Defender Advanced Threat Protection for Android]()
-#### [Overview of Microsoft Defender ATP for Android](microsoft-defender-atp/microsoft-defender-atp-android.md)
-
-#### [Deploy]()
-##### [Deploy Microsoft Defender ATP for Android with Microsoft Intune](microsoft-defender-atp/android-intune.md)
-
-#### [Configure]()
-##### [Configure Microsoft Defender ATP for Android features](microsoft-defender-atp/android-configure.md)
-
-#### [Privacy]()
-##### [Microsoft Defender ATP for Android - Privacy information](microsoft-defender-atp/android-privacy.md)
-
-#### [Troubleshoot]()
-##### [Troubleshoot issues](microsoft-defender-atp/android-support-signin.md)
-
-
-### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md)
-
-## [Security operations]()
-
-### [Endpoint detection and response]()
-#### [Endpoint detection and response overview](microsoft-defender-atp/overview-endpoint-detection-response.md)
-#### [Security operations dashboard](microsoft-defender-atp/security-operations-dashboard.md)
-#### [Incidents queue]()
-##### [View and organize the Incidents queue](microsoft-defender-atp/view-incidents-queue.md)
-##### [Manage incidents](microsoft-defender-atp/manage-incidents.md)
-##### [Investigate incidents](microsoft-defender-atp/investigate-incidents.md)
-
-
-#### [Alerts queue]()
-##### [View and organize the Alerts queue](microsoft-defender-atp/alerts-queue.md)
-##### [Review alerts](microsoft-defender-atp/review-alerts.md)
-##### [Manage alerts](microsoft-defender-atp/manage-alerts.md)
-##### [Investigate alerts](microsoft-defender-atp/investigate-alerts.md)
-##### [Investigate files](microsoft-defender-atp/investigate-files.md)
-##### [Investigate devices](microsoft-defender-atp/investigate-machines.md)
-##### [Investigate an IP address](microsoft-defender-atp/investigate-ip.md)
-##### [Investigate a domain](microsoft-defender-atp/investigate-domain.md)
-###### [Investigate connection events that occur behind forward proxies](microsoft-defender-atp/investigate-behind-proxy.md)
-##### [Investigate a user account](microsoft-defender-atp/investigate-user.md)
-
-#### [Devices list]()
-##### [View and organize the Devices list](microsoft-defender-atp/machines-view-overview.md)
-##### [Device timeline event flags](microsoft-defender-atp/device-timeline-event-flag.md)
-##### [Manage device group and tags](microsoft-defender-atp/machine-tags.md)
-
-#### [Take response actions]()
-##### [Take response actions on a device]()
-###### [Response actions on devices](microsoft-defender-atp/respond-machine-alerts.md)
-###### [Manage tags](microsoft-defender-atp/respond-machine-alerts.md#manage-tags)
-###### [Start an automated investigation](microsoft-defender-atp/respond-machine-alerts.md#initiate-automated-investigation)
-###### [Start a Live Response session](microsoft-defender-atp/respond-machine-alerts.md#initiate-live-response-session)
-###### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-devices)
-###### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-microsoft-defender-antivirus-scan-on-devices)
-###### [Restrict app execution](microsoft-defender-atp/respond-machine-alerts.md#restrict-app-execution)
-###### [Isolate devices from the network](microsoft-defender-atp/respond-machine-alerts.md#isolate-devices-from-the-network)
-###### [Consult a threat expert](microsoft-defender-atp/respond-machine-alerts.md#consult-a-threat-expert)
-###### [Check activity details in Action center](microsoft-defender-atp/respond-machine-alerts.md#check-activity-details-in-action-center)
-
-##### [Take response actions on a file]()
-###### [Response actions on files](microsoft-defender-atp/respond-file-alerts.md)
-###### [Stop and quarantine files in your network](microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network)
-###### [Restore file from quarantine](microsoft-defender-atp/respond-file-alerts.md#restore-file-from-quarantine)
-###### [Add indicators to block or allow a file](microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file)
-###### [Consult a threat expert](microsoft-defender-atp/respond-file-alerts.md#consult-a-threat-expert)
-###### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts.md#check-activity-details-in-action-center)
-###### [Download or collect file](microsoft-defender-atp/respond-file-alerts.md#download-or-collect-file)
-###### [Deep analysis](microsoft-defender-atp/respond-file-alerts.md#deep-analysis)
-
-#### [View and approve remediation actions](microsoft-defender-atp/manage-auto-investigation.md)
-##### [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md)
-
-#### [Investigate entities using Live response]()
-##### [Investigate entities on devices](microsoft-defender-atp/live-response.md)
-##### [Live response command examples](microsoft-defender-atp/live-response-command-examples.md)
-
-
-
-#### [Use sensitivity labels to prioritize incident response](microsoft-defender-atp/information-protection-investigation.md)
-
-#### [Reporting]()
-##### [Power BI - How to use API - Samples](microsoft-defender-atp/api-power-bi.md)
-##### [Threat protection reports](microsoft-defender-atp/threat-protection-reports.md)
-#### [Device health and compliance reports](microsoft-defender-atp/machine-reports.md)
-
-### [Behavioral blocking and containment]()
-#### [Behavioral blocking and containment](microsoft-defender-atp/behavioral-blocking-containment.md)
-#### [Client behavioral blocking](microsoft-defender-atp/client-behavioral-blocking.md)
-#### [Feedback-loop blocking](microsoft-defender-atp/feedback-loop-blocking.md)
-#### [EDR in block mode](microsoft-defender-atp/edr-in-block-mode.md)
-
-### [Automated investigation and response (AIR)]()
-#### [Overview of AIR](microsoft-defender-atp/automated-investigations.md)
-#### [Configure AIR capabilities](microsoft-defender-atp/configure-automated-investigations-remediation.md)
-
-### [Advanced hunting]()
-#### [Advanced hunting overview](microsoft-defender-atp/advanced-hunting-overview.md)
-#### [Learn, train, & get examples]()
-##### [Learn the query language](microsoft-defender-atp/advanced-hunting-query-language.md)
-##### [Use shared queries](microsoft-defender-atp/advanced-hunting-shared-queries.md)
-#### [Work with query results](microsoft-defender-atp/advanced-hunting-query-results.md)
-#### [Optimize & handle errors]()
-##### [Apply query best practices](microsoft-defender-atp/advanced-hunting-best-practices.md)
-##### [Handle errors](microsoft-defender-atp/advanced-hunting-errors.md)
-##### [Service limits](microsoft-defender-atp/advanced-hunting-limits.md)
-#### [Data schema]()
-##### [Understand the schema](microsoft-defender-atp/advanced-hunting-schema-reference.md)
-##### [DeviceAlertEvents](microsoft-defender-atp/advanced-hunting-devicealertevents-table.md)
-##### [DeviceFileEvents](microsoft-defender-atp/advanced-hunting-devicefileevents-table.md)
-##### [DeviceImageLoadEvents](microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md)
-##### [DeviceLogonEvents](microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md)
-##### [DeviceInfo](microsoft-defender-atp/advanced-hunting-deviceinfo-table.md)
-##### [DeviceNetworkInfo](microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md)
-##### [DeviceEvents](microsoft-defender-atp/advanced-hunting-deviceevents-table.md)
-##### [DeviceFileCertificateInfo](microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md)
-##### [DeviceNetworkEvents](microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md)
-##### [DeviceProcessEvents](microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md)
-##### [DeviceRegistryEvents](microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md)
-##### [DeviceTvmSoftwareInventoryVulnerabilities](microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md)
-##### [DeviceTvmSoftwareVulnerabilitiesKB](microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md)
-##### [DeviceTvmSecureConfigurationAssessment](microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md)
-##### [DeviceTvmSecureConfigurationAssessmentKB](microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md)
-#### [Custom detections]()
-##### [Custom detections overview](microsoft-defender-atp/overview-custom-detections.md)
-##### [Create detection rules](microsoft-defender-atp/custom-detection-rules.md)
-##### [View & manage detection rules](microsoft-defender-atp/custom-detections-manage.md)
-
-### [Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)
-
-### [Threat analytics](microsoft-defender-atp/threat-analytics.md)
-
-
-
-
-
-
-
-
-
-
-
-## [How-to]()
-### [Onboard devices to the service]()
-#### [Onboard devices to Microsoft Defender ATP](microsoft-defender-atp/onboard-configure.md)
-#### [Onboard previous versions of Windows](microsoft-defender-atp/onboard-downlevel.md)
-#### [Onboard Windows 10 devices]()
-##### [Onboarding tools and methods](microsoft-defender-atp/configure-endpoints.md)
-##### [Onboard devices using Group Policy](microsoft-defender-atp/configure-endpoints-gp.md)
-##### [Onboard devices using Microsoft Endpoint Configuration Manager](microsoft-defender-atp/configure-endpoints-sccm.md)
-##### [Onboard devices using Mobile Device Management tools](microsoft-defender-atp/configure-endpoints-mdm.md)
-##### [Onboard devices using a local script](microsoft-defender-atp/configure-endpoints-script.md)
-##### [Onboard non-persistent virtual desktop infrastructure (VDI) devices](microsoft-defender-atp/configure-endpoints-vdi.md)
-
-#### [Onboard servers](microsoft-defender-atp/configure-server-endpoints.md)
-#### [Onboard non-Windows devices](microsoft-defender-atp/configure-endpoints-non-windows.md)
-#### [Onboard devices without Internet access](microsoft-defender-atp/onboard-offline-machines.md)
-#### [Run a detection test on a newly onboarded device](microsoft-defender-atp/run-detection-test.md)
-#### [Run simulated attacks on devices](microsoft-defender-atp/attack-simulations.md)
-#### [Configure proxy and Internet connectivity settings](microsoft-defender-atp/configure-proxy-internet.md)
-#### [Create an onboarding or offboarding notification rule](microsoft-defender-atp/onboarding-notification.md)
-
-#### [Troubleshoot onboarding issues]()
-##### [Troubleshoot issues during onboarding](microsoft-defender-atp/troubleshoot-onboarding.md)
-##### [Troubleshoot subscription and portal access issues](microsoft-defender-atp/troubleshoot-onboarding-error-messages.md)
-
-### [Manage device configuration]()
-#### [Ensure your devices are configured properly](microsoft-defender-atp/configure-machines.md)
-#### [Monitor and increase device onboarding](microsoft-defender-atp/configure-machines-onboarding.md)
-#### [Increase compliance to the security baseline](microsoft-defender-atp/configure-machines-security-baseline.md)
-#### [Optimize attack surface reduction rule deployment and detections](microsoft-defender-atp/configure-machines-asr.md)
-
-### [Configure portal settings]()
-#### [Set up preferences](microsoft-defender-atp/preferences-setup.md)
-#### [General]()
-##### [Verify data storage location and update data retention settings](microsoft-defender-atp/data-retention-settings.md)
-##### [Configure alert notifications](microsoft-defender-atp/configure-email-notifications.md)
-##### [Configure advanced features](microsoft-defender-atp/advanced-features.md)
-
-#### [Permissions]()
-##### [Use basic permissions to access the portal](microsoft-defender-atp/basic-permissions.md)
-##### [Manage portal access using RBAC](microsoft-defender-atp/rbac.md)
-###### [Create and manage roles](microsoft-defender-atp/user-roles.md)
-###### [Create and manage device groups](microsoft-defender-atp/machine-groups.md)
-###### [Create and manage device tags](microsoft-defender-atp/machine-tags.md)
-
-
-#### [Rules]()
-##### [Manage suppression rules](microsoft-defender-atp/manage-suppression-rules.md)
-##### [Create indicators](microsoft-defender-atp/manage-indicators.md)
-###### [Create indicators for files](microsoft-defender-atp/indicator-file.md)
-###### [Create indicators for IPs and URLs/domains](microsoft-defender-atp/indicator-ip-domain.md)
-###### [Create indicators for certificates](microsoft-defender-atp/indicator-certificates.md)
-###### [Manage indicators](microsoft-defender-atp/indicator-manage.md)
-##### [Manage automation file uploads](microsoft-defender-atp/manage-automation-file-uploads.md)
-##### [Manage automation folder exclusions](microsoft-defender-atp/manage-automation-folder-exclusions.md)
-
-#### [Device management]()
-##### [Onboarding devices](microsoft-defender-atp/onboard-configure.md)
-##### [Offboarding devices](microsoft-defender-atp/offboard-machines.md)
-
-#### [Configure Microsoft Defender Security Center time zone settings](microsoft-defender-atp/time-settings.md)
-
-### [Configure integration with other Microsoft solutions]()
-#### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md)
-#### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md)
-
-### [Use audit mode](microsoft-defender-atp/audit-windows-defender.md)
-
## Reference
-### [Management and APIs]()
-#### [Overview of management and APIs](microsoft-defender-atp/management-apis.md)
-#### [Microsoft Defender ATP API]()
-##### [Get started]()
-###### [Microsoft Defender ATP API license and terms](microsoft-defender-atp/api-terms-of-use.md)
-###### [Access the Microsoft Defender ATP APIs](microsoft-defender-atp/apis-intro.md)
-###### [Hello World](microsoft-defender-atp/api-hello-world.md)
-###### [Get access with application context](microsoft-defender-atp/exposed-apis-create-app-webapp.md)
-###### [Get access with user context](microsoft-defender-atp/exposed-apis-create-app-nativeapp.md)
-###### [Get partner application access](microsoft-defender-atp/exposed-apis-create-app-partners.md)
-##### [Microsoft Defender ATP APIs Schema]()
-###### [Supported Microsoft Defender ATP APIs](microsoft-defender-atp/exposed-apis-list.md)
-###### [Common REST API error codes](microsoft-defender-atp/common-errors.md)
-###### [Advanced Hunting](microsoft-defender-atp/run-advanced-query-api.md)
-
-###### [Alert]()
-####### [Alert methods and properties](microsoft-defender-atp/alerts.md)
-####### [List alerts](microsoft-defender-atp/get-alerts.md)
-####### [Create alert](microsoft-defender-atp/create-alert-by-reference.md)
-####### [Update Alert](microsoft-defender-atp/update-alert.md)
-####### [Get alert information by ID](microsoft-defender-atp/get-alert-info-by-id.md)
-####### [Get alert related domains information](microsoft-defender-atp/get-alert-related-domain-info.md)
-####### [Get alert related file information](microsoft-defender-atp/get-alert-related-files-info.md)
-####### [Get alert related IPs information](microsoft-defender-atp/get-alert-related-ip-info.md)
-####### [Get alert related device information](microsoft-defender-atp/get-alert-related-machine-info.md)
-####### [Get alert related user information](microsoft-defender-atp/get-alert-related-user-info.md)
-
-###### [Machine]()
-####### [Machine methods and properties](microsoft-defender-atp/machine.md)
-####### [List machines](microsoft-defender-atp/get-machines.md)
-####### [Get machine by ID](microsoft-defender-atp/get-machine-by-id.md)
-####### [Get machine log on users](microsoft-defender-atp/get-machine-log-on-users.md)
-####### [Get machine related alerts](microsoft-defender-atp/get-machine-related-alerts.md)
-####### [Get installed software](microsoft-defender-atp/get-installed-software.md)
-####### [Get discovered vulnerabilities](microsoft-defender-atp/get-discovered-vulnerabilities.md)
-####### [Get security recommendations](microsoft-defender-atp/get-security-recommendations.md)
-####### [Add or Remove machine tags](microsoft-defender-atp/add-or-remove-machine-tags.md)
-####### [Find machines by IP](microsoft-defender-atp/find-machines-by-ip.md)
-####### [Get missing KBs](microsoft-defender-atp/get-missing-kbs-machine.md)
-####### [Set device value](microsoft-defender-atp/set-device-value.md)
-
-###### [Machine Action]()
-####### [Machine Action methods and properties](microsoft-defender-atp/machineaction.md)
-####### [List Machine Actions](microsoft-defender-atp/get-machineactions-collection.md)
-####### [Get Machine Action](microsoft-defender-atp/get-machineaction-object.md)
-####### [Collect investigation package](microsoft-defender-atp/collect-investigation-package.md)
-####### [Get investigation package SAS URI](microsoft-defender-atp/get-package-sas-uri.md)
-####### [Isolate machine](microsoft-defender-atp/isolate-machine.md)
-####### [Release machine from isolation](microsoft-defender-atp/unisolate-machine.md)
-####### [Restrict app execution](microsoft-defender-atp/restrict-code-execution.md)
-####### [Remove app restriction](microsoft-defender-atp/unrestrict-code-execution.md)
-####### [Run antivirus scan](microsoft-defender-atp/run-av-scan.md)
-####### [Offboard machine](microsoft-defender-atp/offboard-machine-api.md)
-####### [Stop and quarantine file](microsoft-defender-atp/stop-and-quarantine-file.md)
-
-###### [Automated Investigation]()
-####### [Investigation methods and properties](microsoft-defender-atp/investigation.md)
-####### [List Investigation](microsoft-defender-atp/get-investigation-collection.md)
-####### [Get Investigation](microsoft-defender-atp/get-investigation-object.md)
-####### [Start Investigation](microsoft-defender-atp/initiate-autoir-investigation.md)
-
-###### [Indicators]()
-####### [Indicators methods and properties](microsoft-defender-atp/ti-indicator.md)
-####### [Submit Indicator](microsoft-defender-atp/post-ti-indicator.md)
-####### [List Indicators](microsoft-defender-atp/get-ti-indicators-collection.md)
-####### [Delete Indicator](microsoft-defender-atp/delete-ti-indicator-by-id.md)
-
-###### [Domain]()
-####### [Get domain related alerts](microsoft-defender-atp/get-domain-related-alerts.md)
-####### [Get domain related machines](microsoft-defender-atp/get-domain-related-machines.md)
-####### [Get domain statistics](microsoft-defender-atp/get-domain-statistics.md)
-
-###### [File]()
-####### [File methods and properties](microsoft-defender-atp/files.md)
-####### [Get file information](microsoft-defender-atp/get-file-information.md)
-####### [Get file related alerts](microsoft-defender-atp/get-file-related-alerts.md)
-####### [Get file related machines](microsoft-defender-atp/get-file-related-machines.md)
-####### [Get file statistics](microsoft-defender-atp/get-file-statistics.md)
-
-###### [IP]()
-####### [Get IP related alerts](microsoft-defender-atp/get-ip-related-alerts.md)
-####### [Get IP statistics](microsoft-defender-atp/get-ip-statistics.md)
-
-###### [User]()
-####### [User methods](microsoft-defender-atp/user.md)
-####### [Get user related alerts](microsoft-defender-atp/get-user-related-alerts.md)
-####### [Get user related machines](microsoft-defender-atp/get-user-related-machines.md)
-
-###### [Score]()
-####### [Score methods and properties](microsoft-defender-atp/score.md)
-####### [List exposure score by machine group](microsoft-defender-atp/get-machine-group-exposure-score.md)
-####### [Get exposure score](microsoft-defender-atp/get-exposure-score.md)
-####### [Get device secure score](microsoft-defender-atp/get-device-secure-score.md)
-
-###### [Software]()
-####### [Software methods and properties](microsoft-defender-atp/software.md)
-####### [List software](microsoft-defender-atp/get-software.md)
-####### [Get software by Id](microsoft-defender-atp/get-software-by-id.md)
-####### [List software version distribution](microsoft-defender-atp/get-software-ver-distribution.md)
-####### [List machines by software](microsoft-defender-atp/get-machines-by-software.md)
-####### [List vulnerabilities by software](microsoft-defender-atp/get-vuln-by-software.md)
-####### [Get missing KBs](microsoft-defender-atp/get-missing-kbs-software.md)
-
-###### [Vulnerability]()
-####### [Vulnerability methods and properties](microsoft-defender-atp/vulnerability.md)
-####### [List vulnerabilities](microsoft-defender-atp/get-all-vulnerabilities.md)
-####### [List vulnerabilities by machine and software](microsoft-defender-atp/get-all-vulnerabilities-by-machines.md)
-####### [Get vulnerability by Id](microsoft-defender-atp/get-vulnerability-by-id.md)
-####### [List machines by vulnerability](microsoft-defender-atp/get-machines-by-vulnerability.md)
-
-###### [Recommendation]()
-####### [Recommendation methods and properties](microsoft-defender-atp/recommendation.md)
-####### [List all recommendations](microsoft-defender-atp/get-all-recommendations.md)
-####### [Get recommendation by Id](microsoft-defender-atp/get-recommendation-by-id.md)
-####### [Get recommendation by software](microsoft-defender-atp/get-recommendation-software.md)
-####### [List machines by recommendation](microsoft-defender-atp/get-recommendation-machines.md)
-####### [List vulnerabilities by recommendation](microsoft-defender-atp/get-recommendation-vulnerabilities.md)
-
-##### [How to use APIs - Samples]()
-###### [Microsoft Flow](microsoft-defender-atp/api-microsoft-flow.md)
-###### [Power BI](microsoft-defender-atp/api-power-bi.md)
-###### [Advanced Hunting using Python](microsoft-defender-atp/run-advanced-query-sample-python.md)
-###### [Advanced Hunting using PowerShell](microsoft-defender-atp/run-advanced-query-sample-powershell.md)
-###### [Using OData Queries](microsoft-defender-atp/exposed-apis-odata-samples.md)
-
-#### [Raw data streaming API]()
-##### [Raw data streaming](microsoft-defender-atp/raw-data-export.md)
-##### [Stream advanced hunting events to Azure Events hub](microsoft-defender-atp/raw-data-export-event-hub.md)
-##### [Stream advanced hunting events to your storage account](microsoft-defender-atp/raw-data-export-storage.md)
-
-#### [SIEM integration]()
-##### [Understand threat intelligence concepts](microsoft-defender-atp/threat-indicator-concepts.md)
-##### [Learn about different ways to pull detections](microsoft-defender-atp/configure-siem.md)
-##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
-##### [Configure Micro Focus ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md)
-##### [Microsoft Defender ATP detection fields](microsoft-defender-atp/api-portal-mapping.md)
-##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md)
-##### [Fetch alerts from customer tenant](microsoft-defender-atp/fetch-alerts-mssp.md)
-##### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md)
-
-#### [Partners & APIs]()
-##### [Partner applications](microsoft-defender-atp/partner-applications.md)
-##### [Connected applications](microsoft-defender-atp/connected-applications.md)
-##### [API explorer](microsoft-defender-atp/api-explorer.md)
-
-#### [Role-based access control]()
-##### [Manage portal access using RBAC](microsoft-defender-atp/rbac.md)
-##### [Create and manage roles](microsoft-defender-atp/user-roles.md)
-##### [Create and manage device groups]()
-###### [Using device groups](microsoft-defender-atp/machine-groups.md)
-###### [Create and manage device tags](microsoft-defender-atp/machine-tags.md)
-
-#### [Managed security service provider (MSSP) integration]()
-##### [Configure managed security service provider integration](microsoft-defender-atp/configure-mssp-support.md)
-##### [Supported managed security service providers](microsoft-defender-atp/mssp-list.md)
-##### [Grant MSSP access to the portal](microsoft-defender-atp/grant-mssp-access.md)
-##### [Access the MSSP customer portal](microsoft-defender-atp/access-mssp-portal.md)
-##### [Configure alert notifications](microsoft-defender-atp/configure-mssp-notifications.md)
-##### [Get partner application access](microsoft-defender-atp/exposed-apis-create-app-partners.md)
-
-### [Partner integration scenarios]()
-#### [Technical partner opportunities](microsoft-defender-atp/partner-integration.md)
-#### [Managed security service provider opportunity](microsoft-defender-atp/mssp-support.md)
-#### [Become a Microsoft Defender ATP partner](microsoft-defender-atp/get-started-partner-integration.md)
-
-
-### [Integrations]()
-#### [Microsoft Defender ATP integrations](microsoft-defender-atp/threat-protection-integration.md)
-#### [Protect users, data, and devices with conditional access](microsoft-defender-atp/conditional-access.md)
-#### [Microsoft Cloud App Security integration overview](microsoft-defender-atp/microsoft-cloud-app-security-integration.md)
-
-
-### [Information protection in Windows overview]()
-#### [Windows integration](microsoft-defender-atp/information-protection-in-windows-overview.md)
-
-### [Access the Microsoft Defender ATP Community Center](microsoft-defender-atp/community.md)
-
-### [Helpful resources](microsoft-defender-atp/helpful-resources.md)
-
-
-
-### [Troubleshoot Microsoft Defender ATP]()
-#### [Troubleshoot sensor state]()
-##### [Check sensor state](microsoft-defender-atp/check-sensor-status.md)
-##### [Fix unhealthy sensors](microsoft-defender-atp/fix-unhealthy-sensors.md)
-##### [Inactive devices](microsoft-defender-atp/fix-unhealthy-sensors.md#inactive-devices)
-##### [Misconfigured devices](microsoft-defender-atp/fix-unhealthy-sensors.md#misconfigured-devices)
-##### [Review sensor events and errors on machines with Event Viewer](microsoft-defender-atp/event-error-codes.md)
+### [Troubleshoot Microsoft Defender Antivirus]()
-#### [Troubleshoot Microsoft Defender ATP service issues]()
-##### [Troubleshoot service issues](microsoft-defender-atp/troubleshoot-mdatp.md)
-##### [Check service health](microsoft-defender-atp/service-status.md)
-##### [Contact Microsoft Defender ATP support](microsoft-defender-atp/contact-support.md)
-
-
-#### [Troubleshoot live response issues](microsoft-defender-atp/troubleshoot-live-response.md)
-
-#### [Collect support logs using LiveAnalyzer ](microsoft-defender-atp/troubleshoot-collect-support-log.md)
-
-#### [Troubleshoot attack surface reduction issues]()
-##### [Network protection](microsoft-defender-atp/troubleshoot-np.md)
-##### [Attack surface reduction rules](microsoft-defender-atp/troubleshoot-asr.md)
-
-#### [Troubleshoot next-generation protection](microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md)
-#### [Troubleshoot migration issues](microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md)
-
-
-
-
+#### [Troubleshoot Microsoft Defender Antivirus issues](microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md)
+#### [Troubleshoot Microsoft Defender Antivirus migration issues](microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md)
## [Security intelligence](intelligence/index.md)
@@ -739,7 +149,7 @@
#### [Virus information alliance](intelligence/virus-information-alliance-criteria.md)
#### [Microsoft virus initiative](intelligence/virus-initiative-criteria.md)
#### [Coordinated malware eradication](intelligence/coordinated-malware-eradication.md)
-### [Information for developers](intelligence/developer-info.md)
+### [Information for developers]()
#### [Software developer FAQ](intelligence/developer-faq.md)
#### [Software developer resources](intelligence/developer-resources.md)
@@ -1326,8 +736,9 @@
#### [Windows security baselines](windows-security-configuration-framework/windows-security-baselines.md)
##### [Security Compliance Toolkit](windows-security-configuration-framework/security-compliance-toolkit-10.md)
##### [Get support](windows-security-configuration-framework/get-support-for-security-baselines.md)
-### [MBSA removal and alternatives](mbsa-removal-and-guidance.md)
### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)
## [Change history for Threat protection](change-history-for-threat-protection.md)
+
+
diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
index 1ce7884399..6df69c3b35 100644
--- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
+++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
@@ -4,7 +4,7 @@ description: This reference for IT professionals provides information about the
ms.assetid: 93b28b92-796f-4036-a53b-8b9e80f9f171
ms.reviewer: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/19/2017
+ms.technology: mde
---
# Advanced security audit policy settings
@@ -42,7 +43,7 @@ Configuring policy settings in this category can help you document attempts to a
- [Audit Credential Validation](audit-credential-validation.md)
- [Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md)
- [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md)
-- [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
+- [Audit Other Account Logon Events](audit-other-account-logon-events.md)
## Account Management
@@ -150,8 +151,8 @@ Auditors will be able to prove that every resource in the system is protected by
Resource SACLs are also useful for diagnostic scenarios. For example, setting the Global Object Access Auditing policy to log all the activity for a specific user and enabling the policy to track "Access denied" events for the file system or registry can help administrators quickly identify which object in a system is denying a user access.
-> **Note:** If a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the Global Object
-Access Auditing policy. This means that an audit event is generated if an activity matches the file or folder SACL or the Global Object Access Auditing policy.
+> [!NOTE]
+> If a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the Global Object Access Auditing policy. This means that an audit event is generated if an activity matches the file or folder SACL or the Global Object Access Auditing policy.
This category includes the following subcategories:
- [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md)
diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md
index 99b8a989c4..86a39fc1b7 100644
--- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md
+++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md
@@ -4,7 +4,7 @@ description: This topic for the IT professional lists questions and answers abou
ms.assetid: 80f8f187-0916-43c2-a7e8-ea712b115a06
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/19/2017
+ms.technology: mde
---
# Advanced security auditing FAQ
diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing.md b/windows/security/threat-protection/auditing/advanced-security-auditing.md
index 7c55d51d21..4a3608816f 100644
--- a/windows/security/threat-protection/auditing/advanced-security-auditing.md
+++ b/windows/security/threat-protection/auditing/advanced-security-auditing.md
@@ -4,7 +4,7 @@ description: Advanced security audit policy settings may appear to overlap with
ms.assetid: 6FE8AC10-F48E-4BBF-979B-43A5DFDC5DFC
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/19/2017
+ms.technology: mde
---
# Advanced security audit policies
diff --git a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
index 505da9bbb0..c892db7b11 100644
--- a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
+++ b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
@@ -2,7 +2,7 @@
title: Appendix A, Security monitoring recommendations for many audit events (Windows 10)
description: Learn about recommendations for the type of monitoring required for certain classes of security audit events.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# Appendix A: Security monitoring recommendations for many audit events
diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
index a18783d92c..2d63b25eb8 100644
--- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
+++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
@@ -4,7 +4,7 @@ description: Apply audit policies to individual files and folders on your comput
ms.assetid: 565E7249-5CD0-4B2E-B2C0-B3A0793A51E2
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 07/25/2018
+ms.technology: mde
---
# Apply a basic audit policy on a file or folder
diff --git a/windows/security/threat-protection/auditing/audit-account-lockout.md b/windows/security/threat-protection/auditing/audit-account-lockout.md
index 1ea3e878e6..77f8126a98 100644
--- a/windows/security/threat-protection/auditing/audit-account-lockout.md
+++ b/windows/security/threat-protection/auditing/audit-account-lockout.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 07/16/2018
+ms.technology: mde
---
# Audit Account Lockout
diff --git a/windows/security/threat-protection/auditing/audit-application-generated.md b/windows/security/threat-protection/auditing/audit-application-generated.md
index b594ba40ca..9215959064 100644
--- a/windows/security/threat-protection/auditing/audit-application-generated.md
+++ b/windows/security/threat-protection/auditing/audit-application-generated.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Application Generated
diff --git a/windows/security/threat-protection/auditing/audit-application-group-management.md b/windows/security/threat-protection/auditing/audit-application-group-management.md
index 8dce282dfa..a06d67b8d9 100644
--- a/windows/security/threat-protection/auditing/audit-application-group-management.md
+++ b/windows/security/threat-protection/auditing/audit-application-group-management.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Application Group Management
diff --git a/windows/security/threat-protection/auditing/audit-audit-policy-change.md b/windows/security/threat-protection/auditing/audit-audit-policy-change.md
index 376cab2bcf..81422c0d3f 100644
--- a/windows/security/threat-protection/auditing/audit-audit-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-audit-policy-change.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Audit Policy Change
diff --git a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md
index 4a6f754c01..8bf74ed78f 100644
--- a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Authentication Policy Change
diff --git a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
index b13bec6cbc..c00445582a 100644
--- a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Authorization Policy Change
diff --git a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md
index f655b5d8c6..e607b7c276 100644
--- a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md
+++ b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Central Access Policy Staging
diff --git a/windows/security/threat-protection/auditing/audit-certification-services.md b/windows/security/threat-protection/auditing/audit-certification-services.md
index a1e50c1538..24af233cc3 100644
--- a/windows/security/threat-protection/auditing/audit-certification-services.md
+++ b/windows/security/threat-protection/auditing/audit-certification-services.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Certification Services
diff --git a/windows/security/threat-protection/auditing/audit-computer-account-management.md b/windows/security/threat-protection/auditing/audit-computer-account-management.md
index ab838fd042..677244f857 100644
--- a/windows/security/threat-protection/auditing/audit-computer-account-management.md
+++ b/windows/security/threat-protection/auditing/audit-computer-account-management.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Computer Account Management
diff --git a/windows/security/threat-protection/auditing/audit-credential-validation.md b/windows/security/threat-protection/auditing/audit-credential-validation.md
index 9ce3b5aa5b..4fdf9060db 100644
--- a/windows/security/threat-protection/auditing/audit-credential-validation.md
+++ b/windows/security/threat-protection/auditing/audit-credential-validation.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Credential Validation
diff --git a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md
index 859859fc2b..a6f472d018 100644
--- a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md
+++ b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Detailed Directory Service Replication
diff --git a/windows/security/threat-protection/auditing/audit-detailed-file-share.md b/windows/security/threat-protection/auditing/audit-detailed-file-share.md
index 69a9d636c7..4428aad464 100644
--- a/windows/security/threat-protection/auditing/audit-detailed-file-share.md
+++ b/windows/security/threat-protection/auditing/audit-detailed-file-share.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Detailed File Share
@@ -37,9 +38,9 @@ There are no system access control lists (SACLs) for shared folders. If this pol
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | No | Yes | No | Yes | Audit Success for this subcategory on domain controllers typically will lead to very high volume of events, especially for SYSVOL share.
We recommend monitoring Failure access attempts: the volume should not be very high. You will be able to see who was not able to get access to a file or folder on a network share on a computer. |
-| Member Server | IF | Yes | IF | Yes | IF – If a server has shared network folders which typically get many access requests (File Server, for example), the volume of events might be very high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use the [Audit File System](audit-file-system.md) subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client’s IP address.
The volume of Failure events for member servers should not be very high (if they are not File Servers). With Failure auditing, you will be able to see who was not able to get access to a file or folder on a network share on this computer. |
-| Workstation | IF | Yes | IF | Yes | IF – If a workstation has shared network folders which typically get many access requests, the volume of events might be very high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use Audit File System subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client’s IP address.
The volume of Failure events for workstations should not be very high. With Failure auditing, you will be able to see who was not able to get access to a file or folder on a network share on this computer. |
+| Domain Controller | No | Yes | No | Yes | Audit Success for this subcategory on domain controllers typically will lead to high volume of events, especially for SYSVOL share.
We recommend monitoring Failure access attempts: the volume should not be high. You will be able to see who was not able to get access to a file or folder on a network share on a computer. |
+| Member Server | IF | Yes | IF | Yes | IF – If a server has shared network folders that typically get many access requests (File Server, for example), the volume of events might be high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use the [Audit File System](audit-file-system.md) subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client’s IP address.
The volume of Failure events for member servers should not be high (if they are not File Servers). With Failure auditing, you can see who can't access a file or folder on a network share on this computer. |
+| Workstation | IF | Yes | IF | Yes | IF – If a workstation has shared network folders that typically get many access requests, the volume of events might be high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use Audit File System subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client’s IP address.
The volume of Failure events for workstations should not be high. With Failure auditing, you can see who can't access a file or folder on a network share on this computer. |
**Events List:**
diff --git a/windows/security/threat-protection/auditing/audit-directory-service-access.md b/windows/security/threat-protection/auditing/audit-directory-service-access.md
index 0a13f90a87..db603d8330 100644
--- a/windows/security/threat-protection/auditing/audit-directory-service-access.md
+++ b/windows/security/threat-protection/auditing/audit-directory-service-access.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Directory Service Access
diff --git a/windows/security/threat-protection/auditing/audit-directory-service-changes.md b/windows/security/threat-protection/auditing/audit-directory-service-changes.md
index 1a962ee86f..f81b20e2a5 100644
--- a/windows/security/threat-protection/auditing/audit-directory-service-changes.md
+++ b/windows/security/threat-protection/auditing/audit-directory-service-changes.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Directory Service Changes
diff --git a/windows/security/threat-protection/auditing/audit-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-directory-service-replication.md
index dffea817d4..df8ddc7f12 100644
--- a/windows/security/threat-protection/auditing/audit-directory-service-replication.md
+++ b/windows/security/threat-protection/auditing/audit-directory-service-replication.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Directory Service Replication
diff --git a/windows/security/threat-protection/auditing/audit-distribution-group-management.md b/windows/security/threat-protection/auditing/audit-distribution-group-management.md
index 2bacdbe3a1..352eea4cfe 100644
--- a/windows/security/threat-protection/auditing/audit-distribution-group-management.md
+++ b/windows/security/threat-protection/auditing/audit-distribution-group-management.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Distribution Group Management
diff --git a/windows/security/threat-protection/auditing/audit-dpapi-activity.md b/windows/security/threat-protection/auditing/audit-dpapi-activity.md
index fc94d79d95..7c346e1e52 100644
--- a/windows/security/threat-protection/auditing/audit-dpapi-activity.md
+++ b/windows/security/threat-protection/auditing/audit-dpapi-activity.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit DPAPI Activity
diff --git a/windows/security/threat-protection/auditing/audit-file-share.md b/windows/security/threat-protection/auditing/audit-file-share.md
index ccab879b4f..88b51b6a3f 100644
--- a/windows/security/threat-protection/auditing/audit-file-share.md
+++ b/windows/security/threat-protection/auditing/audit-file-share.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit File Share
diff --git a/windows/security/threat-protection/auditing/audit-file-system.md b/windows/security/threat-protection/auditing/audit-file-system.md
index 57ea7bc917..ef4138dc66 100644
--- a/windows/security/threat-protection/auditing/audit-file-system.md
+++ b/windows/security/threat-protection/auditing/audit-file-system.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit File System
@@ -20,6 +21,8 @@ ms.date: 04/19/2017
- Windows 10
- Windows Server 2016
+> [!NOTE]
+> For more details about applicability on older operating system versions, read the article [Audit File System](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn319068(v=ws.11)).
Audit File System determines whether the operating system generates audit events when users attempt to access file system objects.
@@ -60,4 +63,3 @@ Only one event, “[4658](event-4658.md): The handle to an object was closed,”
- [5051](event-5051.md)(-): A file was virtualized.
- [4670](event-4670.md)(S): Permissions on an object were changed.
-
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
index 52475e4276..e45f321af3 100644
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
+++ b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Filtering Platform Connection
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
index bdaff33b06..fabd2a6b86 100644
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
+++ b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Filtering Platform Packet Drop
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
index 204a9b6320..72b892151f 100644
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Filtering Platform Policy Change
diff --git a/windows/security/threat-protection/auditing/audit-group-membership.md b/windows/security/threat-protection/auditing/audit-group-membership.md
index e9047b6c8a..37a86a6424 100644
--- a/windows/security/threat-protection/auditing/audit-group-membership.md
+++ b/windows/security/threat-protection/auditing/audit-group-membership.md
@@ -1,17 +1,18 @@
---
title: Audit Group Membership (Windows 10)
-description: The advanced security audit policy setting, Audit Group Membership, enables you to audit group memberships when they are enumerated on the client PC.
+description: Using the advanced security audit policy setting, Audit Group Membership, you can audit group memberships when they're enumerated on the client PC.
ms.assetid: 1CD7B014-FBD9-44B9-9274-CC5715DE58B9
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Group Membership
@@ -20,8 +21,7 @@ ms.date: 04/19/2017
- Windows 10
- Windows Server 2016
-
-Audit Group Membership enables you to audit group memberships when they are enumerated on the client computer.
+By using Audit Group Membership, you can audit group memberships when they're enumerated on the client computer.
This policy allows you to audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created.
@@ -33,15 +33,15 @@ Multiple events are generated if the group membership information cannot fit in
**Event volume**:
-- Low on a client computer.
+- Low on a client computer.
-- Medium on a domain controller or network servers.
+- Medium on a domain controller or network servers.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | Yes | No | Yes | No | Group membership information for logged in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group or other high value groups).
For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Member Server | Yes | No | Yes | No | Group membership information for logged in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group or other high value groups).
For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Workstation | Yes | No | Yes | No | Group membership information for logged in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group or other high value groups).
For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Domain Controller | Yes | No | Yes | No | Group membership information for a logged-in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group, or other high value groups).
For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
This subcategory doesn’t have Failure events, so this subcategory doesn't have a recommendation to enable Failure auditing. |
+| Member Server | Yes | No | Yes | No | Group membership information for logged in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group, or other high value groups).
For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
This subcategory doesn’t have Failure events, so this subcategory doesn't have a recommendation to enable Failure auditing. |
+| Workstation | Yes | No | Yes | No | Group membership information for a logged-in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group, or other high value groups).
For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.
This subcategory doesn’t have Failure events, so this subcategory doesn't have a recommendation to enable Failure auditing. |
**Events List:**
diff --git a/windows/security/threat-protection/auditing/audit-handle-manipulation.md b/windows/security/threat-protection/auditing/audit-handle-manipulation.md
index 64fd2edce2..e82188ac78 100644
--- a/windows/security/threat-protection/auditing/audit-handle-manipulation.md
+++ b/windows/security/threat-protection/auditing/audit-handle-manipulation.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Handle Manipulation
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-driver.md b/windows/security/threat-protection/auditing/audit-ipsec-driver.md
index d396f0ed40..606acf77a3 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-driver.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-driver.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 10/02/2018
+ms.technology: mde
---
# Audit IPsec Driver
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
index 37421d3b3e..179c4e5e22 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 10/02/2018
+ms.technology: mde
---
# Audit IPsec Extended Mode
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
index bf2db28b53..092717cc70 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 10/02/2018
+ms.technology: mde
---
# Audit IPsec Main Mode
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
index 290c41687a..fefab72132 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 10/02/2018
+ms.technology: mde
---
# Audit IPsec Quick Mode
diff --git a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md
index 529003459d..14495b2794 100644
--- a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md
+++ b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Kerberos Authentication Service
diff --git a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
index 0c95144cb1..555de3229e 100644
--- a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
+++ b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Kerberos Service Ticket Operations
diff --git a/windows/security/threat-protection/auditing/audit-kernel-object.md b/windows/security/threat-protection/auditing/audit-kernel-object.md
index 60f0a374d8..35d10b40fa 100644
--- a/windows/security/threat-protection/auditing/audit-kernel-object.md
+++ b/windows/security/threat-protection/auditing/audit-kernel-object.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Kernel Object
diff --git a/windows/security/threat-protection/auditing/audit-logoff.md b/windows/security/threat-protection/auditing/audit-logoff.md
index c4d6606795..a07a10fd9a 100644
--- a/windows/security/threat-protection/auditing/audit-logoff.md
+++ b/windows/security/threat-protection/auditing/audit-logoff.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 07/16/2018
+ms.technology: mde
---
# Audit Logoff
@@ -23,7 +24,7 @@ ms.date: 07/16/2018
Audit Logoff determines whether the operating system generates audit events when logon sessions are terminated.
-These events occur on the computer that was accessed. In the case of an interactive logon, these events are generated on the computer that was logged on to.
+These events occur on the computer that was accessed. For an interactive logon, these events are generated on the computer that was logged on to.
There is no failure event in this subcategory because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record.
@@ -31,13 +32,13 @@ Logon events are essential to understanding user activity and detecting potentia
**Event volume**: High.
-This subcategory allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to.
+This subcategory allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff, the security audit event is generated on the computer that the user account logged on to.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Member Server | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Workstation | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Domain Controller | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It's more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long a session was active (in correlation with [Audit Logon](audit-logon.md) events) and when a user logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Member Server | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It's more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long a session was active (in correlation with [Audit Logon](audit-logon.md) events) and when a user logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Workstation | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events, which typically have little security relevance. It's more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.
Enable Success audit if you want to track, for example, for how long a session was active (in correlation with [Audit Logon](audit-logon.md) events) and when a user logged off.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
diff --git a/windows/security/threat-protection/auditing/audit-logon.md b/windows/security/threat-protection/auditing/audit-logon.md
index 711c16301c..e87dd6ad1d 100644
--- a/windows/security/threat-protection/auditing/audit-logon.md
+++ b/windows/security/threat-protection/auditing/audit-logon.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Logon
diff --git a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md
index d58bafa0de..5107277a3d 100644
--- a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit MPSSVC Rule-Level Policy Change
diff --git a/windows/security/threat-protection/auditing/audit-network-policy-server.md b/windows/security/threat-protection/auditing/audit-network-policy-server.md
index 697ae99b16..78f17fb1a1 100644
--- a/windows/security/threat-protection/auditing/audit-network-policy-server.md
+++ b/windows/security/threat-protection/auditing/audit-network-policy-server.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Network Policy Server
diff --git a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md
index f1227802bd..8cf59016dd 100644
--- a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md
+++ b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md
@@ -1,27 +1,28 @@
---
-title: Audit Non Sensitive Privilege Use (Windows 10)
-description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Non-Sensitive Privilege Use, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used.
+title: Audit Non-Sensitive Privilege Use (Windows 10)
+description: This article for the IT professional describes the Advanced Security Audit policy setting, Audit Non-Sensitive Privilege Use, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used.
ms.assetid: 8fd74783-1059-443e-aa86-566d78606627
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
-# Audit Non Sensitive Privilege Use
+# Audit Non-Sensitive Privilege Use
**Applies to**
- Windows 10
- Windows Server 2016
-Audit Non Sensitive Privilege Use contains events that show usage of non-sensitive privileges. This is the list of non-sensitive privileges:
+Audit Non-Sensitive Privilege Use contains events that show usage of non-sensitive privileges. This is the list of non-sensitive privileges:
- Access Credential Manager as a trusted caller
diff --git a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
index 959a951636..39fa1e83de 100644
--- a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Other Account Logon Events
diff --git a/windows/security/threat-protection/auditing/audit-other-account-management-events.md b/windows/security/threat-protection/auditing/audit-other-account-management-events.md
index 2795a0bb73..bb5d7120a3 100644
--- a/windows/security/threat-protection/auditing/audit-other-account-management-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-account-management-events.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Other Account Management Events
diff --git a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md
index 9265129828..d50fe53957 100644
--- a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Other Logon/Logoff Events
diff --git a/windows/security/threat-protection/auditing/audit-other-object-access-events.md b/windows/security/threat-protection/auditing/audit-other-object-access-events.md
index 54b132e114..a485aa2d07 100644
--- a/windows/security/threat-protection/auditing/audit-other-object-access-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-object-access-events.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 05/29/2017
+ms.technology: mde
---
# Audit Other Object Access Events
diff --git a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md
index 2ceacf7bd7..5f55e34285 100644
--- a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Other Policy Change Events
diff --git a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
index 9adb4cfd74..87c74a4998 100644
--- a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
@@ -2,16 +2,17 @@
title: Audit Other Privilege Use Events (Windows 10)
description: Learn about the audit other privilege use events, an auditing subcategory that should not have any events in it but enables generation of event 4985(S).
ms.assetid: 5f7f5b25-42a6-499f-8aa2-01ac79a2a63c
-ms.reviewer:
+ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Other Privilege Use Events
diff --git a/windows/security/threat-protection/auditing/audit-other-system-events.md b/windows/security/threat-protection/auditing/audit-other-system-events.md
index 314723a738..7554066d42 100644
--- a/windows/security/threat-protection/auditing/audit-other-system-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-system-events.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Other System Events
diff --git a/windows/security/threat-protection/auditing/audit-pnp-activity.md b/windows/security/threat-protection/auditing/audit-pnp-activity.md
index 2d1298584a..16b696e3a2 100644
--- a/windows/security/threat-protection/auditing/audit-pnp-activity.md
+++ b/windows/security/threat-protection/auditing/audit-pnp-activity.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit PNP Activity
diff --git a/windows/security/threat-protection/auditing/audit-process-creation.md b/windows/security/threat-protection/auditing/audit-process-creation.md
index 2eb2aa20f8..456c7082b1 100644
--- a/windows/security/threat-protection/auditing/audit-process-creation.md
+++ b/windows/security/threat-protection/auditing/audit-process-creation.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Process Creation
diff --git a/windows/security/threat-protection/auditing/audit-process-termination.md b/windows/security/threat-protection/auditing/audit-process-termination.md
index 7ba49fbd59..97b0a91741 100644
--- a/windows/security/threat-protection/auditing/audit-process-termination.md
+++ b/windows/security/threat-protection/auditing/audit-process-termination.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Process Termination
diff --git a/windows/security/threat-protection/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md
index 4b0d88838f..8b5fa48820 100644
--- a/windows/security/threat-protection/auditing/audit-registry.md
+++ b/windows/security/threat-protection/auditing/audit-registry.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Registry
diff --git a/windows/security/threat-protection/auditing/audit-removable-storage.md b/windows/security/threat-protection/auditing/audit-removable-storage.md
index 82d5170b7c..d09d98cb1d 100644
--- a/windows/security/threat-protection/auditing/audit-removable-storage.md
+++ b/windows/security/threat-protection/auditing/audit-removable-storage.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Removable Storage
diff --git a/windows/security/threat-protection/auditing/audit-rpc-events.md b/windows/security/threat-protection/auditing/audit-rpc-events.md
index b35eacaf51..59202d82fa 100644
--- a/windows/security/threat-protection/auditing/audit-rpc-events.md
+++ b/windows/security/threat-protection/auditing/audit-rpc-events.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit RPC Events
diff --git a/windows/security/threat-protection/auditing/audit-sam.md b/windows/security/threat-protection/auditing/audit-sam.md
index 6e60284ead..2d23fcdcce 100644
--- a/windows/security/threat-protection/auditing/audit-sam.md
+++ b/windows/security/threat-protection/auditing/audit-sam.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit SAM
diff --git a/windows/security/threat-protection/auditing/audit-security-group-management.md b/windows/security/threat-protection/auditing/audit-security-group-management.md
index d75b85e522..c80fe834a9 100644
--- a/windows/security/threat-protection/auditing/audit-security-group-management.md
+++ b/windows/security/threat-protection/auditing/audit-security-group-management.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 02/28/2019
+ms.technology: mde
---
# Audit Security Group Management
diff --git a/windows/security/threat-protection/auditing/audit-security-state-change.md b/windows/security/threat-protection/auditing/audit-security-state-change.md
index c10e8072f7..19614087bb 100644
--- a/windows/security/threat-protection/auditing/audit-security-state-change.md
+++ b/windows/security/threat-protection/auditing/audit-security-state-change.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Security State Change
diff --git a/windows/security/threat-protection/auditing/audit-security-system-extension.md b/windows/security/threat-protection/auditing/audit-security-system-extension.md
index 8c764f65c4..b787507ef4 100644
--- a/windows/security/threat-protection/auditing/audit-security-system-extension.md
+++ b/windows/security/threat-protection/auditing/audit-security-system-extension.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Security System Extension
diff --git a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md
index 3bdb900b00..2f23c9cbcc 100644
--- a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md
+++ b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Sensitive Privilege Use
diff --git a/windows/security/threat-protection/auditing/audit-special-logon.md b/windows/security/threat-protection/auditing/audit-special-logon.md
index ec7e84c990..b17dccbcb1 100644
--- a/windows/security/threat-protection/auditing/audit-special-logon.md
+++ b/windows/security/threat-protection/auditing/audit-special-logon.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit Special Logon
diff --git a/windows/security/threat-protection/auditing/audit-system-integrity.md b/windows/security/threat-protection/auditing/audit-system-integrity.md
index 89d27ff3cb..b461299ea0 100644
--- a/windows/security/threat-protection/auditing/audit-system-integrity.md
+++ b/windows/security/threat-protection/auditing/audit-system-integrity.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit System Integrity
diff --git a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md b/windows/security/threat-protection/auditing/audit-token-right-adjusted.md
index bb9d974920..266ab2e3c9 100644
--- a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md
+++ b/windows/security/threat-protection/auditing/audit-token-right-adjusted.md
@@ -5,7 +5,8 @@ manager: dansimp
author: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
+ms.technology: mde
---
# Audit Token Right Adjusted
diff --git a/windows/security/threat-protection/auditing/audit-user-account-management.md b/windows/security/threat-protection/auditing/audit-user-account-management.md
index 5b2d45cc98..145e04e477 100644
--- a/windows/security/threat-protection/auditing/audit-user-account-management.md
+++ b/windows/security/threat-protection/auditing/audit-user-account-management.md
@@ -6,12 +6,13 @@ ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit User Account Management
diff --git a/windows/security/threat-protection/auditing/audit-user-device-claims.md b/windows/security/threat-protection/auditing/audit-user-device-claims.md
index 74c7755cb8..6051e50d2f 100644
--- a/windows/security/threat-protection/auditing/audit-user-device-claims.md
+++ b/windows/security/threat-protection/auditing/audit-user-device-claims.md
@@ -1,17 +1,18 @@
---
title: Audit User/Device Claims (Windows 10)
-description: Audit User/Device Claims is an audit policy setting which enables you to audit security events that are generated by user and device claims.
+description: Audit User/Device Claims is an audit policy setting that enables you to audit security events that are generated by user and device claims.
ms.assetid: D3D2BFAF-F2C0-462A-9377-673DB49D5486
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit User/Device Claims
@@ -25,7 +26,7 @@ Audit User/Device Claims allows you to audit user and device claims information
For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.
-***Important***: [Audit Logon](audit-logon.md) subcategory must also be enabled in order to get events from this subcategory.
+***Important***: Enable the [Audit Logon](audit-logon.md) subcategory in order to get events from this subcategory.
**Event volume**:
diff --git a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md
index f345a84336..7e9d098f5d 100644
--- a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md
+++ b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md
@@ -4,7 +4,7 @@ description: Determines whether to audit each instance of a user logging on to o
ms.assetid: 84B44181-E325-49A1-8398-AECC3CE0A516
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit account logon events
diff --git a/windows/security/threat-protection/auditing/basic-audit-account-management.md b/windows/security/threat-protection/auditing/basic-audit-account-management.md
index e699a88ac1..10a7cb1c8c 100644
--- a/windows/security/threat-protection/auditing/basic-audit-account-management.md
+++ b/windows/security/threat-protection/auditing/basic-audit-account-management.md
@@ -4,7 +4,7 @@ description: Determines whether to audit each event of account management on a d
ms.assetid: 369197E1-7E0E-45A4-89EA-16D91EF01689
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit account management
diff --git a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md
index 530a4255bc..e52e2e7382 100644
--- a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md
+++ b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md
@@ -4,7 +4,7 @@ description: Determines whether to audit the event of a user accessing an Active
ms.assetid: 52F02EED-3CFE-4307-8D06-CF1E27693D09
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit directory service access
diff --git a/windows/security/threat-protection/auditing/basic-audit-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-logon-events.md
index 5c7672c13a..c730790cfa 100644
--- a/windows/security/threat-protection/auditing/basic-audit-logon-events.md
+++ b/windows/security/threat-protection/auditing/basic-audit-logon-events.md
@@ -4,7 +4,7 @@ description: Determines whether to audit each instance of a user logging on to o
ms.assetid: 78B5AFCB-0BBD-4C38-9FE9-6B4571B94A35
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit logon events
@@ -38,33 +39,12 @@ You can configure this security setting by opening the appropriate policy under
| Logon events | Description |
| - | - |
-| 528 | A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below. |
-| 529 | Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password. |
-| 530 | Logon failure. A logon attempt was made user account tried to log on outside of the allowed time. |
-| 531 | Logon failure. A logon attempt was made using a disabled account. |
-| 532 | Logon failure. A logon attempt was made using an expired account. |
-| 533 | Logon failure. A logon attempt was made by a user who is not allowed to log on at this computer. |
-| 534 | Logon failure. The user attempted to log on with a type that is not allowed. |
-| 535 | Logon failure. The password for the specified account has expired. |
-| 536 | Logon failure. The Net Logon service is not active. |
-| 537 | Logon failure. The logon attempt failed for other reasons. |
-| 538 | The logoff process was completed for a user. |
-| 539 | Logon failure. The account was locked out at the time the logon attempt was made. |
-| 540 | A user successfully logged on to a network. |
-| 541 | Main mode Internet Key Exchange (IKE) authentication was completed between the local computer and the listed peer identity (establishing a security association), or quick mode has established a data channel. |
-| 542 | A data channel was terminated. |
-| 543 | Main mode was terminated. |
-| 544 | Main mode authentication failed because the peer did not provide a valid certificate or the signature was not validated. |
-| 545 | Main mode authentication failed because of a Kerberos failure or a password that is not valid. |
-| 546 | IKE security association establishment failed because the peer sent a proposal that is not valid. A packet was received that contained data that is not valid. |
-| 547 | A failure occurred during an IKE handshake. |
-| 548 | Logon failure. The security ID (SID) from a trusted domain does not match the account domain SID of the client. |
-| 549 | Logon failure. All SIDs corresponding to untrusted namespaces were filtered out during an authentication across forests. |
-| 550 | Notification message that could indicate a possible denial-of-service attack. |
-| 551 | A user initiated the logoff process. |
-| 552 | A user successfully logged on to a computer using explicit credentials while already logged on as a different user. |
-| 682 | A user has reconnected to a disconnected terminal server session. |
-| 683 | A user disconnected a terminal server session without logging off. |
+| 4624 | A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below. |
+| 4625 | Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password. |
+| 4634 | The logoff process was completed for a user. |
+| 4647 | A user initiated the logoff process. |
+| 4648 | A user successfully logged on to a computer using explicit credentials while already logged on as a different user. |
+| 4779 | A user disconnected a terminal server session without logging off. |
When event 528 is logged, a logon type is also listed in the event log. The following table describes each logon type.
diff --git a/windows/security/threat-protection/auditing/basic-audit-object-access.md b/windows/security/threat-protection/auditing/basic-audit-object-access.md
index c3bada3ea8..7bb1357af3 100644
--- a/windows/security/threat-protection/auditing/basic-audit-object-access.md
+++ b/windows/security/threat-protection/auditing/basic-audit-object-access.md
@@ -4,7 +4,7 @@ description: The policy setting, Audit object access, determines whether to audi
ms.assetid: D15B6D67-7886-44C2-9972-3F192D5407EA
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit object access
diff --git a/windows/security/threat-protection/auditing/basic-audit-policy-change.md b/windows/security/threat-protection/auditing/basic-audit-policy-change.md
index b80e5788af..a04167e8c2 100644
--- a/windows/security/threat-protection/auditing/basic-audit-policy-change.md
+++ b/windows/security/threat-protection/auditing/basic-audit-policy-change.md
@@ -4,7 +4,7 @@ description: Determines whether to audit every incident of a change to user righ
ms.assetid: 1025A648-6B22-4C85-9F47-FE0897F1FA31
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit policy change
diff --git a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md
index a3e7893fe6..4b6a28a415 100644
--- a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md
+++ b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md
@@ -4,7 +4,7 @@ description: Determines whether to audit each instance of a user exercising a us
ms.assetid: C5C6DAAF-8B58-4DFB-B1CE-F0675AE0E9F8
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit privilege use
diff --git a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md
index 4f02eab9a3..c2e1ff94ca 100644
--- a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md
+++ b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md
@@ -4,7 +4,7 @@ description: Determines whether to audit detailed tracking information for event
ms.assetid: 91AC5C1E-F4DA-4B16-BEE2-C92D66E4CEEA
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit process tracking
diff --git a/windows/security/threat-protection/auditing/basic-audit-system-events.md b/windows/security/threat-protection/auditing/basic-audit-system-events.md
index 7811de4253..8c5e33028e 100644
--- a/windows/security/threat-protection/auditing/basic-audit-system-events.md
+++ b/windows/security/threat-protection/auditing/basic-audit-system-events.md
@@ -4,7 +4,7 @@ description: Determines whether to audit when a user restarts or shuts down the
ms.assetid: BF27588C-2AA7-4365-A4BF-3BB377916447
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/19/2017
+ms.technology: mde
---
# Audit system events
diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policies.md b/windows/security/threat-protection/auditing/basic-security-audit-policies.md
index 3856637432..fd291c792a 100644
--- a/windows/security/threat-protection/auditing/basic-security-audit-policies.md
+++ b/windows/security/threat-protection/auditing/basic-security-audit-policies.md
@@ -4,7 +4,7 @@ description: Learn about basic security audit policies that specify the categori
ms.assetid: 3B678568-7AD7-4734-9BB4-53CF5E04E1D3
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/19/2017
+ms.technology: mde
---
# Basic security audit policies
diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md
index 686cdfdc71..0ddb0a6152 100644
--- a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md
+++ b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md
@@ -4,7 +4,7 @@ description: Basic security audit policy settings are found under Computer Confi
ms.assetid: 31C2C453-2CFC-4D9E-BC88-8CE1C1A8F900
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/19/2017
+ms.technology: mde
---
# Basic security audit policy settings
diff --git a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md
index 745c787671..526946d4b5 100644
--- a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md
+++ b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md
@@ -4,7 +4,7 @@ description: By defining auditing settings for specific event categories, you ca
ms.assetid: C9F52751-B40D-482E-BE9D-2C61098249D3
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/19/2017
+ms.technology: mde
---
# Create a basic audit policy for an event category
diff --git a/windows/security/threat-protection/auditing/event-1100.md b/windows/security/threat-protection/auditing/event-1100.md
index 251aa8834c..f3fbd46308 100644
--- a/windows/security/threat-protection/auditing/event-1100.md
+++ b/windows/security/threat-protection/auditing/event-1100.md
@@ -2,7 +2,7 @@
title: 1100(S) The event logging service has shut down. (Windows 10)
description: Describes security event 1100(S) The event logging service has shut down.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 1100(S): The event logging service has shut down.
diff --git a/windows/security/threat-protection/auditing/event-1102.md b/windows/security/threat-protection/auditing/event-1102.md
index 4a9b1e8b3a..fecf1badde 100644
--- a/windows/security/threat-protection/auditing/event-1102.md
+++ b/windows/security/threat-protection/auditing/event-1102.md
@@ -2,7 +2,7 @@
title: 1102(S) The audit log was cleared. (Windows 10)
description: Though you shouldn't normally see it, this event generates every time Windows Security audit log is cleared. This is for event 1102(S).
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 1102(S): The audit log was cleared.
diff --git a/windows/security/threat-protection/auditing/event-1104.md b/windows/security/threat-protection/auditing/event-1104.md
index fbcbb7dad9..8dbb841dce 100644
--- a/windows/security/threat-protection/auditing/event-1104.md
+++ b/windows/security/threat-protection/auditing/event-1104.md
@@ -1,8 +1,8 @@
---
title: 1104(S) The security log is now full. (Windows 10)
-description: This event generates every time Windows security log becomes full and the event log retention method is set to "Do not overwrite events."
+description: This event generates every time Windows security log becomes full and the event log retention method is set to Do not overwrite events.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 1104(S): The security log is now full.
diff --git a/windows/security/threat-protection/auditing/event-1105.md b/windows/security/threat-protection/auditing/event-1105.md
index e00e49b666..c08fa7be61 100644
--- a/windows/security/threat-protection/auditing/event-1105.md
+++ b/windows/security/threat-protection/auditing/event-1105.md
@@ -2,7 +2,7 @@
title: 1105(S) Event log automatic backup. (Windows 10)
description: This event generates every time Windows security log becomes full and new event log file was created.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,9 +11,10 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
-# 1105(S): Event log automatic backup.
+# 1105(S): Event log automatic backup
**Applies to**
- Windows 10
@@ -71,7 +72,7 @@ This event generates, for example, if the maximum size of Security Event Log fil
***Field Descriptions:***
-**Log** \[Type = UnicodeString\]: the name of the log which was archived (new event log file was created and previous event log was archived). Always “**Security”** for Security Event Logs.
+**Log** \[Type = UnicodeString\]: the name of the log that was archived (new event log file was created and previous event log was archived). Always “**Security”** for Security Event Logs.
**File**: \[Type = FILETIME\]: full path and filename of archived log file.
diff --git a/windows/security/threat-protection/auditing/event-1108.md b/windows/security/threat-protection/auditing/event-1108.md
index 0aaa3b6a99..cd3bf45ca4 100644
--- a/windows/security/threat-protection/auditing/event-1108.md
+++ b/windows/security/threat-protection/auditing/event-1108.md
@@ -2,7 +2,7 @@
title: The event logging service encountered an error (Windows 10)
description: Describes security event 1108(S) The event logging service encountered an error while processing an incoming event published from %1.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 1108(S): The event logging service encountered an error while processing an incoming event published from %1.
diff --git a/windows/security/threat-protection/auditing/event-4608.md b/windows/security/threat-protection/auditing/event-4608.md
index 5f0730407d..6372e6acc2 100644
--- a/windows/security/threat-protection/auditing/event-4608.md
+++ b/windows/security/threat-protection/auditing/event-4608.md
@@ -2,7 +2,7 @@
title: 4608(S) Windows is starting up. (Windows 10)
description: Describes security event 4608(S) Windows is starting up. This event is logged when the LSASS.EXE process starts and the auditing subsystem is initialized.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4608(S): Windows is starting up.
diff --git a/windows/security/threat-protection/auditing/event-4610.md b/windows/security/threat-protection/auditing/event-4610.md
index c9be68814f..b85a2d5918 100644
--- a/windows/security/threat-protection/auditing/event-4610.md
+++ b/windows/security/threat-protection/auditing/event-4610.md
@@ -2,7 +2,7 @@
title: 4610(S) An authentication package has been loaded by the Local Security Authority. (Windows 10)
description: Describes security event 4610(S) An authentication package has been loaded by the Local Security Authority.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4610(S): An authentication package has been loaded by the Local Security Authority.
diff --git a/windows/security/threat-protection/auditing/event-4611.md b/windows/security/threat-protection/auditing/event-4611.md
index 6862a8d6a8..c3174b766e 100644
--- a/windows/security/threat-protection/auditing/event-4611.md
+++ b/windows/security/threat-protection/auditing/event-4611.md
@@ -2,7 +2,7 @@
title: 4611(S) A trusted logon process has been registered with the Local Security Authority. (Windows 10)
description: Describes security event 4611(S) A trusted logon process has been registered with the Local Security Authority.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4611(S): A trusted logon process has been registered with the Local Security Authority.
diff --git a/windows/security/threat-protection/auditing/event-4612.md b/windows/security/threat-protection/auditing/event-4612.md
index 2ca7cca35a..c4561550d5 100644
--- a/windows/security/threat-protection/auditing/event-4612.md
+++ b/windows/security/threat-protection/auditing/event-4612.md
@@ -2,7 +2,7 @@
title: 4612(S) Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. (Windows 10)
description: Describes security event 4612(S) Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4612(S): Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
diff --git a/windows/security/threat-protection/auditing/event-4614.md b/windows/security/threat-protection/auditing/event-4614.md
index f86b22408c..5bc966978c 100644
--- a/windows/security/threat-protection/auditing/event-4614.md
+++ b/windows/security/threat-protection/auditing/event-4614.md
@@ -2,7 +2,7 @@
title: 4614(S) A notification package has been loaded by the Security Account Manager. (Windows 10)
description: Describes security event 4614(S) A notification package has been loaded by the Security Account Manager.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4614(S): A notification package has been loaded by the Security Account Manager.
diff --git a/windows/security/threat-protection/auditing/event-4615.md b/windows/security/threat-protection/auditing/event-4615.md
index 0490e0ae3e..6c8f9cd7ac 100644
--- a/windows/security/threat-protection/auditing/event-4615.md
+++ b/windows/security/threat-protection/auditing/event-4615.md
@@ -2,7 +2,7 @@
title: 4615(S) Invalid use of LPC port. (Windows 10)
description: Describes security event 4615(S) Invalid use of LPC port. It appears that the Invalid use of LPC port event never occurs.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4615(S): Invalid use of LPC port.
diff --git a/windows/security/threat-protection/auditing/event-4616.md b/windows/security/threat-protection/auditing/event-4616.md
index 3f700f0719..690bde945f 100644
--- a/windows/security/threat-protection/auditing/event-4616.md
+++ b/windows/security/threat-protection/auditing/event-4616.md
@@ -2,7 +2,7 @@
title: 4616(S) The system time was changed. (Windows 10)
description: Describes security event 4616(S) The system time was changed. This event is generated every time system time is changed.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4616(S): The system time was changed.
diff --git a/windows/security/threat-protection/auditing/event-4618.md b/windows/security/threat-protection/auditing/event-4618.md
index 9dcc575df1..c1bc41f942 100644
--- a/windows/security/threat-protection/auditing/event-4618.md
+++ b/windows/security/threat-protection/auditing/event-4618.md
@@ -2,7 +2,7 @@
title: 4618(S) A monitored security event pattern has occurred. (Windows 10)
description: Describes security event 4618(S) A monitored security event pattern has occurred.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4618(S): A monitored security event pattern has occurred.
@@ -32,7 +33,7 @@ Account must have **SeAuditPrivilege** (Generate security audits) to be able to
- Only **OrgEventID**, **ComputerName**, and **EventCount** are required—others are optional. Fields not specified appear with “**-**“ in the event description field.
-- If a field doesn’t match the expected data type, the event is not generated. (i.e., if **EventCount** = “XYZ” then no event is generated.)
+- If a field doesn’t match the expected data type, the event is not generated. That is, if **EventCount** = “XYZ”, then no event is generated.
- **UserSid**, **UserName**, and **UserDomain** are not related to each other (think **SubjectUser** fields, where they are)
@@ -98,5 +99,5 @@ Account must have **SeAuditPrivilege** (Generate security audits) to be able to
For 4618(S): A monitored security event pattern has occurred.
-- This event can be invoked only manually/intentionally, it is up to you how interpret this event depends on information you put inside of it.
+- This event can be invoked only manually/intentionally, it is up to you how to interpret this event depends on information you put inside of it.
diff --git a/windows/security/threat-protection/auditing/event-4621.md b/windows/security/threat-protection/auditing/event-4621.md
index f3365acf99..8868b9b584 100644
--- a/windows/security/threat-protection/auditing/event-4621.md
+++ b/windows/security/threat-protection/auditing/event-4621.md
@@ -2,7 +2,7 @@
title: 4621(S) Administrator recovered system from CrashOnAuditFail. (Windows 10)
description: Describes security event 4621(S) Administrator recovered system from CrashOnAuditFail.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4621(S): Administrator recovered system from CrashOnAuditFail.
diff --git a/windows/security/threat-protection/auditing/event-4622.md b/windows/security/threat-protection/auditing/event-4622.md
index 385f508b09..3579709147 100644
--- a/windows/security/threat-protection/auditing/event-4622.md
+++ b/windows/security/threat-protection/auditing/event-4622.md
@@ -2,7 +2,7 @@
title: 4622(S) A security package has been loaded by the Local Security Authority. (Windows 10)
description: Describes security event 4622(S) A security package has been loaded by the Local Security Authority.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4622(S): A security package has been loaded by the Local Security Authority.
diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md
index b310cd06ca..49f1a0d83c 100644
--- a/windows/security/threat-protection/auditing/event-4624.md
+++ b/windows/security/threat-protection/auditing/event-4624.md
@@ -2,7 +2,7 @@
title: 4624(S) An account was successfully logged on. (Windows 10)
description: Describes security event 4624(S) An account was successfully logged on.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4624(S): An account was successfully logged on.
@@ -156,7 +157,7 @@ This event generates when a logon session is created (on destination machine). I
| `9` | `NewCredentials` | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
| `10` | `RemoteInteractive` | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
| `11` | `CachedInteractive` | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
-| `12` | `CashedRemoteInteractive` | Same as RemoteInteractive. This is used for internal auditing. |
+| `12` | `CachedRemoteInteractive` | Same as RemoteInteractive. This is used for internal auditing. |
| `13` | `CachedUnlock` | Workstation logon. |
- **Restricted Admin Mode** \[Version 2\] \[Type = UnicodeString\]**:** Only populated for **RemoteInteractive** logon type sessions. This is a Yes/No flag indicating if the credentials provided were passed using Restricted Admin mode. Restricted Admin mode was added in Win8.1/2012R2 but this flag was added to the event in Win10.
diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md
index 84cf52d450..9dcf332398 100644
--- a/windows/security/threat-protection/auditing/event-4625.md
+++ b/windows/security/threat-protection/auditing/event-4625.md
@@ -2,7 +2,7 @@
title: 4625(F) An account failed to log on. (Windows 10)
description: Describes security event 4625(F) An account failed to log on. This event is generated if an account logon attempt failed for a locked out account.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4625(F): An account failed to log on.
@@ -99,7 +100,7 @@ This event generates on domain controllers, member servers, and workstations.
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about logon failure.
-- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
+- **Account Domain** \[Type = UnicodeString\]**:** subject's domain or computer name. Here are some examples of formats:
- Domain NETBIOS name example: CONTOSO
@@ -111,7 +112,7 @@ This event generates on domain controllers, member servers, and workstations.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-- **Logon Type** \[Type = UInt32\]**:** the type of logon which was performed. “Table 11. Windows Logon Types” contains the list of possible values for this field.
+- **Logon Type** \[Type = UInt32\]**:** the type of logon that was performed. “Table 11. Windows Logon Types” contains the list of possible values for this field.
**Table 11: Windows Logon Types**
@@ -138,7 +139,7 @@ This event generates on domain controllers, member servers, and workstations.
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that was specified in the logon attempt.
-- **Account Domain** \[Type = UnicodeString\]**:** domain or computer name. Formats vary, and include the following:
+- **Account Domain** \[Type = UnicodeString\]**:** domain or computer name. Here are some examples of formats:
- Domain NETBIOS name example: CONTOSO
@@ -154,9 +155,9 @@ This event generates on domain controllers, member servers, and workstations.
**Failure Information:**
-- **Failure Reason** \[Type = UnicodeString\]**:** textual explanation of **Status** field value. For this event it typically has “**Account locked out**” value.
+- **Failure Reason** \[Type = UnicodeString\]**:** textual explanation of **Status** field value. For this event, it typically has “**Account locked out**” value.
-- **Status** \[Type = HexInt32\]**:** the reason why logon failed. For this event it typically has “**0xC0000234**” value. The most common status codes are listed in Table 12. Windows logon status codes.
+- **Status** \[Type = HexInt32\]**:** the reason why logon failed. For this event, it typically has “**0xC0000234**” value. The most common status codes are listed in Table 12. Windows logon status codes.
**Table 12: Windows logon status codes.**
@@ -165,31 +166,31 @@ This event generates on domain controllers, member servers, and workstations.
| 0XC000005E | There are currently no logon servers available to service the logon request. |
| 0xC0000064 | User logon with misspelled or bad user account |
| 0xC000006A | User logon with misspelled or bad password |
- | 0XC000006D | This is either due to a bad username or authentication information |
- | 0XC000006E | Unknown user name or bad password. |
+ | 0XC000006D | The cause is either a bad username or authentication information |
+ | 0XC000006E | Indicates a referenced user name and authentication information are valid, but some user account restriction has prevented successful authentication (such as time-of-day restrictions). |
| 0xC000006F | User logon outside authorized hours |
| 0xC0000070 | User logon from unauthorized workstation |
| 0xC0000071 | User logon with expired password |
| 0xC0000072 | User logon to account disabled by administrator |
| 0XC00000DC | Indicates the Sam Server was in the wrong state to perform the desired operation. |
| 0XC0000133 | Clocks between DC and other computer too far out of sync |
- | 0XC000015B | The user has not been granted the requested logon type (aka logon right) at this machine |
+ | 0XC000015B | The user has not been granted the requested logon type (also called the *logon right*) at this machine |
| 0XC000018C | The logon request failed because the trust relationship between the primary domain and the trusted domain failed. |
- | 0XC0000192 | An attempt was made to logon, but the N**etlogon** service was not started. |
+ | 0XC0000192 | An attempt was made to logon, but the **Netlogon** service was not started. |
| 0xC0000193 | User logon with expired account |
| 0XC0000224 | User is required to change password at next logon |
| 0XC0000225 | Evidently a bug in Windows and not a risk |
| 0xC0000234 | User logon with account locked |
| 0XC00002EE | Failure Reason: An Error occurred during Logon |
- | 0XC0000413 | Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine. |
+ | 0XC0000413 | Logon Failure: The machine you are logging on to is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine. |
| 0x0 | Status OK. |
> [!NOTE]
-> To see the meaning of other status\\sub-status codes you may also check for status code in the Window header file ntstatus.h in Windows SDK.
+> To see the meaning of other status or substatus codes, you might also check for status code in the Window header file ntstatus.h in Windows SDK.
More information:
**Failure Information\\Sub Status** | 0XC000005E – “There are currently no logon servers available to service the logon request.”
This is typically not a security issue but it can be an infrastructure or availability issue. |
- | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000064 – “User logon with misspelled or bad user account”.
Especially if you get a number of these in a row, it can be a sign of user enumeration attack. |
+ | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000005E – “There are currently no logon servers available to service the logon request.”
This issue is typically not a security issue, but it can be an infrastructure or availability issue. |
+ | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000064 – “User logon with misspelled or bad user account”.
Especially if you get several of these events in a row, it can be a sign of a user enumeration attack. |
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC000006A – “User logon with misspelled or bad password” for critical accounts or service accounts.
Especially watch for a number of such events in a row. |
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000006D – “This is either due to a bad username or authentication information” for critical accounts or service accounts.
Especially watch for a number of such events in a row. |
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC000006F – “User logon outside authorized hours”. |
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000070 – “User logon from unauthorized workstation”. |
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000072 – “User logon to account disabled by administrator”. |
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000015B – “The user has not been granted the requested logon type (aka logon right) at this machine”. |
- | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000192 – “An attempt was made to logon, but the Netlogon service was not started”.
This is typically not a security issue but it can be an infrastructure or availability issue. |
+ | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000192 – “An attempt was made to logon, but the Netlogon service was not started”.
This issue is typically not a security issue but it can be an infrastructure or availability issue. |
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000193 – “User logon with expired account”. |
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. |
diff --git a/windows/security/threat-protection/auditing/event-4626.md b/windows/security/threat-protection/auditing/event-4626.md
index 2adc4b2f1b..667de4c561 100644
--- a/windows/security/threat-protection/auditing/event-4626.md
+++ b/windows/security/threat-protection/auditing/event-4626.md
@@ -2,7 +2,7 @@
title: 4626(S) User/Device claims information. (Windows 10)
description: Describes security event 4626(S) User/Device claims information. This event is generated for new account logons.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4626(S): User/Device claims information.
diff --git a/windows/security/threat-protection/auditing/event-4627.md b/windows/security/threat-protection/auditing/event-4627.md
index fb47564ea9..ff63c0c122 100644
--- a/windows/security/threat-protection/auditing/event-4627.md
+++ b/windows/security/threat-protection/auditing/event-4627.md
@@ -2,7 +2,7 @@
title: 4627(S) Group membership information. (Windows 10)
description: Describes security event 4627(S) Group membership information. This event is generated with event 4624(S) An account was successfully logged on.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4627(S): Group membership information.
diff --git a/windows/security/threat-protection/auditing/event-4634.md b/windows/security/threat-protection/auditing/event-4634.md
index d76dc2df61..b0541e2dbb 100644
--- a/windows/security/threat-protection/auditing/event-4634.md
+++ b/windows/security/threat-protection/auditing/event-4634.md
@@ -2,7 +2,7 @@
title: 4634(S) An account was logged off. (Windows 10)
description: Describes security event 4634(S) An account was logged off. This event is generated when a logon session is terminated and no longer exists.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 11/20/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4634(S): An account was logged off.
diff --git a/windows/security/threat-protection/auditing/event-4647.md b/windows/security/threat-protection/auditing/event-4647.md
index 26bbcd86f8..14dc2a7083 100644
--- a/windows/security/threat-protection/auditing/event-4647.md
+++ b/windows/security/threat-protection/auditing/event-4647.md
@@ -2,7 +2,7 @@
title: 4647(S) User initiated logoff. (Windows 10)
description: Describes security event 4647(S) User initiated logoff. This event is generated when a logoff is initiated. No further user-initiated activity can occur.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4647(S): User initiated logoff.
diff --git a/windows/security/threat-protection/auditing/event-4648.md b/windows/security/threat-protection/auditing/event-4648.md
index 5a44bd38f1..8483ee08ac 100644
--- a/windows/security/threat-protection/auditing/event-4648.md
+++ b/windows/security/threat-protection/auditing/event-4648.md
@@ -2,7 +2,7 @@
title: 4648(S) A logon was attempted using explicit credentials. (Windows 10)
description: Describes security event 4648(S) A logon was attempted using explicit credentials.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4648(S): A logon was attempted using explicit credentials.
diff --git a/windows/security/threat-protection/auditing/event-4649.md b/windows/security/threat-protection/auditing/event-4649.md
index dce0305250..06ae9ca1aa 100644
--- a/windows/security/threat-protection/auditing/event-4649.md
+++ b/windows/security/threat-protection/auditing/event-4649.md
@@ -2,7 +2,7 @@
title: 4649(S) A replay attack was detected. (Windows 10)
description: Describes security event 4649(S) A replay attack was detected. This event is generated when a KRB_AP_ERR_REPEAT Kerberos response is sent to the client.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4649(S): A replay attack was detected.
diff --git a/windows/security/threat-protection/auditing/event-4656.md b/windows/security/threat-protection/auditing/event-4656.md
index 918d665121..f0ce074332 100644
--- a/windows/security/threat-protection/auditing/event-4656.md
+++ b/windows/security/threat-protection/auditing/event-4656.md
@@ -2,7 +2,7 @@
title: 4656(S, F) A handle to an object was requested. (Windows 10)
description: Describes security event 4656(S, F) A handle to an object was requested.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4656(S, F): A handle to an object was requested.
diff --git a/windows/security/threat-protection/auditing/event-4657.md b/windows/security/threat-protection/auditing/event-4657.md
index cb009c97df..f7ebcac31c 100644
--- a/windows/security/threat-protection/auditing/event-4657.md
+++ b/windows/security/threat-protection/auditing/event-4657.md
@@ -2,7 +2,7 @@
title: 4657(S) A registry value was modified. (Windows 10)
description: Describes security event 4657(S) A registry value was modified. This event is generated when a registry key value is modified.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4657(S): A registry value was modified.
diff --git a/windows/security/threat-protection/auditing/event-4658.md b/windows/security/threat-protection/auditing/event-4658.md
index c461aa3d20..85b56fb6d0 100644
--- a/windows/security/threat-protection/auditing/event-4658.md
+++ b/windows/security/threat-protection/auditing/event-4658.md
@@ -2,7 +2,7 @@
title: 4658(S) The handle to an object was closed. (Windows 10)
description: Describes security event 4658(S) The handle to an object was closed. This event is generated when the handle to an object is closed.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4658(S): The handle to an object was closed.
diff --git a/windows/security/threat-protection/auditing/event-4660.md b/windows/security/threat-protection/auditing/event-4660.md
index 0823b6ae3e..db4a9fd649 100644
--- a/windows/security/threat-protection/auditing/event-4660.md
+++ b/windows/security/threat-protection/auditing/event-4660.md
@@ -2,7 +2,7 @@
title: 4660(S) An object was deleted. (Windows 10)
description: Describes security event 4660(S) An object was deleted. This event is generated when an object is deleted.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4660(S): An object was deleted.
diff --git a/windows/security/threat-protection/auditing/event-4661.md b/windows/security/threat-protection/auditing/event-4661.md
index 13513c1eb8..1fd43e2292 100644
--- a/windows/security/threat-protection/auditing/event-4661.md
+++ b/windows/security/threat-protection/auditing/event-4661.md
@@ -2,7 +2,7 @@
title: 4661(S, F) A handle to an object was requested. (Windows 10)
description: Describes security event 4661(S, F) A handle to an object was requested.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4661(S, F): A handle to an object was requested.
diff --git a/windows/security/threat-protection/auditing/event-4662.md b/windows/security/threat-protection/auditing/event-4662.md
index 31fd7fd716..8998dbb81a 100644
--- a/windows/security/threat-protection/auditing/event-4662.md
+++ b/windows/security/threat-protection/auditing/event-4662.md
@@ -2,7 +2,7 @@
title: 4662(S, F) An operation was performed on an object. (Windows 10)
description: Describes security event 4662(S, F) An operation was performed on an object.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4662(S, F): An operation was performed on an object.
diff --git a/windows/security/threat-protection/auditing/event-4663.md b/windows/security/threat-protection/auditing/event-4663.md
index 44da729457..367e5eb029 100644
--- a/windows/security/threat-protection/auditing/event-4663.md
+++ b/windows/security/threat-protection/auditing/event-4663.md
@@ -2,7 +2,7 @@
title: 4663(S) An attempt was made to access an object. (Windows 10)
description: Describes security event 4663(S) An attempt was made to access an object.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4663(S): An attempt was made to access an object.
diff --git a/windows/security/threat-protection/auditing/event-4664.md b/windows/security/threat-protection/auditing/event-4664.md
index 6f60cce3a7..9c99e5f2bc 100644
--- a/windows/security/threat-protection/auditing/event-4664.md
+++ b/windows/security/threat-protection/auditing/event-4664.md
@@ -2,7 +2,7 @@
title: 4664(S) An attempt was made to create a hard link. (Windows 10)
description: Describes security event 4664(S) An attempt was made to create a hard link.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4664(S): An attempt was made to create a hard link.
diff --git a/windows/security/threat-protection/auditing/event-4670.md b/windows/security/threat-protection/auditing/event-4670.md
index bc6d20907b..c52b274d4f 100644
--- a/windows/security/threat-protection/auditing/event-4670.md
+++ b/windows/security/threat-protection/auditing/event-4670.md
@@ -2,7 +2,7 @@
title: 4670(S) Permissions on an object were changed. (Windows 10)
description: Describes security event 4670(S) Permissions on an object were changed.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4670(S): Permissions on an object were changed.
diff --git a/windows/security/threat-protection/auditing/event-4671.md b/windows/security/threat-protection/auditing/event-4671.md
index 3e81e5f2f6..fb46f1fb5a 100644
--- a/windows/security/threat-protection/auditing/event-4671.md
+++ b/windows/security/threat-protection/auditing/event-4671.md
@@ -2,7 +2,7 @@
title: 4671(-) An application attempted to access a blocked ordinal through the TBS. (Windows 10)
description: Describes security event 4671(-) An application attempted to access a blocked ordinal through the TBS.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4671(-): An application attempted to access a blocked ordinal through the TBS.
diff --git a/windows/security/threat-protection/auditing/event-4672.md b/windows/security/threat-protection/auditing/event-4672.md
index 81b9fd94a0..60e95bde44 100644
--- a/windows/security/threat-protection/auditing/event-4672.md
+++ b/windows/security/threat-protection/auditing/event-4672.md
@@ -2,7 +2,7 @@
title: 4672(S) Special privileges assigned to new logon. (Windows 10)
description: Describes security event 4672(S) Special privileges assigned to new logon.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 12/20/2018
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4672(S): Special privileges assigned to new logon.
diff --git a/windows/security/threat-protection/auditing/event-4673.md b/windows/security/threat-protection/auditing/event-4673.md
index c647485d66..579be30565 100644
--- a/windows/security/threat-protection/auditing/event-4673.md
+++ b/windows/security/threat-protection/auditing/event-4673.md
@@ -2,7 +2,7 @@
title: 4673(S, F) A privileged service was called. (Windows 10)
description: Describes security event 4673(S, F) A privileged service was called. This event is generated for an attempt to perform privileged system service operations.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4673(S, F): A privileged service was called.
diff --git a/windows/security/threat-protection/auditing/event-4674.md b/windows/security/threat-protection/auditing/event-4674.md
index 5781254277..5eecd1f2b5 100644
--- a/windows/security/threat-protection/auditing/event-4674.md
+++ b/windows/security/threat-protection/auditing/event-4674.md
@@ -2,7 +2,7 @@
title: 4674(S, F) An operation was attempted on a privileged object. (Windows 10)
description: Describes security event 4674(S, F) An operation was attempted on a privileged object.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4674(S, F): An operation was attempted on a privileged object.
diff --git a/windows/security/threat-protection/auditing/event-4675.md b/windows/security/threat-protection/auditing/event-4675.md
index 978d25bf39..0af7742f2c 100644
--- a/windows/security/threat-protection/auditing/event-4675.md
+++ b/windows/security/threat-protection/auditing/event-4675.md
@@ -2,7 +2,7 @@
title: 4675(S) SIDs were filtered. (Windows 10)
description: Describes security event 4675(S) SIDs were filtered. This event is generated when SIDs were filtered for a specific Active Directory trust.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4675(S): SIDs were filtered.
diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md
index 4c48e4623a..31baef1ba5 100644
--- a/windows/security/threat-protection/auditing/event-4688.md
+++ b/windows/security/threat-protection/auditing/event-4688.md
@@ -2,7 +2,7 @@
title: 4688(S) A new process has been created. (Windows 10)
description: Describes security event 4688(S) A new process has been created. This event is generated when a new process starts.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4688(S): A new process has been created.
diff --git a/windows/security/threat-protection/auditing/event-4689.md b/windows/security/threat-protection/auditing/event-4689.md
index 81c27d0423..99bee451d9 100644
--- a/windows/security/threat-protection/auditing/event-4689.md
+++ b/windows/security/threat-protection/auditing/event-4689.md
@@ -2,7 +2,7 @@
title: 4689(S) A process has exited. (Windows 10)
description: Describes security event 4689(S) A process has exited. This event is generates when a process exits.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4689(S): A process has exited.
diff --git a/windows/security/threat-protection/auditing/event-4690.md b/windows/security/threat-protection/auditing/event-4690.md
index be4ce4de7c..d7a23d1da4 100644
--- a/windows/security/threat-protection/auditing/event-4690.md
+++ b/windows/security/threat-protection/auditing/event-4690.md
@@ -2,7 +2,7 @@
title: 4690(S) An attempt was made to duplicate a handle to an object. (Windows 10)
description: Describes security event 4690(S) An attempt was made to duplicate a handle to an object.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4690(S): An attempt was made to duplicate a handle to an object.
diff --git a/windows/security/threat-protection/auditing/event-4691.md b/windows/security/threat-protection/auditing/event-4691.md
index 001cce1266..cadefa2220 100644
--- a/windows/security/threat-protection/auditing/event-4691.md
+++ b/windows/security/threat-protection/auditing/event-4691.md
@@ -2,7 +2,7 @@
title: 4691(S) Indirect access to an object was requested. (Windows 10)
description: Describes security event 4691(S) Indirect access to an object was requested.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4691(S): Indirect access to an object was requested.
diff --git a/windows/security/threat-protection/auditing/event-4692.md b/windows/security/threat-protection/auditing/event-4692.md
index 15199dbda5..5d421a4e9f 100644
--- a/windows/security/threat-protection/auditing/event-4692.md
+++ b/windows/security/threat-protection/auditing/event-4692.md
@@ -2,7 +2,7 @@
title: 4692(S, F) Backup of data protection master key was attempted. (Windows 10)
description: Describes security event 4692(S, F) Backup of data protection master key was attempted.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4692(S, F): Backup of data protection master key was attempted.
@@ -30,7 +31,7 @@ This event generates every time that a backup is attempted for the [DPAPI](https
When a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. When a Master Key is generated, DPAPI communicates with a domain controller. Domain controllers have a domain-wide public/private key pair, associated solely with DPAPI. The local DPAPI client gets the domain controller public key from a domain controller by using a mutually authenticated and privacy protected RPC call. The client encrypts the Master Key with the domain controller public key. It then stores this backup Master Key along with the Master Key protected by the user's password.
-Periodically, a domain-joined machine will try to send an RPC request to a domain controller to back up the user’s master key so that the user can recover secrets in case his or her password has to be reset. Although the user's keys are stored in the user profile, a domain controller must be contacted to encrypt the master key with a domain recovery key.
+Periodically, a domain-joined machine tries to send an RPC request to a domain controller to back up the user’s master key so that the user can recover secrets in case their password has to be reset. Although the user's keys are stored in the user profile, a domain controller must be contacted to encrypt the master key with a domain recovery key.
This event also generates every time a new DPAPI Master Key is generated, for example.
@@ -91,7 +92,7 @@ Failure event generates when a Master Key backup operation fails for some reason
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested backup operation.
-- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
+- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Here are some examples of formats:
- Domain NETBIOS name example: CONTOSO
@@ -107,17 +108,17 @@ Failure event generates when a Master Key backup operation fails for some reason
**Key Information:**
-- **Key Identifier** \[Type = UnicodeString\]: unique identifier of a master key which backup was created. The Master Key is used, with some additional data, to generate an actual symmetric session key to encrypt\\decrypt the data using DPAPI. All of user's Master Keys are located in user profile -> %APPDATA%\\Roaming\\Microsoft\\Windows\\Protect\\%SID% folder. The name of every Master Key file is it’s ID.
+- **Key Identifier** \[Type = UnicodeString\]: unique identifier of a master key which backup was created. The Master Key is used, with some additional data, to generate an actual symmetric session key to encrypt\\decrypt the data using DPAPI. All of user's Master Keys are located in user profile -> %APPDATA%\\Roaming\\Microsoft\\Windows\\Protect\\%SID% folder. The name of every Master Key file is its ID.
- **Recovery Server** \[Type = UnicodeString\]: the name (typically – DNS name) of the computer that you contacted to back up your Master Key. For domain joined machines, it’s typically a name of a domain controller. This parameter might not be captured in the event, and in that case will be empty.
-- **Recovery Key ID** \[Type = UnicodeString\]**:** unique identifier of a recovery key. The recovery key is generated when a user chooses to create a Password Reset Disk (PRD) from the user's Control Panel or when first Master Key is generated. First, DPAPI generates a RSA public/private key pair, which is the recovery key. In this field you will see unique Recovery key ID which was used for Master key backup operation.
+- **Recovery Key ID** \[Type = UnicodeString\]**:** unique identifier of a recovery key. The recovery key is generated when a user chooses to create a Password Reset Disk (PRD) from the user's Control Panel or when first Master Key is generated. First, DPAPI generates an RSA public/private key pair, which is the recovery key. In this field, you will see unique Recovery key ID that was used for Master key backup operation.
- For Failure events this field is typically empty.
+ For Failure events, this field is typically empty.
**Status Information:**
-- **Status Code** \[Type = HexInt32\]**:** hexadecimal unique status code of performed operation. For Success events this field is typically “**0x0**”. To see the meaning of status code you need to convert it to decimal value and us “**net helpmsg STATUS\_CODE**” command to see the description for specific STATUS\_CODE. Here is an example of “net helpmsg” command output for status code 0x3A:
+- **Status Code** \[Type = HexInt32\]**:** hexadecimal unique status code of performed operation. For Success events, this field is typically “**0x0**”. To see the meaning of status code you need to convert it to decimal value and us “**net helpmsg STATUS\_CODE**” command to see the description for specific STATUS\_CODE. Here is an example of “net helpmsg” command output for status code 0x3A:
> \[Net helpmsg 58 illustration](..images/net-helpmsg-58.png)
diff --git a/windows/security/threat-protection/auditing/event-4693.md b/windows/security/threat-protection/auditing/event-4693.md
index 72c5473fe1..705ede7a61 100644
--- a/windows/security/threat-protection/auditing/event-4693.md
+++ b/windows/security/threat-protection/auditing/event-4693.md
@@ -2,7 +2,7 @@
title: 4693(S, F) Recovery of data protection master key was attempted. (Windows 10)
description: Describes security event 4693(S, F) Recovery of data protection master key was attempted.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4693(S, F): Recovery of data protection master key was attempted.
diff --git a/windows/security/threat-protection/auditing/event-4694.md b/windows/security/threat-protection/auditing/event-4694.md
index 9d96a529ac..3d9e4f51cf 100644
--- a/windows/security/threat-protection/auditing/event-4694.md
+++ b/windows/security/threat-protection/auditing/event-4694.md
@@ -2,7 +2,7 @@
title: 4694(S, F) Protection of auditable protected data was attempted. (Windows 10)
description: Describes security event 4694(S, F) Protection of auditable protected data was attempted.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4694(S, F): Protection of auditable protected data was attempted.
diff --git a/windows/security/threat-protection/auditing/event-4695.md b/windows/security/threat-protection/auditing/event-4695.md
index 675ba33601..cbca831957 100644
--- a/windows/security/threat-protection/auditing/event-4695.md
+++ b/windows/security/threat-protection/auditing/event-4695.md
@@ -2,7 +2,7 @@
title: 4695(S, F) Unprotection of auditable protected data was attempted. (Windows 10)
description: Describes security event 4695(S, F) Unprotection of auditable protected data was attempted.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4695(S, F): Unprotection of auditable protected data was attempted.
diff --git a/windows/security/threat-protection/auditing/event-4696.md b/windows/security/threat-protection/auditing/event-4696.md
index 0268cd25a8..520d0d5d1e 100644
--- a/windows/security/threat-protection/auditing/event-4696.md
+++ b/windows/security/threat-protection/auditing/event-4696.md
@@ -2,7 +2,7 @@
title: 4696(S) A primary token was assigned to process. (Windows 10)
description: Describes security event 4696(S) A primary token was assigned to process.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4696(S): A primary token was assigned to process.
diff --git a/windows/security/threat-protection/auditing/event-4697.md b/windows/security/threat-protection/auditing/event-4697.md
index d454c05905..090b2436e1 100644
--- a/windows/security/threat-protection/auditing/event-4697.md
+++ b/windows/security/threat-protection/auditing/event-4697.md
@@ -2,7 +2,7 @@
title: 4697(S) A service was installed in the system. (Windows 10)
description: Describes security event 4697(S) A service was installed in the system.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4697(S): A service was installed in the system.
diff --git a/windows/security/threat-protection/auditing/event-4698.md b/windows/security/threat-protection/auditing/event-4698.md
index a6f3256c16..567815e3b8 100644
--- a/windows/security/threat-protection/auditing/event-4698.md
+++ b/windows/security/threat-protection/auditing/event-4698.md
@@ -2,7 +2,7 @@
title: 4698(S) A scheduled task was created. (Windows 10)
description: Describes security event 4698(S) A scheduled task was created. This event is generated when a scheduled task is created.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4698(S): A scheduled task was created.
diff --git a/windows/security/threat-protection/auditing/event-4699.md b/windows/security/threat-protection/auditing/event-4699.md
index 48148e6246..5b2861c4d1 100644
--- a/windows/security/threat-protection/auditing/event-4699.md
+++ b/windows/security/threat-protection/auditing/event-4699.md
@@ -2,7 +2,7 @@
title: 4699(S) A scheduled task was deleted. (Windows 10)
description: Describes security event 4699(S) A scheduled task was deleted. This event is generated every time a scheduled task is deleted.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4699(S): A scheduled task was deleted.
diff --git a/windows/security/threat-protection/auditing/event-4700.md b/windows/security/threat-protection/auditing/event-4700.md
index 8d39b0e38d..90e9f7b574 100644
--- a/windows/security/threat-protection/auditing/event-4700.md
+++ b/windows/security/threat-protection/auditing/event-4700.md
@@ -2,7 +2,7 @@
title: 4700(S) A scheduled task was enabled. (Windows 10)
description: Describes security event 4700(S) A scheduled task was enabled. This event is generated every time a scheduled task is enabled.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4700(S): A scheduled task was enabled.
diff --git a/windows/security/threat-protection/auditing/event-4701.md b/windows/security/threat-protection/auditing/event-4701.md
index ef24c397fc..bc81734079 100644
--- a/windows/security/threat-protection/auditing/event-4701.md
+++ b/windows/security/threat-protection/auditing/event-4701.md
@@ -2,7 +2,7 @@
title: 4701(S) A scheduled task was disabled. (Windows 10)
description: Describes security event 4701(S) A scheduled task was disabled. This event is generated every time a scheduled task is disabled.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4701(S): A scheduled task was disabled.
diff --git a/windows/security/threat-protection/auditing/event-4702.md b/windows/security/threat-protection/auditing/event-4702.md
index 393a0619d6..f6d5b753e4 100644
--- a/windows/security/threat-protection/auditing/event-4702.md
+++ b/windows/security/threat-protection/auditing/event-4702.md
@@ -2,7 +2,7 @@
title: 4702(S) A scheduled task was updated. (Windows 10)
description: Describes security event 4702(S) A scheduled task was updated. This event is generated when a scheduled task is updated/changed.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4702(S): A scheduled task was updated.
diff --git a/windows/security/threat-protection/auditing/event-4703.md b/windows/security/threat-protection/auditing/event-4703.md
index 7483483ea2..e0a624d4fb 100644
--- a/windows/security/threat-protection/auditing/event-4703.md
+++ b/windows/security/threat-protection/auditing/event-4703.md
@@ -2,7 +2,7 @@
title: 4703(S) A user right was adjusted. (Windows 10)
description: Describes security event 4703(S) A user right was adjusted. This event is generated when token privileges are enabled or disabled for a specific account.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4703(S): A user right was adjusted.
diff --git a/windows/security/threat-protection/auditing/event-4704.md b/windows/security/threat-protection/auditing/event-4704.md
index bc3e9d5c3a..d1d045bb0d 100644
--- a/windows/security/threat-protection/auditing/event-4704.md
+++ b/windows/security/threat-protection/auditing/event-4704.md
@@ -2,7 +2,7 @@
title: 4704(S) A user right was assigned. (Windows 10)
description: Describes security event 4704(S) A user right was assigned. This event is generated when a user right is assigned to an account.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4704(S): A user right was assigned.
diff --git a/windows/security/threat-protection/auditing/event-4705.md b/windows/security/threat-protection/auditing/event-4705.md
index 5b337c9941..317b3b23fb 100644
--- a/windows/security/threat-protection/auditing/event-4705.md
+++ b/windows/security/threat-protection/auditing/event-4705.md
@@ -2,7 +2,7 @@
title: 4705(S) A user right was removed. (Windows 10)
description: Describes security event 4705(S) A user right was removed. This event is generated when a user right is removed from an account.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4705(S): A user right was removed.
diff --git a/windows/security/threat-protection/auditing/event-4706.md b/windows/security/threat-protection/auditing/event-4706.md
index 2a57c47db5..d39473364c 100644
--- a/windows/security/threat-protection/auditing/event-4706.md
+++ b/windows/security/threat-protection/auditing/event-4706.md
@@ -2,7 +2,7 @@
title: 4706(S) A new trust was created to a domain. (Windows 10)
description: Describes security event 4706(S) A new trust was created to a domain. This event is generated when a new trust is created for a domain.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4706(S): A new trust was created to a domain.
diff --git a/windows/security/threat-protection/auditing/event-4707.md b/windows/security/threat-protection/auditing/event-4707.md
index dc7e2f5419..f16f66bdcd 100644
--- a/windows/security/threat-protection/auditing/event-4707.md
+++ b/windows/security/threat-protection/auditing/event-4707.md
@@ -2,7 +2,7 @@
title: 4707(S) A trust to a domain was removed. (Windows 10)
description: Describes security event 4707(S) A trust to a domain was removed. This event is generated when a domain trust is removed.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4707(S): A trust to a domain was removed.
diff --git a/windows/security/threat-protection/auditing/event-4713.md b/windows/security/threat-protection/auditing/event-4713.md
index 69c6f2f153..3c7ada997e 100644
--- a/windows/security/threat-protection/auditing/event-4713.md
+++ b/windows/security/threat-protection/auditing/event-4713.md
@@ -2,7 +2,7 @@
title: 4713(S) Kerberos policy was changed. (Windows 10)
description: Describes security event 4713(S) Kerberos policy was changed. This event is generated when Kerberos policy is changed.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4713(S): Kerberos policy was changed.
diff --git a/windows/security/threat-protection/auditing/event-4714.md b/windows/security/threat-protection/auditing/event-4714.md
index c81891ffc9..36dec3a969 100644
--- a/windows/security/threat-protection/auditing/event-4714.md
+++ b/windows/security/threat-protection/auditing/event-4714.md
@@ -2,7 +2,7 @@
title: 4714(S) Encrypted data recovery policy was changed. (Windows 10)
description: Describes security event 4714(S) Encrypted data recovery policy was changed.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4714(S): Encrypted data recovery policy was changed.
diff --git a/windows/security/threat-protection/auditing/event-4715.md b/windows/security/threat-protection/auditing/event-4715.md
index c51f51c999..d4e9d14839 100644
--- a/windows/security/threat-protection/auditing/event-4715.md
+++ b/windows/security/threat-protection/auditing/event-4715.md
@@ -2,7 +2,7 @@
title: 4715(S) The audit policy (SACL) on an object was changed. (Windows 10)
description: Describes security event 4715(S) The audit policy (SACL) on an object was changed.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4715(S): The audit policy (SACL) on an object was changed.
diff --git a/windows/security/threat-protection/auditing/event-4716.md b/windows/security/threat-protection/auditing/event-4716.md
index 4ab122d7f1..35b1bfc9d2 100644
--- a/windows/security/threat-protection/auditing/event-4716.md
+++ b/windows/security/threat-protection/auditing/event-4716.md
@@ -2,7 +2,7 @@
title: 4716(S) Trusted domain information was modified. (Windows 10)
description: Describes security event 4716(S) Trusted domain information was modified.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/04/2019
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4716(S): Trusted domain information was modified.
diff --git a/windows/security/threat-protection/auditing/event-4717.md b/windows/security/threat-protection/auditing/event-4717.md
index ffe87e87e0..ddbd9f66db 100644
--- a/windows/security/threat-protection/auditing/event-4717.md
+++ b/windows/security/threat-protection/auditing/event-4717.md
@@ -2,7 +2,7 @@
title: 4717(S) System security access was granted to an account. (Windows 10)
description: Describes security event 4717(S) System security access was granted to an account.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4717(S): System security access was granted to an account.
diff --git a/windows/security/threat-protection/auditing/event-4718.md b/windows/security/threat-protection/auditing/event-4718.md
index ecef74c71a..0e7892c9c8 100644
--- a/windows/security/threat-protection/auditing/event-4718.md
+++ b/windows/security/threat-protection/auditing/event-4718.md
@@ -2,7 +2,7 @@
title: 4718(S) System security access was removed from an account. (Windows 10)
description: Describes security event 4718(S) System security access was removed from an account.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4718(S): System security access was removed from an account.
diff --git a/windows/security/threat-protection/auditing/event-4719.md b/windows/security/threat-protection/auditing/event-4719.md
index e634cf0bbf..98469b6945 100644
--- a/windows/security/threat-protection/auditing/event-4719.md
+++ b/windows/security/threat-protection/auditing/event-4719.md
@@ -2,7 +2,7 @@
title: 4719(S) System audit policy was changed. (Windows 10)
description: Describes security event 4719(S) System audit policy was changed. This event is generated when the computer audit policy changes.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4719(S): System audit policy was changed.
diff --git a/windows/security/threat-protection/auditing/event-4720.md b/windows/security/threat-protection/auditing/event-4720.md
index d18fd86200..1569aebb53 100644
--- a/windows/security/threat-protection/auditing/event-4720.md
+++ b/windows/security/threat-protection/auditing/event-4720.md
@@ -2,7 +2,7 @@
title: 4720(S) A user account was created. (Windows 10)
description: Describes security event 4720(S) A user account was created. This event is generated a user object is created.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4720(S): A user account was created.
diff --git a/windows/security/threat-protection/auditing/event-4722.md b/windows/security/threat-protection/auditing/event-4722.md
index 97a958aba9..e156a9bedf 100644
--- a/windows/security/threat-protection/auditing/event-4722.md
+++ b/windows/security/threat-protection/auditing/event-4722.md
@@ -2,7 +2,7 @@
title: 4722(S) A user account was enabled. (Windows 10)
description: Describes security event 4722(S) A user account was enabled. This event is generated when a user or computer object is enabled.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4722(S): A user account was enabled.
diff --git a/windows/security/threat-protection/auditing/event-4723.md b/windows/security/threat-protection/auditing/event-4723.md
index 4622d802a2..8a2eb1aa9b 100644
--- a/windows/security/threat-protection/auditing/event-4723.md
+++ b/windows/security/threat-protection/auditing/event-4723.md
@@ -2,7 +2,7 @@
title: 4723(S, F) An attempt was made to change an account's password. (Windows 10)
description: Describes security event 4723(S, F) An attempt was made to change an account's password.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4723(S, F): An attempt was made to change an account's password.
diff --git a/windows/security/threat-protection/auditing/event-4724.md b/windows/security/threat-protection/auditing/event-4724.md
index 3d9bbc1a0d..f360a13828 100644
--- a/windows/security/threat-protection/auditing/event-4724.md
+++ b/windows/security/threat-protection/auditing/event-4724.md
@@ -2,7 +2,7 @@
title: 4724(S, F) An attempt was made to reset an account's password. (Windows 10)
description: Describes security event 4724(S, F) An attempt was made to reset an account's password.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4724(S, F): An attempt was made to reset an account's password.
diff --git a/windows/security/threat-protection/auditing/event-4725.md b/windows/security/threat-protection/auditing/event-4725.md
index c1bdc4c1f4..5be795b261 100644
--- a/windows/security/threat-protection/auditing/event-4725.md
+++ b/windows/security/threat-protection/auditing/event-4725.md
@@ -2,7 +2,7 @@
title: 4725(S) A user account was disabled. (Windows 10)
description: Describes security event 4725(S) A user account was disabled. This event is generated when a user or computer object is disabled.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4725(S): A user account was disabled.
diff --git a/windows/security/threat-protection/auditing/event-4726.md b/windows/security/threat-protection/auditing/event-4726.md
index ae0997e85e..f8f7ffba8c 100644
--- a/windows/security/threat-protection/auditing/event-4726.md
+++ b/windows/security/threat-protection/auditing/event-4726.md
@@ -2,7 +2,7 @@
title: 4726(S) A user account was deleted. (Windows 10)
description: Describes security event 4726(S) A user account was deleted. This event is generated when a user object is deleted.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4726(S): A user account was deleted.
diff --git a/windows/security/threat-protection/auditing/event-4731.md b/windows/security/threat-protection/auditing/event-4731.md
index 5fcdcba641..78d8e0e0c8 100644
--- a/windows/security/threat-protection/auditing/event-4731.md
+++ b/windows/security/threat-protection/auditing/event-4731.md
@@ -2,7 +2,7 @@
title: 4731(S) A security-enabled local group was created. (Windows 10)
description: Describes security event 4731(S) A security-enabled local group was created.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4731(S): A security-enabled local group was created.
diff --git a/windows/security/threat-protection/auditing/event-4732.md b/windows/security/threat-protection/auditing/event-4732.md
index 65ba0ae840..94a84c0054 100644
--- a/windows/security/threat-protection/auditing/event-4732.md
+++ b/windows/security/threat-protection/auditing/event-4732.md
@@ -2,7 +2,7 @@
title: 4732(S) A member was added to a security-enabled local group. (Windows 10)
description: Describes security event 4732(S) A member was added to a security-enabled local group.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4732(S): A member was added to a security-enabled local group.
diff --git a/windows/security/threat-protection/auditing/event-4733.md b/windows/security/threat-protection/auditing/event-4733.md
index b970a918bc..b23bf184d3 100644
--- a/windows/security/threat-protection/auditing/event-4733.md
+++ b/windows/security/threat-protection/auditing/event-4733.md
@@ -2,7 +2,7 @@
title: 4733(S) A member was removed from a security-enabled local group. (Windows 10)
description: Describes security event 4733(S) A member was removed from a security-enabled local group.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4733(S): A member was removed from a security-enabled local group.
diff --git a/windows/security/threat-protection/auditing/event-4734.md b/windows/security/threat-protection/auditing/event-4734.md
index 5e439c5e46..144c20c935 100644
--- a/windows/security/threat-protection/auditing/event-4734.md
+++ b/windows/security/threat-protection/auditing/event-4734.md
@@ -2,7 +2,7 @@
title: 4734(S) A security-enabled local group was deleted. (Windows 10)
description: Describes security event 4734(S) A security-enabled local group was deleted.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4734(S): A security-enabled local group was deleted.
diff --git a/windows/security/threat-protection/auditing/event-4735.md b/windows/security/threat-protection/auditing/event-4735.md
index 07ff8c48cf..98843abaa0 100644
--- a/windows/security/threat-protection/auditing/event-4735.md
+++ b/windows/security/threat-protection/auditing/event-4735.md
@@ -2,7 +2,7 @@
title: 4735(S) A security-enabled local group was changed. (Windows 10)
description: Describes security event 4735(S) A security-enabled local group was changed.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4735(S): A security-enabled local group was changed.
diff --git a/windows/security/threat-protection/auditing/event-4738.md b/windows/security/threat-protection/auditing/event-4738.md
index 3ad4e0bb93..6262726e51 100644
--- a/windows/security/threat-protection/auditing/event-4738.md
+++ b/windows/security/threat-protection/auditing/event-4738.md
@@ -2,7 +2,7 @@
title: 4738(S) A user account was changed. (Windows 10)
description: Describes security event 4738(S) A user account was changed. This event is generated when a user object is changed.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4738(S): A user account was changed.
diff --git a/windows/security/threat-protection/auditing/event-4739.md b/windows/security/threat-protection/auditing/event-4739.md
index 644aa94187..900d034c18 100644
--- a/windows/security/threat-protection/auditing/event-4739.md
+++ b/windows/security/threat-protection/auditing/event-4739.md
@@ -2,7 +2,7 @@
title: 4739(S) Domain Policy was changed. (Windows 10)
description: Describes security event 4739(S) Domain Policy was changed. This event is generated when certain changes are made to the local computer security policy.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4739(S): Domain Policy was changed.
diff --git a/windows/security/threat-protection/auditing/event-4740.md b/windows/security/threat-protection/auditing/event-4740.md
index 68838caedf..db7139e935 100644
--- a/windows/security/threat-protection/auditing/event-4740.md
+++ b/windows/security/threat-protection/auditing/event-4740.md
@@ -2,7 +2,7 @@
title: 4740(S) A user account was locked out. (Windows 10)
description: Describes security event 4740(S) A user account was locked out. This event is generated every time a user account is locked out.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4740(S): A user account was locked out.
diff --git a/windows/security/threat-protection/auditing/event-4741.md b/windows/security/threat-protection/auditing/event-4741.md
index 22809b4f8f..466e46e06b 100644
--- a/windows/security/threat-protection/auditing/event-4741.md
+++ b/windows/security/threat-protection/auditing/event-4741.md
@@ -2,7 +2,7 @@
title: 4741(S) A computer account was created. (Windows 10)
description: Describes security event 4741(S) A computer account was created. This event is generated every time a computer object is created.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4741(S): A computer account was created.
diff --git a/windows/security/threat-protection/auditing/event-4742.md b/windows/security/threat-protection/auditing/event-4742.md
index 0d9f50526b..c692aef6e1 100644
--- a/windows/security/threat-protection/auditing/event-4742.md
+++ b/windows/security/threat-protection/auditing/event-4742.md
@@ -2,7 +2,7 @@
title: 4742(S) A computer account was changed. (Windows 10)
description: Describes security event 4742(S) A computer account was changed. This event is generated every time a computer object is changed.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4742(S): A computer account was changed.
diff --git a/windows/security/threat-protection/auditing/event-4743.md b/windows/security/threat-protection/auditing/event-4743.md
index 3cc90698fb..3402a5e1d7 100644
--- a/windows/security/threat-protection/auditing/event-4743.md
+++ b/windows/security/threat-protection/auditing/event-4743.md
@@ -2,7 +2,7 @@
title: 4743(S) A computer account was deleted. (Windows 10)
description: Describes security event 4743(S) A computer account was deleted. This event is generated every time a computer object is deleted.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4743(S): A computer account was deleted.
diff --git a/windows/security/threat-protection/auditing/event-4749.md b/windows/security/threat-protection/auditing/event-4749.md
index cb2cbe96a6..478ae9e021 100644
--- a/windows/security/threat-protection/auditing/event-4749.md
+++ b/windows/security/threat-protection/auditing/event-4749.md
@@ -2,7 +2,7 @@
title: 4749(S) A security-disabled global group was created. (Windows 10)
description: Describes security event 4749(S) A security-disabled global group was created.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4749(S): A security-disabled global group was created.
diff --git a/windows/security/threat-protection/auditing/event-4750.md b/windows/security/threat-protection/auditing/event-4750.md
index 7d5ba9d12e..4bdfe79f69 100644
--- a/windows/security/threat-protection/auditing/event-4750.md
+++ b/windows/security/threat-protection/auditing/event-4750.md
@@ -2,7 +2,7 @@
title: 4750(S) A security-disabled global group was changed. (Windows 10)
description: Describes security event 4750(S) A security-disabled global group was changed.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4750(S): A security-disabled global group was changed.
diff --git a/windows/security/threat-protection/auditing/event-4751.md b/windows/security/threat-protection/auditing/event-4751.md
index e72bc3b3a0..c86b86e123 100644
--- a/windows/security/threat-protection/auditing/event-4751.md
+++ b/windows/security/threat-protection/auditing/event-4751.md
@@ -2,7 +2,7 @@
title: 4751(S) A member was added to a security-disabled global group. (Windows 10)
description: Describes security event 4751(S) A member was added to a security-disabled global group.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4751(S): A member was added to a security-disabled global group.
diff --git a/windows/security/threat-protection/auditing/event-4752.md b/windows/security/threat-protection/auditing/event-4752.md
index b1fc1df98f..791b2886aa 100644
--- a/windows/security/threat-protection/auditing/event-4752.md
+++ b/windows/security/threat-protection/auditing/event-4752.md
@@ -2,7 +2,7 @@
title: 4752(S) A member was removed from a security-disabled global group. (Windows 10)
description: Describes security event 4752(S) A member was removed from a security-disabled global group.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4752(S): A member was removed from a security-disabled global group.
diff --git a/windows/security/threat-protection/auditing/event-4753.md b/windows/security/threat-protection/auditing/event-4753.md
index 0eef2ab038..501018ce26 100644
--- a/windows/security/threat-protection/auditing/event-4753.md
+++ b/windows/security/threat-protection/auditing/event-4753.md
@@ -2,7 +2,7 @@
title: 4753(S) A security-disabled global group was deleted. (Windows 10)
description: Describes security event 4753(S) A security-disabled global group was deleted.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4753(S): A security-disabled global group was deleted.
diff --git a/windows/security/threat-protection/auditing/event-4764.md b/windows/security/threat-protection/auditing/event-4764.md
index 86df9d9645..1697b853f9 100644
--- a/windows/security/threat-protection/auditing/event-4764.md
+++ b/windows/security/threat-protection/auditing/event-4764.md
@@ -1,8 +1,8 @@
---
title: 4764(S) A group's type was changed. (Windows 10)
-description: "Describes security event 4764(S) A group's type was changed. This event is generated when the type of a group is changed."
+description: Describes security event 4764(S) A group's type was changed. This event is generated when the type of a group is changed.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4764(S): A group’s type was changed.
diff --git a/windows/security/threat-protection/auditing/event-4765.md b/windows/security/threat-protection/auditing/event-4765.md
index 3ea2c4e756..3a23558650 100644
--- a/windows/security/threat-protection/auditing/event-4765.md
+++ b/windows/security/threat-protection/auditing/event-4765.md
@@ -2,7 +2,7 @@
title: 4765(S) SID History was added to an account. (Windows 10)
description: Describes security event 4765(S) SID History was added to an account. This event is generated when SID History is added to an account.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4765(S): SID History was added to an account.
diff --git a/windows/security/threat-protection/auditing/event-4766.md b/windows/security/threat-protection/auditing/event-4766.md
index d8dab9d004..afac5f0fe1 100644
--- a/windows/security/threat-protection/auditing/event-4766.md
+++ b/windows/security/threat-protection/auditing/event-4766.md
@@ -2,7 +2,7 @@
title: 4766(F) An attempt to add SID History to an account failed. (Windows 10)
description: Describes security event 4766(F) An attempt to add SID History to an account failed.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4766(F): An attempt to add SID History to an account failed.
diff --git a/windows/security/threat-protection/auditing/event-4767.md b/windows/security/threat-protection/auditing/event-4767.md
index 87baefbc54..cf7b13e4f0 100644
--- a/windows/security/threat-protection/auditing/event-4767.md
+++ b/windows/security/threat-protection/auditing/event-4767.md
@@ -2,7 +2,7 @@
title: 4767(S) A user account was unlocked. (Windows 10)
description: Describes security event 4767(S) A user account was unlocked. This event is generated every time a user account is unlocked.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4767(S): A user account was unlocked.
diff --git a/windows/security/threat-protection/auditing/event-4768.md b/windows/security/threat-protection/auditing/event-4768.md
index 1da086eb93..22df11d465 100644
--- a/windows/security/threat-protection/auditing/event-4768.md
+++ b/windows/security/threat-protection/auditing/event-4768.md
@@ -2,7 +2,7 @@
title: 4768(S, F) A Kerberos authentication ticket (TGT) was requested. (Windows 10)
description: Describes security event 4768(S, F) A Kerberos authentication ticket (TGT) was requested.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4768(S, F): A Kerberos authentication ticket (TGT) was requested.
diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md
index 64f7bf4503..522068cbbb 100644
--- a/windows/security/threat-protection/auditing/event-4769.md
+++ b/windows/security/threat-protection/auditing/event-4769.md
@@ -2,7 +2,7 @@
title: 4769(S, F) A Kerberos service ticket was requested. (Windows 10)
description: Describes security event 4769(S, F) A Kerberos service ticket was requested.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4769(S, F): A Kerberos service ticket was requested.
diff --git a/windows/security/threat-protection/auditing/event-4770.md b/windows/security/threat-protection/auditing/event-4770.md
index 0085dcf3ff..8ec543b090 100644
--- a/windows/security/threat-protection/auditing/event-4770.md
+++ b/windows/security/threat-protection/auditing/event-4770.md
@@ -2,7 +2,7 @@
title: 4770(S) A Kerberos service ticket was renewed. (Windows 10)
description: Describes security event 4770(S) A Kerberos service ticket was renewed.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4770(S): A Kerberos service ticket was renewed.
diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md
index af44f02711..840d05eefb 100644
--- a/windows/security/threat-protection/auditing/event-4771.md
+++ b/windows/security/threat-protection/auditing/event-4771.md
@@ -2,7 +2,7 @@
title: 4771(F) Kerberos pre-authentication failed. (Windows 10)
description: Describes security event 4771(F) Kerberos pre-authentication failed. This event is generated when the Key Distribution Center fails to issue a Kerberos TGT.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 07/23/2020
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4771(F): Kerberos pre-authentication failed.
@@ -26,7 +27,7 @@ ms.author: dansimp
***Event Description:***
-This event generates every time the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). This can occur when a domain controller doesn’t have a certificate installed for smart card authentication (for example, with a “Domain Controller” or “Domain Controller Authentication” template), the user’s password has expired, or the wrong password was provided.
+This event generates every time the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). This problem can occur when a domain controller doesn’t have a certificate installed for smart card authentication (for example, with a “Domain Controller” or “Domain Controller Authentication” template), the user’s password has expired, or the wrong password was provided.
This event generates only on domain controllers.
@@ -103,7 +104,7 @@ This event is not generated if “Do not require Kerberos preauthentication” o
**Network Information:**
-- **Client Address** \[Type = UnicodeString\]**:** IP address of the computer from which the TGT request was received. Formats vary, and include the following:
+- **Client Address** \[Type = UnicodeString\]**:** IP address of the computer from which the TGT request was received. Here are some examples of formats:
- **IPv6** or **IPv4** address.
@@ -117,7 +118,7 @@ This event is not generated if “Do not require Kerberos preauthentication” o
**Additional Information:**
-- **Ticket Options**: \[Type = HexInt32\]: this is a set of different Ticket Flags in hexadecimal format.
+- **Ticket Options**: \[Type = HexInt32\]: this set of different Ticket Flags is in hexadecimal format.
Example:
@@ -125,7 +126,7 @@ This event is not generated if “Do not require Kerberos preauthentication” o
- Binary view: 01000000100000010000000000010000
- - Using **MSB 0** bit numbering we have bit 1, 8, 15 and 27 set = Forwardable, Renewable, Canonicalize, Renewable-ok.
+ - Using **MSB 0**-bit numbering, we have bit 1, 8, 15 and 27 set = Forwardable, Renewable, Canonicalize, Renewable-ok.
> **Note** In the table below **“MSB 0”** bit numbering is used, because RFC documents use this style. In “MSB 0” style bit numbering begins from left.
@@ -146,15 +147,15 @@ The most common values:
| 4 | Proxy | Indicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket. |
| 5 | Allow-postdate | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). |
| 6 | Postdated | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). |
-| 7 | Invalid | This flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets which have this flag set. |
+| 7 | Invalid | This flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets that have this flag set. |
| 8 | Renewable | Used in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically. |
| 9 | Initial | Indicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT. |
| 10 | Pre-authent | Indicates that the client was authenticated by the KDC before a ticket was issued. This flag usually indicates the presence of an authenticator in the ticket. It can also flag the presence of credentials taken from a smart card logon. |
| 11 | Opt-hardware-auth | This flag was originally intended to indicate that hardware-supported authentication was used during pre-authentication. This flag is no longer recommended in the Kerberos V5 protocol. KDCs MUST NOT issue a ticket with this flag set. KDCs SHOULD NOT preserve this flag if it is set by another KDC. |
| 12 | Transited-policy-checked | KILE MUST NOT check for transited domains on servers or a KDC. Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag. |
| 13 | Ok-as-delegate | The KDC MUST set the OK-AS-DELEGATE flag if the service account is trusted for delegation. |
-| 14 | Request-anonymous | KILE not use this flag. |
-| 15 | Name-canonicalize | In order to request referrals the Kerberos client MUST explicitly request the "canonicalize" KDC option for the AS-REQ or TGS-REQ. |
+| 14 | Request-anonymous | KILE does not use this flag. |
+| 15 | Name-canonicalize | To request referrals, the Kerberos client MUST explicitly request the "canonicalize" KDC option for the AS-REQ or TGS-REQ. |
| 16-25 | Unused | - |
| 26 | Disable-transited-check | By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honor
the DISABLE-TRANSITED-CHECK option.
Should not be in use, because Transited-policy-checked flag is not supported by KILE. |
| 27 | Renewable-ok | The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server. |
@@ -169,11 +170,11 @@ The most common values:
| Code | Code Name | Description | Possible causes |
|------|--------------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.
It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). |
+| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.
It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). |
| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset | The user’s password has expired. |
| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid | The wrong password was provided. |
-- **Pre-Authentication Type** \[Type = UnicodeString\]: the code of [pre-Authentication](https://technet.microsoft.com/library/cc772815(v=ws.10).aspx) type which was used in TGT request.
+- **Pre-Authentication Type** \[Type = UnicodeString\]: the code of [pre-Authentication](https://technet.microsoft.com/library/cc772815(v=ws.10).aspx) type that was used in TGT request.
## Table 5. Kerberos Pre-Authentication types.
@@ -181,7 +182,7 @@ The most common values:
| Type | Type Name | Description |
|------|------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 0 | - | Logon without Pre-Authentication. |
-| 2 | PA-ENC-TIMESTAMP | This is a normal type for standard password authentication. |
+| 2 | PA-ENC-TIMESTAMP | This type is normal for standard password authentication. |
| 11 | PA-ETYPE-INFO | The ETYPE-INFO pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.
Never saw this Pre-Authentication Type in Microsoft Active Directory environment. |
| 15 | PA-PK-AS-REP\_OLD | Used for Smart Card logon authentication. |
| 16 | PA-PK-AS-REQ | Request sent to KDC in Smart Card authentication scenarios.|
@@ -193,7 +194,7 @@ The most common values:
**Certificate Information:**
-- **Certificate Issuer Name** \[Type = UnicodeString\]**:** the name of Certification Authority which issued smart card certificate. Populated in **Issued by** field in certificate. Always empty for [4771](event-4771.md) events.
+- **Certificate Issuer Name** \[Type = UnicodeString\]**:** the name of Certification Authority that issued smart card certificate. Populated in **Issued by** field in certificate. Always empty for [4771](event-4771.md) events.
- **Certificate Serial Number** \[Type = UnicodeString\]**:** smart card certificate’s serial number. Can be found in **Serial number** field in the certificate. Always empty for [4771](event-4771.md) events.
@@ -208,14 +209,14 @@ For 4771(F): Kerberos pre-authentication failed.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Security ID”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Security ID”** that corresponds to the accounts that should never be used. |
-| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Security ID”** for accounts that are outside the allow list. |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Security ID”** for accounts that are outside the allow list. |
| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. |
- You can track all [4771](event-4771.md) events where the **Client Address** is not from your internal IP range or not from private IP ranges.
- If you know that **Account Name** should be used only from known list of IP addresses, track all **Client Address** values for this **Account Name** in [4771](event-4771.md) events. If **Client Address** is not from the allow list, generate the alert.
-- All **Client Address** = ::1 means local authentication. If you know the list of accounts which should log on to the domain controllers, then you need to monitor for all possible violations, where **Client Address** = ::1 and **Account Name** is not allowed to log on to any domain controller.
+- All **Client Address** = ::1 means local authentication. If you know the list of accounts that should log on to the domain controllers, then you need to monitor for all possible violations, where **Client Address** = ::1 and **Account Name** is not allowed to log on to any domain controller.
- All [4771](event-4771.md) events with **Client Port** field value > 0 and < 1024 should be examined, because a well-known port was used for outbound connection.
@@ -227,5 +228,5 @@ For 4771(F): Kerberos pre-authentication failed.
| **Pre-Authentication Type** | Value is **not 2** when only standard password authentication is in use in the organization. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types). |
| **Pre-Authentication Type** | Value is **not 138** when Kerberos Armoring is enabled for all Kerberos communications in the organization. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types). |
| **Failure Code** | **0x10** (KDC has no support for PADATA type (pre-authentication data)). This error can help you to more quickly identify smart-card related problems with Kerberos authentication. |
-| **Failure Code** | **0x18** ((Pre-authentication information was invalid), if you see, for example N events in last N minutes. This can be an indicator of brute-force attack on the account password, especially for highly critical accounts. |
+| **Failure Code** | **0x18** ((Pre-authentication information was invalid), if you see, for example N events in last N minutes. This issue can indicate a brute-force attack on the account password, especially for highly critical accounts. |
diff --git a/windows/security/threat-protection/auditing/event-4772.md b/windows/security/threat-protection/auditing/event-4772.md
index 1119135008..2124b16bb1 100644
--- a/windows/security/threat-protection/auditing/event-4772.md
+++ b/windows/security/threat-protection/auditing/event-4772.md
@@ -2,7 +2,7 @@
title: 4772(F) A Kerberos authentication ticket request failed. (Windows 10)
description: Describes security event 4772(F) A Kerberos authentication ticket request failed.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4772(F): A Kerberos authentication ticket request failed.
diff --git a/windows/security/threat-protection/auditing/event-4773.md b/windows/security/threat-protection/auditing/event-4773.md
index 7a307bbea1..ba672478d8 100644
--- a/windows/security/threat-protection/auditing/event-4773.md
+++ b/windows/security/threat-protection/auditing/event-4773.md
@@ -2,7 +2,7 @@
title: 4773(F) A Kerberos service ticket request failed. (Windows 10)
description: Describes security event 4773(F) A Kerberos service ticket request failed.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4773(F): A Kerberos service ticket request failed.
diff --git a/windows/security/threat-protection/auditing/event-4774.md b/windows/security/threat-protection/auditing/event-4774.md
index 21a33e20a2..08eb0fe72f 100644
--- a/windows/security/threat-protection/auditing/event-4774.md
+++ b/windows/security/threat-protection/auditing/event-4774.md
@@ -2,7 +2,7 @@
title: 4774(S, F) An account was mapped for logon. (Windows 10)
description: Describes security event 4774(S, F) An account was mapped for logon. This event is generated when an account is mapped for logon.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4774(S, F): An account was mapped for logon.
diff --git a/windows/security/threat-protection/auditing/event-4775.md b/windows/security/threat-protection/auditing/event-4775.md
index e444e1c1bd..cf27ccdf2a 100644
--- a/windows/security/threat-protection/auditing/event-4775.md
+++ b/windows/security/threat-protection/auditing/event-4775.md
@@ -2,7 +2,7 @@
title: 4775(F) An account could not be mapped for logon. (Windows 10)
description: Describes security event 4775(F) An account could not be mapped for logon.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4775(F): An account could not be mapped for logon.
diff --git a/windows/security/threat-protection/auditing/event-4776.md b/windows/security/threat-protection/auditing/event-4776.md
index 2e759dcb4e..18bd592d00 100644
--- a/windows/security/threat-protection/auditing/event-4776.md
+++ b/windows/security/threat-protection/auditing/event-4776.md
@@ -2,7 +2,7 @@
title: 4776(S, F) The computer attempted to validate the credentials for an account. (Windows 10)
description: Describes security event 4776(S, F) The computer attempted to validate the credentials for an account.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4776(S, F): The computer attempted to validate the credentials for an account.
diff --git a/windows/security/threat-protection/auditing/event-4777.md b/windows/security/threat-protection/auditing/event-4777.md
index 4cdf40b163..28a4b42d08 100644
--- a/windows/security/threat-protection/auditing/event-4777.md
+++ b/windows/security/threat-protection/auditing/event-4777.md
@@ -2,7 +2,7 @@
title: 4777(F) The domain controller failed to validate the credentials for an account. (Windows 10)
description: Describes security event 4777(F) The domain controller failed to validate the credentials for an account.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4777(F): The domain controller failed to validate the credentials for an account.
diff --git a/windows/security/threat-protection/auditing/event-4778.md b/windows/security/threat-protection/auditing/event-4778.md
index 265b39dbcf..53c1eac2d8 100644
--- a/windows/security/threat-protection/auditing/event-4778.md
+++ b/windows/security/threat-protection/auditing/event-4778.md
@@ -2,7 +2,7 @@
title: 4778(S) A session was reconnected to a Window Station. (Windows 10)
description: Describes security event 4778(S) A session was reconnected to a Window Station.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4778(S): A session was reconnected to a Window Station.
diff --git a/windows/security/threat-protection/auditing/event-4779.md b/windows/security/threat-protection/auditing/event-4779.md
index bd733289bb..76337cfdf8 100644
--- a/windows/security/threat-protection/auditing/event-4779.md
+++ b/windows/security/threat-protection/auditing/event-4779.md
@@ -2,7 +2,7 @@
title: 4779(S) A session was disconnected from a Window Station. (Windows 10)
description: Describes security event 4779(S) A session was disconnected from a Window Station.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4779(S): A session was disconnected from a Window Station.
diff --git a/windows/security/threat-protection/auditing/event-4780.md b/windows/security/threat-protection/auditing/event-4780.md
index 4a521896e8..dafa5d3ff1 100644
--- a/windows/security/threat-protection/auditing/event-4780.md
+++ b/windows/security/threat-protection/auditing/event-4780.md
@@ -2,7 +2,7 @@
title: 4780(S) The ACL was set on accounts which are members of administrators groups. (Windows 10)
description: Describes security event 4780(S) The ACL was set on accounts which are members of administrators groups.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4780(S): The ACL was set on accounts which are members of administrators groups.
diff --git a/windows/security/threat-protection/auditing/event-4781.md b/windows/security/threat-protection/auditing/event-4781.md
index a48651e686..2adb3bcac5 100644
--- a/windows/security/threat-protection/auditing/event-4781.md
+++ b/windows/security/threat-protection/auditing/event-4781.md
@@ -2,7 +2,7 @@
title: 4781(S) The name of an account was changed. (Windows 10)
description: Describes security event 4781(S) The name of an account was changed. This event is generated every time a user or computer account name is changed.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4781(S): The name of an account was changed.
diff --git a/windows/security/threat-protection/auditing/event-4782.md b/windows/security/threat-protection/auditing/event-4782.md
index 571fdf3a93..a7907aed15 100644
--- a/windows/security/threat-protection/auditing/event-4782.md
+++ b/windows/security/threat-protection/auditing/event-4782.md
@@ -2,7 +2,7 @@
title: 4782(S) The password hash of an account was accessed. (Windows 10)
description: Describes security event 4782(S) The password hash of an account was accessed.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4782(S): The password hash of an account was accessed.
diff --git a/windows/security/threat-protection/auditing/event-4793.md b/windows/security/threat-protection/auditing/event-4793.md
index f2bdc2b09f..d6fecbdbdf 100644
--- a/windows/security/threat-protection/auditing/event-4793.md
+++ b/windows/security/threat-protection/auditing/event-4793.md
@@ -2,7 +2,7 @@
title: 4793(S) The Password Policy Checking API was called. (Windows 10)
description: Describes security event 4793(S) The Password Policy Checking API was called.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4793(S): The Password Policy Checking API was called.
diff --git a/windows/security/threat-protection/auditing/event-4794.md b/windows/security/threat-protection/auditing/event-4794.md
index 9ecf3cfcb7..6e585048c1 100644
--- a/windows/security/threat-protection/auditing/event-4794.md
+++ b/windows/security/threat-protection/auditing/event-4794.md
@@ -2,7 +2,7 @@
title: 4794(S, F) An attempt was made to set the Directory Services Restore Mode administrator password. (Windows 10)
description: Describes security event 4794(S, F) An attempt was made to set the Directory Services Restore Mode administrator password.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4794(S, F): An attempt was made to set the Directory Services Restore Mode administrator password.
diff --git a/windows/security/threat-protection/auditing/event-4798.md b/windows/security/threat-protection/auditing/event-4798.md
index 76e806ffcf..3fddfd9b65 100644
--- a/windows/security/threat-protection/auditing/event-4798.md
+++ b/windows/security/threat-protection/auditing/event-4798.md
@@ -2,7 +2,7 @@
title: 4798(S) A user's local group membership was enumerated. (Windows 10)
description: Describes security event 4798(S) A user's local group membership was enumerated.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4798(S): A user's local group membership was enumerated.
diff --git a/windows/security/threat-protection/auditing/event-4799.md b/windows/security/threat-protection/auditing/event-4799.md
index c9963afbb0..18b337fcdc 100644
--- a/windows/security/threat-protection/auditing/event-4799.md
+++ b/windows/security/threat-protection/auditing/event-4799.md
@@ -2,7 +2,7 @@
title: 4799(S) A security-enabled local group membership was enumerated. (Windows 10)
description: Describes security event 4799(S) A security-enabled local group membership was enumerated.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4799(S): A security-enabled local group membership was enumerated.
diff --git a/windows/security/threat-protection/auditing/event-4800.md b/windows/security/threat-protection/auditing/event-4800.md
index b0be9a0f3a..92c543f8b0 100644
--- a/windows/security/threat-protection/auditing/event-4800.md
+++ b/windows/security/threat-protection/auditing/event-4800.md
@@ -2,7 +2,7 @@
title: 4800(S) The workstation was locked. (Windows 10)
description: Describes security event 4800(S) The workstation was locked. This event is generated when a workstation is locked.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4800(S): The workstation was locked.
diff --git a/windows/security/threat-protection/auditing/event-4801.md b/windows/security/threat-protection/auditing/event-4801.md
index 61e2682379..ed7c8ec85c 100644
--- a/windows/security/threat-protection/auditing/event-4801.md
+++ b/windows/security/threat-protection/auditing/event-4801.md
@@ -2,7 +2,7 @@
title: 4801(S) The workstation was unlocked. (Windows 10)
description: Describes security event 4801(S) The workstation was unlocked. This event is generated when workstation is unlocked.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4801(S): The workstation was unlocked.
diff --git a/windows/security/threat-protection/auditing/event-4802.md b/windows/security/threat-protection/auditing/event-4802.md
index a00ead7497..9f5fa2b8e3 100644
--- a/windows/security/threat-protection/auditing/event-4802.md
+++ b/windows/security/threat-protection/auditing/event-4802.md
@@ -2,7 +2,7 @@
title: 4802(S) The screen saver was invoked. (Windows 10)
description: Describes security event 4802(S) The screen saver was invoked. This event is generated when screen saver is invoked.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4802(S): The screen saver was invoked.
diff --git a/windows/security/threat-protection/auditing/event-4803.md b/windows/security/threat-protection/auditing/event-4803.md
index 0354849e13..20304e4527 100644
--- a/windows/security/threat-protection/auditing/event-4803.md
+++ b/windows/security/threat-protection/auditing/event-4803.md
@@ -2,7 +2,7 @@
title: 4803(S) The screen saver was dismissed. (Windows 10)
description: Describes security event 4803(S) The screen saver was dismissed. This event is generated when screen saver is dismissed.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4803(S): The screen saver was dismissed.
diff --git a/windows/security/threat-protection/auditing/event-4816.md b/windows/security/threat-protection/auditing/event-4816.md
index 1efa9756ec..9e36c52bb1 100644
--- a/windows/security/threat-protection/auditing/event-4816.md
+++ b/windows/security/threat-protection/auditing/event-4816.md
@@ -2,7 +2,7 @@
title: 4816(S) RPC detected an integrity violation while decrypting an incoming message. (Windows 10)
description: Describes security event 4816(S) RPC detected an integrity violation while decrypting an incoming message.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4816(S): RPC detected an integrity violation while decrypting an incoming message.
diff --git a/windows/security/threat-protection/auditing/event-4817.md b/windows/security/threat-protection/auditing/event-4817.md
index efdf01da8a..48757706f8 100644
--- a/windows/security/threat-protection/auditing/event-4817.md
+++ b/windows/security/threat-protection/auditing/event-4817.md
@@ -2,7 +2,7 @@
title: 4817(S) Auditing settings on object were changed. (Windows 10)
description: Describes security event 4817(S) Auditing settings on object were changed.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4817(S): Auditing settings on object were changed.
diff --git a/windows/security/threat-protection/auditing/event-4818.md b/windows/security/threat-protection/auditing/event-4818.md
index 1134b02c0b..7da8723ef4 100644
--- a/windows/security/threat-protection/auditing/event-4818.md
+++ b/windows/security/threat-protection/auditing/event-4818.md
@@ -2,7 +2,7 @@
title: 4818(S) Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy. (Windows 10)
description: Describes security event 4818(S) Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4818(S): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.
diff --git a/windows/security/threat-protection/auditing/event-4819.md b/windows/security/threat-protection/auditing/event-4819.md
index c2de9d1e36..58fa2fcf24 100644
--- a/windows/security/threat-protection/auditing/event-4819.md
+++ b/windows/security/threat-protection/auditing/event-4819.md
@@ -2,7 +2,7 @@
title: 4819(S) Central Access Policies on the machine have been changed. (Windows 10)
description: Describes security event 4819(S) Central Access Policies on the machine have been changed.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4819(S): Central Access Policies on the machine have been changed.
diff --git a/windows/security/threat-protection/auditing/event-4826.md b/windows/security/threat-protection/auditing/event-4826.md
index 3729924d93..29f4675931 100644
--- a/windows/security/threat-protection/auditing/event-4826.md
+++ b/windows/security/threat-protection/auditing/event-4826.md
@@ -2,7 +2,7 @@
title: 4826(S) Boot Configuration Data loaded. (Windows 10)
description: Describes security event 4826(S) Boot Configuration Data loaded. This event is generated every time system starts and loads Boot Configuration Data settings.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4826(S): Boot Configuration Data loaded.
diff --git a/windows/security/threat-protection/auditing/event-4864.md b/windows/security/threat-protection/auditing/event-4864.md
index 5556b207b5..ca1995291e 100644
--- a/windows/security/threat-protection/auditing/event-4864.md
+++ b/windows/security/threat-protection/auditing/event-4864.md
@@ -2,7 +2,7 @@
title: 4864(S) A namespace collision was detected. (Windows 10)
description: Describes security event 4864(S) A namespace collision was detected. This event is generated when a namespace collision is detected.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4864(S): A namespace collision was detected.
diff --git a/windows/security/threat-protection/auditing/event-4865.md b/windows/security/threat-protection/auditing/event-4865.md
index 15e738f7be..e1ff8e242a 100644
--- a/windows/security/threat-protection/auditing/event-4865.md
+++ b/windows/security/threat-protection/auditing/event-4865.md
@@ -2,7 +2,7 @@
title: 4865(S) A trusted forest information entry was added. (Windows 10)
description: Describes security event 4865(S) A trusted forest information entry was added.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4865(S): A trusted forest information entry was added.
diff --git a/windows/security/threat-protection/auditing/event-4866.md b/windows/security/threat-protection/auditing/event-4866.md
index e0f05fbf3e..f189e60e01 100644
--- a/windows/security/threat-protection/auditing/event-4866.md
+++ b/windows/security/threat-protection/auditing/event-4866.md
@@ -2,7 +2,7 @@
title: 4866(S) A trusted forest information entry was removed. (Windows 10)
description: Describes security event 4866(S) A trusted forest information entry was removed.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4866(S): A trusted forest information entry was removed.
diff --git a/windows/security/threat-protection/auditing/event-4867.md b/windows/security/threat-protection/auditing/event-4867.md
index ae2bf03bb6..9635b1cd74 100644
--- a/windows/security/threat-protection/auditing/event-4867.md
+++ b/windows/security/threat-protection/auditing/event-4867.md
@@ -2,7 +2,7 @@
title: 4867(S) A trusted forest information entry was modified. (Windows 10)
description: Describes security event 4867(S) A trusted forest information entry was modified.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4867(S): A trusted forest information entry was modified.
diff --git a/windows/security/threat-protection/auditing/event-4902.md b/windows/security/threat-protection/auditing/event-4902.md
index c8b89b375c..d5a7640b84 100644
--- a/windows/security/threat-protection/auditing/event-4902.md
+++ b/windows/security/threat-protection/auditing/event-4902.md
@@ -2,7 +2,7 @@
title: 4902(S) The Per-user audit policy table was created. (Windows 10)
description: Describes security event 4902(S) The Per-user audit policy table was created.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4902(S): The Per-user audit policy table was created.
diff --git a/windows/security/threat-protection/auditing/event-4904.md b/windows/security/threat-protection/auditing/event-4904.md
index cfd3f1c0fe..d22ff00643 100644
--- a/windows/security/threat-protection/auditing/event-4904.md
+++ b/windows/security/threat-protection/auditing/event-4904.md
@@ -2,7 +2,7 @@
title: 4904(S) An attempt was made to register a security event source. (Windows 10)
description: Describes security event 4904(S) An attempt was made to register a security event source.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4904(S): An attempt was made to register a security event source.
diff --git a/windows/security/threat-protection/auditing/event-4905.md b/windows/security/threat-protection/auditing/event-4905.md
index bfc9d5bbb9..aa98ea5517 100644
--- a/windows/security/threat-protection/auditing/event-4905.md
+++ b/windows/security/threat-protection/auditing/event-4905.md
@@ -2,7 +2,7 @@
title: 4905(S) An attempt was made to unregister a security event source. (Windows 10)
description: Describes security event 4905(S) An attempt was made to unregister a security event source.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4905(S): An attempt was made to unregister a security event source.
diff --git a/windows/security/threat-protection/auditing/event-4906.md b/windows/security/threat-protection/auditing/event-4906.md
index 7782a6571d..617b7a2597 100644
--- a/windows/security/threat-protection/auditing/event-4906.md
+++ b/windows/security/threat-protection/auditing/event-4906.md
@@ -2,7 +2,7 @@
title: 4906(S) The CrashOnAuditFail value has changed. (Windows 10)
description: Describes security event 4906(S) The CrashOnAuditFail value has changed.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4906(S): The CrashOnAuditFail value has changed.
diff --git a/windows/security/threat-protection/auditing/event-4907.md b/windows/security/threat-protection/auditing/event-4907.md
index 6610d670eb..74edaaa9a3 100644
--- a/windows/security/threat-protection/auditing/event-4907.md
+++ b/windows/security/threat-protection/auditing/event-4907.md
@@ -2,7 +2,7 @@
title: 4907(S) Auditing settings on object were changed. (Windows 10)
description: Describes security event 4907(S) Auditing settings on object were changed.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4907(S): Auditing settings on object were changed.
diff --git a/windows/security/threat-protection/auditing/event-4908.md b/windows/security/threat-protection/auditing/event-4908.md
index 7573adb5f7..3a12a949e0 100644
--- a/windows/security/threat-protection/auditing/event-4908.md
+++ b/windows/security/threat-protection/auditing/event-4908.md
@@ -2,7 +2,7 @@
title: 4908(S) Special Groups Logon table modified. (Windows 10)
description: Describes security event 4908(S) Special Groups Logon table modified. This event is generated when the Special Groups Logon table is modified.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4908(S): Special Groups Logon table modified.
diff --git a/windows/security/threat-protection/auditing/event-4909.md b/windows/security/threat-protection/auditing/event-4909.md
index 2acda55983..9c3b067418 100644
--- a/windows/security/threat-protection/auditing/event-4909.md
+++ b/windows/security/threat-protection/auditing/event-4909.md
@@ -2,7 +2,7 @@
title: 4909(-) The local policy settings for the TBS were changed. (Windows 10)
description: Describes security event 4909(-) The local policy settings for the TBS were changed.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4909(-): The local policy settings for the TBS were changed.
diff --git a/windows/security/threat-protection/auditing/event-4910.md b/windows/security/threat-protection/auditing/event-4910.md
index 8b90247c65..948c3a6dab 100644
--- a/windows/security/threat-protection/auditing/event-4910.md
+++ b/windows/security/threat-protection/auditing/event-4910.md
@@ -2,7 +2,7 @@
title: 4910(-) The group policy settings for the TBS were changed. (Windows 10)
description: Describes security event 4910(-) The group policy settings for the TBS were changed.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4910(-): The group policy settings for the TBS were changed.
diff --git a/windows/security/threat-protection/auditing/event-4911.md b/windows/security/threat-protection/auditing/event-4911.md
index bbd17b1660..cf47c889e0 100644
--- a/windows/security/threat-protection/auditing/event-4911.md
+++ b/windows/security/threat-protection/auditing/event-4911.md
@@ -2,7 +2,7 @@
title: 4911(S) Resource attributes of the object were changed. (Windows 10)
description: Describes security event 4911(S) Resource attributes of the object were changed.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4911(S): Resource attributes of the object were changed.
diff --git a/windows/security/threat-protection/auditing/event-4912.md b/windows/security/threat-protection/auditing/event-4912.md
index cf141b9a2d..e4bc6d9d43 100644
--- a/windows/security/threat-protection/auditing/event-4912.md
+++ b/windows/security/threat-protection/auditing/event-4912.md
@@ -2,7 +2,7 @@
title: 4912(S) Per User Audit Policy was changed. (Windows 10)
description: Describes security event 4912(S) Per User Audit Policy was changed. This event is generated every time Per User Audit Policy is changed.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4912(S): Per User Audit Policy was changed.
diff --git a/windows/security/threat-protection/auditing/event-4913.md b/windows/security/threat-protection/auditing/event-4913.md
index 3be7e9bec3..95f0aa8b70 100644
--- a/windows/security/threat-protection/auditing/event-4913.md
+++ b/windows/security/threat-protection/auditing/event-4913.md
@@ -2,7 +2,7 @@
title: 4913(S) Central Access Policy on the object was changed. (Windows 10)
description: Describes security event 4913(S) Central Access Policy on the object was changed.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4913(S): Central Access Policy on the object was changed.
diff --git a/windows/security/threat-protection/auditing/event-4928.md b/windows/security/threat-protection/auditing/event-4928.md
index 664b36c1ca..45fa768785 100644
--- a/windows/security/threat-protection/auditing/event-4928.md
+++ b/windows/security/threat-protection/auditing/event-4928.md
@@ -2,7 +2,7 @@
title: 4928(S, F) An Active Directory replica source naming context was established. (Windows 10)
description: Describes security event 4928(S, F) An Active Directory replica source naming context was established.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4928(S, F): An Active Directory replica source naming context was established.
diff --git a/windows/security/threat-protection/auditing/event-4929.md b/windows/security/threat-protection/auditing/event-4929.md
index b5a1ba430e..9e126439a2 100644
--- a/windows/security/threat-protection/auditing/event-4929.md
+++ b/windows/security/threat-protection/auditing/event-4929.md
@@ -2,7 +2,7 @@
title: 4929(S, F) An Active Directory replica source naming context was removed. (Windows 10)
description: Describes security event 4929(S, F) An Active Directory replica source naming context was removed.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4929(S, F): An Active Directory replica source naming context was removed.
diff --git a/windows/security/threat-protection/auditing/event-4930.md b/windows/security/threat-protection/auditing/event-4930.md
index f7b993d3a9..42d488915d 100644
--- a/windows/security/threat-protection/auditing/event-4930.md
+++ b/windows/security/threat-protection/auditing/event-4930.md
@@ -2,7 +2,7 @@
title: 4930(S, F) An Active Directory replica source naming context was modified. (Windows 10)
description: Describes security event 4930(S, F) An Active Directory replica source naming context was modified.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4930(S, F): An Active Directory replica source naming context was modified.
diff --git a/windows/security/threat-protection/auditing/event-4931.md b/windows/security/threat-protection/auditing/event-4931.md
index 3f02d54421..fc3a7fc61f 100644
--- a/windows/security/threat-protection/auditing/event-4931.md
+++ b/windows/security/threat-protection/auditing/event-4931.md
@@ -2,7 +2,7 @@
title: 4931(S, F) An Active Directory replica destination naming context was modified. (Windows 10)
description: Describes security event 4931(S, F) An Active Directory replica destination naming context was modified.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4931(S, F): An Active Directory replica destination naming context was modified.
diff --git a/windows/security/threat-protection/auditing/event-4932.md b/windows/security/threat-protection/auditing/event-4932.md
index 615a83328d..4450fb0acc 100644
--- a/windows/security/threat-protection/auditing/event-4932.md
+++ b/windows/security/threat-protection/auditing/event-4932.md
@@ -2,7 +2,7 @@
title: 4932(S) Synchronization of a replica of an Active Directory naming context has begun. (Windows 10)
description: Describes security event 4932(S) Synchronization of a replica of an Active Directory naming context has begun.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4932(S): Synchronization of a replica of an Active Directory naming context has begun.
diff --git a/windows/security/threat-protection/auditing/event-4933.md b/windows/security/threat-protection/auditing/event-4933.md
index b5fbe33942..1143269597 100644
--- a/windows/security/threat-protection/auditing/event-4933.md
+++ b/windows/security/threat-protection/auditing/event-4933.md
@@ -2,7 +2,7 @@
title: 4933(S, F) Synchronization of a replica of an Active Directory naming context has ended. (Windows 10)
description: Describes security event 4933(S, F) Synchronization of a replica of an Active Directory naming context has ended.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4933(S, F): Synchronization of a replica of an Active Directory naming context has ended.
diff --git a/windows/security/threat-protection/auditing/event-4934.md b/windows/security/threat-protection/auditing/event-4934.md
index 4a5890af24..ffc4b9b4a3 100644
--- a/windows/security/threat-protection/auditing/event-4934.md
+++ b/windows/security/threat-protection/auditing/event-4934.md
@@ -2,7 +2,7 @@
title: 4934(S) Attributes of an Active Directory object were replicated. (Windows 10)
description: Describes security event 4934(S) Attributes of an Active Directory object were replicated.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4934(S): Attributes of an Active Directory object were replicated.
diff --git a/windows/security/threat-protection/auditing/event-4935.md b/windows/security/threat-protection/auditing/event-4935.md
index c9e2159bc0..f2910784e6 100644
--- a/windows/security/threat-protection/auditing/event-4935.md
+++ b/windows/security/threat-protection/auditing/event-4935.md
@@ -2,7 +2,7 @@
title: 4935(F) Replication failure begins. (Windows 10)
description: Describes security event 4935(F) Replication failure begins. This event is generated when Active Directory replication failure begins.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4935(F): Replication failure begins.
diff --git a/windows/security/threat-protection/auditing/event-4936.md b/windows/security/threat-protection/auditing/event-4936.md
index d9d60e43be..3f808bf11d 100644
--- a/windows/security/threat-protection/auditing/event-4936.md
+++ b/windows/security/threat-protection/auditing/event-4936.md
@@ -2,7 +2,7 @@
title: 4936(S) Replication failure ends. (Windows 10)
description: Describes security event 4936(S) Replication failure ends. This event is generated when Active Directory replication failure ends.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4936(S): Replication failure ends.
diff --git a/windows/security/threat-protection/auditing/event-4937.md b/windows/security/threat-protection/auditing/event-4937.md
index 8fb915289b..2775be1c5d 100644
--- a/windows/security/threat-protection/auditing/event-4937.md
+++ b/windows/security/threat-protection/auditing/event-4937.md
@@ -2,7 +2,7 @@
title: 4937(S) A lingering object was removed from a replica. (Windows 10)
description: Describes security event 4937(S) A lingering object was removed from a replica.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4937(S): A lingering object was removed from a replica.
diff --git a/windows/security/threat-protection/auditing/event-4944.md b/windows/security/threat-protection/auditing/event-4944.md
index ca2c97045e..1b6522a256 100644
--- a/windows/security/threat-protection/auditing/event-4944.md
+++ b/windows/security/threat-protection/auditing/event-4944.md
@@ -2,7 +2,7 @@
title: 4944(S) The following policy was active when the Windows Firewall started. (Windows 10)
description: Describes security event 4944(S) The following policy was active when the Windows Firewall started.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4944(S): The following policy was active when the Windows Firewall started.
diff --git a/windows/security/threat-protection/auditing/event-4945.md b/windows/security/threat-protection/auditing/event-4945.md
index 74d3f7c688..da8105bffc 100644
--- a/windows/security/threat-protection/auditing/event-4945.md
+++ b/windows/security/threat-protection/auditing/event-4945.md
@@ -2,7 +2,7 @@
title: 4945(S) A rule was listed when the Windows Firewall started. (Windows 10)
description: Describes security event 4945(S) A rule was listed when the Windows Firewall started.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4945(S): A rule was listed when the Windows Firewall started.
diff --git a/windows/security/threat-protection/auditing/event-4946.md b/windows/security/threat-protection/auditing/event-4946.md
index 4ff3dd9f1d..30ae25fd28 100644
--- a/windows/security/threat-protection/auditing/event-4946.md
+++ b/windows/security/threat-protection/auditing/event-4946.md
@@ -2,7 +2,7 @@
title: 4946(S) A change has been made to Windows Firewall exception list. A rule was added. (Windows 10)
description: Describes security event 4946(S) A change has been made to Windows Firewall exception list. A rule was added.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4946(S): A change has been made to Windows Firewall exception list. A rule was added.
diff --git a/windows/security/threat-protection/auditing/event-4947.md b/windows/security/threat-protection/auditing/event-4947.md
index deffae0186..b38eef6371 100644
--- a/windows/security/threat-protection/auditing/event-4947.md
+++ b/windows/security/threat-protection/auditing/event-4947.md
@@ -2,7 +2,7 @@
title: 4947(S) A change has been made to Windows Firewall exception list. A rule was modified. (Windows 10)
description: Describes security event 4947(S) A change has been made to Windows Firewall exception list. A rule was modified.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4947(S): A change has been made to Windows Firewall exception list. A rule was modified.
@@ -90,11 +91,11 @@ This event doesn't generate when Firewall rule was modified via Group Policy.
- **Rule ID** \[Type = UnicodeString\]: the unique identifier for modified firewall rule.
- To see the unique ID of the rule you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters:
+ To see the unique ID of the rule, navigate to the“**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters:
-- **Rule Name** \[Type = UnicodeString\]: the name of the rule which was modified. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
+- **Rule Name** \[Type = UnicodeString\]: the name of the rule that was modified. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
@@ -102,5 +103,5 @@ This event doesn't generate when Firewall rule was modified via Group Policy.
For 4947(S): A change has been made to Windows Firewall exception list. A rule was modified.
-- This event can be helpful in case you want to monitor all Firewall rules modifications which were done locally.
+- This event can be helpful in case you want to monitor all Firewall rules modifications that were done locally.
diff --git a/windows/security/threat-protection/auditing/event-4948.md b/windows/security/threat-protection/auditing/event-4948.md
index 5c86cb55c9..5f92a37c6a 100644
--- a/windows/security/threat-protection/auditing/event-4948.md
+++ b/windows/security/threat-protection/auditing/event-4948.md
@@ -2,7 +2,7 @@
title: 4948(S) A change has been made to Windows Firewall exception list. A rule was deleted. (Windows 10)
description: Describes security event 4948(S) A change has been made to Windows Firewall exception list. A rule was deleted.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4948(S): A change has been made to Windows Firewall exception list. A rule was deleted.
diff --git a/windows/security/threat-protection/auditing/event-4949.md b/windows/security/threat-protection/auditing/event-4949.md
index 983159d9e8..e304844bc8 100644
--- a/windows/security/threat-protection/auditing/event-4949.md
+++ b/windows/security/threat-protection/auditing/event-4949.md
@@ -2,7 +2,7 @@
title: 4949(S) Windows Firewall settings were restored to the default values. (Windows 10)
description: Describes security event 4949(S) Windows Firewall settings were restored to the default values.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4949(S): Windows Firewall settings were restored to the default values.
diff --git a/windows/security/threat-protection/auditing/event-4950.md b/windows/security/threat-protection/auditing/event-4950.md
index eb6c3770c9..54ead99c65 100644
--- a/windows/security/threat-protection/auditing/event-4950.md
+++ b/windows/security/threat-protection/auditing/event-4950.md
@@ -2,7 +2,7 @@
title: 4950(S) A Windows Firewall setting has changed. (Windows 10)
description: Describes security event 4950(S) A Windows Firewall setting has changed.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4950(S): A Windows Firewall setting has changed.
diff --git a/windows/security/threat-protection/auditing/event-4951.md b/windows/security/threat-protection/auditing/event-4951.md
index ff8ed88bdb..4a2c32b9e2 100644
--- a/windows/security/threat-protection/auditing/event-4951.md
+++ b/windows/security/threat-protection/auditing/event-4951.md
@@ -2,7 +2,7 @@
title: 4951(F) A rule has been ignored because its major version number was not recognized by Windows Firewall. (Windows 10)
description: Describes security event 4951(F) A rule has been ignored because its major version number was not recognized by Windows Firewall.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4951(F): A rule has been ignored because its major version number was not recognized by Windows Firewall.
diff --git a/windows/security/threat-protection/auditing/event-4952.md b/windows/security/threat-protection/auditing/event-4952.md
index 0bd8a3b9b6..150a0ac97d 100644
--- a/windows/security/threat-protection/auditing/event-4952.md
+++ b/windows/security/threat-protection/auditing/event-4952.md
@@ -2,7 +2,7 @@
title: 4952(F) Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. (Windows 10)
description: Security event 4952(F) Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4952(F): Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.
diff --git a/windows/security/threat-protection/auditing/event-4953.md b/windows/security/threat-protection/auditing/event-4953.md
index 0c705ce6cc..38d9aa6a3d 100644
--- a/windows/security/threat-protection/auditing/event-4953.md
+++ b/windows/security/threat-protection/auditing/event-4953.md
@@ -2,7 +2,7 @@
title: 4953(F) Windows Firewall ignored a rule because it could not be parsed. (Windows 10)
description: Describes security event 4953(F) Windows Firewall ignored a rule because it could not be parsed.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4953(F): Windows Firewall ignored a rule because it could not be parsed.
@@ -93,11 +94,11 @@ It can happen if Windows Firewall rule registry entry was corrupted.
- **ID** \[Type = UnicodeString\]: the unique identifier for ignored firewall rule.
- To see the unique ID of the rule you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters:
+ To see the unique ID of the rule, navigate to the “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters:
-- **Name** \[Type = UnicodeString\]: the name of the rule which was ignored. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
+- **Name** \[Type = UnicodeString\]: the name of the rule that was ignored. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
diff --git a/windows/security/threat-protection/auditing/event-4954.md b/windows/security/threat-protection/auditing/event-4954.md
index b58926388b..99bb6457e2 100644
--- a/windows/security/threat-protection/auditing/event-4954.md
+++ b/windows/security/threat-protection/auditing/event-4954.md
@@ -2,7 +2,7 @@
title: 4954(S) Windows Firewall Group Policy settings have changed. The new settings have been applied. (Windows 10)
description: Describes security event 4954(S) Windows Firewall Group Policy settings have changed. The new settings have been applied.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4954(S): Windows Firewall Group Policy settings have changed. The new settings have been applied.
diff --git a/windows/security/threat-protection/auditing/event-4956.md b/windows/security/threat-protection/auditing/event-4956.md
index 6af6a50864..34d36fa5d0 100644
--- a/windows/security/threat-protection/auditing/event-4956.md
+++ b/windows/security/threat-protection/auditing/event-4956.md
@@ -2,7 +2,7 @@
title: 4956(S) Windows Firewall has changed the active profile. (Windows 10)
description: Describes security event 4956(S) Windows Firewall has changed the active profile.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4956(S): Windows Firewall has changed the active profile.
diff --git a/windows/security/threat-protection/auditing/event-4957.md b/windows/security/threat-protection/auditing/event-4957.md
index 396a5b587d..8b822ee84c 100644
--- a/windows/security/threat-protection/auditing/event-4957.md
+++ b/windows/security/threat-protection/auditing/event-4957.md
@@ -2,7 +2,7 @@
title: 4957(F) Windows Firewall did not apply the following rule. (Windows 10)
description: Describes security event 4957(F) Windows Firewall did not apply the following rule.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4957(F): Windows Firewall did not apply the following rule.
diff --git a/windows/security/threat-protection/auditing/event-4958.md b/windows/security/threat-protection/auditing/event-4958.md
index 14d3b2ad4b..05922fd7a7 100644
--- a/windows/security/threat-protection/auditing/event-4958.md
+++ b/windows/security/threat-protection/auditing/event-4958.md
@@ -2,7 +2,7 @@
title: 4958(F) Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. (Windows 10)
description: Describes security event 4958(F) Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4958(F): Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.
diff --git a/windows/security/threat-protection/auditing/event-4964.md b/windows/security/threat-protection/auditing/event-4964.md
index 4cd9707147..0ee97ac194 100644
--- a/windows/security/threat-protection/auditing/event-4964.md
+++ b/windows/security/threat-protection/auditing/event-4964.md
@@ -2,7 +2,7 @@
title: 4964(S) Special groups have been assigned to a new logon. (Windows 10)
description: Describes security event 4964(S) Special groups have been assigned to a new logon.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4964(S): Special groups have been assigned to a new logon.
diff --git a/windows/security/threat-protection/auditing/event-4985.md b/windows/security/threat-protection/auditing/event-4985.md
index 2a98d42db6..9b3680639b 100644
--- a/windows/security/threat-protection/auditing/event-4985.md
+++ b/windows/security/threat-protection/auditing/event-4985.md
@@ -2,7 +2,7 @@
title: 4985(S) The state of a transaction has changed. (Windows 10)
description: Describes security event 4985(S) The state of a transaction has changed.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 4985(S): The state of a transaction has changed.
diff --git a/windows/security/threat-protection/auditing/event-5024.md b/windows/security/threat-protection/auditing/event-5024.md
index 9dede9c866..b24cd95e31 100644
--- a/windows/security/threat-protection/auditing/event-5024.md
+++ b/windows/security/threat-protection/auditing/event-5024.md
@@ -2,7 +2,7 @@
title: 5024(S) The Windows Firewall Service has started successfully. (Windows 10)
description: Describes security event 5024(S) The Windows Firewall Service has started successfully.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 5024(S): The Windows Firewall Service has started successfully.
diff --git a/windows/security/threat-protection/auditing/event-5025.md b/windows/security/threat-protection/auditing/event-5025.md
index d6a60c5da2..a9a3c5e14b 100644
--- a/windows/security/threat-protection/auditing/event-5025.md
+++ b/windows/security/threat-protection/auditing/event-5025.md
@@ -2,7 +2,7 @@
title: 5025(S) The Windows Firewall Service has been stopped. (Windows 10)
description: Describes security event 5025(S) The Windows Firewall Service has been stopped.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 5025(S): The Windows Firewall Service has been stopped.
diff --git a/windows/security/threat-protection/auditing/event-5027.md b/windows/security/threat-protection/auditing/event-5027.md
index 23bf6e5c30..4ea2177c6b 100644
--- a/windows/security/threat-protection/auditing/event-5027.md
+++ b/windows/security/threat-protection/auditing/event-5027.md
@@ -1,8 +1,8 @@
---
title: 5027(F) The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. (Windows 10)
-description: Details on security event 5027(F) The Windows Firewall Service was unable to retrieve the security policy from the local storage.
+description: Details on security event 5027(F) The Windows Firewall Service was unable to retrieve the security policy from the local storage.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 5027(F): The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.
diff --git a/windows/security/threat-protection/auditing/event-5028.md b/windows/security/threat-protection/auditing/event-5028.md
index 8929b86d33..9ab51ca985 100644
--- a/windows/security/threat-protection/auditing/event-5028.md
+++ b/windows/security/threat-protection/auditing/event-5028.md
@@ -2,7 +2,7 @@
title: 5028(F) The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. (Windows 10)
description: Describes security event 5028(F) The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 5028(F): The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.
diff --git a/windows/security/threat-protection/auditing/event-5029.md b/windows/security/threat-protection/auditing/event-5029.md
index dcdda6a60f..46d9b7b3e7 100644
--- a/windows/security/threat-protection/auditing/event-5029.md
+++ b/windows/security/threat-protection/auditing/event-5029.md
@@ -2,7 +2,7 @@
title: 5029(F) The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. (Windows 10)
description: Describes security event 5029(F) The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 5029(F): The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.
diff --git a/windows/security/threat-protection/auditing/event-5030.md b/windows/security/threat-protection/auditing/event-5030.md
index 37d3844e1f..de68bc30db 100644
--- a/windows/security/threat-protection/auditing/event-5030.md
+++ b/windows/security/threat-protection/auditing/event-5030.md
@@ -2,7 +2,7 @@
title: 5030(F) The Windows Firewall Service failed to start. (Windows 10)
description: Describes security event 5030(F) The Windows Firewall Service failed to start.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 5030(F): The Windows Firewall Service failed to start.
diff --git a/windows/security/threat-protection/auditing/event-5031.md b/windows/security/threat-protection/auditing/event-5031.md
index e6bcd4a68c..7453df6988 100644
--- a/windows/security/threat-protection/auditing/event-5031.md
+++ b/windows/security/threat-protection/auditing/event-5031.md
@@ -5,11 +5,12 @@ manager: dansimp
ms.author: dansimp
description: Describes security event 5031(F) The Windows Firewall Service blocked an application from accepting incoming connections on the network.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
+ms.technology: mde
---
# 5031(F): The Windows Firewall Service blocked an application from accepting incoming connections on the network.
diff --git a/windows/security/threat-protection/auditing/event-5032.md b/windows/security/threat-protection/auditing/event-5032.md
index 02b5e5768f..a356c6ba72 100644
--- a/windows/security/threat-protection/auditing/event-5032.md
+++ b/windows/security/threat-protection/auditing/event-5032.md
@@ -2,7 +2,7 @@
title: 5032(F) Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. (Windows 10)
description: Describes security event 5032(F) Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 5032(F): Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
diff --git a/windows/security/threat-protection/auditing/event-5033.md b/windows/security/threat-protection/auditing/event-5033.md
index 834f4c95b8..05552da629 100644
--- a/windows/security/threat-protection/auditing/event-5033.md
+++ b/windows/security/threat-protection/auditing/event-5033.md
@@ -2,7 +2,7 @@
title: 5033(S) The Windows Firewall Driver has started successfully. (Windows 10)
description: Describes security event 5033(S) The Windows Firewall Driver has started successfully.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 5033(S): The Windows Firewall Driver has started successfully.
diff --git a/windows/security/threat-protection/auditing/event-5034.md b/windows/security/threat-protection/auditing/event-5034.md
index c3f04488fa..7cef4c54e0 100644
--- a/windows/security/threat-protection/auditing/event-5034.md
+++ b/windows/security/threat-protection/auditing/event-5034.md
@@ -2,7 +2,7 @@
title: 5034(S) The Windows Firewall Driver was stopped. (Windows 10)
description: Describes security event 5034(S) The Windows Firewall Driver was stopped.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 5034(S): The Windows Firewall Driver was stopped.
diff --git a/windows/security/threat-protection/auditing/event-5035.md b/windows/security/threat-protection/auditing/event-5035.md
index 2815638be4..6b9d8a9488 100644
--- a/windows/security/threat-protection/auditing/event-5035.md
+++ b/windows/security/threat-protection/auditing/event-5035.md
@@ -2,7 +2,7 @@
title: 5035(F) The Windows Firewall Driver failed to start. (Windows 10)
description: Describes security event 5035(F) The Windows Firewall Driver failed to start.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 5035(F): The Windows Firewall Driver failed to start.
diff --git a/windows/security/threat-protection/auditing/event-5037.md b/windows/security/threat-protection/auditing/event-5037.md
index 026d2c2985..a189ce3f21 100644
--- a/windows/security/threat-protection/auditing/event-5037.md
+++ b/windows/security/threat-protection/auditing/event-5037.md
@@ -2,7 +2,7 @@
title: 5037(F) The Windows Firewall Driver detected critical runtime error. Terminating. (Windows 10)
description: Describes security event 5037(F) The Windows Firewall Driver detected critical runtime error. Terminating.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 5037(F): The Windows Firewall Driver detected critical runtime error. Terminating.
diff --git a/windows/security/threat-protection/auditing/event-5038.md b/windows/security/threat-protection/auditing/event-5038.md
index 15bd4ad7e1..eac7f9eea0 100644
--- a/windows/security/threat-protection/auditing/event-5038.md
+++ b/windows/security/threat-protection/auditing/event-5038.md
@@ -2,7 +2,7 @@
title: 5038(F) Code integrity determined that the image hash of a file is not valid. (Windows 10)
description: Describes security event 5038(F) Code integrity determined that the image hash of a file is not valid.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 5038(F): Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
diff --git a/windows/security/threat-protection/auditing/event-5039.md b/windows/security/threat-protection/auditing/event-5039.md
index 1f6c100b8d..fda19e5f16 100644
--- a/windows/security/threat-protection/auditing/event-5039.md
+++ b/windows/security/threat-protection/auditing/event-5039.md
@@ -2,7 +2,7 @@
title: 5039(-) A registry key was virtualized. (Windows 10)
description: Describes security event 5039(-) A registry key was virtualized. This event is generated when a registry key is virtualized using LUAFV.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 5039(-): A registry key was virtualized.
diff --git a/windows/security/threat-protection/auditing/event-5051.md b/windows/security/threat-protection/auditing/event-5051.md
index 0bf8362113..3ac07671d2 100644
--- a/windows/security/threat-protection/auditing/event-5051.md
+++ b/windows/security/threat-protection/auditing/event-5051.md
@@ -2,7 +2,7 @@
title: 5051(-) A file was virtualized. (Windows 10)
description: Describes security event 5051(-) A file was virtualized. This event is generated when a file is virtualized using LUAFV.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 5051(-): A file was virtualized.
diff --git a/windows/security/threat-protection/auditing/event-5056.md b/windows/security/threat-protection/auditing/event-5056.md
index a675d79c58..a717d05e4a 100644
--- a/windows/security/threat-protection/auditing/event-5056.md
+++ b/windows/security/threat-protection/auditing/event-5056.md
@@ -2,7 +2,7 @@
title: 5056(S) A cryptographic self-test was performed. (Windows 10)
description: Describes security event 5056(S) A cryptographic self-test was performed.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 5056(S): A cryptographic self-test was performed.
@@ -20,7 +21,7 @@ ms.author: dansimp
- Windows Server 2016
-This event generates in CNG Self-Test function. This is a Cryptographic Next Generation (CNG) function.
+This event generates in CNG Self-Test function. This function is a Cryptographic Next Generation (CNG) function.
For more information about Cryptographic Next Generation (CNG) visit these pages:
@@ -32,7 +33,7 @@ For more information about Cryptographic Next Generation (CNG) visit these pages
- 
- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
-- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
+- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command **wfpstate.xml** file will be generated. Open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
@@ -168,7 +169,7 @@ This event is generated for every received network packet.
For 5152(F): The Windows Filtering Platform blocked a packet.
-- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
+- If you have a pre-defined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
@@ -178,13 +179,13 @@ For 5152(F): The Windows Filtering Platform blocked a packet.
- If the computer or device should not have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5152](event-5152.md) events where **Destination Address** is an IP address from the Internet (not from private IP ranges).
-- If you know that the computer should never contact or be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.”
+- If you know that the computer should never contact or should never be contacted by certain network IP addresses, monitor for these addresses in **Destination Address**.
-- If you have an allow list of IP addresses that the computer or device is expected to contact or be contacted by, monitor for IP addresses in **“Destination Address”** that are not in the allow list.
+- If you have an allow list of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in **“Destination Address”** that are not in the allow list.
- If you need to monitor all inbound connections to a specific local port, monitor for [5152](event-5152.md) events with that “**Source Port**.**”**
-- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or compter, for example, anything other than 1, 6, or 17.
+- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or computer, for example, anything other than 1, 6, or 17.
- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
diff --git a/windows/security/threat-protection/auditing/event-5153.md b/windows/security/threat-protection/auditing/event-5153.md
index 8751b40002..ce3f53f60d 100644
--- a/windows/security/threat-protection/auditing/event-5153.md
+++ b/windows/security/threat-protection/auditing/event-5153.md
@@ -2,7 +2,7 @@
title: 5153(S) A more restrictive Windows Filtering Platform filter has blocked a packet. (Windows 10)
description: Describes security event 5153(S) A more restrictive Windows Filtering Platform filter has blocked a packet.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 5153(S): A more restrictive Windows Filtering Platform filter has blocked a packet.
diff --git a/windows/security/threat-protection/auditing/event-5154.md b/windows/security/threat-protection/auditing/event-5154.md
index f66366168d..5083012650 100644
--- a/windows/security/threat-protection/auditing/event-5154.md
+++ b/windows/security/threat-protection/auditing/event-5154.md
@@ -2,7 +2,7 @@
title: 5154(S) The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. (Windows 10)
description: Describes security event 5154(S) The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 5154(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
@@ -75,7 +76,7 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
**Application Information**:
-- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which was permitted to listen on the port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
+- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that was permitted to listen on the port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
@@ -103,7 +104,7 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
- 127.0.0.1 , ::1 - localhost
-- **Source Port** \[Type = UnicodeString\]: source TCP\\UDP port number which was requested for listening by application.
+- **Source Port** \[Type = UnicodeString\]: source TCP\\UDP port number that was requested for listening by application.
- **Protocol** \[Type = UInt32\]: protocol number. For example:
@@ -115,15 +116,15 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
**Filter Information:**
-- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which allows application to listen on the specific port. By default Windows firewall won't prevent a port from being listened by an application and if this application doesn’t match any filters you will get value **0** in this field.
+- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that allows application to listen on the specific port. By default Windows firewall won't prevent a port from being listened by an application and if this application doesn’t match any filters you will get value **0** in this field.
- To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As result of this command **filters.xml** file will be generated. You need to open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
+ To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
-- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
+- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command, the **wfpstate.xml** file will be generated. Open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
@@ -131,7 +132,7 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
For 5154(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
-- If you have a “whitelist” of applications that are associated with certain operating systems or server roles, and that are expected to listen on specific ports, monitor this event for **“Application Name”** and other relevant information.
+- If you have an “allow list” of applications that are associated with certain operating systems or server roles, and that are expected to listen on specific ports, monitor this event for **“Application Name”** and other relevant information.
- If a certain application is allowed to listen only on specific port numbers, monitor this event for **“Application Name”** and **“Network Information\\Source Port**.**”**
@@ -139,7 +140,7 @@ For 5154(S): The Windows Filtering Platform has permitted an application or serv
- If a certain application is allowed to use only TCP or UDP protocols, monitor this event for **“Application Name”** and the protocol number in **“Network Information\\Protocol**.**”**
-- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
+- If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
diff --git a/windows/security/threat-protection/auditing/event-5155.md b/windows/security/threat-protection/auditing/event-5155.md
index 9964b6f390..7d6eac1919 100644
--- a/windows/security/threat-protection/auditing/event-5155.md
+++ b/windows/security/threat-protection/auditing/event-5155.md
@@ -2,7 +2,7 @@
title: 5155(F) The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. (Windows 10)
description: Describes security event 5155(F) The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 5155(F): The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
diff --git a/windows/security/threat-protection/auditing/event-5156.md b/windows/security/threat-protection/auditing/event-5156.md
index 6a97371b47..8c1116cba5 100644
--- a/windows/security/threat-protection/auditing/event-5156.md
+++ b/windows/security/threat-protection/auditing/event-5156.md
@@ -2,7 +2,7 @@
title: 5156(S) The Windows Filtering Platform has permitted a connection. (Windows 10)
description: Describes security event 5156(S) The Windows Filtering Platform has permitted a connection.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 5156(S): The Windows Filtering Platform has permitted a connection.
@@ -80,7 +81,7 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co
**Application Information**:
-- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which received the connection. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
+- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that received the connection. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
@@ -130,7 +131,7 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co
- **Destination Port** \[Type = UnicodeString\]**:** port number where the connection was received.
-- **Protocol** \[Type = UInt32\]: number of protocol which was used.
+- **Protocol** \[Type = UInt32\]: number of the protocol that was used.
| Service | Protocol Number |
|----------------------------------------------------|-----------------|
@@ -152,15 +153,15 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co
**Filter Information:**
-- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which allowed the connection.
+- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that allowed the connection.
- To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As result of this command **filters.xml** file will be generated. You need to open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
+ To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
-- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
+- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command, the **wfpstate.xml** file will be generated. Open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
@@ -168,7 +169,7 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co
For 5156(S): The Windows Filtering Platform has permitted a connection.
-- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
+- If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
@@ -178,9 +179,9 @@ For 5156(S): The Windows Filtering Platform has permitted a connection.
- If the computer or device should not have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5156](event-5156.md) events where “**Destination Address”** is an IP address from the Internet (not from private IP ranges).
-- If you know that the computer should never contact or be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.**”**
+- If you know that the computer should never contact or should never be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.**”**
-- If you have an allow list of IP addresses that the computer or device is expected to contact or be contacted by, monitor for IP addresses in “**Destination Address”** that are not in the allow list.
+- If you have an allow list of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in “**Destination Address”** that are not in the allow list.
- If you need to monitor all inbound connections to a specific local port, monitor for [5156](event-5156.md) events with that “**Source Port**.**”**
diff --git a/windows/security/threat-protection/auditing/event-5157.md b/windows/security/threat-protection/auditing/event-5157.md
index f35e1cf804..2f2b2cd8fd 100644
--- a/windows/security/threat-protection/auditing/event-5157.md
+++ b/windows/security/threat-protection/auditing/event-5157.md
@@ -2,7 +2,7 @@
title: 5157(F) The Windows Filtering Platform has blocked a connection. (Windows 10)
description: Describes security event 5157(F) The Windows Filtering Platform has blocked a connection.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 5157(F): The Windows Filtering Platform has blocked a connection.
@@ -128,9 +129,9 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co
- 127.0.0.1 , ::1 - localhost
-- **Destination Port** \[Type = UnicodeString\]**:** port number which was used from remote machine to initiate connection.
+- **Destination Port** \[Type = UnicodeString\]**:** port number that was used from remote machine to initiate connection.
-- **Protocol** \[Type = UInt32\]: number of protocol which was used.
+- **Protocol** \[Type = UInt32\]: number of the protocol that was used.
| Service | Protocol Number |
|----------------------------------------------------|-----------------|
@@ -152,15 +153,15 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co
**Filter Information:**
-- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which blocked the connection.
+- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that blocked the connection.
- To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As result of this command **filters.xml** file will be generated. You need to open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
+ To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
-- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
+- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command, the **wfpstate.xml** file will be generated. Open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
@@ -168,7 +169,7 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co
For 5157(F): The Windows Filtering Platform has blocked a connection.
-- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
+- If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
@@ -178,13 +179,13 @@ For 5157(F): The Windows Filtering Platform has blocked a connection.
- If the\` computer or device should not have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5157](event-5157.md) events where “**Destination Address”** is an IP address from the Internet (not from private IP ranges).
-- If you know that the computer should never contact or be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.**”**
+- If you know that the computer should never contact or should never be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.**”**
-- If you have an allow list of IP addresses that the computer or device is expected to contact or be contacted by, monitor for IP addresses in “**Destination Address”** that are not in the allow list.
+- If you have an allow list of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in “**Destination Address”** that are not in the allow list.
- If you need to monitor all inbound connections to a specific local port, monitor for [5157](event-5157.md) events with that “**Source Port**.**”**
-- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or compter, for example, anything other than 1, 6, or 17.
+- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or computer, for example, anything other than 1, 6, or 17.
- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
diff --git a/windows/security/threat-protection/auditing/event-5158.md b/windows/security/threat-protection/auditing/event-5158.md
index 55dd4c04da..63753bbc2b 100644
--- a/windows/security/threat-protection/auditing/event-5158.md
+++ b/windows/security/threat-protection/auditing/event-5158.md
@@ -2,7 +2,7 @@
title: 5158(S) The Windows Filtering Platform has permitted a bind to a local port. (Windows 10)
description: Describes security event 5158(S) The Windows Filtering Platform has permitted a bind to a local port.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 5158(S): The Windows Filtering Platform has permitted a bind to a local port.
@@ -75,7 +76,7 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
**Application Information**:
-- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which was permitted to bind to the local port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
+- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that was permitted to bind to the local port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
@@ -107,7 +108,7 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
- **Source Port** \[Type = UnicodeString\]**:** port number which application was bind.
-- **Protocol** \[Type = UInt32\]: number of protocol which was used.
+- **Protocol** \[Type = UInt32\]: number of the protocol that was used.
| Service | Protocol Number |
|----------------------------------------------------|-----------------|
@@ -129,15 +130,15 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
**Filter Information:**
-- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which allows application to bind the port. By default Windows firewall won't prevent a port from being binded by an application and if this application doesn’t match any filters you will get value 0 in this field.
+- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that allows the application to bind the port. By default, Windows firewall won't prevent a port from being bound by an application. If this application doesn’t match any filters, you will get value 0 in this field.
- To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As result of this command **filters.xml** file will be generated. You need to open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
+ To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
-- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
+- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command, the **wfpstate.xml** file will be generated. Open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
@@ -145,7 +146,7 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
For 5158(S): The Windows Filtering Platform has permitted a bind to a local port.
-- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
+- If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
@@ -155,7 +156,7 @@ For 5158(S): The Windows Filtering Platform has permitted a bind to a local port
- If you need to monitor all actions with a specific local port, monitor for [5158](event-5158.md) events with that “**Source Port.”**
-- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or compter, for example, anything other than 6 or 17.
+- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or computer, for example, anything other than 6 or 17.
- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
diff --git a/windows/security/threat-protection/auditing/event-5159.md b/windows/security/threat-protection/auditing/event-5159.md
index 998321eae5..b5b867bc47 100644
--- a/windows/security/threat-protection/auditing/event-5159.md
+++ b/windows/security/threat-protection/auditing/event-5159.md
@@ -2,7 +2,7 @@
title: 5159(F) The Windows Filtering Platform has blocked a bind to a local port. (Windows 10)
description: Describes security event 5159(F) The Windows Filtering Platform has blocked a bind to a local port.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 5159(F): The Windows Filtering Platform has blocked a bind to a local port.
@@ -73,7 +74,7 @@ This event is logged if the Windows Filtering Platform has blocked a bind to a l
**Application Information**:
-- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which was permitted to bind to the local port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
+- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that was permitted to bind to the local port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
@@ -127,15 +128,15 @@ This event is logged if the Windows Filtering Platform has blocked a bind to a l
**Filter Information:**
-- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which blocks the application from binding to the port. By default, Windows firewall won't prevent a port from binding by an application, and if this application doesn’t match any filters, you will get value 0 in this field.
+- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that blocks the application from binding to the port. By default, Windows firewall won't prevent a port from binding by an application, and if this application doesn’t match any filters, you will get value 0 in this field.
- To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As a result of this command, **filters.xml** file will be generated. You need to open this file and find the specific substring with the required filter ID (**<filterId>**)**,** for example:
+ To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find the specific substring with the required filter ID (**<filterId>**)**,** for example:
- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
-- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
+- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command, the **wfpstate.xml** file will be generated. Open this file and find the specific substring with the required layer ID (**<layerId>**)**,** for example:
diff --git a/windows/security/threat-protection/auditing/event-5168.md b/windows/security/threat-protection/auditing/event-5168.md
index fcc35ba385..819d9f191e 100644
--- a/windows/security/threat-protection/auditing/event-5168.md
+++ b/windows/security/threat-protection/auditing/event-5168.md
@@ -2,7 +2,7 @@
title: 5168(F) SPN check for SMB/SMB2 failed. (Windows 10)
description: Describes security event 5168(F) SPN check for SMB/SMB2 failed. This event is generated when an SMB SPN check fails.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 5168(F): SPN check for SMB/SMB2 failed.
diff --git a/windows/security/threat-protection/auditing/event-5376.md b/windows/security/threat-protection/auditing/event-5376.md
index f888db6fb2..3d7cc2e623 100644
--- a/windows/security/threat-protection/auditing/event-5376.md
+++ b/windows/security/threat-protection/auditing/event-5376.md
@@ -2,7 +2,7 @@
title: 5376(S) Credential Manager credentials were backed up. (Windows 10)
description: Describes security event 5376(S) Credential Manager credentials were backed up.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 5376(S): Credential Manager credentials were backed up.
diff --git a/windows/security/threat-protection/auditing/event-5377.md b/windows/security/threat-protection/auditing/event-5377.md
index 1ed830b074..98ccff769a 100644
--- a/windows/security/threat-protection/auditing/event-5377.md
+++ b/windows/security/threat-protection/auditing/event-5377.md
@@ -2,7 +2,7 @@
title: 5377(S) Credential Manager credentials were restored from a backup. (Windows 10)
description: Describes security event 5377(S) Credential Manager credentials were restored from a backup.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 5377(S): Credential Manager credentials were restored from a backup.
diff --git a/windows/security/threat-protection/auditing/event-5378.md b/windows/security/threat-protection/auditing/event-5378.md
index bb48a36562..04395a702b 100644
--- a/windows/security/threat-protection/auditing/event-5378.md
+++ b/windows/security/threat-protection/auditing/event-5378.md
@@ -2,7 +2,7 @@
title: 5378(F) The requested credentials delegation was disallowed by policy. (Windows 10)
description: Describes security event 5378(F) The requested credentials delegation was disallowed by policy.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 5378(F): The requested credentials delegation was disallowed by policy.
diff --git a/windows/security/threat-protection/auditing/event-5447.md b/windows/security/threat-protection/auditing/event-5447.md
index 89dd2b5bf0..a647b4c565 100644
--- a/windows/security/threat-protection/auditing/event-5447.md
+++ b/windows/security/threat-protection/auditing/event-5447.md
@@ -2,7 +2,7 @@
title: 5447(S) A Windows Filtering Platform filter has been changed. (Windows 10)
description: Describes security event 5447(S) A Windows Filtering Platform filter has been changed.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 5447(S): A Windows Filtering Platform filter has been changed.
diff --git a/windows/security/threat-protection/auditing/event-5632.md b/windows/security/threat-protection/auditing/event-5632.md
index 756db4ebbf..0870e6a7fc 100644
--- a/windows/security/threat-protection/auditing/event-5632.md
+++ b/windows/security/threat-protection/auditing/event-5632.md
@@ -2,7 +2,7 @@
title: 5632(S, F) A request was made to authenticate to a wireless network. (Windows 10)
description: Describes security event 5632(S, F) A request was made to authenticate to a wireless network.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 5632(S, F): A request was made to authenticate to a wireless network.
diff --git a/windows/security/threat-protection/auditing/event-5633.md b/windows/security/threat-protection/auditing/event-5633.md
index d85599c157..1bb8d2d300 100644
--- a/windows/security/threat-protection/auditing/event-5633.md
+++ b/windows/security/threat-protection/auditing/event-5633.md
@@ -2,7 +2,7 @@
title: 5633(S, F) A request was made to authenticate to a wired network. (Windows 10)
description: Describes security event 5633(S, F) A request was made to authenticate to a wired network.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 5633(S, F): A request was made to authenticate to a wired network.
diff --git a/windows/security/threat-protection/auditing/event-5712.md b/windows/security/threat-protection/auditing/event-5712.md
index 2fae83e65f..5bb81e6f09 100644
--- a/windows/security/threat-protection/auditing/event-5712.md
+++ b/windows/security/threat-protection/auditing/event-5712.md
@@ -2,7 +2,7 @@
title: 5712(S) A Remote Procedure Call (RPC) was attempted. (Windows 10)
description: Describes security event 5712(S) A Remote Procedure Call (RPC) was attempted.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 5712(S): A Remote Procedure Call (RPC) was attempted.
diff --git a/windows/security/threat-protection/auditing/event-5888.md b/windows/security/threat-protection/auditing/event-5888.md
index 43f79ed55d..8531945a54 100644
--- a/windows/security/threat-protection/auditing/event-5888.md
+++ b/windows/security/threat-protection/auditing/event-5888.md
@@ -2,7 +2,7 @@
title: 5888(S) An object in the COM+ Catalog was modified. (Windows 10)
description: Describes security event 5888(S) An object in the COM+ Catalog was modified.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 5888(S): An object in the COM+ Catalog was modified.
diff --git a/windows/security/threat-protection/auditing/event-5889.md b/windows/security/threat-protection/auditing/event-5889.md
index 5daae37ce0..3fe376f85c 100644
--- a/windows/security/threat-protection/auditing/event-5889.md
+++ b/windows/security/threat-protection/auditing/event-5889.md
@@ -2,7 +2,7 @@
title: 5889(S) An object was deleted from the COM+ Catalog. (Windows 10)
description: Describes security event 5889(S) An object was deleted from the COM+ Catalog.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 5889(S): An object was deleted from the COM+ Catalog.
diff --git a/windows/security/threat-protection/auditing/event-5890.md b/windows/security/threat-protection/auditing/event-5890.md
index f5f0c81561..9a90b1a6a3 100644
--- a/windows/security/threat-protection/auditing/event-5890.md
+++ b/windows/security/threat-protection/auditing/event-5890.md
@@ -2,7 +2,7 @@
title: 5890(S) An object was added to the COM+ Catalog. (Windows 10)
description: Describes security event 5890(S) An object was added to the COM+ Catalog.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 5890(S): An object was added to the COM+ Catalog.
diff --git a/windows/security/threat-protection/auditing/event-6144.md b/windows/security/threat-protection/auditing/event-6144.md
index 7f0df8a521..7565e8f794 100644
--- a/windows/security/threat-protection/auditing/event-6144.md
+++ b/windows/security/threat-protection/auditing/event-6144.md
@@ -2,7 +2,7 @@
title: 6144(S) Security policy in the group policy objects has been applied successfully. (Windows 10)
description: Describes security event 6144(S) Security policy in the group policy objects has been applied successfully.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 6144(S): Security policy in the group policy objects has been applied successfully.
diff --git a/windows/security/threat-protection/auditing/event-6145.md b/windows/security/threat-protection/auditing/event-6145.md
index c9a27526cd..8b541749d6 100644
--- a/windows/security/threat-protection/auditing/event-6145.md
+++ b/windows/security/threat-protection/auditing/event-6145.md
@@ -2,7 +2,7 @@
title: 6145(F) One or more errors occurred while processing security policy in the group policy objects. (Windows 10)
description: Describes security event 6145(F) One or more errors occurred while processing security policy in the group policy objects.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 6145(F): One or more errors occurred while processing security policy in the group policy objects.
diff --git a/windows/security/threat-protection/auditing/event-6281.md b/windows/security/threat-protection/auditing/event-6281.md
index e8dfb2d7cf..b4d79cbbdb 100644
--- a/windows/security/threat-protection/auditing/event-6281.md
+++ b/windows/security/threat-protection/auditing/event-6281.md
@@ -2,7 +2,7 @@
title: 6281(F) Code Integrity determined that the page hashes of an image file are not valid. (Windows 10)
description: Describes security event 6281(F) Code Integrity determined that the page hashes of an image file are not valid.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 6281(F): Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
diff --git a/windows/security/threat-protection/auditing/event-6400.md b/windows/security/threat-protection/auditing/event-6400.md
index 7a379132bc..acefc262d9 100644
--- a/windows/security/threat-protection/auditing/event-6400.md
+++ b/windows/security/threat-protection/auditing/event-6400.md
@@ -2,7 +2,7 @@
title: 6400(-) BranchCache Received an incorrectly formatted response while discovering availability of content. (Windows 10)
description: Describes security event 6400(-) BranchCache Received an incorrectly formatted response while discovering availability of content.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 6400(-): BranchCache: Received an incorrectly formatted response while discovering availability of content.
diff --git a/windows/security/threat-protection/auditing/event-6401.md b/windows/security/threat-protection/auditing/event-6401.md
index 1ce4c083dd..1b442d10d9 100644
--- a/windows/security/threat-protection/auditing/event-6401.md
+++ b/windows/security/threat-protection/auditing/event-6401.md
@@ -2,7 +2,7 @@
title: 6401(-) BranchCache Received invalid data from a peer. Data discarded. (Windows 10)
description: Describes security event 6401(-) BranchCache Received invalid data from a peer. Data discarded.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 6401(-): BranchCache: Received invalid data from a peer. Data discarded.
diff --git a/windows/security/threat-protection/auditing/event-6402.md b/windows/security/threat-protection/auditing/event-6402.md
index dde20455d3..77a10ac4dc 100644
--- a/windows/security/threat-protection/auditing/event-6402.md
+++ b/windows/security/threat-protection/auditing/event-6402.md
@@ -2,7 +2,7 @@
title: 6402(-) BranchCache The message to the hosted cache offering it data is incorrectly formatted. (Windows 10)
description: Describes security event 6402(-) BranchCache The message to the hosted cache offering it data is incorrectly formatted.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 6402(-): BranchCache: The message to the hosted cache offering it data is incorrectly formatted.
diff --git a/windows/security/threat-protection/auditing/event-6403.md b/windows/security/threat-protection/auditing/event-6403.md
index e8020581ad..d730acb9d3 100644
--- a/windows/security/threat-protection/auditing/event-6403.md
+++ b/windows/security/threat-protection/auditing/event-6403.md
@@ -2,7 +2,7 @@
title: 6403(-) BranchCache The hosted cache sent an incorrectly formatted response to the client. (Windows 10)
description: Describes security event 6403(-) BranchCache The hosted cache sent an incorrectly formatted response to the client.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 6403(-): BranchCache: The hosted cache sent an incorrectly formatted response to the client.
diff --git a/windows/security/threat-protection/auditing/event-6404.md b/windows/security/threat-protection/auditing/event-6404.md
index 43228f26be..808c8e4264 100644
--- a/windows/security/threat-protection/auditing/event-6404.md
+++ b/windows/security/threat-protection/auditing/event-6404.md
@@ -2,7 +2,7 @@
title: 6404(-) BranchCache Hosted cache could not be authenticated using the provisioned SSL certificate. (Windows 10)
description: Describes security event 6404(-) BranchCache Hosted cache could not be authenticated using the provisioned SSL certificate.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 6404(-): BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.
diff --git a/windows/security/threat-protection/auditing/event-6405.md b/windows/security/threat-protection/auditing/event-6405.md
index ea59bc3fc7..2638753673 100644
--- a/windows/security/threat-protection/auditing/event-6405.md
+++ b/windows/security/threat-protection/auditing/event-6405.md
@@ -2,7 +2,7 @@
title: 6405(-) BranchCache %2 instance(s) of event id %1 occurred. (Windows 10)
description: Describes security event 6405(-) BranchCache %2 instance(s) of event id %1 occurred.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 6405(-): BranchCache: %2 instance(s) of event id %1 occurred.
diff --git a/windows/security/threat-protection/auditing/event-6406.md b/windows/security/threat-protection/auditing/event-6406.md
index d70fac0adb..11cef9058e 100644
--- a/windows/security/threat-protection/auditing/event-6406.md
+++ b/windows/security/threat-protection/auditing/event-6406.md
@@ -2,7 +2,7 @@
title: 6406(-) %1 registered to Windows Firewall to control filtering for the following %2. (Windows 10)
description: Describes security event 6406(-) %1 registered to Windows Firewall to control filtering for the following %2.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 6406(-): %1 registered to Windows Firewall to control filtering for the following: %2.
diff --git a/windows/security/threat-protection/auditing/event-6407.md b/windows/security/threat-protection/auditing/event-6407.md
index ca5e8e02d6..1e3d0cbd85 100644
--- a/windows/security/threat-protection/auditing/event-6407.md
+++ b/windows/security/threat-protection/auditing/event-6407.md
@@ -2,7 +2,7 @@
title: 6407(-) 1%. (Windows 10)
description: Describes security event 6407(-) 1%. This is a BranchCache event, which is outside the scope of this document.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 6407(-): 1%.
diff --git a/windows/security/threat-protection/auditing/event-6408.md b/windows/security/threat-protection/auditing/event-6408.md
index ffb33ccdee..d3bd29901c 100644
--- a/windows/security/threat-protection/auditing/event-6408.md
+++ b/windows/security/threat-protection/auditing/event-6408.md
@@ -2,7 +2,7 @@
title: 6408(-) Registered product %1 failed and Windows Firewall is now controlling the filtering for %2. (Windows 10)
description: Describes security event 6408(-) Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 6408(-): Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.
diff --git a/windows/security/threat-protection/auditing/event-6409.md b/windows/security/threat-protection/auditing/event-6409.md
index e1f76dbf69..97d212be9a 100644
--- a/windows/security/threat-protection/auditing/event-6409.md
+++ b/windows/security/threat-protection/auditing/event-6409.md
@@ -2,7 +2,7 @@
title: 6409(-) BranchCache A service connection point object could not be parsed. (Windows 10)
description: Describes security event 6409(-) BranchCache A service connection point object could not be parsed.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 6409(-): BranchCache: A service connection point object could not be parsed.
diff --git a/windows/security/threat-protection/auditing/event-6410.md b/windows/security/threat-protection/auditing/event-6410.md
index b13bbde8fc..a8980cfb49 100644
--- a/windows/security/threat-protection/auditing/event-6410.md
+++ b/windows/security/threat-protection/auditing/event-6410.md
@@ -2,7 +2,7 @@
title: 6410(F) Code integrity determined that a file does not meet the security requirements to load into a process. (Windows 10)
description: Describes security event 6410(F) Code integrity determined that a file does not meet the security requirements to load into a process.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 6410(F): Code integrity determined that a file does not meet the security requirements to load into a process.
diff --git a/windows/security/threat-protection/auditing/event-6416.md b/windows/security/threat-protection/auditing/event-6416.md
index 6e4c4af309..4b85673aa7 100644
--- a/windows/security/threat-protection/auditing/event-6416.md
+++ b/windows/security/threat-protection/auditing/event-6416.md
@@ -2,7 +2,7 @@
title: 6416(S) A new external device was recognized by the System. (Windows 10)
description: Describes security event 6416(S) A new external device was recognized by the System.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 6416(S): A new external device was recognized by the System.
diff --git a/windows/security/threat-protection/auditing/event-6419.md b/windows/security/threat-protection/auditing/event-6419.md
index e5c1d7fab1..90c145ff77 100644
--- a/windows/security/threat-protection/auditing/event-6419.md
+++ b/windows/security/threat-protection/auditing/event-6419.md
@@ -2,7 +2,7 @@
title: 6419(S) A request was made to disable a device. (Windows 10)
description: Describes security event 6419(S) A request was made to disable a device.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 6419(S): A request was made to disable a device.
diff --git a/windows/security/threat-protection/auditing/event-6420.md b/windows/security/threat-protection/auditing/event-6420.md
index 2ede6f7fce..51570d3ab3 100644
--- a/windows/security/threat-protection/auditing/event-6420.md
+++ b/windows/security/threat-protection/auditing/event-6420.md
@@ -2,7 +2,7 @@
title: 6420(S) A device was disabled. (Windows 10)
description: Describes security event 6420(S) A device was disabled. This event is generated when a specific device is disabled.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 6420(S): A device was disabled.
diff --git a/windows/security/threat-protection/auditing/event-6421.md b/windows/security/threat-protection/auditing/event-6421.md
index 4994eafbd7..ef4e0b856f 100644
--- a/windows/security/threat-protection/auditing/event-6421.md
+++ b/windows/security/threat-protection/auditing/event-6421.md
@@ -2,7 +2,7 @@
title: 6421(S) A request was made to enable a device. (Windows 10)
description: Describes security event 6421(S) A request was made to enable a device.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 6421(S): A request was made to enable a device.
diff --git a/windows/security/threat-protection/auditing/event-6422.md b/windows/security/threat-protection/auditing/event-6422.md
index 606f0228a6..2b2f45d1b8 100644
--- a/windows/security/threat-protection/auditing/event-6422.md
+++ b/windows/security/threat-protection/auditing/event-6422.md
@@ -2,7 +2,7 @@
title: 6422(S) A device was enabled. (Windows 10)
description: Describes security event 6422(S) A device was enabled. This event is generated when a specific device is enabled.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 6422(S): A device was enabled.
diff --git a/windows/security/threat-protection/auditing/event-6423.md b/windows/security/threat-protection/auditing/event-6423.md
index 67b96baef5..3332a01011 100644
--- a/windows/security/threat-protection/auditing/event-6423.md
+++ b/windows/security/threat-protection/auditing/event-6423.md
@@ -2,7 +2,7 @@
title: 6423(S) The installation of this device is forbidden by system policy. (Windows 10)
description: Describes security event 6423(S) The installation of this device is forbidden by system policy.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 6423(S): The installation of this device is forbidden by system policy.
diff --git a/windows/security/threat-protection/auditing/event-6424.md b/windows/security/threat-protection/auditing/event-6424.md
index 4e21756137..8ca1ce36d6 100644
--- a/windows/security/threat-protection/auditing/event-6424.md
+++ b/windows/security/threat-protection/auditing/event-6424.md
@@ -2,7 +2,7 @@
title: 6424(S) The installation of this device was allowed, after having previously been forbidden by policy. (Windows 10)
description: Describes security event 6424(S) The installation of this device was allowed, after having previously been forbidden by policy.
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
@@ -11,6 +11,7 @@ ms.date: 04/19/2017
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# 6424(S): The installation of this device was allowed, after having previously been forbidden by policy.
diff --git a/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md b/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md
index c9d3a1c9ba..1093140e38 100644
--- a/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md
+++ b/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md
@@ -4,7 +4,7 @@ description: The policy setting, File System (Global Object Access Auditing), en
ms.assetid: 4f215d61-0e23-46e4-9e58-08511105d25b
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/19/2017
+ms.technology: mde
---
# File System (Global Object Access Auditing)
diff --git a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md
index 0762f04322..1efc819647 100644
--- a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md
+++ b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md
@@ -1,7 +1,7 @@
---
title: How to get a list of XML data name elements in
If you aren’t quite ready to deploy this feature into your organization, you can run it in Audit mode to see if not loading untrusted fonts causes any usability or compatibility issues.
+- **Audit.** Turns on event logging, but doesn’t block fonts from loading, regardless of location. The name of the apps that use untrusted fonts appear in your event log.
-- **Exclude apps to load untrusted fonts.** You can exclude specific apps, allowing them to load untrusted fonts, even while this feature is turned on. For instructions, see [Fix apps having problems because of blocked fonts](#fix-apps-having-problems-because-of-blocked-fonts).
+ > [!NOTE]
+ > If you aren't quite ready to deploy this feature into your organization, you can run it in Audit mode to see if not loading untrusted fonts causes any usability or compatibility issues.
+
+- **Exclude apps to load untrusted fonts.** You can exclude specific apps, allowing them to load untrusted fonts, even while this feature is turned on. For instructions, see [Fix apps having problems because of blocked fonts](#fix-apps-having-problems-because-of-blocked-fonts).
## Potential reductions in functionality
After you turn this feature on, your employees might experience reduced functionality when:
-- Sending a print job to a remote printer server that uses this feature and where the spooler process hasn’t been specifically excluded. In this situation, any fonts that aren’t already available in the server’s %windir%/Fonts folder won’t be used.
+- Sending a print job to a remote printer server that uses this feature and where the spooler process hasn’t been specifically excluded. In this situation, any fonts that aren’t already available in the server’s %windir%/Fonts folder won’t be used.
-- Printing using fonts provided by the installed printer’s graphics .dll file, outside of the %windir%/Fonts folder. For more information, see [Introduction to Printer Graphics DLLs](https://go.microsoft.com/fwlink/p/?LinkId=522302).
+- Printing using fonts provided by the installed printer’s graphics .dll file, outside of the %windir%/Fonts folder. For more information, see [Introduction to Printer Graphics DLLs](https://go.microsoft.com/fwlink/p/?LinkId=522302).
-- Using first or third-party apps that use memory-based fonts.
+- Using first or third-party apps that use memory-based fonts.
-- Using Internet Explorer to look at websites that use embedded fonts. In this situation, the feature blocks the embedded font, causing the website to use a default font. However, not all fonts have all of the characters, so the website might render differently.
+- Using Internet Explorer to look at websites that use embedded fonts. In this situation, the feature blocks the embedded font, causing the website to use a default font. However, not all fonts have all of the characters, so the website might render differently.
-- Using desktop Office to look at documents with embedded fonts. In this situation, content shows up using a default font picked by Office.
+- Using desktop Office to look at documents with embedded fonts. In this situation, content shows up using a default font picked by Office.
## Turn on and use the Blocking Untrusted Fonts feature
Use Group Policy or the registry to turn this feature on, off, or to use audit mode.
@@ -56,9 +60,9 @@ Use Group Policy or the registry to turn this feature on, off, or to use audit m
**To turn on and use the Blocking Untrusted Fonts feature through Group Policy**
1. Open the Group Policy editor (gpedit.msc) and go to `Computer Configuration\Administrative Templates\System\Mitigation Options\Untrusted Font Blocking`.
-2. Click **Enabled** to turn the feature on, and then click one of the following **Migitation Options**:
+2. Click **Enabled** to turn the feature on, and then click one of the following **Mitigation Options**:
- - **Block untrusted fonts and log events.** Turns the feature on, blocking untrusted fonts and logging installation attempts to the event log.
+ - **Block untrusted fonts and log events.** Turns the feature on, blocking untrusted fonts and logging installation attempts to the event log.
- **Do not block untrusted fonts.** Turns the feature on, but doesn't block untrusted fonts nor does it log installation attempts to the event log.
@@ -73,9 +77,9 @@ To turn this feature on, off, or to use audit mode:
2. If the **MitigationOptions** key isn't there, right-click and add a new **QWORD (64-bit) Value**, renaming it to **MitigationOptions**.
-3. Right click on the **MitigationOptions** key, and then click **Modify**.
+3. Right click on the **MitigationOptions** key, and then click **Modify**.
- The **Edit QWORD (64-bit) Value** box opens.
+ The **Edit QWORD (64-bit) Value** box opens.
4. Make sure the **Base** option is **Hexadecimal**, and then update the **Value data**, making sure you keep your existing value, like in the important note below:
@@ -85,8 +89,8 @@ To turn this feature on, off, or to use audit mode:
- **To audit with this feature.** Type **3000000000000**.
- >[!Important]
- >Your existing **MitigationOptions** values should be saved during your update. For example, if the current value is *1000*, your updated value should be *1000000001000*.
+ > [!Important]
+ > Your existing **MitigationOptions** values should be saved during your update. For example, if the current value is *1000*, your updated value should be *1000000001000*.
5. Restart your computer.
@@ -104,27 +108,27 @@ After you turn this feature on, or start using Audit mode, you can look at your
FontType: Memory
FontPath:
Blocked: true
-
- >[!NOTE]
- >Because the **FontType** is *Memory*, there’s no associated **FontPath**.
+
+ > [!NOTE]
+ > Because the **FontType** is *Memory*, there’s no associated **FontPath**.
**Event Example 2 - Winlogon**
Winlogon.exe attempted loading a font that is restricted by font-loading policy.
FontType: File
FontPath: `\??\C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF`
Blocked: true
-
- >[!NOTE]
- >Because the **FontType** is *File*, there’s also an associated **FontPath**.
+
+ > [!NOTE]
+ > Because the **FontType** is *File*, there’s also an associated **FontPath**.
**Event Example 3 - Internet Explorer running in Audit mode**
Iexplore.exe attempted loading a font that is restricted by font-loading policy.
FontType: Memory
FontPath:
Blocked: false
-
- >[!NOTE]
- >In Audit mode, the problem is recorded, but the font isn’t blocked.
+
+ > [!NOTE]
+ > In Audit mode, the problem is recorded, but the font isn’t blocked.
## Fix apps having problems because of blocked fonts
Your company may still need apps that are having problems because of blocked fonts, so we suggest that you first run this feature in Audit mode to determine which fonts are causing the problems.
@@ -133,21 +137,15 @@ After you figure out the problematic fonts, you can try to fix your apps in 2 wa
**To fix your apps by installing the problematic fonts (recommended)**
-- On each computer with the app installed, right-click on the font name and click **Install**.
For example, if you want to exclude Microsoft Word processes, you’d use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`.
-2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using the steps in the [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature) section of this topic.
+2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using the steps in [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature), earlier in this article.
+
-
## Related content
-- [Dropping the “Untrusted Font Blocking” setting](https://blogs.technet.microsoft.com/secguide/2017/06/15/dropping-the-untrusted-font-blocking-setting/)
-
-
-
-
-
-
+- [Dropping the “Untrusted Font Blocking” setting](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/dropping-the-quot-untrusted-font-blocking-quot-setting/ba-p/701068/)
diff --git a/windows/security/threat-protection/change-history-for-threat-protection.md b/windows/security/threat-protection/change-history-for-threat-protection.md
index af17bfed1e..a1091576a5 100644
--- a/windows/security/threat-protection/change-history-for-threat-protection.md
+++ b/windows/security/threat-protection/change-history-for-threat-protection.md
@@ -1,9 +1,9 @@
---
-title: Change history for [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+title: "Change history for [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)"
ms.reviewer:
ms.author: dansimp
-description: This topic lists new and updated topics in the WWindows Defender ATP content set.
-ms.prod: w10
+description: This topic lists new and updated topics in the Defender for Endpoint content set.
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -13,14 +13,15 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.localizationpriority: medium
+ms.technology: mde
---
# Change history for threat protection
-This topic lists new and updated topics in the [Microsoft Defender ATP](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) documentation.
+This topic lists new and updated topics in the [Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) documentation.
## August 2018
New or changed topic | Description
---------------------|------------
-[Microsoft Defender Advanced Threat Protection](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) | Reorganized Windows 10 security topics to reflect the Windows Defender ATP platform.
+[Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) | Reorganized Windows 10 security topics to reflect the Defender for Endpoint platform.
diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
index add9bc1309..1c2d45ad8e 100644
--- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
+++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
@@ -1,7 +1,7 @@
---
title: How to control USB devices and other removable media using Intune (Windows 10)
description: You can configure Intune settings to reduce threats from removable storage such as USB devices.
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -11,15 +11,16 @@ author: dansimp
ms.reviewer: dansimp
manager: dansimp
audience: ITPro
+ms.technology: mde
---
-# How to control USB devices and other removable media using Microsoft Defender ATP
+# How to control USB devices and other removable media using Microsoft Defender for Endpoint
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-Microsoft recommends [a layered approach to securing removable media](https://aka.ms/devicecontrolblog), and Microsoft Defender ATP provides multiple monitoring and control features to help prevent threats in unauthorized peripherals from compromising your devices:
+Microsoft recommends [a layered approach to securing removable media](https://aka.ms/devicecontrolblog), and Microsoft Defender for Endpoint provides multiple monitoring and control features to help prevent threats in unauthorized peripherals from compromising your devices:
-1. [Discover plug and play connected events for peripherals in Microsoft Defender ATP advanced hunting](#discover-plug-and-play-connected-events). Identify or investigate suspicious usage activity.
+1. [Discover plug and play connected events for peripherals in Microsoft Defender for Endpoint advanced hunting](#discover-plug-and-play-connected-events). Identify or investigate suspicious usage activity.
2. Configure to allow or block only certain removable devices and prevent threats.
1. [Allow or block removable devices](#allow-or-block-removable-devices) based on granular configuration to deny write access to removable disks and approve or deny devices by using USB device IDs. Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices.
@@ -28,22 +29,22 @@ Microsoft recommends [a layered approach to securing removable media](https://ak
- Microsoft Defender Antivirus real-time protection (RTP) to scan removable storage for malware.
- The Attack Surface Reduction (ASR) USB rule to block untrusted and unsigned processes that run from USB.
- Direct Memory Access (DMA) protection settings to mitigate DMA attacks, including Kernel DMA Protection for Thunderbolt and blocking DMA until a user signs in.
-3. [Create customized alerts and response actions](#create-customized-alerts-and-response-actions) to monitor usage of removable devices based on these plug and play events or any other Microsoft Defender ATP events with [custom detection rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules).
+3. [Create customized alerts and response actions](#create-customized-alerts-and-response-actions) to monitor usage of removable devices based on these plug and play events or any other Microsoft Defender for Endpoint events with [custom detection rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules).
4. [Respond to threats](#respond-to-threats) from peripherals in real-time based on properties reported by each peripheral.
>[!Note]
->These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device, or use the [Storage/RemovableDiskDenyWriteAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-storage#storage-removablediskdenywriteaccess) to deny write access to removable disks. Additionally, you can [classify and protect files on Windows devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview) (including their mounted USB devices) by using Microsoft Defender ATP and Azure Information Protection.
+>These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device, or use the [Storage/RemovableDiskDenyWriteAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-storage#storage-removablediskdenywriteaccess) to deny write access to removable disks. Additionally, you can [classify and protect files on Windows devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview) (including their mounted USB devices) by using Microsoft Defender for Endpoint and Azure Information Protection.
## Discover plug and play connected events
-You can view plug and play connected events in Microsoft Defender ATP advanced hunting to identify suspicious usage activity or perform internal investigations.
-For examples of Microsoft Defender ATP advanced hunting queries, see the [Microsoft Defender ATP hunting queries GitHub repo](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries).
+You can view plug and play connected events in Microsoft Defender for Endpoint advanced hunting to identify suspicious usage activity or perform internal investigations.
+For examples of Defender for Endpoint advanced hunting queries, see the [Microsoft Defender for Endpoint hunting queries GitHub repo](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries).
-Sample Power BI report templates are available for Microsoft Defender ATP that you can use for Advanced hunting queries. With these sample templates, including one for device control, you can integrate the power of Advanced hunting into Power BI. See the [GitHub repository for PowerBI templates](https://github.com/microsoft/MDATP-PowerBI-Templates) for more information. See [Create custom reports using Power BI](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/api-power-bi) to learn more about Power BI integration.
+Sample Power BI report templates are available for Microsoft Defender for Endpoint that you can use for Advanced hunting queries. With these sample templates, including one for device control, you can integrate the power of Advanced hunting into Power BI. See the [GitHub repository for PowerBI templates](https://github.com/microsoft/MDATP-PowerBI-Templates) for more information. See [Create custom reports using Power BI](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/api-power-bi) to learn more about Power BI integration.
## Allow or block removable devices
-The following table describes the ways Microsoft Defender ATP can allow or block removable devices based on granular configuration.
+The following table describes the ways Microsoft Defender for Endpoint can allow or block removable devices based on granular configuration.
| Control | Description |
|----------|-------------|
@@ -54,11 +55,11 @@ The following table describes the ways Microsoft Defender ATP can allow or block
| [Allow installation and usage of specifically approved peripherals with matching device instance IDs](#allow-installation-and-usage-of-specifically-approved-peripherals-with-matching-device-instance-ids) | You can only install and use approved peripherals that match any of these device instance IDs. |
| [Prevent installation and usage of specifically prohibited peripherals with matching device instance IDs](#prevent-installation-and-usage-of-specifically-prohibited-peripherals-with-matching-device-instance-ids) | You can't install or use prohibited peripherals that match any of these device instance IDs. |
| [Limit services that use Bluetooth](#limit-services-that-use-bluetooth) | You can limit the services that can use Bluetooth. |
-| [Use Microsoft Defender ATP baseline settings](#use-microsoft-defender-atp-baseline-settings) | You can set the recommended configuration for ATP by using the Microsoft Defender ATP security baseline. |
+| [Use Microsoft Defender for Endpoint baseline settings](#use-microsoft-defender-for-endpoint-baseline-settings) | You can set the recommended configuration for ATP by using the Defender for Endpoint security baseline. |
### Restrict USB drives and other peripherals
-To prevent malware infections or data loss, an organization may restrict USB drives and other peripherals. The following table describes the ways Microsoft Defender ATP can help prevent installation and usage of USB drives and other peripherals.
+To prevent malware infections or data loss, an organization may restrict USB drives and other peripherals. The following table describes the ways Microsoft Defender for Endpoint can help prevent installation and usage of USB drives and other peripherals.
| Control | Description
|----------|-------------|
@@ -75,7 +76,7 @@ The above policies can also be set through the [Device Installation CSP settings
> [!Note]
> Always test and refine these settings with a pilot group of users and devices first before applying them in production.
-For more information about controlling USB devices, see the [Microsoft Defender ATP blog](https://www.microsoft.com/security/blog/2018/12/19/windows-defender-atp-has-protections-for-usb-and-removable-devices/).
+For more information about controlling USB devices, see the [Microsoft Defender for Endpoint blog](https://www.microsoft.com/security/blog/2018/12/19/windows-defender-atp-has-protections-for-usb-and-removable-devices/).
#### Allow installation and usage of USB drives and other peripherals
@@ -189,7 +190,7 @@ Allowing installation of specific devices requires also enabling [DeviceInstalla
### Prevent installation of specifically prohibited peripherals
-Microsoft Defender ATP blocks installation and usage of prohibited peripherals by using either of these options:
+Microsoft Defender for Endpoint blocks installation and usage of prohibited peripherals by using either of these options:
- [Administrative Templates](https://docs.microsoft.com/intune/administrative-templates-windows) can block any device with a matching hardware ID or setup class.
- [Device Installation CSP settings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) with a custom profile in Intune. You can [prevent installation of specific device IDs](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdeviceids) or [prevent specific device classes](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdevicesetupclasses).
@@ -212,26 +213,26 @@ Using Intune, you can limit the services that can use Bluetooth through the ["Bl
-### Use Microsoft Defender ATP baseline settings
+### Use Microsoft Defender for Endpoint baseline settings
-The Microsoft Defender ATP baseline settings represent the recommended configuration for ATP. Configuration settings for baseline are located in the edit profile page of the configuration settings.
+The Microsoft Defender for Endpoint baseline settings represent the recommended configuration for ATP. Configuration settings for baseline are located in the edit profile page of the configuration settings.
## Prevent threats from removable storage
-Removable storage devices can introduce additional security risk to your organization. Microsoft Defender ATP can help identify and block malicious files on removable storage devices.
+Removable storage devices can introduce additional security risk to your organization. Microsoft Defender for Endpoint can help identify and block malicious files on removable storage devices.
-Microsoft Defender ATP can also prevent USB peripherals from being used on devices to help prevent external threats. It does this by using the properties reported by USB peripherals to determine whether or not they can be installed and used on the device.
+Microsoft Defender for Endpoint can also prevent USB peripherals from being used on devices to help prevent external threats. It does this by using the properties reported by USB peripherals to determine whether or not they can be installed and used on the device.
Note that if you block USB devices or any other device classes using the device installation policies, connected devices, such as phones, can still charge.
>[!NOTE]
>Always test and refine these settings with a pilot group of users and devices first before widely distributing to your organization.
-The following table describes the ways Microsoft Defender ATP can help prevent threats from removable storage.
+The following table describes the ways Microsoft Defender for Endpoint can help prevent threats from removable storage.
-For more information about controlling USB devices, see the [Microsoft Defender ATP blog](https://aka.ms/devicecontrolblog).
+For more information about controlling USB devices, see the [Microsoft Defender for Endpoint blog](https://aka.ms/devicecontrolblog).
| Control | Description |
|----------|-------------|
@@ -266,29 +267,17 @@ Affected file types include executable files (such as .exe, .dll, or .scr) and s
These settings require [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus).
-1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/).
-2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**.
-
- 
-
+1. Sign in to the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/).
+2. Click **Devices** > **Windows** > **Configuration Policies** > **Create profile**.
+
3. Use the following settings:
-
- - Name: Type a name for the profile
- - Description: Type a description
- - Platform: Windows 10 or later
- - Profile type: Endpoint protection
-
- 
-
-4. Click **Configure** > **Windows Defender Exploit Guard** > **Attack Surface Reduction**.
-
+ - Platform: Windows 10 and later
+ - Profile type: Device restrictions
+ 
+4. Click **Create**.
5. For **Unsigned and untrusted processes that run from USB**, choose **Block**.
-
-
-6. Click **OK** to close **Attack Surface Reduction**, **Windows Defender Exploit Guard**, and **Endpoint protection**.
-
-7. Click **Create** to save the profile.
+6. Click **OK** to close settings and **Device restrictions**.
### Protect against Direct Memory Access (DMA) attacks
@@ -327,7 +316,7 @@ For information on device control related advance hunting events and examples on
## Respond to threats
-You can create custom alerts and automatic response actions with the [Microsoft Defender ATP Custom Detection Rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules). Response actions within the custom detection cover both machine and file level actions. You can also create alerts and automatic response actions using [PowerApps](https://powerapps.microsoft.com/) and [Flow](https://flow.microsoft.com/) with the [Microsoft Defender ATP connector](https://docs.microsoft.com/connectors/wdatp/). The connector supports actions for investigation, threat scanning, and restricting running applications. It is one of over 200 pre-defined connectors including Outlook, Teams, Slack, and more. Custom connectors can also be built. See [Connectors](https://docs.microsoft.com/connectors/) to learn more about connectors.
+You can create custom alerts and automatic response actions with the [Microsoft Defender for Endpoint Custom Detection Rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules). Response actions within the custom detection cover both machine and file level actions. You can also create alerts and automatic response actions using [PowerApps](https://powerapps.microsoft.com/) and [Flow](https://flow.microsoft.com/) with the [Microsoft Defender for Endpoint connector](https://docs.microsoft.com/connectors/wdatp/). The connector supports actions for investigation, threat scanning, and restricting running applications. It is one of over 200 pre-defined connectors including Outlook, Teams, Slack, and more. Custom connectors can also be built. See [Connectors](https://docs.microsoft.com/connectors/) to learn more about connectors.
For example, using either approach, you can automatically have the Microsoft Defender Antivirus run when a USB device is mounted onto a machine.
diff --git a/windows/security/threat-protection/device-control/device-control-report.md b/windows/security/threat-protection/device-control/device-control-report.md
new file mode 100644
index 0000000000..2c35de2163
--- /dev/null
+++ b/windows/security/threat-protection/device-control/device-control-report.md
@@ -0,0 +1,74 @@
+---
+title: Protect your organization’s data with device control
+description: Monitor your organization's data security through device control reports.
+ms.prod: m365-security
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+ms.author: v-ajupudi
+author: alluthewriter
+ms.reviewer: dansimp
+manager: dansimp
+audience: ITPro
+ms.technology: mde
+---
+# Protect your organization’s data with device control
+
+**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+Microsoft Defender for Endpoint device control protects against data loss, by monitoring and controlling media use by devices in your organization, such as the use of removable storage devices and USB drives.
+
+With the device control report, you can view events that relate to media usage, such as:
+
+- **Audit events:** Shows the number of audit events that occur when external media is connected.
+- **Policy events:** Shows the number of policy events that occur when a device control policy is triggered.
+
+> [!NOTE]
+> The audit event to track media usage is enabled by default for devices onboarded to Microsoft Defender for Endpoint.
+
+## Understanding the audit events
+
+The audit events include:
+
+- **USB drive mount and unmount:** Audit events that are generated when a USB drive is mounted or unmounted.
+- **PnP:** Plug and Play audit events are generated when removable storage, a printer, or Bluetooth media is connected.
+
+## Monitor device control security
+
+Device control in Microsoft Defender for Endpoint empowers security administrators with tools that enable them to track their organization’s device control security through reports. You can find the device control report in the Microsoft 365 security center by going to **Reports > Device protection**.
+
+The Device protection card on the **Reports** dashboard shows the number of audit events generated by media type, over the last 180 days.
+
+> [!div class="mx-imgBorder"]
+> 
+
+The **View details** button shows more media usage data in the **device control report** page.
+
+The page provides a dashboard with aggregated number of events per type and a list of events. Administrators can filter on time range, media class name, and device ID.
+
+> [!div class="mx-imgBorder"]
+> 
+
+When you select an event, a flyout appears that shows you more information:
+
+- **General details:** Date, Action mode, and the policy of this event.
+- **Media information:** Media information includes Media name, Class name, Class GUID, Device ID, Vendor ID, Volume, Serial number, and Bus type.
+- **Location details:** Device name and MDATP device ID.
+
+> [!div class="mx-imgBorder"]
+> 
+
+To see real-time activity for this media across the organization, select the **Open Advanced hunting** button. This includes an embedded, pre-defined query.
+
+> [!div class="mx-imgBorder"]
+> 
+
+To see the security of the device, select the **Open device page** button on the flyout. This button opens the device entity page.
+
+> [!div class="mx-imgBorder"]
+> 
+
+## Reporting delays
+
+The device control report can have a 12-hour delay from the time a media connection occurs to the time the event is reflected in the card or in the domain list.
diff --git a/windows/security/threat-protection/device-control/images/Detaileddevicecontrolreport.png b/windows/security/threat-protection/device-control/images/Detaileddevicecontrolreport.png
new file mode 100644
index 0000000000..1943ec1fab
Binary files /dev/null and b/windows/security/threat-protection/device-control/images/Detaileddevicecontrolreport.png differ
diff --git a/windows/security/threat-protection/device-control/images/Devicecontrolreportquery.png b/windows/security/threat-protection/device-control/images/Devicecontrolreportquery.png
new file mode 100644
index 0000000000..6913ecfcc6
Binary files /dev/null and b/windows/security/threat-protection/device-control/images/Devicecontrolreportquery.png differ
diff --git a/windows/security/threat-protection/device-control/images/Devicesecuritypage.png b/windows/security/threat-protection/device-control/images/Devicesecuritypage.png
new file mode 100644
index 0000000000..d35b3507f8
Binary files /dev/null and b/windows/security/threat-protection/device-control/images/Devicesecuritypage.png differ
diff --git a/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png b/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png
index 1b6d4aa708..4b8c80fdd7 100644
Binary files a/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png and b/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png differ
diff --git a/windows/security/threat-protection/device-control/images/create-profile.png b/windows/security/threat-protection/device-control/images/create-profile.png
index ada168228e..b0b7eb7237 100644
Binary files a/windows/security/threat-protection/device-control/images/create-profile.png and b/windows/security/threat-protection/device-control/images/create-profile.png differ
diff --git a/windows/security/threat-protection/device-control/images/devicecontrolcard.png b/windows/security/threat-protection/device-control/images/devicecontrolcard.png
new file mode 100644
index 0000000000..829014859f
Binary files /dev/null and b/windows/security/threat-protection/device-control/images/devicecontrolcard.png differ
diff --git a/windows/security/threat-protection/device-control/images/devicecontrolreportfilter.png b/windows/security/threat-protection/device-control/images/devicecontrolreportfilter.png
new file mode 100644
index 0000000000..a7cd33c892
Binary files /dev/null and b/windows/security/threat-protection/device-control/images/devicecontrolreportfilter.png differ
diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
index 35846937a0..1c2019f4f1 100644
--- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -1,7 +1,7 @@
---
title: Enable virtualization-based protection of code integrity
description: This article explains the steps to opt in to using HVCI on Windows devices.
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.author: ellevin
@@ -12,13 +12,12 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/01/2019
ms.reviewer:
+ms.technology: mde
---
# Enable virtualization-based protection of code integrity
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10.
Some applications, including device drivers, may be incompatible with HVCI.
@@ -198,7 +197,7 @@ Value | Description
**5.** | If present, NX protections are available.
**6.** | If present, SMM mitigations are available.
**7.** | If present, Mode Based Execution Control is available.
-
+**8.** | If present, APIC virtualization is available.
#### InstanceIdentifier
@@ -229,6 +228,7 @@ Value | Description
**1.** | If present, Windows Defender Credential Guard is configured.
**2.** | If present, HVCI is configured.
**3.** | If present, System Guard Secure Launch is configured.
+**4.** | If present, SMM Firmware Measurement is configured.
#### SecurityServicesRunning
@@ -240,6 +240,7 @@ Value | Description
**1.** | If present, Windows Defender Credential Guard is running.
**2.** | If present, HVCI is running.
**3.** | If present, System Guard Secure Launch is running.
+**4.** | If present, SMM Firmware Measurement is running.
#### Version
diff --git a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
index f60748b37b..5b4942082c 100644
--- a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
+++ b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
@@ -1,16 +1,16 @@
---
-title: WDAC and virtualization-based code integrity (Windows 10)
-description: Hardware and software system integrity-hardening capabilites that can be deployed separately or in combination with Windows Defender Application Control (WDAC).
+title: Windows Defender Application Control and virtualization-based code integrity (Windows 10)
+description: Hardware and software system integrity-hardening capabilities that can be deployed separately or in combination with Windows Defender Application Control (WDAC).
keywords: virtualization, security, malware, device guard
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.date: 07/01/2019
ms.reviewer:
manager: dansimp
ms.custom: asr
+ms.technology: mde
---
# Windows Defender Application Control and virtualization-based protection of code integrity
@@ -19,24 +19,24 @@ ms.custom: asr
- Windows 10
- Windows Server 2016
-Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows 10 systems so they operate with many of the properties of mobile devices. In this configuration, specific technologies work together to restrict devices to only run authorized apps by using a feature called configurable code integrity, while simultaneously hardening the OS against kernel memory attacks through the use of virtualization-based protection of code integrity (more specifically, HVCI).
+Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows 10 systems so they operate with many of the properties of mobile devices. In this configuration, specific technologies work together to restrict devices to only run authorized apps by using a feature called configurable code integrity, while simultaneously hardening the OS against kernel memory attacks by using virtualization-based protection of code integrity (more specifically, HVCI).
-Configurable code integrity policies and HVCI are very powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a very strong protection capability for Windows 10 devices.
+Configurable code integrity policies and HVCI are powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a strong protection capability for Windows 10 devices.
Using configurable code integrity to restrict devices to only authorized apps has these advantages over other solutions:
1. Configurable code integrity policy is enforced by the Windows kernel itself. As such, the policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run.
2. Configurable code integrity allows customers to set application control policy not only over code running in user mode, but also kernel mode hardware and software drivers and even code that runs as part of Windows.
-3. Customers can protect the configurable code integrity policy even from local administrator tampering by digitally signing the policy. This would mean that changing the policy would require both administrative privilege and access to the organization’s digital signing process, making it extremely difficult for an attacker with administrative privilege, or malicious software that managed to gain administrative privilege, to alter the application control policy.
-4. The entire configurable code integrity enforcement mechanism can be protected by HVCI, where even if a vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is significantly diminished. Why is this relevant? That’s because an attacker that compromises the kernel would otherwise have enough privilege to disable most system defenses and override the application control policies enforced by configurable code integrity or any other application control solution.
+3. Customers can protect the configurable code integrity policy even from local administrator tampering by digitally signing the policy. This would mean that changing the policy would require both administrative privilege and access to the organization’s digital signing process, making it difficult for an attacker with administrative privilege, or malicious software that managed to gain administrative privilege, to alter the application control policy.
+4. The entire configurable code integrity enforcement mechanism can be protected by HVCI, where even if a vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is diminished. Why is this relevant? That’s because an attacker that compromises the kernel would otherwise have enough privilege to disable most system defenses and override the application control policies enforced by configurable code integrity or any other application control solution.
## Windows Defender Application Control
-When we originally designed this configuration state, we did so with a specific security promise in mind. Although there were no direct dependencies between configurable code integrity and HVCI, we intentionally focused our discussion around the lockdown state you achieve when deploying them together. However, given that HVCI relies on Windows virtualization-based security, it comes with additional hardware, firmware, and kernel driver compatibility requirements that some older systems can’t meet. As a result, many IT Professionals assumed that because some systems couldn't use HVCI, they couldn’t use configurable code integrity either.
+When we originally designed this configuration state, we did so with a specific security promise in mind. Although there were no direct dependencies between configurable code integrity and HVCI, we intentionally focused our discussion around the lockdown state you achieve when deploying them together. However, given that HVCI relies on Windows virtualization-based security, it comes with more hardware, firmware, and kernel driver compatibility requirements that some older systems can’t meet. As a result, many IT Professionals assumed that because some systems couldn't use HVCI, they couldn’t use configurable code integrity either.
Configurable code integrity carries no specific hardware or software requirements other than running Windows 10, which means many IT professionals were wrongly denied the benefits of this powerful application control capability.
-Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. With this in mind, we are discussing and documenting configurable code integrity as a independent technology within our security stack and giving it a name of its own: [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control).
+Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. With this in mind, we are discussing and documenting configurable code integrity as an independent technology within our security stack and giving it a name of its own: [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control).
We hope this change will help us better communicate options for adopting application control within an organization.
## Related articles
diff --git a/windows/security/threat-protection/device-guard/memory-integrity.md b/windows/security/threat-protection/device-guard/memory-integrity.md
deleted file mode 100644
index 3ebdf7bf95..0000000000
--- a/windows/security/threat-protection/device-guard/memory-integrity.md
+++ /dev/null
@@ -1,25 +0,0 @@
----
-title: Memory integrity
-keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet
-description: Learn about memory integrity, a feature of Windows that ensures code running in the Windows kernel is securely designed and trustworthy.
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: levinec
-ms.author: ellevin
-ms.reviewer:
-manager: dansimp
----
-
-# Memory integrity
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Memory integrity is a feature of Windows that ensures code running in the Windows kernel is securely designed and trustworthy. It uses hardware virtualization and Hyper-V to protect Windows kernel mode processes from the injection and execution of malicious or unverified code. The integrity of code that runs on Windows is validated by memory integrity, making Windows resistant to attacks from malicious software. Memory integrity is a powerful security boundary that helps to block many types of malware from running in Windows 10 and Windows Server 2016 environments.
-
-For more information about Windows Security, see [Device protection in Windows Security](https://support.microsoft.com/help/4096339/windows-10-device-protection-in-windows-defender-security-center).
diff --git a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
index d594900ce7..47f912cc8d 100644
--- a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
@@ -2,7 +2,7 @@
title: Deployment guidelines for Windows Defender Device Guard (Windows 10)
description: Plan your deployment of Windows Defender Device Guard. Learn about hardware requirements, deployment approaches, code signing and code integrity policies.
keywords: virtualization, security, malware
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.localizationpriority: medium
author: dansimp
@@ -13,13 +13,12 @@ ms.topic: conceptual
ms.date: 10/20/2017
ms.reviewer:
ms.author: dansimp
+ms.technology: mde
---
# Baseline protections and additional qualifications for virtualization-based protection of code integrity
-**Applies to**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+**Applies to** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Computers must meet certain hardware, firmware, and software requirements in order to take advantage of all of the virtualization-based security (VBS) features in [Windows Defender Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md). Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats.
diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md
index 262058bf1d..7be719b91a 100644
--- a/windows/security/threat-protection/fips-140-validation.md
+++ b/windows/security/threat-protection/fips-140-validation.md
@@ -1,57 +1,64 @@
---
-title: FIPS 140 Validation
-description: This topic provides information on how Microsoft products and cryptographic modules comply with the U.S. Federal government standard FIPS 140.
-ms.prod: w10
+title: Federal Information Processing Standard (FIPS) 140 Validation
+description: Learn how Microsoft products and cryptographic modules follow the U.S. Federal government standard FIPS 140.
+ms.prod: m365-security
audience: ITPro
-author: dulcemontemayor
+author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
-ms.date: 11/05/2019
ms.reviewer:
+ms.technology: mde
---
# FIPS 140-2 Validation
## FIPS 140-2 standard overview
-The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard that defines minimum security requirements for cryptographic modules in information technology products, as defined in Section 5131 of the Information Technology Management Reform Act of 1996.
+The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard. FIPS is based on Section 5131 of the Information Technology Management Reform Act of 1996. It defines the minimum security requirements for cryptographic modules in IT products.
-The [Cryptographic Module Validation Program (CMVP)](https://csrc.nist.gov/Projects/cryptographic-module-validation-program), a joint effort of the U.S. National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS), validates cryptographic modules against the Security Requirements for Cryptographic Modules (part of FIPS 140-2) and related FIPS cryptography standards. The FIPS 140-2 security requirements cover eleven areas related to the design and implementation of a cryptographic module. The NIST Information Technology Laboratory operates a related program that validates the FIPS approved cryptographic algorithms in the module.
+The [Cryptographic Module Validation Program (CMVP)](https://csrc.nist.gov/Projects/cryptographic-module-validation-program) is a joint effort of the U.S. National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS). It validates cryptographic modules against the Security Requirements for Cryptographic Modules (part of FIPS 140-2) and related FIPS cryptography standards. The FIPS 140-2 security requirements cover 11 areas related to the design and implementation of a cryptographic module. The NIST Information Technology Laboratory operates a related program that validates the FIPS approved cryptographic algorithms in the module.
## Microsoft’s approach to FIPS 140-2 validation
-Microsoft maintains an active commitment to meeting the requirements of the FIPS 140-2 standard, having validated cryptographic modules against it since the inception of the standard in 2001. Microsoft validates its cryptographic modules under the NIST CMVP, as described above. Multiple Microsoft products, including Windows 10, Windows Server, and many cloud services, use these cryptographic modules.
+Microsoft maintains an active commitment to meeting the requirements of the FIPS 140-2 standard, having validated cryptographic modules against it since it was first established in 2001. Microsoft validates its cryptographic modules under the NIST CMVP, as described above. Multiple Microsoft products, including Windows 10, Windows Server, and many cloud services, use these cryptographic modules.
## Using Windows in a FIPS 140-2 approved mode of operation
-Windows 10 and Windows Server may be configured to run in a FIPS 140-2 approved mode of operation. This is commonly referred to as “FIPS mode.” When this mode is enabled, the Cryptographic Primitives Library (bcryptprimitives.dll) and Kernel Mode Cryptographic Primitives Library (CNG.sys) modules will run self-tests before Windows cryptographic operations are run. These self-tests are run in accordance with FIPS 140-2 Section 4.9 and are utilized to ensure that the modules are functioning properly. The Cryptographic Primitives Library and the Kernel Mode Cryptographic Primitives Library are the only modules affected by this mode of operation. The FIPS 140-2 approved mode of operation will not prevent Windows and its subsystems from using non-FIPS validated cryptographic algorithms. For applications or components beyond the Cryptographic Primitives Library and the Kernel Mode Cryptographic Primitives Library, FIPS mode is merely advisory.
-
-While US government regulations continue to mandate that FIPS mode be enabled on government computers running Windows, our recommendation is that it is each customer’s decision to make when considering enabling FIPS mode. There are many applications and protocols that look to the FIPS mode policy to determine which cryptographic functionality should be utilized in a given solution. We recommend that customers hoping to comply with FIPS 140-2 research the configuration settings of applications and protocols they may be using to ensure their solutions can be configured to utilize the FIPS 140-2 validated cryptography provided by Windows when it is operating in FIPS 140-2 approved mode.
-
+Windows 10 and Windows Server may be configured to run in a FIPS 140-2 approved mode of operation, commonly referred to as "FIPS mode." If you turn on FIPS mode, the Cryptographic Primitives Library (bcryptprimitives.dll) and Kernel Mode Cryptographic Primitives Library (CNG.sys) modules will run self-tests before Windows runs cryptographic operations. These self-tests are run according to FIPS 140-2 Section 4.9. They ensure that the modules are functioning properly.
+
+The Cryptographic Primitives Library and the Kernel Mode Cryptographic Primitives Library are the only modules affected by FIPS mode. FIPS mode won't prevent Windows and its subsystems from using non-FIPS validated cryptographic algorithms. FIPS mode is merely advisory for applications or components other than the Cryptographic Primitives Library and the Kernel Mode Cryptographic Primitives Library.
+
+US government regulations continue to mandate FIPS mode for government devices running Windows. Other customers should decide for themselves if FIPS mode is right for them. There are many applications and protocols that use FIPS mode policy to determine which cryptographic functionality to run. Customers seeking to follow the FIPS 140-2 standard should research the configuration settings of their applications and protocols. This research will help ensure that they can be configured to use FIPS 140-2 validated cryptography.
+
Achieving this FIPS 140-2 approved mode of operation of Windows requires administrators to complete all four steps outlined below.
### Step 1: Ensure FIPS 140-2 validated cryptographic modules are installed
-Administrators must ensure that all cryptographic modules installed are FIPS 140-2 validated. This is accomplished by cross-checking the version number of the cryptographic module with the table of validated modules at the end of this topic, organized by operating system release.
+Administrators must ensure that all cryptographic modules installed are FIPS 140-2 validated. Tables listing validated modules, organized by operating system release, are available later in this article.
### Step 2: Ensure all security policies for all cryptographic modules are followed
-Each of the cryptographic modules has a defined security policy that must be met for the module to operate in its FIPS 140-2 approved mode. The security policy may be found in each module’s published Security Policy Document (SPD). The SPDs for each module may be found by following the links in the table of validated modules at the end of this topic. Click on the module version number to view the published SPD for the module.
-
+Each of the cryptographic modules has a defined security policy that must be met for the module to operate in its FIPS 140-2 approved mode. The security policy may be found in each module’s published Security Policy Document (SPD). The SPDs for each module may be found in the table of validated modules at the end of this article. Select the module version number to view the published SPD for the module.
+
### Step 3: Enable the FIPS security policy
-Windows provides the security policy setting, “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing,” which is used by some Microsoft products to determine whether to operate in a FIPS 140-2 approved mode. When this policy is enabled, the validated cryptographic modules in Windows will also operate in FIPS approved mode. The policy may be set using Local Security Policy, as part of Group Policy, or through a Modern Device Management (MDM) solution. For more information on the policy, see [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing).
+Windows provides the security policy setting, *System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing*. This setting is used by some Microsoft products to determine whether to run in FIPS mode. When this policy is turned on, the validated cryptographic modules in Windows will also operate in FIPS mode. This policy may be set using Local Security Policy, as part of Group Policy, or through a Modern Device Management (MDM) solution. For more information on the policy, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing).
-### Step 4: Ensure only FIPS validated cryptographic algorithms are used
+### Step 4: Ensure that only FIPS validated cryptographic algorithms are used
-Neither the operating system nor the cryptographic modules can enforce a FIPS approved mode of operation, regardless of the FIPS security policy setting. To run in a FIPS approved mode, an application or service must check for the policy flag and enforce the security policies of the validated modules. If an application or service uses a non-approved cryptographic algorithm or does not follow the security policies of the validated modules, it is not operating in a FIPS approved mode.
+FIPS mode is enforced at the level of the application or service. It is not enforced by the operating system or by individual cryptographic modules. Applications or services running in FIPS mode must follow the security policies of validated modules. They must not use a cryptographic algorithm that isn't FIPS-compliant.
+
+In short, an application or service is running in FIPS mode if it:
+
+* Checks for the policy flag
+* Enforces security policies of validated modules
## Frequently asked questions
-### How long does it take to certify cryptographic modules?
+### How long does it take to certify a cryptographic module?
Microsoft begins certification of cryptographic modules after each major feature release of Windows 10 and Windows Server. The duration of each evaluation varies, depending on many factors.
@@ -59,29 +66,29 @@ Microsoft begins certification of cryptographic modules after each major feature
The cadence for starting module validation aligns with the feature updates of Windows 10 and Windows Server. As the software industry evolves, operating systems release more frequently. Microsoft completes validation work on major releases but, in between releases, seeks to minimize the changes to the cryptographic modules.
-### What is the difference between “FIPS 140 validated” and “FIPS 140 compliant”?
+### What is the difference between *FIPS 140 validated* and *FIPS 140 compliant*?
-“FIPS 140 validated” means that the cryptographic module, or a product that embeds the module, has been validated (“certified”) by the CMVP as meeting the FIPS 140-2 requirements. “FIPS 140 compliant” is an industry term for IT products that rely on FIPS 140 validated products for cryptographic functionality.
+*FIPS 140 validated* means that the cryptographic module, or a product that embeds the module, has been validated ("certified") by the CMVP as meeting the FIPS 140-2 requirements. *FIPS 140 compliant* is an industry term for IT products that rely on FIPS 140 validated products for cryptographic functionality.
-### I need to know if a Windows service or application is FIPS 140-2 validated.
+### How do I know if a Windows service or application is FIPS 140-2 validated?
-The cryptographic modules leveraged in Windows are validated through the CMVP, not individual services, applications, hardware peripherals, or other solutions. For a solution to be considered compliant, it must call a FIPS 140-2 validated cryptographic module in the underlying OS and the OS must be configured to run in FIPS mode. Contact the vendor of the service, application, or product for information on whether it calls a validated cryptographic module.
+The cryptographic modules used in Windows are validated through the CMVP. They aren't validated by individual services, applications, hardware peripherals, or other solutions. Any compliant solution must call a FIPS 140-2 validated cryptographic module in the underlying OS, and the OS must be configured to run in FIPS mode. Contact the vendor of the service, application, or product for information on whether it calls a validated cryptographic module.
-### What does "When operated in FIPS mode" mean on a certificate?
+### What does *When operated in FIPS mode* mean on a certificate?
-This caveat identifies required configuration and security rules that must be followed to use the cryptographic module in a way that is consistent with its FIPS 140-2 security policy. Each module has its own security policy—a precise specification of the security rules under which it will operate—and employs approved cryptographic algorithms, cryptographic key management, and authentication techniques. The security rules are defined in the Security Policy Document (SPD) for each module.
+This label means that certain configuration and security rules must be followed to use the cryptographic module in compliance with its FIPS 140-2 security policy. Each module has its own security policy—a precise specification of the security rules under which it will operate—and employs approved cryptographic algorithms, cryptographic key management, and authentication techniques. The security rules are defined in the Security Policy Document (SPD) for each module.
### What is the relationship between FIPS 140-2 and Common Criteria?
-These are two separate security standards with different, but complementary, purposes. FIPS 140-2 is designed specifically for validating software and hardware cryptographic modules, while Common Criteria is designed to evaluate security functions in IT software and hardware products. Common Criteria evaluations often rely on FIPS 140-2 validations to provide assurance that basic cryptographic functionality is implemented properly.
+FIPS 140-2 and Common Criteria are two separate security standards with different, but complementary, purposes. FIPS 140-2 is designed specifically for validating software and hardware cryptographic modules. Common Criteria are designed to evaluate security functions in IT software and hardware products. Common Criteria evaluations often rely on FIPS 140-2 validations to provide assurance that basic cryptographic functionality is implemented properly.
### How does FIPS 140 relate to Suite B?
-Suite B is a set of cryptographic algorithms defined by the U.S. National Security Agency (NSA) as part of its Cryptographic Modernization Program. The set of Suite B cryptographic algorithms are to be used for both unclassified information and most classified information. The Suite B cryptographic algorithms are a subset of the FIPS Approved cryptographic algorithms as allowed by the FIPS 140-2 standard.
+Suite B is a set of cryptographic algorithms defined by the U.S. National Security Agency (NSA) as part of its Cryptographic Modernization Program. The set of Suite B cryptographic algorithms are to be used for both unclassified information and most classified information. The Suite B cryptographic algorithms are a subset of the FIPS approved cryptographic algorithms allowed by the FIPS 140-2 standard.
### Is SMB3 (Server Message Block) FIPS 140 compliant in Windows?
-When Windows is configured to operate in FIPS 140 approved mode on both client and server, SMB3 is FIPS 140 compliant and relies on the underlying Windows FIPS 140 validated cryptographic modules for cryptographic operations.
+SMB3 can be FIPS 140 compliant, if Windows is configured to operate in FIPS 140 mode on both client and server. In FIPS mode, SMB3 relies on the underlying Windows FIPS 140 validated cryptographic modules for cryptographic operations.
## Microsoft FIPS 140-2 validated cryptographic modules
@@ -89,6 +96,76 @@ The following tables identify the cryptographic modules used in an operating sys
## Modules used by Windows
+##### Windows 10 Fall 2018 Update (Version 1809)
+
+Validated Editions: Home, Pro, Enterprise, Education
+
+
+
+
##### Windows 10 Spring 2018 Update (Version 1803)
Validated Editions: Home, Pro, Enterprise, Education
@@ -245,7 +322,7 @@ Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile
+
+Cryptographic Module
+Version (link to Security Policy)
+FIPS Certificate #
+Algorithms
+
+
+Cryptographic Primitives Library
+10.0.17763
+#3197
+See Security Policy and Certificate page for algorithm information
+
+
+Kernel Mode Cryptographic Primitives Library
+10.0.17763
+#3196
+See Security Policy and Certificate page for algorithm information
+
+
+Code Integrity
+10.0.17763
+#3644
+See Security Policy and Certificate page for algorithm information
+
+
+Windows OS Loader
+10.0.17763
+#3615
+See Security Policy and Certificate page for algorithm information
+
+
+Secure Kernel Code Integrity
+10.0.17763
+#3651
+See Security Policy and Certificate page for algorithm information
+
+
+BitLocker Dump Filter
+10.0.17763
+#3092
+See Security Policy and Certificate page for algorithm information
+
+
+Boot Manager
+10.0.17763
+#3089
+See Security Policy and Certificate page for algorithm information
+
+
+
+
+Virtual TPM
+10.0.17763
+#3690
+See Security Policy and Certificate page for algorithm information
+Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)
10.0.15063
#3095
-
+
Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)10.0.15063
#3094
-
@@ -264,51 +341,51 @@ Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile
+
Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)Boot Manager
10.0.15063
#3089
-
Windows OS Loader
10.0.15063
#3090
-
Windows Resume[1]
10.0.15063
#3091
-FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2523); SHS (Cert. #3790)
+FIPS approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2523); SHS (Cert. #3790)
BitLocker® Dump Filter[2]
10.0.15063
#3092
-FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2522); SHS (Cert. #3790)
+FIPS approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2522); SHS (Cert. #3790)
Code Integrity (ci.dll)
10.0.15063
#3093
-
Secure Kernel Code Integrity (skci.dll)[3]
10.0.15063
#3096
-Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)
10.0.14393
#2937
-
+
Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)Kernel Mode Cryptographic Primitives Library (cng.sys)
10.0.14393
#2936
-
+
Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)Boot Manager
10.0.14393
#2931
-
@@ -365,7 +442,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile
BitLocker® Windows OS Loader (winload)
10.0.14393
#2932
-FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
+FIPS approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
Other algorithms: NDRNG; MD5BitLocker® Windows Resume (winresume)[1]
10.0.14393
#2933
-FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
+FIPS approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
@@ -373,13 +450,13 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile
Other algorithms: MD5BitLocker® Dump Filter (dumpfve.sys)[2]
10.0.14393
#2934
-FIPS Approved algorithms: AES (Certs. #4061 and #4064)
+FIPS approved algorithms: AES (Certs. #4061 and #4064)
Code Integrity (ci.dll)
10.0.14393
#2935
-
+
Other algorithms: AES (non-compliant); MD5Secure Kernel Code Integrity (skci.dll)[3]
10.0.14393
#2938
-
+
Other algorithms: MD5Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)
10.0.10586
#2606
-
+
Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)Kernel Mode Cryptographic Primitives Library (cng.sys)
10.0.10586
#2605
-
+
Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)Boot Manager[4]
10.0.10586
#2700
-FIPS Approved algorithms: AES (Certs. #3653); HMAC (Cert. #2381); PBKDF (vendor affirmed); RSA (Cert. #1871); SHS (Certs. #3047 and #3048)
+FIPS approved algorithms: AES (Certs. #3653); HMAC (Cert. #2381); PBKDF (vendor affirmed); RSA (Cert. #1871); SHS (Certs. #3047 and #3048)
@@ -451,7 +528,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub
Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)BitLocker® Windows OS Loader (winload)[5]
10.0.10586
#2701
-FIPS Approved algorithms: AES (Certs. #3629 and #3653); RSA (Cert. #1871); SHS (Cert. #3048)
+FIPS approved algorithms: AES (Certs. #3629 and #3653); RSA (Cert. #1871); SHS (Cert. #3048)
@@ -459,7 +536,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub
Other algorithms: MD5; NDRNGBitLocker® Windows Resume (winresume)[6]
10.0.10586
#2702
-FIPS Approved algorithms: AES (Certs. #3653); RSA (Cert. #1871); SHS (Cert. #3048)
+FIPS approved algorithms: AES (Certs. #3653); RSA (Cert. #1871); SHS (Cert. #3048)
@@ -467,13 +544,13 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub
Other algorithms: MD5BitLocker® Dump Filter (dumpfve.sys)[7]
10.0.10586
#2703
-FIPS Approved algorithms: AES (Certs. #3653)
+FIPS approved algorithms: AES (Certs. #3653)
Code Integrity (ci.dll)
10.0.10586
#2604
-
+
Other algorithms: AES (non-compliant); MD5Secure Kernel Code Integrity (skci.dll)[8]
10.0.10586
#2607
-
+
Other algorithms: MD5Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)
10.0.10240
#2606
-
+
Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)Kernel Mode Cryptographic Primitives Library (cng.sys)
10.0.10240
#2605
-
+
Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)Boot Manager[9]
10.0.10240
#2600
-FIPS Approved algorithms: AES (Cert. #3497); HMAC (Cert. #2233); KTS (AES Cert. #3498); PBKDF (vendor affirmed); RSA (Cert. #1784); SHS (Certs. #2871 and #2886)
+FIPS approved algorithms: AES (Cert. #3497); HMAC (Cert. #2233); KTS (AES Cert. #3498); PBKDF (vendor affirmed); RSA (Cert. #1784); SHS (Certs. #2871 and #2886)
@@ -549,7 +626,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface
Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)BitLocker® Windows OS Loader (winload)[10]
10.0.10240
#2601
-FIPS Approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
+FIPS approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
@@ -557,7 +634,7 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface
Other algorithms: MD5; NDRNGBitLocker® Windows Resume (winresume)[11]
10.0.10240
#2602
-FIPS Approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
+FIPS approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
@@ -565,13 +642,13 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface
Other algorithms: MD5BitLocker® Dump Filter (dumpfve.sys)[12]
10.0.10240
#2603
-FIPS Approved algorithms: AES (Certs. #3497 and #3498)
+FIPS approved algorithms: AES (Certs. #3497 and #3498)
Code Integrity (ci.dll)
10.0.10240
#2604
-
+
Other algorithms: AES (non-compliant); MD5Secure Kernel Code Integrity (skci.dll)[13]
10.0.10240
#2607
-
+
Other algorithms: MD5Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)
6.3.9600 6.3.9600.17031
#2357
-
+
-Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)#2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
Kernel Mode Cryptographic Primitives Library (cng.sys)
6.3.9600 6.3.9600.17042
#2356
-
+
-Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
@@ -647,7 +724,7 @@ Validated Editions: RT, Pro, Enterprise, Phone, Embedded
Boot Manager
6.3.9600 6.3.9600.17031
#2351
-FIPS Approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
+FIPS approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)BitLocker® Windows OS Loader (winload)
6.3.9600 6.3.9600.17031
#2352
-FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
+FIPS approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
@@ -655,7 +732,7 @@ Validated Editions: RT, Pro, Enterprise, Phone, Embedded
Other algorithms: MD5; NDRNGBitLocker® Windows Resume (winresume)[14]
6.3.9600 6.3.9600.17031
#2353
-FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
+FIPS approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
@@ -663,7 +740,7 @@ Validated Editions: RT, Pro, Enterprise, Phone, Embedded
Other algorithms: MD5BitLocker® Dump Filter (dumpfve.sys)
6.3.9600 6.3.9600.17031
#2354
-FIPS Approved algorithms: AES (Cert. #2832)
+FIPS approved algorithms: AES (Cert. #2832)
@@ -671,7 +748,7 @@ Validated Editions: RT, Pro, Enterprise, Phone, Embedded
Other algorithms: N/ACode Integrity (ci.dll)
6.3.9600 6.3.9600.17031
#2355#2355
-
+
Other algorithms: MD5Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)
6.2.9200
#1892
-FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
+FIPS approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
@@ -708,17 +785,17 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone
-Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258); DSA (Cert. ); ECDSA (Cert. ); HMAC (Cert. ); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RSA (Certs. and ); SHS (Cert. ); Triple-DES (Cert. )
+Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258); DSA (Cert.); ECDSA (Cert.); HMAC (Cert.); KAS (Cert); KBKDF (Cert.); PBKDF (vendor affirmed); RSA (Certs. and); SHS (Cert.); Triple-DES (Cert.)
Kernel Mode Cryptographic Primitives Library (cng.sys)
6.2.9200
#1891
-FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
+FIPS approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
+Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
-Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258 and ); ECDSA (Cert. ); HMAC (Cert. ); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RNG (Cert. ); RSA (Certs. and ); SHS (Cert. ); Triple-DES (Cert. )
+Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258 and); ECDSA (Cert.); HMAC (Cert.); KAS (Cert.); KBKDF (Cert.); PBKDF (vendor affirmed); RNG (Cert.); RSA (Certs. and); SHS (Cert.); Triple-DES (Cert.)
-Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
@@ -726,7 +803,7 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone
Boot Manager
6.2.9200
#1895
-FIPS Approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
+FIPS approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
Other algorithms: MD5BitLocker® Windows OS Loader (WINLOAD)
6.2.9200
#1896
-FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
+FIPS approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
@@ -734,7 +811,7 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone
Other algorithms: AES (Cert. #2197; non-compliant); MD5; Non-Approved RNGBitLocker® Windows Resume (WINRESUME)[15]
6.2.9200
#1898
-FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
+FIPS approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
@@ -742,7 +819,7 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone
Other algorithms: MD5BitLocker® Dump Filter (DUMPFVE.SYS)
6.2.9200
#1899
-FIPS Approved algorithms: AES (Certs. #2196 and #2198)
+FIPS approved algorithms: AES (Certs. #2196 and #2198)
@@ -750,7 +827,7 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone
Other algorithms: N/ACode Integrity (CI.DLL)
6.2.9200
#1897
-FIPS Approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
+FIPS approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
@@ -758,19 +835,19 @@ Validated Editions: RT, Home, Pro, Enterprise, Phone
Other algorithms: MD5Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)
6.2.9200
#1893
-FIPS Approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
+FIPS approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
+Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Certificate, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#1902); Triple-DES (Cert. ); Triple-DES MAC (Triple-DES Cert. , vendor affirmed)
+Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#1902); Triple-DES (Cert.); Triple-DES MAC (Triple-DES Certificate, vendor affirmed)
-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. , key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
Enhanced Cryptographic Provider (RSAENH.DLL)
6.2.9200
#1894
-FIPS Approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
+FIPS approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
+Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
-Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
1329
-FIPS Approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); DSA (Cert. #386); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
+FIPS approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); DSA (Cert. #386); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 bits to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
+Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
-Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4#559 and ); SHS (Cert. ); Triple-DES (Cert. )
+Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4#559 and); SHS (Cert.); Triple-DES (Cert.)
-Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
Kernel Mode Cryptographic Primitives Library (cng.sys)
@@ -818,18 +895,18 @@ Validated Editions: Windows 7, Windows 7 SP1
1328
-FIPS Approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
+FIPS approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 bits to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
+Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
-Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
@@ -844,7 +921,7 @@ Validated Editions: Windows 7, Windows 7 SP1
Boot Manager
1319
-FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #557); SHS (Cert. #1081)
+FIPS approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #557); SHS (Cert. #1081)
-Other algorithms: MD5#1168 and ); HMAC (Cert. ); RSA (Cert. ); SHS (Cert. )
+Other algorithms: MD5#1168 and); HMAC (Cert.); RSA (Cert.); SHS (Cert.)
Other algorithms: MD51326
-FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #557); SHS (Cert. #1081)
+FIPS approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #557); SHS (Cert. #1081)
@@ -863,7 +940,7 @@ Validated Editions: Windows 7, Windows 7 SP1
Other algorithms: MD51332
-FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
+FIPS approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
@@ -876,7 +953,7 @@ Validated Editions: Windows 7, Windows 7 SP1
Other algorithms: Elephant Diffuser1327
-FIPS Approved algorithms: RSA (Cert. #557); SHS (Cert. #1081)
+FIPS approved algorithms: RSA (Cert. #557); SHS (Cert. #1081)
@@ -885,7 +962,7 @@ Validated Editions: Windows 7, Windows 7 SP1
Other algorithms: MD56.1.7600.16385
(no change in SP1)1331
-FIPS Approved algorithms: DSA (Cert. #385); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
+FIPS approved algorithms: DSA (Cert. #385); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
@@ -894,9 +971,9 @@ Validated Editions: Windows 7, Windows 7 SP1
Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC46.1.7600.16385
(no change in SP1)1330
-FIPS Approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #673); SHS (Cert. #1081); RSA (Certs. #557 and #559); Triple-DES (Cert. #846)
+FIPS approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #673); SHS (Cert. #1081); RSA (Certs. #557 and #559); Triple-DES (Cert. #846)
+Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
-Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 256-bits of encryption strength; non-compliant less than 112 bits of encryption strength)Boot Manager (bootmgr)
6.0.6001.18000 and 6.0.6002.18005
978
-FIPS Approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #354); SHS (Cert. #753)
+FIPS approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #354); SHS (Cert. #753)
@@ -938,37 +1015,37 @@ Validated Editions: Ultimate Edition
Winload OS Loader (winload.exe)
6.0.6001.18000, 6.0.6001.18027, 6.0.6001.18606, 6.0.6001.22125, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411 and 6.0.6002.22596
979
-FIPS Approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #354); SHS (Cert. #753)
+FIPS approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #354); SHS (Cert. #753)
Other algorithms: MD5Code Integrity (ci.dll)
6.0.6001.18000, 6.0.6001.18023, 6.0.6001.22120, and 6.0.6002.18005
980
-FIPS Approved algorithms: RSA (Cert. #354); SHS (Cert. #753)
+FIPS approved algorithms: RSA (Cert. #354); SHS (Cert. #753)
Other algorithms: MD5
Kernel Mode Security Support Provider Interface (ksecdd.sys)
-6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.228696.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.22869
+6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.22869
1000
-
Cryptographic Primitives Library (bcrypt.dll)
-6.0.6001.22202, 6.0.6002.18005, and 6.0.6002.228726.0.6001.22202, 6.0.6002.18005, and 6.0.6002.22872
+6.0.6001.22202, 6.0.6002.18005, and 6.0.6002.22872
1001
-
Enhanced Cryptographic Provider (RSAENH)
-6.0.6001.22202 and 6.0.6002.180056.0.6001.22202 and 6.0.6002.18005
+6.0.6001.22202 and 6.0.6002.18005
1002
-
Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)
-6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.18005
+6.0.6001.18000 and 6.0.6002.18005
1003
-Enhanced Cryptographic Provider (RSAENH)
6.0.6000.16386
893
-FIPS Approved algorithms: AES (Cert. #553); HMAC (Cert. #297); RNG (Cert. #321); RSA (Certs. #255 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
+FIPS approved algorithms: AES (Cert. #553); HMAC (Cert. #297); RNG (Cert. #321); RSA (Certs. #255 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
+Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
-Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)
6.0.6000.16386
894
-FIPS Approved algorithms: DSA (Cert. #226); RNG (Cert. #321); SHS (Cert. #618); Triple-DES (Cert. #549); Triple-DES MAC (Triple-DES Cert. #549, vendor affirmed)
+FIPS approved algorithms: DSA (Cert. #226); RNG (Cert. #321); SHS (Cert. #618); Triple-DES (Cert. #549); Triple-DES MAC (Triple-DES Cert. #549, vendor affirmed)
+Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4
-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4
@@ -1014,9 +1091,9 @@ Validated Editions: Ultimate Edition
BitLocker™ Drive Encryption
6.0.6000.16386
947
-FIPS Approved algorithms: AES (Cert. #715); HMAC (Cert. #386); SHS (Cert. #737)
+FIPS approved algorithms: AES (Cert. #715); HMAC (Cert. #386); SHS (Cert. #737)
Other algorithms: Elephant DiffuserKernel Mode Security Support Provider Interface (ksecdd.sys)
6.0.6000.16386, 6.0.6000.16870 and 6.0.6000.21067
891
-FIPS Approved algorithms: AES (Cert. #553); ECDSA (Cert. #60); HMAC (Cert. #298); RNG (Cert. #321); RSA (Certs. #257 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
+FIPS approved algorithms: AES (Cert. #553); ECDSA (Cert. #60); HMAC (Cert. #298); RNG (Cert. #321); RSA (Certs. #257 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
+Other algorithms: DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides 128 bits to 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; HMAC MD5
-Other algorithms: DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides 128 to 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; HMAC MD5Kernel Mode Cryptographic Module (FIPS.SYS)
5.1.2600.5512
997
-
Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)
5.1.2600.5507
990
-
Enhanced Cryptographic Provider (RSAENH)
5.1.2600.5507
989
-DSS/Diffie-Hellman Enhanced Cryptographic Provider
5.1.2600.2133
240
-
@@ -1117,7 +1194,7 @@ Validated Editions: Ultimate Edition
Microsoft Enhanced Cryptographic Provider
5.1.2600.2161
238
-Microsoft Enhanced Cryptographic Provider
5.1.2600.1029
238
-Kernel Mode Cryptographic Module
5.1.2600.0
241
-Kernel Mode Cryptographic Module (FIPS.SYS)
5.0.2195.1569
106
-
@@ -1181,7 +1258,7 @@ Validated Editions: Ultimate Edition
@@ -1208,7 +1285,7 @@ Validated Editions: Ultimate Edition
103
-Kernel Mode Cryptographic Module (FIPS.SYS)
5.0.2195.1569
106
-
@@ -1222,7 +1299,7 @@ Validated Editions: Ultimate Edition
@@ -1252,7 +1329,7 @@ Validated Editions: Ultimate Edition
103
-103
-Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider
5.0.2150.1
76
-Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider
5.0.1877.6 and 5.0.1877.7
75
-Base Cryptographic Provider
5.0.1877.6 and 5.0.1877.7
68
-FIPS Approved algorithms: SHA-1 (Certs. #20 and 21); DSA/SHA- 1 (Certs. #25 and 26); RSA (vendor affirmed)
+FIPS approved algorithms: SHA-1 (Certs. #20 and 21); DSA/SHA- 1 (Certs. #25 and 26); RSA (vendor affirmed)
@@ -1336,6 +1413,76 @@ Validated Editions: Ultimate Edition
## Modules used by Windows Server
+##### Windows Server 2019 (Version 1809)
+
+Validated Editions: Standard, Datacenter
+
+
Other algorithms: DES (Certs. #61, 62, 63 and 64); Triple-DES (allowed for US and Canadian Government use); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)
+
+
##### Windows Server (Version 1803)
Validated Editions: Standard, Datacenter
@@ -1492,7 +1639,7 @@ Validated Editions: Standard, Datacenter, Storage Server
+
+Cryptographic Module
+Version (link to Security Policy)
+FIPS Certificate #
+Algorithms
+
+
+Cryptographic Primitives Library
+10.0.17763
+#3197
+See Security Policy and Certificate page for algorithm information
+
+
+Kernel Mode Cryptographic Primitives Library
+10.0.17763
+#3196
+See Security Policy and Certificate page for algorithm information
+
+
+Code Integrity
+10.0.17763
+#3644
+See Security Policy and Certificate page for algorithm information
+
+
+Windows OS Loader
+10.0.17763
+#3615
+See Security Policy and Certificate page for algorithm information
+
+
+Secure Kernel Code Integrity
+10.0.17763
+#3651
+See Security Policy and Certificate page for algorithm information
+
+
+BitLocker Dump Filter
+10.0.17763
+#3092
+See Security Policy and Certificate page for algorithm information
+
+
+Boot Manager
+10.0.17763
+#3089
+See Security Policy and Certificate page for algorithm information
+
+
+
+
+Virtual TPM
+10.0.17763
+#3690
+See Security Policy and Certificate page for algorithm information
+Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)
10.0.14393
2937
-FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
+FIPS approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193, and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
@@ -1500,7 +1647,7 @@ Validated Editions: Standard, Datacenter, Storage Server
Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)Kernel Mode Cryptographic Primitives Library (cng.sys)
10.0.14393
2936
-FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
+FIPS approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193, and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
@@ -1508,14 +1655,14 @@ Validated Editions: Standard, Datacenter, Storage Server
Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)Boot Manager
10.0.14393
2931
-
@@ -1523,7 +1670,7 @@ Validated Editions: Standard, Datacenter, Storage Server
BitLocker® Windows OS Loader (winload)
10.0.14393
2932
-FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
+FIPS approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
Other algorithms: NDRNG; MD5BitLocker® Windows Resume (winresume)
10.0.14393
2933
-FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
+FIPS approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
@@ -1531,13 +1678,13 @@ Validated Editions: Standard, Datacenter, Storage Server
Other algorithms: MD5BitLocker® Dump Filter (dumpfve.sys)
10.0.14393
2934
-FIPS Approved algorithms: AES (Certs. #4061 and #4064)
+FIPS approved algorithms: AES (Certs. #4061 and #4064)
@@ -1545,7 +1692,7 @@ Validated Editions: Standard, Datacenter, Storage Server
Code Integrity (ci.dll)
10.0.14393
2935
-FIPS Approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
+FIPS approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
Other algorithms: AES (non-compliant); MD5Secure Kernel Code Integrity (skci.dll)
10.0.14393
2938
-FIPS Approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
+FIPS approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
@@ -1571,23 +1718,23 @@ Validated Editions: Server, Storage Server,
Other algorithms: MD5Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)
6.3.9600 6.3.9600.17031
2357
-FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
+FIPS approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493, and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
+Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
-Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
Kernel Mode Cryptographic Primitives Library (cng.sys)
6.3.9600 6.3.9600.17042
2356
-FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
+FIPS approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493, and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
+Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
-Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
@@ -1595,7 +1742,7 @@ Validated Editions: Server, Storage Server,
Boot Manager
6.3.9600 6.3.9600.17031
2351
-FIPS Approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
+FIPS approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)BitLocker® Windows OS Loader (winload)
6.3.9600 6.3.9600.17031
2352
-FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
+FIPS approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
@@ -1603,7 +1750,7 @@ Validated Editions: Server, Storage Server,
Other algorithms: MD5; NDRNGBitLocker® Windows Resume (winresume)[16]
6.3.9600 6.3.9600.17031
2353
-FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
+FIPS approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
@@ -1611,7 +1758,7 @@ Validated Editions: Server, Storage Server,
Other algorithms: MD5BitLocker® Dump Filter (dumpfve.sys)[17]
6.3.9600 6.3.9600.17031
2354
-FIPS Approved algorithms: AES (Cert. #2832)
+FIPS approved algorithms: AES (Cert. #2832)
@@ -1619,7 +1766,7 @@ Validated Editions: Server, Storage Server,
Other algorithms: N/ACode Integrity (ci.dll)
6.3.9600 6.3.9600.17031
2355
-FIPS Approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)
+FIPS approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)
@@ -1627,9 +1774,9 @@ Validated Editions: Server, Storage Server,
Other algorithms: MD5Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)
6.2.9200
1892
-FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
+FIPS approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
+Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
-Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#687); ECDSA (Cert. ); HMAC (Cert. #); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RSA (Certs. and ); SHS (Cert. ); Triple-DES (Cert. )
+Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#687); ECDSA (Cert.); HMAC (Cert. #); KAS (Cert.); KBKDF (Cert.); PBKDF (vendor affirmed); RSA (Certs. and); SHS (Cert.); Triple-DES (Cert.)
-Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
Kernel Mode Cryptographic Primitives Library (cng.sys)
6.2.9200
1891
-FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
+FIPS approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
+Other algorithms: AES (Certificate, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
-Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#1110); RSA (Certs. and ); SHS (Cert. ); Triple-DES (Cert. )
+Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#1110); RSA (Certs. and); SHS (Cert.); Triple-DES (Cert.)
-Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
@@ -1675,7 +1822,7 @@ Validated Editions: Server, Storage Server
Boot Manager
6.2.9200
1895
-FIPS Approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
+FIPS approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
Other algorithms: MD5BitLocker® Windows OS Loader (WINLOAD)
6.2.9200
1896
-FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
+FIPS approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
@@ -1683,7 +1830,7 @@ Validated Editions: Server, Storage Server
Other algorithms: AES (Cert. #2197; non-compliant); MD5; Non-Approved RNGBitLocker® Windows Resume (WINRESUME)
6.2.9200
1898
-FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
+FIPS approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
@@ -1691,7 +1838,7 @@ Validated Editions: Server, Storage Server
Other algorithms: MD5BitLocker® Dump Filter (DUMPFVE.SYS)
6.2.9200
1899
-FIPS Approved algorithms: AES (Certs. #2196 and #2198)
+FIPS approved algorithms: AES (Certs. #2196 and #2198)
@@ -1699,7 +1846,7 @@ Validated Editions: Server, Storage Server
Other algorithms: N/ACode Integrity (CI.DLL)
6.2.9200
1897
-FIPS Approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
+FIPS approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
@@ -1707,7 +1854,7 @@ Validated Editions: Server, Storage Server
Other algorithms: MD5Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)
6.2.9200
1893
-FIPS Approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
+FIPS approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
@@ -1715,9 +1862,9 @@ Validated Editions: Server, Storage Server
Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)Enhanced Cryptographic Provider (RSAENH.DLL)
6.2.9200
1894
-FIPS Approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
+FIPS approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
+Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
-Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
Boot Manager (bootmgr)
-6.1.7600.16385 or 6.1.7601.175146.1.7600.16385 or 6.1.7601.17514
+6.1.7600.16385 or 6.1.7601.17514
1321
-FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #568); SHS (Cert. #1081)
+FIPS approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #568); SHS (Cert. #1081)
Other algorithms: MD5
Winload OS Loader (winload.exe)
-6.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.216756.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.21675
+6.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.21675
1333
-FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #568); SHS (Cert. #1081)
+FIPS approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #568); SHS (Cert. #1081)
Other algorithms: MD5
Code Integrity (ci.dll)
-6.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.221086.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.22108
+6.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.22108
1334
-FIPS Approved algorithms: RSA (Cert. #568); SHS (Cert. #1081)
+FIPS approved algorithms: RSA (Cert. #568); SHS (Cert. #1081)
Other algorithms: MD5
Kernel Mode Cryptographic Primitives Library (cng.sys)
-6.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.220766.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.22076
+6.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.22076
1335
-FIPS Approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
+FIPS approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 bits and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
+-Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
--Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
Cryptographic Primitives Library (bcryptprimitives.dll)
-66.1.7600.16385 or 6.1.7601.1751466.1.7600.16385 or 6.1.7601.17514
+66.1.7600.16385 or 6.1.7601.17514
1336
-FIPS Approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); DSA (Cert. #391); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
+FIPS approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); DSA (Cert. #391); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 bits and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
+Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 bits and 256 bits of encryption strength); DES; HMAC MD5; MD2; MD4; MD5; RC2; RC4
-Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; HMAC MD5; MD2; MD4; MD5; RC2; RC4
Enhanced Cryptographic Provider (RSAENH)
6.1.7600.16385
1337
-FIPS Approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #687); SHS (Cert. #1081); RSA (Certs. #559 and #568); Triple-DES (Cert. #846)
+FIPS approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #687); SHS (Cert. #1081); RSA (Certs. #559 and #568); Triple-DES (Cert. #846)
+Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
-Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)
6.1.7600.16385
1338
-FIPS Approved algorithms: DSA (Cert. #390); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
+FIPS approved algorithms: DSA (Cert. #390); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4
@@ -1813,61 +1960,61 @@ Validated Editions: Server, Storage Server
BitLocker™ Drive Encryption
-6.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.216756.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.21675
+6.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.21675
1339
-FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
+FIPS approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
Other algorithms: Elephant Diffuser
Boot Manager (bootmgr)
-6.0.6001.18000, 6.0.6002.18005 and 6.0.6002.224976.0.6001.18000, 6.0.6002.18005 and 6.0.6002.22497
+6.0.6001.18000, 6.0.6002.18005 and 6.0.6002.22497
1004
-FIPS Approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #355); SHS (Cert. #753)
+FIPS approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #355); SHS (Cert. #753)
Other algorithms: N/A
Winload OS Loader (winload.exe)
-6.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.225966.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.22596
+6.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.22596
1005
-FIPS Approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #355); SHS (Cert. #753)
+FIPS approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #355); SHS (Cert. #753)
Other algorithms: MD5
Code Integrity (ci.dll)
-6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.18005
+6.0.6001.18000 and 6.0.6002.18005
1006
-FIPS Approved algorithms: RSA (Cert. #355); SHS (Cert. #753)
+FIPS approved algorithms: RSA (Cert. #355); SHS (Cert. #753)
Other algorithms: MD5
Kernel Mode Security Support Provider Interface (ksecdd.sys)
-6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.228696.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.22869
+6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.22869
1007
-FIPS Approved algorithms: AES (Certs. #739 and #757); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90 AES-CTR, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
+FIPS approved algorithms: AES (Certs. #739 and #757); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90 AES-CTR, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
+Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
-Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#83); HMAC (Cert. ); RNG (Cert. and SP800-90 AES-CTR, vendor affirmed); RSA (Certs. and ); SHS (Cert. ); Triple-DES (Cert. )
+Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#83); HMAC (Cert.); RNG (Cert. and SP800-90 AES-CTR, vendor affirmed); RSA (Certs. and); SHS (Cert.); Triple-DES (Cert.)
-Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
Cryptographic Primitives Library (bcrypt.dll)
-6.0.6001.22202, 6.0.6002.18005 and 6.0.6002.228726.0.6001.22202, 6.0.6002.18005 and 6.0.6002.22872
+6.0.6001.22202, 6.0.6002.18005 and 6.0.6002.22872
1008
-FIPS Approved algorithms: AES (Certs. #739 and #757); DSA (Cert. #284); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
+FIPS approved algorithms: AES (Certs. #739 and #757); DSA (Cert. #284); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
+Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 bits and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength)
-Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength)
Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)
-6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.18005
+6.0.6001.18000 and 6.0.6002.18005
1009
-FIPS Approved algorithms: DSA (Cert. #282); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)
+FIPS approved algorithms: DSA (Cert. #282); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)
+-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4
--Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4
Enhanced Cryptographic Provider (RSAENH)
-6.0.6001.22202 and 6.0.6002.180056.0.6001.22202 and 6.0.6002.18005
+6.0.6001.22202 and 6.0.6002.18005
1010
-FIPS Approved algorithms: AES (Cert. #739); HMAC (Cert. #408); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #355); SHS (Cert. #753); Triple-DES (Cert. #656)
+FIPS approved algorithms: AES (Cert. #739); HMAC (Cert. #408); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #355); SHS (Cert. #753); Triple-DES (Cert. #656)
+Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 bits and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
-Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)
5.2.3790.3959
875
-
Kernel Mode Cryptographic Module (FIPS.SYS)
5.2.3790.3959
869
-
Enhanced Cryptographic Provider (RSAENH)
5.2.3790.3959
868
-Kernel Mode Cryptographic Module (FIPS.SYS)
5.2.3790.1830 [SP1]
405
-
[2] SP1 x86, x64, IA64Enhanced Cryptographic Provider (RSAENH)
5.2.3790.1830 [Service Pack 1])
382
-
[2] SP1 x86, x64, IA64Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)
5.2.3790.1830 [Service Pack 1]
381
-
[2] SP1 x86, x64, IA64Kernel Mode Cryptographic Module (FIPS.SYS)
5.2.3790.0
405
-
[2] SP1 x86, x64, IA64Enhanced Cryptographic Provider (RSAENH)
5.2.3790.0
382
-
[2] SP1 x86, x64, IA64Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)
5.2.3790.0
381
-
[2] SP1 x86, x64, IA64Enhanced Cryptographic Provider
7.00.2872 [1] and 8.00.6246 [2]
2957
-
Cryptographic Primitives Library (bcrypt.dll)
7.00.2872 [1] and 8.00.6246 [2]
2956
-Enhanced Cryptographic Provider
6.00.1937 [1] and 7.00.1687 [2]
825
-
@@ -2165,7 +2312,7 @@ The following tables are organized by cryptographic algorithms with their modes,
Outlook Cryptographic Provider (EXCHCSP)
-SR-1A (3821)SR-1A (3821)
+SR-1A (3821)
110
-
@@ -2181,7 +2328,7 @@ The following tables are organized by cryptographic algorithms with their modes,
@@ -2254,7 +2401,7 @@ The following tables are organized by cryptographic algorithms with their modes,
@@ -2360,7 +2507,7 @@ The following tables are organized by cryptographic algorithms with their modes,
@@ -2467,7 +2614,7 @@ The following tables are organized by cryptographic algorithms with their modes,
@@ -2495,7 +2642,7 @@ The following tables are organized by cryptographic algorithms with their modes,
@@ -2507,7 +2654,7 @@ The following tables are organized by cryptographic algorithms with their modes,
@@ -2530,9 +2677,9 @@ The following tables are organized by cryptographic algorithms with their modes,
@@ -2543,9 +2690,9 @@ The following tables are organized by cryptographic algorithms with their modes,
-
-
-
-
-
-
-
-
-
-
-(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
-IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 0 , 0 ) ; 96BitIV_Supported
-GMAC_Supported
+(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
+IV Generated: (Externally); PT Lengths Tested: (0, 1024, 8, 1016); Additional authenticated data lengths tested: (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96 bit IV supported
+GMAC supported
-
Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #4063
Version 10.0.14393
-
-
-
-
-
Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA32 Algorithm Implementations #3630
Version 10.0.10586
-
-(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
-IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 0 , 0 ) ; 96BitIV_Supported
-GMAC_Supported
+(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
+IV Generated: (Externally); PT Lengths Tested: (0, 1024, 8, 1016); Additional authenticated data lengths tested: (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96 bit IV supported
+GMAC supported
-
-
-
-(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
-IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 0 , 0 ) ; 96BitIV_Supported
-GMAC_Supported
+(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
+IV Generated: (Externally); PT Lengths Tested: (0, 1024, 8, 1016); Additional authenticated data lengths tested: (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96 bit IV supported
+GMAC supportedMicrosoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #3497
Version 10.0.10240
-
Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #3476
Version 10.0.10240
-
-
-
+
OtherIVLen_Supported
-GMAC_Supported
-
-AES Val#2197
-AES Val#2197
-(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
-IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported
-GMAC_Supported
+AES validation number 2197
+AES validation number 2197
+(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
+IV Generated: (Externally); PT Lengths Tested: (0, 128, 1024, 8, 1016); Additional authenticated data lengths tested: (0, 128, 1024, 8, 1016); IV Lengths Tested: (8, 1024); 96 bit IV supported
+GMAC supportedWindows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #2216
-
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #2198
-
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #2197
-
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #2196
-
CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 – 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
+
-AES Val#1168CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0 – 0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)
+AES validation number 1168
-
CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )
+
-AES Val#1168CCM (KS: 128, 256) (Assoc. Data Len Range: 0 - 8) (Payload Length Range: 4 - 32 (Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16)
+AES validation number 1168Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #1177
-
Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168
Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168 , vendor-affirmed
+Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168, vendor-affirmed
-
CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )
+CCM (KS: 128, 256) (Assoc. Data Len Range: 0 - 8) (Payload Length Range: 4 - 32 (Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16)
Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #760
-
CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 1 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
+CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0 - 0, 2^16) (Payload Length Range: 1 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)
-
-
-
Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #2023
-
@@ -2930,74 +3077,74 @@ Deterministic Random Bit Generator (DRBG)
-
CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4627 ) ]
+CTR_DRBG: [Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4627)]
-
CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4624 ) ]
+CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 4624)]
-
CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4434 ) ]
+CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4434)]
-
CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4433 ) ]
+CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4433)]
-
CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4431 ) ]
+CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4431)]
-
CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4430 ) ]
+CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4430)]
-
CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4074 ) ]
-CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 4074)]
+
-
CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4064 ) ]
+CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 4064)]
-
CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3629 ) ]
+CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 3629)]
-
CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3497 ) ]
+CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 3497)]
-
CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2832 ) ]
-CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 2832)]
+
-
CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2197 ) ]
+CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES validation number 2197)]
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #258
-
CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#2023 ) ]
+CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 2023)]
Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #193
-
CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#1168 ) ]
+CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES validation number 1168)]
Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 RNG Library #23
@@ -3133,84 +3280,84 @@ Deterministic Random Bit Generator (DRBG)
FIPS186-4:
+PQG(ver)PARMS TESTED: [(1024,160) SHA(1)]
-PQG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
-SIG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
-SHS: Val# 3649
+SIG(ver)PARMS TESTED: [(1024,160) SHA(1)]
+SHS: validation number 3649
FIPS186-4:
+PQG(ver)PARMS TESTED: [(1024,160) SHA(1)]
-PQG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
-SIG(ver)PARMS TESTED: [ (1024,160) SHA( 1 ); ]
-SHS: Val#3648
+SIG(ver)PARMS TESTED: [(1024,160) SHA(1)]
+SHS: validation number 3648
PQG(gen)PARMS TESTED: [
-(2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
-PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
-KeyPairGen: [ (2048,256) ; (3072,256) ]
-SIG(gen)PARMS TESTED: [ (2048,256)
-SHA( 256 ); (3072,256) SHA( 256 ); ]
-SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+PQG(ver)PARMS TESTED: [(2048,256) SHA(256); (3072,256) SHA(256)]
+KeyPairGen: [(2048,256); (3072,256)]
+SIG(gen)PARMS TESTED: [(2048,256)
+SHA(256); (3072,256) SHA(256)]
+SIG(ver)PARMS TESTED: [(2048,256) SHA(256); (3072,256) SHA(256)]
+
+DRBG: validation number 1217
-PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ] PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 )]
-KeyPairGen: [ (2048,256) ; (3072,256) ] SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
-SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+KeyPairGen: [(2048,256); (3072,256)] SIG(gen)PARMS TESTED: [(2048,256) SHA(256); (3072,256) SHA(256)]
+SIG(ver)PARMS TESTED: [(2048,256) SHA(256); (3072,256) SHA(256)]
+
+DRBG: validation number 955
-PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
-PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
-KeyPairGen: [ (2048,256) ; (3072,256) ]
-SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ] SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+PQG(ver)PARMS TESTED: [(2048,256) SHA(256); (3072,256) SHA(256)]
+KeyPairGen: [(2048,256); (3072,256)]
+SIG(gen)PARMS TESTED: [(2048,256) SHA(256); (3072,256) SHA(256)] SIG(ver)PARMS TESTED: [(2048,256) SHA(256); (3072,256) SHA(256)]
+
+DRBG: validation number 868
PQG(gen)PARMS TESTED: [
-(2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
-PQG(ver)PARMS TESTED: [ (2048,256)
-SHA( 256 ); (3072,256) SHA( 256 ) ]
-KeyPairGen: [ (2048,256) ; (3072,256) ]
-SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
-SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+PQG(ver)PARMS TESTED: [(2048,256)
+SHA(256); (3072,256) SHA(256)]
+KeyPairGen: [(2048,256); (3072,256)]
+SIG(gen)PARMS TESTED: [(2048,256) SHA(256); (3072,256) SHA(256)]
+SIG(ver)PARMS TESTED: [(2048,256) SHA(256); (3072,256) SHA(256)]
+
+DRBG: validation number 489
@@ -3220,13 +3367,13 @@ DRBG: #1903
DRBG: #258
-PQG(gen)PARMS TESTED: [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
-PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
-SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
-SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
+PQG(gen)PARMS TESTED: [(2048,256)SHA(256); (3072,256) SHA(256)]
+PQG(ver)PARMS TESTED: [(2048,256) SHA(256); (3072,256) SHA(256)]
+SIG(gen)PARMS TESTED: [(2048,256) SHA(256); (3072,256) SHA(256)]
+SIG(ver)PARMS TESTED: [(2048,256) SHA(256); (3072,256) SHA(256)]
SHS: #1903
DRBG: #258
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#687.Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #687
@@ -3235,75 +3382,75 @@ PQG(ver) MOD(1024);
SIG(ver) MOD(1024);
SHS: #1902
DRBG: #258
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#686.
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 686.
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 DSS and Diffie-Hellman Enhanced Cryptographic Provider (DSSENH) #686
FIPS186-2:
+SHS: validation number 1773
SIG(ver) MOD(1024);
-SHS: Val# 1773
-DRBG: Val# 193
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#645.
+DRBG: validation number 193
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 645.
Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #645
FIPS186-2:
+SHS: validation number 1081
SIG(ver) MOD(1024);
-SHS: Val# 1081
-DRBG: Val# 23
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#391. See Historical DSA List Val#386.
+DRBG: validation number 23
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 391. See Historical DSA List validation number 386.
FIPS186-2:
+SHS: validation number 1081
SIG(ver) MOD(1024);
-SHS: Val# 1081
-RNG: Val# 649
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#390. See Historical DSA List Val#385.
+RNG: validation number 649
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 390. See Historical DSA List validation number 385.
FIPS186-2:
+SHS: validation number 753
SIG(ver) MOD(1024);
-SHS: Val# 753
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#284. See Historical DSA List Val#283.
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 284. See Historical DSA List validation number 283.
FIPS186-2:
+SHS: validation number 753
SIG(ver) MOD(1024);
-SHS: Val# 753
-RNG: Val# 435
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#282. See Historical DSA List Val#281.
+RNG: validation number 435
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 282. See Historical DSA List validation number 281.
FIPS186-2:
+SHS: validation number 618
SIG(ver) MOD(1024);
-SHS: Val# 618
-RNG: Val# 321
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#227. See Historical DSA List Val#226.
+RNG: validation number 321
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 227. See Historical DSA List validation number 226.
FIPS186-2:
+SHS: validation number 784
SIG(ver) MOD(1024);
-SHS: Val# 784
-RNG: Val# 448
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#292.
+RNG: validation number 448
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 292.
Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #292
FIPS186-2:
+SHS: validation number 783
SIG(ver) MOD(1024);
-SHS: Val# 783
-RNG: Val# 447
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#291.
+RNG: validation number 447
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical DSA List validation number 291.
Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #291
@@ -3313,8 +3460,8 @@ PQG(gen) MOD(1024);
KEYGEN(Y) MOD(1024);
SIG(gen) MOD(1024);
SIG(ver) MOD(1024);
-SHS: Val# 611
-RNG: Val# 314
+SHS: validation number 611
+RNG: validation number 314
Windows 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #221
@@ -3324,7 +3471,7 @@ PQG(gen) MOD(1024);
KEYGEN(Y) MOD(1024);
SIG(gen) MOD(1024);
SIG(ver) MOD(1024);
-SHS: Val# 385
+SHS: validation number 385
Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #146
@@ -3333,7 +3480,7 @@ PQG(ver) MOD(1024);
KEYGEN(Y) MOD(1024);
SIG(gen) MOD(1024);
SIG(ver) MOD(1024);
-SHS: Val# 181
+SHS: validation number 181
Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #95
@@ -3409,7 +3556,7 @@ SHS: SHA-1 (BYTE)
@@ -3445,7 +3592,7 @@ SHS: SHA-1 (BYTE)
@@ -3615,7 +3762,7 @@ SHS: SHA-1 (BYTE)
@@ -3649,178 +3796,178 @@ SHS: SHA-1 (BYTE)
FIPS186-4:
+PKG: CURVES(P-256 P-384 TestingCandidates)
-PKG: CURVES( P-256 P-384 TestingCandidates )
-SHS: Val#3790
-DRBG: Val# 1555
+SHS: validation number 3790
+DRBG: validation number 1555
FIPS186-4:
+PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-PKV: CURVES( P-256 P-384 P-521 )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
-SHS: Val#3790
-DRBG: Val# 1555
+PKV: CURVES(P-256 P-384 P-521)
+SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
+SHS: validation number 3790
+DRBG: validation number 1555
FIPS186-4:
+PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-PKV: CURVES( P-256 P-384 P-521 )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
-SHS: Val#3790
-DRBG: Val# 1555
+PKV: CURVES(P-256 P-384 P-521)
+SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
+SHS: validation number 3790
+DRBG: validation number 1555
FIPS186-4:
+PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-PKV: CURVES( P-256 P-384 P-521 )
-SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
-SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
-SHS:Val# 3649
-DRBG:Val# 1430
+PKV: CURVES(P-256 P-384 P-521)
+SigGen: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
+SigVer: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512))
+SHS:validation number 3649
+DRBG:validation number 1430
FIPS186-4:
+PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-PKV: CURVES( P-256 P-384 P-521 )
-SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
-SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
-SHS:Val#3648
-DRBG:Val# 1429
+PKV: CURVES(P-256 P-384 P-521)
+SigGen: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
+SigVer: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512))
+SHS:validation number 3648
+DRBG:validation number 1429
-PKG: CURVES( P-256 P-384 TestingCandidates )
-PKV: CURVES( P-256 P-384 )
-SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) SIG(gen) with SHA-1 affirmed for use with protocols only.
-SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) )
+PKV: CURVES(P-256 P-384)
+SigGen: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) SIG(gen) with SHA-1 affirmed for use with protocols only.
+SigVer: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384))
+
+DRBG: validation number 1222
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-PKV: CURVES( P-256 P-384 P-521 )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+PKV: CURVES(P-256 P-384 P-521)
+SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
+
+DRBG: validation number 1217
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
+
+DRBG: validation number 955
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
+
+DRBG: validation number 868
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
+
+DRBG: validation number 489
-PKG: CURVES( P-256 P-384 P-521 )
+PKG: CURVES(P-256 P-384 P-521)
SHS: #1903
DRBG: #258
-SIG(ver):CURVES( P-256 P-384 P-521 )
+SIG(ver): CURVES(P-256 P-384 P-521)
SHS: #1903
DRBG: #258
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
+PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
+SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
SHS: #1903
DRBG: #258
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#341.Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #341
-PKG: CURVES( P-256 P-384 P-521 )
-SHS: Val#1773
-DRBG: Val# 193
-SIG(ver): CURVES( P-256 P-384 P-521 )
-SHS: Val#1773
-DRBG: Val# 193
+SHS: validation number 1773
+DRBG: validation number 193
+SIG(ver): CURVES(P-256 P-384 P-521)
+SHS: validation number 1773
+DRBG: validation number 193
-PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
-SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
-SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
-SHS: Val#1773
-DRBG: Val# 193
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#295.
+SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
+SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
+SHS: validation number 1773
+DRBG: validation number 193
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 295.
Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #295
FIPS186-2:
+PKG: CURVES(P-256 P-384 P-521)
-PKG: CURVES( P-256 P-384 P-521 )
-SHS: Val#1081
-DRBG: Val# 23
-SIG(ver): CURVES( P-256 P-384 P-521 )
-SHS: Val#1081
-DRBG: Val# 23
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#142. See Historical ECDSA List Val#141.
+SHS: validation number 1081
+DRBG: validation number 23
+SIG(ver): CURVES(P-256 P-384 P-521)
+SHS: validation number 1081
+DRBG: validation number 23
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 142. See Historical ECDSA List validation number 141.
FIPS186-2:
+PKG: CURVES(P-256 P-384 P-521)
-PKG: CURVES( P-256 P-384 P-521 )
-SHS: Val#753
-SIG(ver): CURVES( P-256 P-384 P-521 )
-SHS: Val#753
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#83. See Historical ECDSA List Val#82.
+SHS: validation number 753
+SIG(ver): CURVES(P-256 P-384 P-521)
+SHS: validation number 753
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 83. See Historical ECDSA List validation number 82.
@@ -3886,7 +4033,7 @@ Some of the previously validated components for this validation have been remove
FIPS186-2:
+PKG: CURVES(P-256 P-384 P-521)
-PKG: CURVES( P-256 P-384 P-521 )
-SHS: Val#618
-RNG: Val# 321
-SIG(ver): CURVES( P-256 P-384 P-521 )
-SHS: Val#618
-RNG: Val# 321
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#60.
+SHS: validation number 618
+RNG: validation number 321
+SIG(ver): CURVES(P-256 P-384 P-521)
+SHS: validation number 618
+RNG: validation number 321
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical ECDSA List validation number 60.
Windows Vista CNG algorithms #60
@@ -3979,269 +4126,269 @@ Some of the previously validated components for this validation have been remove
-
-
-
-
-
-
-
-SHS Val# 3347
-SHS Val# 3347
-SHS Val# 3347
+SHS validation number 3347
+SHS validation number 3347
+SHS validation number 3347
-
-
-SHS Val# 3047
-SHS Val# 3047
-SHS Val# 3047
-SHS Val# 3047
+SHS validation number 3047
+SHS validation number 3047
+SHS validation number 3047
+SHS validation number 3047
-
-SHSVal# 2886
-SHSVal# 2886
- SHSVal# 2886
-SHSVal# 2886
+SHSvalidation number 2886
+SHSvalidation number 2886
+ SHSvalidation number 2886
+SHSvalidation number 2886
-
-SHS Val#2373
-SHS Val#2373
-SHS Val#2373
-SHS Val#2373
+SHS validation number 2373
+SHS validation number 2373
+SHS validation number 2373
+SHS validation number 2373
-
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #1347
-
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1346
-
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1345
-
Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1364
-
Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1227
-
-
Windows 7 and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #675
-
Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #452
-
Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #415
-
-
Windows Vista Enhanced Cryptographic Provider (RSAENH) #297
-
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#785
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 785
-
Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #428
-
Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #289
-
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#610
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 610
Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #287
-
-
Windows Vista Ultimate BitLocker Drive Encryption #386
-
Windows Vista CNG algorithms #298
-
Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #267
-
Windows CE and Windows Mobile 6.0 and Windows Mobil 6.5 Enhanced Cryptographic Provider (RSAENH) #260
-
Windows Vista BitLocker Drive Encryption #199
-
HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#364
+HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSvalidation number 364
-
@@ -4325,7 +4472,7 @@ SHS #4009, ECDSA #1252, DRBG #1733
-Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #31
@@ -4361,7 +4508,7 @@ SHS
-
-
+DSA validation number 1135
+DRBG validation number 1556
-
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
-SHS Val#3790
-DSA Val#1223
-DRBG Val#1555
-[ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+
+(FB: SHA256) (FC: SHA256)]
+[dhOneFlow (FB: SHA256) (FC: SHA256)] [dhStatic (No_KC < KARole(s): Initiator / Responder>) (FB: SHA256 HMAC) (FC: SHA256 HMAC)]
+SHS validation number 3790
+DSA validation number 1223
+DRBG validation number 1555
+[OnePassDH (No_KC < KARole(s): Initiator / Responder>) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))]
+[StaticUnified (No_KC < KARole(s): Initiator / Responder>) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))]
-SHS Val#3790
-ECDSA Val#1133
-DRBG Val#1555
+ECDSA validation number 1133
+DRBG validation number 1555
-
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
-SHS Val# 3649
-DSA Val#1188
-DRBG Val#1430
-[ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+(FB: SHA256) (FC: SHA256)]
+[dhOneFlow (KARole(s): Initiator / Responder) (FB: SHA256) (FC: SHA256)] [dhStatic (No_KC < KARole(s): Initiator / Responder>) (FB: SHA256 HMAC) (FC: SHA256 HMAC)]
+SHS validation number 3649
+DSA validation number 1188
+DRBG validation number 1430
+[OnePassDH (No_KC < KARole(s): Initiator / Responder>) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))]
+[StaticUnified (No_KC < KARole(s): Initiator / Responder>) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))]
-
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhHybridOneFlow ( No_KC < KARole(s): Initiator / Responder> ) ( FB:SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
-[ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB:SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
-SHS Val#3648
-DSA Val#1187
-DRBG Val#1429
-[ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+
+(FB: SHA256) (FC: SHA256)]
+[dhHybridOneFlow (No_KC < KARole(s): Initiator / Responder>) (FB:SHA256 HMAC) (FC: SHA256 HMAC)]
+[dhStatic (No_KC < KARole(s): Initiator / Responder>) (FB:SHA256 HMAC) (FC: SHA256 HMAC)]
+SHS validation number 3648
+DSA validation number 1187
+DRBG validation number 1429
+[OnePassDH (No_KC < KARole(s): Initiator / Responder>) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))]
+[StaticUnified (No_KC < KARole(s): Initiator / Responder>) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))]
-SHS Val#3648
-ECDSA Val#1072
-DRBG Val#1429
+ECDSA validation number 1072
+DRBG validation number 1429
-
-SCHEMES [ FullUnified ( No_KC < KARole(s): Initiator / Responder > < KDF: CONCAT > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ]
+SCHEMES [FullUnified (No_KC < KARole(s): Initiator / Responder > < KDF: CONCAT >) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC)]
-
-SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic (No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
-[ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+SCHEMES [dhEphem (KARole(s): Initiator / Responder)
+(FB: SHA256) (FC: SHA256)]
+[dhOneFlow (KARole(s): Initiator / Responder) (FB: SHA256) (FC: SHA256)] [dhStatic (No_KC < KARole(s): Initiator / Responder >) (FB: SHA256 HMAC) (FC: SHA256 HMAC)]
+[OnePassDH (No_KC < KARole(s): Initiator / Responder >) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))]
+[StaticUnified (No_KC < KARole(s): Initiator / Responder >) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))]
-
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
-[ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+(FB: SHA256) (FC: SHA256)]
+[dhOneFlow (KARole(s): Initiator / Responder) (FB: SHA256) (FC: SHA256)] [dhStatic (No_KC < KARole(s): Initiator / Responder >) (FB: SHA256 HMAC) (FC: SHA256 HMAC)]
+[OnePassDH (No_KC < KARole(s): Initiator / Responder >) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))]
+[StaticUnified (No_KC < KARole(s): Initiator / Responder >) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))]
-
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
-[ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+(FB: SHA256) (FC: SHA256)]
+[dhOneFlow (KARole(s): Initiator / Responder) (FB: SHA256) (FC: SHA256)] [dhStatic (No_KC < KARole(s): Initiator / Responder >) (FB: SHA256 HMAC) (FC: SHA256 HMAC)]
+[OnePassDH (No_KC < KARole(s): Initiator / Responder >) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))]
+[StaticUnified (No_KC < KARole(s): Initiator / Responder >) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))]
-
-( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder > ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
-[ OnePassDH ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
-[ StaticUnified ( No_KC < KARole(s): Initiator / Responder > ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+(FB: SHA256) (FC: SHA256)]
+[dhOneFlow (KARole(s): Initiator / Responder) (FB: SHA256) (FC: SHA256)] [dhStatic (No_KC < KARole(s): Initiator / Responder >) (FB: SHA256 HMAC) (FC: SHA256 HMAC)]
+[OnePassDH (No_KC < KARole(s): Initiator / Responder >) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))]
+[StaticUnified (No_KC < KARole(s): Initiator / Responder >) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))]
-
-( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
-[ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FA: SHA256 HMAC ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
-SHS #1903 DSA Val#687 DRBG #258
-[ OnePassDH( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 ) ( ED: P-384 SHA384 ) ( EE: P-521 (SHA512, HMAC_SHA512) ) ) ]
-[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
+
+(FA: SHA256) (FB: SHA256) (FC: SHA256)]
+[dhOneFlow (KARole(s): Initiator / Responder) (FA: SHA256) (FB: SHA256) (FC: SHA256)]
+[dhStatic (No_KC < KARole(s): Initiator / Responder>) (FA: SHA256 HMAC) (FB: SHA256 HMAC) (FC: SHA256 HMAC)]
+SHS #1903 DSA validation number 687 DRBG #258
+[OnePassDH(No_KC < KARole(s): Initiator / Responder>) (EC: P-256 SHA256) (ED: P-384 SHA384) (EE: P-521 (SHA512, HMAC_SHA512)))]
+[StaticUnified (No_KC < KARole(s): Initiator / Responder>) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))]
-SHS #1903 ECDSA Val#341 DRBG #258Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #36
@@ -4960,7 +5107,7 @@ SP 800-108 Key-Based Key Derivation Functions (KBKDF)
@@ -5017,61 +5164,61 @@ SP 800-108 Key-Based Key Derivation Functions (KBKDF)
-
CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
+CTR_Mode: (Llength(Min0 Max0) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA384]) LocationCounter([BeforeFixedData]) rlength([32]))
+KAS validation number 128
-KAS Val#128
-DRBG Val#1556
-MAC Val#3062
+DRBG validation number 1556
+MAC validation number 3062
-
CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
+CTR_Mode: (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))
+KAS validation number 127
-KAS Val#127
-AES Val#4624
-DRBG Val#1555
-MAC Val#3061
+AES validation number 4624
+DRBG validation number 1555
+MAC validation number 3061
-
-
-
-
-
-
@@ -5092,12 +5239,12 @@ Random Number Generator (RNG)
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #3
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1110
FIPS 186-2
+[(x-Original); (SHA-1)]
-[ (x-Original); (SHA-1) ]
-[ (x-Change Notice); (SHA-1) ]
-[ (x-Change Notice); (SHA-1) ]
FIPS 186-2 General Purpose
+[(x-Change Notice); (SHA-1)]
-[ (x-Change Notice); (SHA-1) ]
@@ -5228,7 +5375,7 @@ Random Number Generator (RNG)
FIPS 186-2
+[(x-Change Notice); (SHA-1)]
-[ (x-Change Notice); (SHA-1) ]
@@ -5263,7 +5410,7 @@ Random Number Generator (RNG)
@@ -5637,7 +5784,7 @@ Random Number Generator (RNG)
@@ -5707,424 +5854,424 @@ Random Number Generator (RNG)
FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384)) SIG(gen) with SHA-1 affirmed for use with protocols only.
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))
-SHA Val#3790
+ SIG(Ver) (1024 SHA(1, 256, 384)) (2048 SHA(1, 256, 384))
+[RSASSA-PSS]: Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48)))
+SHA validation number 3790
FIPS186-4:
+ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val#3790
+SHA validation number 3790
FIPS186-4:
+186-4KEY(gen): FIPS186-4_Fixed_e (10001);
-186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
-SHA Val#3790
-DRBG: Val# 1555
+PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
+[RSASSA-PSS]: Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))
+SHA validation number 3790
+DRBG: validation number 1555
FIPS186-4:
+PGM(ProbRandom: (2048, 3072) PPTT:(C.2)
186-4KEY(gen):
-PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
-SHA Val#3790
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
+[RSASSA-PSS]: Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))
+SHA validation number 3790
ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652, SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096, SHS: SHA-256validation number 3652, SHA-384validation number 3652, SHA-512validation number 3652
+SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3652, SHA-256validation number 3652, SHA-384validation number 3652, SHA-512validation number 3652
-ALG[ANSIX9.31] Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
-SIG(gen) with SHA-1 affirmed for use with protocols only. Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val#3652
+SIG(gen) with SHA-1 affirmed for use with protocols only. Sig(Ver): (1024 SHA(1)) (2048 SHA(1)) (3072 SHA(1))
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
+SHA validation number 3652
ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651, SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096, SHS: SHA-256validation number 3651, SHA-384validation number 3651, SHA-512validation number 3651
+SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3651, SHA-256validation number 3651, SHA-384validation number 3651, SHA-512validation number 3651
-ALG[ANSIX9.31] Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
-SIG(gen) with SHA-1 affirmed for use with protocols only. Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val#3651
+SIG(gen) with SHA-1 affirmed for use with protocols only. Sig(Ver): (1024 SHA(1)) (2048 SHA(1)) (3072 SHA(1))
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
+SHA validation number 3651
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val# 3649 , SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649
+SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3649, SHA-256validation number 3649, SHA-384validation number 3649, SHA-512validation number 3649
-186-4KEY(gen): FIPS186-4_Fixed_e (10001) ;
-PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val# 3649
-DRBG: Val# 1430
+PGM(ProbRandom: (2048, 3072) PPTT:(C.2)
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
+SHA validation number 3649
+DRBG: validation number 1430
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3648, SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648
+SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 3648, SHA-256validation number 3648, SHA-384validation number 3648, SHA-512validation number 3648
-186-4KEY(gen): FIPS186-4_Fixed_e (10001) ;
-PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
- SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-SHA Val#3648
-DRBG: Val# 1429
+PGM(ProbRandom: (2048, 3072) PPTT:(C.2)
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
+ SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
+SHA validation number 3648
+DRBG: validation number 1429
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
-SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
-Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))
+SIG(Ver) (1024 SHA(1, 256, 384)) (2048 SHA(1, 256, 384))
+[RSASSA-PSS]: Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) SIG(gen) with SHA-1 affirmed for use with protocols only.
+Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48)))
+
-186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
+PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)
+
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
-SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
+
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
-186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
+PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)
+
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
-SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
+
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
-Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))
+
-186-4KEY(gen): FIPS186-4_Fixed_e ( 10001 ) ;
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
+PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)
+
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
-Sig(Ver): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+Sig(Ver): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))
+
-186-4KEY(gen): FIPS186-4_Fixed_e ;
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
+PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)
+
-ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
-SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
+SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
+
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
- Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
+ Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))
+
-ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 256 , 384 , 512-256 )) (3072 SHA( 256 , 384 , 512-256 ))
-SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512-256 )) (2048 SHA( 1 , 256 , 384 , 512-256 )) (3072 SHA( 1 , 256 , 384 , 512-256 ))
-[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
-Sig(Ver): (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 , 512 ))
+ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(256, 384, 512-256)) (3072 SHA(256, 384, 512-256))
+SIG(Ver) (1024 SHA(1, 256, 384, 512-256)) (2048 SHA(1, 256, 384, 512-256)) (3072 SHA(1, 256, 384, 512-256))
+[RSASSA-PSS]: Sig(Gen): (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512))
+Sig(Ver): (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512, 512))
SHA #1903Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1134
FIPS186-4:
-186-4KEY(gen): FIPS186-4_Fixed_e , FIPS186-4_Fixed_e_Value
-PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
+186-4KEY(gen): FIPS186-4_Fixed_e, FIPS186-4_Fixed_e_Value
+PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)
SHA #1903 DRBG: #258Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 RSA Key Generation Implementation #1133
FIPS186-2:
+ALG[ANSIX9.31]: Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 DRBG: #258
-ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: #258
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256#1902, SHA-384#1902, SHA-512#1902,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1#1902, SHA-256#1902, SHA-#1902, SHA-512#1902,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1132.
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256#1902, SHA-384#1902, SHA-512#1902,
+SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1#1902, SHA-256#1902, SHA-#1902, SHA-512#1902,
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 1132.
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1132
FIPS186-2:
+SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1774
ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774, SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1052.
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 1774, SHA-384validation number 1774, SHA-512validation number 1774,
+SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1774, SHA-256validation number 1774, SHA-384validation number 1774, SHA-512validation number 1774,
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 1052.
Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1052
FIPS186-2:
+ALG[ANSIX9.31]: Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 DRBG: validation number 193
-ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 193
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1773, SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1051.
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 1773, SHA-384validation number 1773, SHA-512validation number 1773,
+SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1773, SHA-256validation number 1773, SHA-384validation number 1773, SHA-512validation number 1773,
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 1051.
Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1051
FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#568.
+SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1081, SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 568.
Windows Server 2008 R2 and SP1 Enhanced Cryptographic Provider (RSAENH) #568
FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
-ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#567. See Historical RSA List Val#560.
+SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1081, SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
+ALG[RSASSA-PSS]: SIG(gen); 2048, 3072, 4096, SHS: SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081
+SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1081, SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 567. See Historical RSA List validation number 560.
FIPS186-2:
+ALG[ANSIX9.31]: Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 DRBG: validation number 23
-ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 23
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#559.
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 559.
Windows 7 and SP1 and Server 2008 R2 and SP1 RSA Key Generation Implementation #559
FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#557.
+SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 1081, SHA-256validation number 1081, SHA-384validation number 1081, SHA-512validation number 1081,
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 557.
Windows 7 and SP1 Enhanced Cryptographic Provider (RSAENH) #557
FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 816, SHA-384validation number 816, SHA-512validation number 816,
ALG[ANSIX9.31]:
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#816, SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#395.
+SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 816, SHA-256validation number 816, SHA-384validation number 816, SHA-512validation number 816,
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 395.
Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #395
FIPS186-2:
+SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 783
ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#783
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#783, SHA-384Val#783, SHA-512Val#783,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#371.
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 783, SHA-384validation number 783, SHA-512validation number 783,
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 371.
Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #371
FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753,
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
-ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#358. See Historical RSA List Val#357.
+SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 753, SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753,
+ALG[RSASSA-PSS]: SIG(gen); 2048, 3072, 4096, SHS: SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753
+SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 753, SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 358. See Historical RSA List validation number 357.
FIPS186-2:
+SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 753
ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#355. See Historical RSA List Val#354.
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753,
+SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 753, SHA-256validation number 753, SHA-384validation number 753, SHA-512validation number 753,
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 355. See Historical RSA List validation number 354.
FIPS186-2:
+ALG[ANSIX9.31]: Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537
-ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#353.
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 353.
Windows Vista SP1 and Windows Server 2008 RSA Key Generation Implementation #353
FIPS186-2:
+ALG[ANSIX9.31]: Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 RNG: validation number 321
-ALG[ANSIX9.31]: Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 RNG: Val# 321
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#258.
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 258.
Windows Vista RSA key generation implementation #258
FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618,
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
-ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#257.
+SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 618, SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618,
+ALG[RSASSA-PSS]: SIG(gen); 2048, 3072, 4096, SHS: SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618
+SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 618, SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 257.
Windows Vista CNG algorithms #257
FIPS186-2:
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618,
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#255.
+SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 618, SHA-256validation number 618, SHA-384validation number 618, SHA-512validation number 618,
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 255.
Windows Vista Enhanced Cryptographic Provider (RSAENH) #255
FIPS186-2:
+SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 613
ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613, SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#245.
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 613, SHA-384validation number 613, SHA-512validation number 613,
+SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 613, SHA-256validation number 613, SHA-384validation number 613, SHA-512validation number 613,
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 245.
Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #245
FIPS186-2:
+SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 589
ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589, SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#230.
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 589, SHA-384validation number 589, SHA-512validation number 589,
+SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 589, SHA-256validation number 589, SHA-384validation number 589, SHA-512validation number 589,
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 230.
Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #230
FIPS186-2:
+SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 578
ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578, SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#222.
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 578, SHA-384validation number 578, SHA-512validation number 578,
+SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 578, SHA-256validation number 578, SHA-384validation number 578, SHA-512validation number 578,
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 222.
Windows CE and Windows Mobile 6 and Windows Mobile 6.1 Enhanced Cryptographic Provider (RSAENH) #222
FIPS186-2:
+SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 364
ALG[RSASSA-PKCS1_V1_5]:
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#364
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#81.
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 81.
Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #81
FIPS186-2:
+SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 305
ALG[ANSIX9.31]:
-SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305
-ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
-SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305, SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
-Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#52.
+ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256validation number 305, SHA-384validation number 305, SHA-512validation number 305,
+SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1validation number 305, SHA-256validation number 305, SHA-384validation number 305, SHA-512validation number 305,
+Some of the previously validated components for this validation have been removed because they're now non-compliant per the SP800-131A transition. See Historical RSA List validation number 52.
Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #52
@@ -6313,7 +6460,7 @@ Version 6.3.9600
SHA-256 (BYTE-only)
SHA-384 (BYTE-only)
SHA-512 (BYTE-only)
-Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2373
+Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2373
Version 6.3.9600
@@ -6495,106 +6642,106 @@ Version 6.3.9600
-
TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, )
+TECB(KO 1 e/d); TCBC(KO 1 e/d); TCFB8(KO 1 e/d); TCFB64(KO 1 e/d)
-
-
-
-
-
-
-
-
-
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1387
-
Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1386
-
Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #846
-
Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #656
-
Windows Vista Symmetric Algorithm Implementation #549
@@ -6603,8 +6750,8 @@ Version 6.3.9600
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
index f87c93e451..4f89790b1c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
@@ -5,7 +5,7 @@ ms.assetid: 9a2534a5-d1fa-48a9-93c6-989d4857cf85
ms.reviewer:
ms.author: dansimp
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Display a custom URL message when users try to run a blocked app
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md
index be5c338598..aec41fda97 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md
@@ -4,7 +4,7 @@ description: This topic describes the file formats and available default rules f
ms.assetid: a083fd08-c07e-4534-b0e7-1e15d932ce8f
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# DLL rules in AppLocker
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
index 0e40237b7b..7c80353023 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
@@ -4,7 +4,7 @@ description: This planning topic describes what you need to investigate, determi
ms.assetid: 389ffa8e-11fc-49ff-b0b1-89553e6fb6e5
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
@@ -15,6 +15,7 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
ms.pagetype: security
ms.date: 09/21/2017
+ms.technology: mde
---
# Document the Group Policy structure and AppLocker rule enforcement
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md
index c43cf96fee..64318e0bd7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md
@@ -4,7 +4,7 @@ description: This planning topic describes the app information that you should d
ms.assetid: b155284b-f75d-4405-aecf-b74221622dc0
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Document your app list
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md
index 9f6e032b66..1000876fbf 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md
@@ -4,7 +4,7 @@ description: Learn how to document your AppLocker rules and associate rule condi
ms.assetid: 91a198ce-104a-45ff-b49b-487fb40cd2dd
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Document your AppLocker rules
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
index 03b04a1190..9865b4a5d9 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
@@ -4,7 +4,7 @@ description: This topic for IT professionals describes the steps required to mod
ms.assetid: dbc72d1f-3fe0-46c2-aeeb-96621fce7637
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Edit an AppLocker policy
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md
index 028a8237bc..9fba4220b8 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md
@@ -4,7 +4,7 @@ description: This topic for IT professionals describes the steps to edit a publi
ms.assetid: 80016cda-b915-46a0-83c6-5e6b0b958e32
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Edit AppLocker rules
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md b/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md
index 575de45499..33f8fc5205 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md
@@ -4,7 +4,7 @@ description: This topic for IT professionals describes the steps to enable the D
ms.assetid: 88ef9561-6eb2-491a-803a-b8cdbfebae27
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Enable the DLL rule collection
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md
index b396db1cfb..977c71d0cf 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md
@@ -4,7 +4,7 @@ description: This topic for IT professionals describes how to enforce applicatio
ms.assetid: e1528b7b-77f2-4419-8e27-c9cc3721d96d
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Enforce AppLocker rules
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md
index ffdc7ace8c..13e0194acf 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md
@@ -4,7 +4,7 @@ description: This topic describes the file formats and available default rules f
ms.assetid: 65e62f90-6caa-48f8-836a-91f8ac9018ee
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Executable rules in AppLocker
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md
index 0443b67c6b..6f17980018 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md
@@ -4,7 +4,7 @@ description: This topic for IT professionals describes the steps to export an Ap
ms.assetid: 7db59719-a8be-418b-bbfd-22cf2176c9c0
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Export an AppLocker policy from a GPO
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md
index 6856386f4a..a2c2fda488 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md
@@ -4,7 +4,7 @@ description: This topic for IT professionals describes the steps to export an Ap
ms.assetid: 979bd23f-6815-478b-a6a4-a25239cb1080
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Export an AppLocker policy to an XML file
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md b/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md
index b4adeb4b33..6e4827d32a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md
@@ -4,7 +4,7 @@ description: This topic for the IT professional provides links to topics about A
ms.assetid: 24bb1d73-0ff5-4af7-8b8a-2fa44d4ddbcd
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# How AppLocker works
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md
index eaa7c7aa78..572410407e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md
@@ -4,7 +4,7 @@ description: This topic for IT professionals describes how to import an AppLocke
ms.assetid: b48cb2b2-8ef8-4cc0-89bd-309d0b1832f6
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Import an AppLocker policy from another computer
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md
index ac5ac53cd5..10cdc3f2c5 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md
@@ -4,7 +4,7 @@ description: This topic for IT professionals describes the steps to import an Ap
ms.assetid: 0629ce44-f5e2-48a8-ba47-06544c73261f
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Import an AppLocker policy into a GPO
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md
index 3e7f0169c7..67545f9094 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md
@@ -4,7 +4,7 @@ description: Learn how to maintain rules within AppLocker policies. View common
ms.assetid: b4fbfdfe-ef3d-49e0-a390-f2dfe74602bc
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -14,6 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
+ms.technology: mde
---
# Maintain AppLocker policies
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md
index e33dc7ed87..fc27d49a00 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md
@@ -4,7 +4,7 @@ description: Learn concepts and lists procedures to help you manage packaged app
ms.assetid: 6d0c99e7-0284-4547-a30a-0685a9916650
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Manage packaged apps with AppLocker
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md
index 47c7db9884..ffe44d7fae 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md
@@ -4,7 +4,7 @@ description: This topic for IT professionals describes the steps to merge AppLoc
ms.assetid: f1c7d5c0-463e-4fe2-a410-844a404f18d0
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Merge AppLocker policies by using Set-ApplockerPolicy
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md
index f40ead0fc0..7567707461 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md
@@ -4,7 +4,7 @@ description: This topic for IT professionals describes the steps to manually mer
ms.assetid: 3605f293-e5f2-481d-8efd-775f9f23c30f
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Merge AppLocker policies manually
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md
index d0aa573b21..56d201be4e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md
@@ -4,7 +4,7 @@ description: This topic for IT professionals describes how to monitor app usage
ms.assetid: 0516da6e-ebe4-45b4-a97b-31daba96d1cf
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Monitor app usage with AppLocker
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md b/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md
index d669f7c890..e050d78690 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md
@@ -4,7 +4,7 @@ description: This topic for IT professionals describes how to optimize AppLocker
ms.assetid: a20efa20-bc98-40fe-bd81-28ec4905e0f6
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Optimize AppLocker performance
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
index 1057121e64..5889dda71b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
@@ -4,7 +4,7 @@ description: This topic explains the AppLocker rule collection for packaged app
ms.assetid: 8fd44d08-a0c2-4c5b-a91f-5cb9989f971d
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 10/13/2017
+ms.technology: mde
---
# Packaged apps and packaged app installer rules in AppLocker
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
index 35e51ee350..7bdb71f127 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
@@ -4,7 +4,7 @@ description: This topic for describes the decisions you need to make to establis
ms.assetid: dccc196f-6ae0-4ae4-853a-a3312b18751b
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Plan for AppLocker policy management
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
index 9e6a10f475..462a865a4f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
@@ -4,7 +4,7 @@ description: This topic for IT professionals describes the steps to force an upd
ms.assetid: 3f24fcbc-3926-46b9-a1a2-dd036edab8a9
ms.reviewer:
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Refresh an AppLocker policy
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
index 1d132ac242..acabab7d69 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
@@ -4,7 +4,7 @@ description: This deployment topic for the IT professional lists the requirement
ms.assetid: 3e55bda2-3cd7-42c7-bad3-c7dfbe193d48
ms.reviewer:
ms.author: macapara
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Requirements for deploying AppLocker policies
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md
index 42347224a4..0b4fd786bf 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md
@@ -4,7 +4,7 @@ description: This topic for the IT professional lists software requirements to u
ms.assetid: dc380535-071e-4794-8f9d-e5d1858156f0
ms.reviewer:
ms.author: macapara
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Requirements to use AppLocker
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md b/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md
index a87df1bc69..da19e309e8 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md
@@ -4,7 +4,7 @@ description: This topic for IT professionals describes steps to run the wizard t
ms.assetid: 8cad1e14-d5b2-437c-8f88-70cffd7b3d8e
ms.reviewer:
ms.author: macapara
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Run the Automatically Generate Rules wizard
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
index 1854e961d1..db4968297c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
@@ -4,7 +4,7 @@ description: This topic describes the file formats and available default rules f
ms.assetid: fee24ca4-935a-4c5e-8a92-8cf1d134d35f
ms.reviewer:
ms.author: macapara
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Script rules in AppLocker
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md
index 02e8dd5393..92928f7068 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md
@@ -4,7 +4,7 @@ description: This topic for the IT professional describes the security considera
ms.assetid: 354a5abb-7b31-4bea-a442-aa9666117625
ms.reviewer:
ms.author: macapara
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Security considerations for AppLocker
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md
index 4daacad66d..174e5d8a77 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md
@@ -4,7 +4,7 @@ description: This topic lists resources you can use when selecting your applicat
ms.assetid: 14751169-0ed1-47cc-822c-8c01a7477784
ms.reviewer:
ms.author: macapara
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Select the types of rules to create
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md
index 00511d0f23..fd78e7c563 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md
@@ -4,7 +4,7 @@ description: This topic for IT professionals describes the steps to test an AppL
ms.assetid: 048bfa38-6825-4a9a-ab20-776cf79f402a
ms.reviewer:
ms.author: macapara
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Test an AppLocker policy by using Test-AppLockerPolicy
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md
index 6306c10479..2027085b0e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md
@@ -4,7 +4,7 @@ description: This topic discusses the steps required to test an AppLocker policy
ms.assetid: 7d53cbef-078c-4d20-8b00-e821e33b6ea1
ms.reviewer:
ms.author: macapara
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Test and update an AppLocker policy
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md
index 974a0000cc..51d801a909 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md
@@ -4,7 +4,7 @@ description: This topic for the IT professional describes the tools available to
ms.assetid: db2b7cb3-7643-4be5-84eb-46ba551e1ad1
ms.reviewer:
ms.author: macapara
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Tools to use with AppLocker
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md
index 0cd67f03d8..cbd1b7c62e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md
@@ -4,7 +4,7 @@ description: This topic describes the AppLocker enforcement settings for rule co
ms.assetid: 48773007-a343-40bf-8961-b3ff0a450d7e
ms.reviewer:
ms.author: macapara
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Understand AppLocker enforcement settings
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
index a8bfeff845..95dcad5fe6 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
@@ -4,7 +4,7 @@ description: Review some common considerations while you are planning to use App
ms.assetid: 3475def8-949a-4b51-b480-dc88b5c1e6e6
ms.reviewer:
ms.author: macapara
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 10/13/2017
+ms.technology: mde
---
# Understand AppLocker policy design decisions
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
index ce6f6d4292..5350f5c843 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
@@ -4,7 +4,7 @@ description: This topic for the IT professional describes how application contro
ms.assetid: c1c5a3d3-540a-4698-83b5-0dab5d27d871
ms.reviewer:
ms.author: macapara
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Understand AppLocker rules and enforcement setting inheritance in Group Policy
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md
index 5e0c80b55d..0f909bdf3d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md
@@ -4,7 +4,7 @@ description: This planning and deployment topic for the IT professional describe
ms.assetid: 4cfd95c1-fbd3-41fa-8efc-d23c1ea6fb16
ms.reviewer:
ms.author: macapara
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Understand the AppLocker policy deployment process
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
index f9cdae7831..941aa4f30d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
@@ -4,7 +4,7 @@ description: This topic explains the differences between allow and deny actions
ms.assetid: ea0370fa-2086-46b5-a0a4-4a7ead8cbed9
ms.reviewer:
ms.author: macapara
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Understanding AppLocker allow and deny actions on rules
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md
index 02228d1867..e9e449b52e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md
@@ -4,7 +4,7 @@ description: This topic for IT professional describes the set of rules that can
ms.assetid: bdb03d71-05b7-41fb-96e3-a289ce1866e1
ms.reviewer:
ms.author: macapara
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Understanding AppLocker default rules
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md
index cbb7806a6b..041eee8f69 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md
@@ -4,7 +4,7 @@ description: This topic describes how AppLocker rules are enforced by using the
ms.assetid: 3e2738a3-8041-4095-8a84-45c1894c97d0
ms.reviewer:
ms.author: macapara
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Understanding AppLocker rule behavior
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md
index 0392b51405..319c895fd9 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md
@@ -4,7 +4,7 @@ description: This topic explains the five different types of AppLocker rules use
ms.assetid: 03c05466-4fb3-4880-8d3c-0f6f59fc5579
ms.reviewer:
ms.author: macapara
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Understanding AppLocker rule collections
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md
index 44c123c7a2..8dfb91c58e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md
@@ -4,7 +4,7 @@ description: This topic for the IT professional describes the three types of App
ms.assetid: c21af67f-60a1-4f7d-952c-a6f769c74729
ms.reviewer:
ms.author: macapara
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Understanding AppLocker rule condition types
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md
index 9420c1f20f..eb3084b691 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md
@@ -4,7 +4,7 @@ description: This topic describes the result of applying AppLocker rule exceptio
ms.assetid: e6bb349f-ee60-4c8d-91cd-6442f2d0eb9c
ms.reviewer:
ms.author: macapara
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Understanding AppLocker rule exceptions
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md
index b0e028c79d..7a8bfc63d1 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md
@@ -4,7 +4,7 @@ description: This topic explains the AppLocker file hash rule condition, the adv
ms.assetid: 4c6d9af4-2b1a-40f4-8758-1a6f9f147756
ms.reviewer:
ms.author: macapara
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Understanding the file hash rule condition in AppLocker
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md
index 95863340c0..057a3dabde 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md
@@ -4,7 +4,7 @@ description: This topic explains the AppLocker path rule condition, the advantag
ms.assetid: 3fa54ded-4466-4f72-bea4-2612031cad43
ms.reviewer:
ms.author: macapara
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Understanding the path rule condition in AppLocker
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md
index 73bd0d992a..8636e3b8dd 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md
@@ -4,7 +4,7 @@ description: This topic explains the AppLocker publisher rule condition, what co
ms.assetid: df61ed8f-a97e-4644-9d0a-2169f18c1c4f
ms.reviewer:
ms.author: macapara
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Understanding the publisher rule condition in AppLocker
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
index f051177f0c..72eea2c6c1 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
@@ -1,9 +1,9 @@
---
-title: "Use a reference device to create and maintain AppLocker policies (Windows 10)"
+title: Use a reference device to create and maintain AppLocker policies (Windows 10)
description: This topic for the IT professional describes the steps to create and maintain AppLocker policies by using a reference computer.
ms.assetid: 10c3597f-f44c-4c8e-8fe5-105d4ac016a6
ms.author: macapara
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
ms.reviewer:
+ms.technology: mde
---
# Use a reference device to create and maintain AppLocker policies
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md
index 828934ca43..b6018803fb 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md
@@ -4,7 +4,7 @@ description: This topic for IT professionals describes concepts and procedures t
ms.assetid: 2b7e0cec-df62-49d6-a2b7-6b8e30180943
ms.reviewer:
ms.author: macapara
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 09/21/2017
+ms.technology: mde
---
# Use AppLocker and Software Restriction Policies in the same domain
@@ -69,7 +70,7 @@ The following table compares the features and functions of Software Restriction
@@ -6685,7 +6832,7 @@ Version 6.3.9600
@@ -6707,7 +6854,7 @@ Version 6.3.9600
@@ -6717,7 +6864,7 @@ Version 6.3.9600
@@ -6988,7 +7135,7 @@ Version 6.3.9600
@@ -6998,7 +7145,7 @@ Version 6.3.9600
@@ -7009,7 +7156,7 @@ Version 6.3.9600
@@ -7022,7 +7169,7 @@ Version 6.3.9600
@@ -7032,7 +7179,7 @@ Version 6.3.9600
@@ -7044,7 +7191,7 @@ Version 6.3.9600
@@ -7110,23 +7257,23 @@ Version 6.3.9600
Version 10.0. 15063
Version 10.0. 15063
Version 10.0.14393
+
Version 10.0.14393icrosoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #666
Version 10.0.10586
+
Version 6.3.9600
@@ -7139,11 +7286,11 @@ Version 10.0.15063
Version 10.0.15063
Version 10.0.15063
+
Version 10.0.14393
Version 10.0.14393
+
Version 10.0.10586
Version 10.0.10240
Version 10.0.15063
+
Version 10.0.14393
Version 10.0.14393
@@ -7196,10 +7343,7 @@ fips@microsoft.com
## References
-\[[FIPS 140](http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf)\] - FIPS 140-2, Security Requirements for Cryptographic Modules
-
-\[[FIPS FAQ](http://csrc.nist.gov/groups/stm/cmvp/documents/cmvpfaq.pdf)\] - Cryptographic Module Validation Program (CMVP) FAQ
-
-\[[SP 800-57](http://csrc.nist.gov/publications/pubssps.html#800-57-part1)\] - Recommendation for Key Management – Part 1: General (Revised)
-
-\[[SP 800-131A](http://csrc.nist.gov/publications/nistpubs/800-131a/sp800-131a.pdf)\] - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths
+* [FIPS 140-2, Security Requirements for Cryptographic Modules](http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf))
+* [Cryptographic Module Validation Program (CMVP) FAQ](http://csrc.nist.gov/groups/stm/cmvp/documents/cmvpfaq.pdf)
+* [SP 800-57 - Recommendation for Key Management – Part 1: General (Revised)](https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final)
+* [SP 800-131A - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths](http://csrc.nist.gov/publications/nistpubs/800-131a/sp800-131a.pdf)
diff --git a/windows/security/threat-protection/get-support-for-security-baselines.md b/windows/security/threat-protection/get-support-for-security-baselines.md
index 81f5a796f3..c6c0883e58 100644
--- a/windows/security/threat-protection/get-support-for-security-baselines.md
+++ b/windows/security/threat-protection/get-support-for-security-baselines.md
@@ -2,7 +2,7 @@
title: Get support
description: Frequently asked question about how to get support for Windows baselines, the Security Compliance Toolkit (SCT), and related topics in your organization.
keywords: virtualization, security, malware
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.author: dansimp
@@ -13,6 +13,7 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 06/25/2018
ms.reviewer:
+ms.technology: mde
---
# Get Support
@@ -40,7 +41,7 @@ The toolkit supports formats created by the Windows GPO backup feature (.pol, .i
Not yet. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs and DSC and to validate system configuration. We are currently developing a tool to provide customers with these features.
-**Does SCT support the creation of Microsoft Endpoint Configuration Manager DCM packs?**
+**Does SCT support the creation of Microsoft Endpoint Manager DCM packs?**
No. A potential alternative is Desired State Configuration (DSC), a feature of the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=40855). A tool that supports conversion of GPO backups to DSC format can be found [here](https://github.com/Microsoft/BaselineManagement).
diff --git a/windows/security/threat-protection/images/linux-mdatp-1.png b/windows/security/threat-protection/images/linux-mdatp-1.png
new file mode 100644
index 0000000000..f8c9c07b16
Binary files /dev/null and b/windows/security/threat-protection/images/linux-mdatp-1.png differ
diff --git a/windows/security/threat-protection/images/linux-mdatp.png b/windows/security/threat-protection/images/linux-mdatp.png
new file mode 100644
index 0000000000..f8c9c07b16
Binary files /dev/null and b/windows/security/threat-protection/images/linux-mdatp.png differ
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index b4f683756c..80d1cc5846 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -1,9 +1,9 @@
---
title: Threat Protection (Windows 10)
-description: Microsoft Defender Advanced Threat Protection is a unified platform for preventative protection, post-breach detection, automated investigation, and response.
+description: Microsoft Defender for Endpoint is a unified platform for preventative protection, post-breach detection, automated investigation, and response.
keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, Microsoft Secure Score for Devices, advanced hunting, cyber threat hunting, web threat protection
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -14,30 +14,39 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
+ms.technology: mde
---
# Threat Protection
-[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Microsoft Defender ATP protects endpoints from cyber threats; detects advanced attacks and data breaches, automates security incidents and improves security posture.
->[!TIP]
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+[Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Defender for Endpoint protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture.
+
+**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+
+> [!TIP]
> Enable your users to access cloud services and on-premises applications with ease and enable modern management capabilities for all devices. For more information, see [Secure your remote workforce](https://docs.microsoft.com/enterprise-mobility-security/remote-work/).
-
Version 10.0.15063
Version 10.0.10240
+
Version 6.3.9600Microsoft Defender ATP
Microsoft Defender for Endpoint
@@ -47,38 +56,33 @@ ms.topic: conceptual
>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4obJq]
-**[Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)**
+**[Threat & vulnerability management](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)**
This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
-- [Risk-based Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
-- [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md)
-- [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md)
-- [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)
-- [Microsoft Secure Score for Devices](microsoft-defender-atp/tvm-microsoft-secure-score-devices.md)
-- [Security recommendations](microsoft-defender-atp/tvm-security-recommendation.md)
-- [Remediation](microsoft-defender-atp/tvm-remediation.md)
-- [Software inventory](microsoft-defender-atp/tvm-software-inventory.md)
-- [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md)
-- [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md)
+- [Threat & vulnerability management overview](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
+- [Get started](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/tvm-prerequisites)
+- [Access your security posture](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/tvm-dashboard-insights)
+- [Improve your security posture and reduce risk](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/tvm-security-recommendation)
+- [Understand vulnerabilities on your devices](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/tvm-software-inventory)
-**[Attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md)**
+**[Attack surface reduction](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**
The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation.
-- [Hardware based isolation](microsoft-defender-atp/overview-hardware-based-isolation.md)
+- [Hardware based isolation](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/overview-hardware-based-isolation)
- [Application control](windows-defender-application-control/windows-defender-application-control.md)
- [Device control](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
-- [Exploit protection](microsoft-defender-atp/exploit-protection.md)
-- [Network protection](microsoft-defender-atp/network-protection.md), [web protection](microsoft-defender-atp/web-protection-overview.md)
-- [Controlled folder access](microsoft-defender-atp/controlled-folders.md)
+- [Exploit protection](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/exploit-protection)
+- [Network protection](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/network-protection), [web protection](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/web-protection-overview)
+- [Controlled folder access](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/controlled-folders)
- [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)
-- [Attack surface reduction rules](microsoft-defender-atp/attack-surface-reduction.md)
+- [Attack surface reduction rules](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction)
**[Next-generation protection](microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)**
-To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next-generation protection designed to catch all types of emerging threats.
+To further reinforce the security perimeter of your network, Microsoft Defender for Endpoint uses next-generation protection designed to catch all types of emerging threats.
- [Behavior monitoring](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus)
- [Cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus)
@@ -88,65 +92,59 @@ To further reinforce the security perimeter of your network, Microsoft Defender
-**[Endpoint detection and response](microsoft-defender-atp/overview-endpoint-detection-response.md)**
+**[Endpoint detection and response](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response)**
Endpoint detection and response capabilities are put in place to detect, investigate, and respond to intrusion attempts and active breaches. With Advanced hunting, you have a query-based threat-hunting tool that lets your proactively find breaches and create custom detections.
-- [Alerts](microsoft-defender-atp/alerts-queue.md)
-- [Historical endpoint data](microsoft-defender-atp/investigate-machines.md#timeline)
+- [Alerts](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/alerts-queue)
+- [Historical endpoint data](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/investigate-machines#timeline)
- [Response orchestration](microsoft-defender-atp/response-actions.md)
-- [Forensic collection](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-devices)
-- [Threat intelligence](microsoft-defender-atp/threat-indicator-concepts.md)
-- [Advanced detonation and analysis service](microsoft-defender-atp/respond-file-alerts.md#deep-analysis)
-- [Advanced hunting](microsoft-defender-atp/advanced-hunting-overview.md)
- - [Custom detections](microsoft-defender-atp/overview-custom-detections.md)
+- [Forensic collection](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices)
+- [Threat intelligence](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/threat-indicator-concepts)
+- [Advanced detonation and analysis service](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/respond-file-alerts#deep-analysis)
+- [Advanced hunting](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/advanced-hunting-overview)
+ - [Custom detections](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/overview-custom-detections)
-**[Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)**
-In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
+**[Automated investigation and remediation](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations)**
+In addition to quickly responding to advanced attacks, Microsoft Defender for Endpoint offers automated investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
-- [Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)
-- [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md)
-- [View and approve remediation actions](microsoft-defender-atp/manage-auto-investigation.md)
-
-
-
-**[Microsoft Secure Score for Devices](microsoft-defender-atp/tvm-microsoft-secure-score-devices.md)**
-
-Microsoft Defender ATP includes a Microsoft Secure Score for Devices to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization.
-
-- [Microsoft Secure Score for Devices](microsoft-defender-atp/tvm-microsoft-secure-score-devices.md)
-- [Threat analytics](microsoft-defender-atp/threat-analytics.md)
+- [Get an overview of automated investigation and remediation](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations)
+- [Learn about automation levels](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/automation-levels)
+- [Configure automated investigation and remediation in Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-automated-investigations-remediation)
+- [Visit the Action center to see remediation actions](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/auto-investigation-action-center)
+- [Review remediation actions following an automated investigation](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/manage-auto-investigation)
+- [View the details and results of an automated investigation](microsoft-defender-atp/autoir-investigation-results.md)
-**[Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)**
-Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization and additional context and insights that further empower Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately.
+**[Microsoft Threat Experts](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-threat-experts)**
+Microsoft Defender for Endpoint's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights. Microsoft Threat Experts further empowers Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately.
-- [Targeted attack notification](microsoft-defender-atp/microsoft-threat-experts.md)
-- [Experts-on-demand](microsoft-defender-atp/microsoft-threat-experts.md)
-- [Configure your Microsoft Threat Protection managed hunting service](microsoft-defender-atp/configure-microsoft-threat-experts.md)
+- [Targeted attack notification](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-threat-experts)
+- [Experts-on-demand](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-threat-experts)
+- [Configure your Microsoft 365 Defender managed hunting service](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-microsoft-threat-experts)
-**[Centralized configuration and administration, APIs](microsoft-defender-atp/management-apis.md)**
-Integrate Microsoft Defender Advanced Threat Protection into your existing workflows.
-- [Onboarding](microsoft-defender-atp/onboard-configure.md)
-- [API and SIEM integration](microsoft-defender-atp/configure-siem.md)
-- [Exposed APIs](microsoft-defender-atp/apis-intro.md)
-- [Role-based access control (RBAC)](microsoft-defender-atp/rbac.md)
-- [Reporting and trends](microsoft-defender-atp/threat-protection-reports.md)
+**[Centralized configuration and administration, APIs](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/management-apis)**
+Integrate Microsoft Defender for Endpoint into your existing workflows.
+- [Onboarding](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/onboard-configure)
+- [API and SIEM integration](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/configure-siem)
+- [Exposed APIs](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/apis-intro)
+- [Role-based access control (RBAC)](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/rbac)
+- [Reporting and trends](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/threat-protection-reports)
-**[Integration with Microsoft solutions](microsoft-defender-atp/threat-protection-integration.md)**
- Microsoft Defender ATP directly integrates with various Microsoft solutions, including:
+**[Integration with Microsoft solutions](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/threat-protection-integration)**
+ Microsoft Defender for Endpoint directly integrates with various Microsoft solutions, including:
- Intune
-- Office 365 ATP
-- Azure ATP
-- Azure Security Center
+- Microsoft Defender for Office 365
+- Microsoft Defender for Identity
+- Azure Defender
- Skype for Business
- Microsoft Cloud App Security
-**[Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)**
- With Microsoft Threat Protection, Microsoft Defender ATP and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate and automatically respond to sophisticated attacks.
+**[Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)**
+ With Microsoft 365 Defender, Microsoft Defender for Endpoint and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks.
diff --git a/windows/security/threat-protection/intelligence/TOC.md b/windows/security/threat-protection/intelligence/TOC.md
index 48c382b306..9919f7d8d2 100644
--- a/windows/security/threat-protection/intelligence/TOC.md
+++ b/windows/security/threat-protection/intelligence/TOC.md
@@ -10,7 +10,9 @@
### [Macro malware](macro-malware.md)
-### [Phishing](phishing.md)
+### [Phishing attacks](phishing.md)
+
+#### [Phishing trends and techniques](phishing-trends.md)
### [Ransomware](ransomware-malware.md)
@@ -46,7 +48,7 @@
### [Coordinated malware eradication](coordinated-malware-eradication.md)
-## [Information for developers](developer-info.md)
+## [Information for developers]()
### [Software developer FAQ](developer-faq.md)
diff --git a/windows/security/threat-protection/intelligence/coinminer-malware.md b/windows/security/threat-protection/intelligence/coinminer-malware.md
index 2584ee9200..aa36031971 100644
--- a/windows/security/threat-protection/intelligence/coinminer-malware.md
+++ b/windows/security/threat-protection/intelligence/coinminer-malware.md
@@ -3,7 +3,7 @@ title: Coin miners
ms.reviewer:
description: Learn about coin miners, how they can infect devices, and what you can do to protect yourself.
keywords: security, malware, coin miners, protection, cryptocurrencies
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
@@ -11,9 +11,10 @@ ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
search.appverid: met150
+ms.technology: mde
---
# Coin miners
diff --git a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
index 6a3a933a3f..47e4ffb819 100644
--- a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
+++ b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
@@ -3,7 +3,7 @@ title: Coordinated Malware Eradication
ms.reviewer:
description: The Coordinated Malware Eradication program aims to unite security organizations to disrupt the malware ecosystem.
keywords: security, malware, malware eradication, Microsoft Malware Protection Center, MMPC
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
@@ -11,8 +11,9 @@ ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
+ms.technology: mde
---
# Coordinated Malware Eradication
diff --git a/windows/security/threat-protection/intelligence/criteria.md b/windows/security/threat-protection/intelligence/criteria.md
index 77a3c4e33d..0c75b48120 100644
--- a/windows/security/threat-protection/intelligence/criteria.md
+++ b/windows/security/threat-protection/intelligence/criteria.md
@@ -3,7 +3,7 @@ title: How Microsoft identifies malware and potentially unwanted applications
ms.reviewer:
description: Learn how Microsoft reviews software for privacy violations and other negative behavior, to determine if it's malware or a potentially unwanted application.
keywords: security, malware, virus research threats, research malware, device protection, computer infection, virus infection, descriptions, remediation, latest threats, MMdevice, Microsoft Malware Protection Center, PUA, potentially unwanted applications
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
@@ -11,9 +11,10 @@ ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
search.appverid: met150
+ms.technology: mde
---
# How Microsoft identifies malware and potentially unwanted applications
@@ -171,7 +172,7 @@ Microsoft uses specific categories and the category definitions to classify soft
* **Advertising software:** Software that displays advertisements or promotions, or prompts you to complete surveys for other products or services in software other than itself. This includes software that inserts advertisements to webpages.
-* **Torrent software:** Software that is used to create or download torrents or other files specifically used with peer-to-peer file-sharing technologies.
+* **Torrent software (Enterprise only):** Software that is used to create or download torrents or other files specifically used with peer-to-peer file-sharing technologies.
* **Cryptomining software:** Software that uses your device resources to mine cryptocurrencies.
diff --git a/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md b/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md
index 3cb57c45ef..fec4892d00 100644
--- a/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md
+++ b/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md
@@ -3,7 +3,7 @@ title: Industry collaboration programs
ms.reviewer:
description: Microsoft industry-wide antimalware collaboration programs - Virus Information Alliance (VIA), Microsoft Virus Initiative (MVI), and Coordinated Malware Eradication (CME)
keywords: security, malware, antivirus industry, antimalware Industry, collaboration programs, alliances, Virus Information Alliance, Microsoft Virus Initiative, Coordinated Malware Eradication, WDSI, MMPC, Microsoft Malware Protection Center, partnerships
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
@@ -11,8 +11,9 @@ ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: conceptual
+ms.technology: mde
---
# Industry collaboration programs
diff --git a/windows/security/threat-protection/intelligence/developer-faq.md b/windows/security/threat-protection/intelligence/developer-faq.md
index 06734edb7a..5f91ef4a1f 100644
--- a/windows/security/threat-protection/intelligence/developer-faq.md
+++ b/windows/security/threat-protection/intelligence/developer-faq.md
@@ -4,7 +4,7 @@ ms.reviewer:
description: This page provides answers to common questions we receive from software developers
keywords: wdsi, software, developer, faq, dispute, false-positive, classify, installer, software, bundler, blocking
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -13,8 +13,9 @@ author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
+ms.technology: mde
---
# Software developer FAQ
diff --git a/windows/security/threat-protection/intelligence/developer-info.md b/windows/security/threat-protection/intelligence/developer-info.md
deleted file mode 100644
index eb0ac99896..0000000000
--- a/windows/security/threat-protection/intelligence/developer-info.md
+++ /dev/null
@@ -1,29 +0,0 @@
----
-title: Information for developers
-ms.reviewer:
-description: This page provides answers to common questions we receive from software developers and other useful resources
-keywords: software, developer, faq, dispute, false-positive, classify, installer, software, bundler, blocking
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Information for developers
-
-Learn about the common questions we receive from software developers and get other developer resources such as detection criteria and file submissions.
-
-## In this section
-
-Topic | Description
-:---|:---
-[Software developer FAQ](developer-faq.md) | Provides answers to common questions we receive from software developers.
-[Developer resources](developer-resources.md) | Provides information about how to submit files and the detection criteria. Learn how to check your software against the latest security intelligence and cloud protection from Microsoft.
diff --git a/windows/security/threat-protection/intelligence/developer-resources.md b/windows/security/threat-protection/intelligence/developer-resources.md
index b413cea906..9c99065431 100644
--- a/windows/security/threat-protection/intelligence/developer-resources.md
+++ b/windows/security/threat-protection/intelligence/developer-resources.md
@@ -4,7 +4,7 @@ ms.reviewer:
description: This page provides information for developers such as detection criteria, developer questions, and how to check your software against Security intelligence.
keywords: wdsi, software, developer, resources, detection, criteria, questions, scan, software, definitions, cloud, protection, security intelligence
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
@@ -13,8 +13,9 @@ ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
+ms.technology: mde
---
# Software developer resources
diff --git a/windows/security/threat-protection/intelligence/exploits-malware.md b/windows/security/threat-protection/intelligence/exploits-malware.md
index c7b63fd5fd..c7a418d55c 100644
--- a/windows/security/threat-protection/intelligence/exploits-malware.md
+++ b/windows/security/threat-protection/intelligence/exploits-malware.md
@@ -3,7 +3,7 @@ title: Exploits and exploit kits
ms.reviewer:
description: Learn about how exploits use vulnerabilities in common software to give attackers access to your computer and install other malware.
keywords: security, malware, exploits, exploit kits, prevention, vulnerabilities, Microsoft, Exploit malware family, exploits, java, flash, adobe, update software, prevent exploits, exploit pack, vulnerability, 0-day, holes, weaknesses, attack, Flash, Adobe, out-of-date software, out of date software, update, update software, reinfection, Java cache, reinfected, won't remove, won't clean, still detects, full scan, MSE, Defender, WDSI, MMPC, Microsoft Malware Protection Center
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
@@ -11,9 +11,10 @@ ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
search.appverid: met150
+ms.technology: mde
---
# Exploits and exploit kits
@@ -37,11 +38,11 @@ Several notable threats, including Wannacry, exploit the Server Message Block (S
Examples of exploit kits:
-- Angler / [Axpergle](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=JS%2fAxpergle)
+- Angler / [Axpergle](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=JS/Axpergle)
-- [Neutrino](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=JS%2fNeutrino)
+- [Neutrino](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=JS/NeutrinoEK)
-- [Nuclear](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Exploit:JS/Neclu)
+- [Nuclear](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=JS/Neclu)
To learn more about exploits, read this blog post on [taking apart a double zero-day sample discovered in joint hunt with ESET.](https://cloudblogs.microsoft.com/microsoftsecure/2018/07/02/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset/)
diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md
index a5f4583231..a120169e13 100644
--- a/windows/security/threat-protection/intelligence/fileless-threats.md
+++ b/windows/security/threat-protection/intelligence/fileless-threats.md
@@ -1,9 +1,9 @@
---
title: Fileless threats
ms.reviewer:
-description: Learn about the categories of fileless threats and malware that "live off the land"
+description: Learn about the categories of fileless threats and malware that live off the land
keywords: fileless, fileless malware, living off the land, lolbins, amsi, behavior monitoring, memory scanning, boot sector protection, security, malware, Windows Defender ATP, antivirus, AV, Microsoft Defender ATP, next-generation protection
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
@@ -11,9 +11,10 @@ ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
search.appverid: met150
+ms.technology: mde
---
# Fileless threats
@@ -98,6 +99,6 @@ Besides being vulnerable at the firmware level, CPUs could be manufactured with
## Defeating fileless malware
-At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions to mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Microsoft Defender Advanced Threat Protection [(Microsoft Defender ATP)](https://www.microsoft.com/windowsforbusiness?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats.
+At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions to mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Microsoft Defender for Endpoint](https://www.microsoft.com/windowsforbusiness?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats.
To learn more, read: [Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/)
diff --git a/windows/security/threat-protection/intelligence/index.md b/windows/security/threat-protection/intelligence/index.md
index 1814307aac..819ce7f08a 100644
--- a/windows/security/threat-protection/intelligence/index.md
+++ b/windows/security/threat-protection/intelligence/index.md
@@ -2,7 +2,7 @@
title: Security intelligence
description: Learn about different types of malware, safety tips on how you can protect your organization, and resources for industry collaboration programs.
keywords: security, malware
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
@@ -10,8 +10,9 @@ ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: conceptual
+ms.technology: mde
---
# Security intelligence
diff --git a/windows/security/threat-protection/intelligence/macro-malware.md b/windows/security/threat-protection/intelligence/macro-malware.md
index b6f4a2b873..6faec90f87 100644
--- a/windows/security/threat-protection/intelligence/macro-malware.md
+++ b/windows/security/threat-protection/intelligence/macro-malware.md
@@ -3,7 +3,7 @@ title: Macro malware
ms.reviewer:
description: Learn about macro viruses and malware, which are embedded in documents and are used to drop malicious payloads and distribute other threats.
keywords: security, malware, macro, protection, WDSI, MMPC, Microsoft Malware Protection Center, macro virus, macro malware, documents, viruses in Office, viruses in Word
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
@@ -11,9 +11,10 @@ ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
search.appverid: met150
+ms.technology: mde
---
# Macro malware
@@ -43,8 +44,8 @@ We've seen macro malware download threats from the following families:
* Delete any emails from unknown people or with suspicious content. Spam emails are the main way macro malware spreads.
-* Enterprises can prevent macro malware from running executable content using [ASR rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#enable-and-audit-attack-surface-reduction-rules)
+* Enterprises can prevent macro malware from running executable content using [ASR rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
-For more tips on protecting yourself from suspicious emails, see [phishing](phishing.md).
+For more tips on protecting yourself from suspicious emails, see [phishing](phishing.md).
-For more general tips, see [prevent malware infection](prevent-malware-infection.md).
+For more general tips, see [prevent malware infection](prevent-malware-infection.md).
diff --git a/windows/security/threat-protection/intelligence/malware-naming.md b/windows/security/threat-protection/intelligence/malware-naming.md
index d920870809..abd3753a03 100644
--- a/windows/security/threat-protection/intelligence/malware-naming.md
+++ b/windows/security/threat-protection/intelligence/malware-naming.md
@@ -3,7 +3,7 @@ title: Malware names
ms.reviewer:
description: Understand the malware naming convention used by Microsoft Defender Antivirus and other Microsoft antimalware.
keywords: security, malware, names, Microsoft, MMPC, Microsoft Malware Protection Center, WDSI, malware name, malware prefix, malware type, virus name
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
@@ -11,9 +11,10 @@ ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
search.appverid: met150
+ms.technology: mde
---
# Malware names
diff --git a/windows/security/threat-protection/intelligence/phishing-trends.md b/windows/security/threat-protection/intelligence/phishing-trends.md
new file mode 100644
index 0000000000..d8cd025a74
--- /dev/null
+++ b/windows/security/threat-protection/intelligence/phishing-trends.md
@@ -0,0 +1,70 @@
+---
+title: Phishing trends and techniques
+ms.reviewer:
+description: Learn about how to spot phishing techniques
+keywords: security, malware, phishing, information, scam, social engineering, bait, lure, protection, trends, targeted attack, spear phishing, whaling
+ms.prod: m365-security
+ms.mktglfcycl: secure
+ms.sitesec: library
+ms.localizationpriority: medium
+ms.author: ellevin
+author: levinec
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+search.appverid: met150
+ms.technology: mde
+---
+
+# Phishing trends and techniques
+
+Phishing attacks are scams that often use social engineering bait or lure content. Legitimate-looking communication, usually email, that links to a phishing site is one of the most common methods used in phishing attacks. The phishing site typically mimics sign in pages that require users to input credentials and account information. The phishing site then captures the sensitive information as soon as the user provides it, giving attackers access to the information.
+
+Below are some of the most common phishing techniques attackers will employ to try to steal information or gain access to your devices.
+
+## Invoice phishing
+
+In this scam, the attacker attempts to lure you with an email stating that you have an outstanding invoice from a known vendor or company. They then provide a link for you to access and pay your invoice. When you access the site, the attacker is poised to steal your personal information and funds.
+
+## Payment/delivery scam
+
+You're asked to provide a credit card or other personal information so that your payment information can be updated with a commonly known vendor or supplier. The update is requested so that you can take delivery of your ordered goods. Generally, you may be familiar with the company and have likely done business with them in the past. However, you aren't aware of any items you have recently purchased from them.
+
+## Tax-themed phishing scams
+
+A common IRS phishing scam is receiving an urgent email letter indicating that you owe money to the IRS. Often the email threatens legal action if you don't access the site in a timely manner and pay your taxes. When you access the site, the attackers can steal your personal credit card or bank information and drain your accounts.
+
+## Downloads
+
+An attacker sends a fraudulent email requesting you to open or download a document attachment, such as a PDF. The attachment often contains a message asking you to sign in to another site, such as email or file sharing websites, to open the document. When you access these phishing sites using your sign-in credentials, the attacker now has access to your information and can gain additional personal information about you.
+
+## Phishing emails that deliver other threats
+
+Phishing emails are often effective, so attackers sometimes use them to distribute [ransomware](ransomware-malware.md) through links or attachments in emails. When run, the ransomware encrypts files and displays a ransom note, which asks you to pay a sum of money to access to your files.
+
+We have also seen phishing emails that have links to [tech support scam](support-scams.md) websites. These websites use various scare tactics to trick you into calling hotlines and paying for unnecessary "technical support services" that supposedly fix contrived device, platform, or software problems.
+
+## Spear phishing
+
+Spear phishing is a targeted phishing attack that involves highly customized lure content. Attackers will typically do reconnaissance work by surveying social media and other information sources about their intended target.
+
+Spear phishing may involve tricking you into logging into fake sites and divulging credentials. I may also lure you into opening documents by clicking on links that automatically install malware. With this malware in place, attackers can remotely manipulate the infected computer.
+
+The implanted malware serves as the point of entry for a more sophisticated attack, known as an advanced persistent threat (APT). APTs are designed to establish control and steal data over extended periods. Attackers may try to deploy more covert hacking tools, move laterally to other computers, compromise or create privileged accounts, and regularly exfiltrate information from compromised networks.
+
+## Whaling
+
+Whaling is a form of phishing directed at high-level or senior executives within specific companies to gain access to their credentials and/or bank information. The content of the email may be written as a legal subpoena, customer complaint, or other executive issue. This type of attack can also lead to an APT attack within an organization.
+
+## Business email compromise
+
+Business email compromise (BEC) is a sophisticated scam that targets businesses who frequently work with foreign suppliers or do money wire transfers. One of the most common schemes used by BEC attackers involves gaining access to a company’s network through a spear phishing attack. The attacker creates a domain similar to the company they're targeting, or spoofs their email to scam users into releasing personal account information for money transfers.
+
+## More information about phishing attacks
+
+For information on the latest phishing attacks, techniques, and trends, you can read these entries on the [Microsoft Security blog](https://www.microsoft.com/security/blog/product/windows/):
+
+- [Phishers unleash simple but effective social engineering techniques using PDF attachments](https://cloudblogs.microsoft.com/microsoftsecure/2017/01/26/phishers-unleash-simple-but-effective-social-engineering-techniques-using-pdf-attachments/?source=mmpc)
+- [Tax themed phishing and malware attacks proliferate during the tax filing season](https://cloudblogs.microsoft.com/microsoftsecure/2017/03/20/tax-themed-phishing-and-malware-attacks-proliferate-during-the-tax-filing-season/?source=mmpc)
+- [Phishing like emails lead to tech support scam](https://cloudblogs.microsoft.com/microsoftsecure/2017/08/07/links-in-phishing-like-emails-lead-to-tech-support-scam/?source=mmpc)
diff --git a/windows/security/threat-protection/intelligence/phishing.md b/windows/security/threat-protection/intelligence/phishing.md
index cfc9140745..20bf7cc3fd 100644
--- a/windows/security/threat-protection/intelligence/phishing.md
+++ b/windows/security/threat-protection/intelligence/phishing.md
@@ -1,9 +1,9 @@
---
-title: Phishing
+title: How to protect against phishing attacks
ms.reviewer:
description: Learn about how phishing work, deliver malware do your devices, and what you can do to protect yourself
keywords: security, malware, phishing, information, scam, social engineering, bait, lure, protection, trends, targeted attack
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
@@ -11,103 +11,21 @@ ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
search.appverid: met150
+ms.technology: mde
---
-# Phishing
+# How to protect against phishing attacks
Phishing attacks attempt to steal sensitive information through emails, websites, text messages, or other forms of electronic communication. They try to look like official communication from legitimate companies or individuals.
Cybercriminals often attempt to steal usernames, passwords, credit card details, bank account information, or other credentials. They use stolen information for malicious purposes, such as hacking, identity theft, or stealing money directly from bank accounts and credit cards. The information can also be sold in cybercriminal underground markets.
-## What to do if you've been a victim of a phishing scam
-
-If you feel you've been a victim of a phishing attack:
-
-1. Contact your IT admin if you are on a work computer.
-2. Immediately change all passwords associated with the accounts.
-3. Report any fraudulent activity to your bank and credit card company.
-
-### Reporting spam
-
-- **Outlook.com**: If you receive a suspicious email message that asks for personal information, select the check box next to the message in your Outlook inbox. Select the arrow next to **Junk**, and then select **Phishing**.
-
-- **Microsoft Office Outlook**: While in the suspicious message, select **Report message** from the ribbon, and then select **Phishing**.
-
-- **Microsoft**: Create a new, blank email message with the one of the following recipients:
- - Junk: junk@office365.microsoft.com
- - Phishing: phish@office365.microsoft.com
-
- Drag and drop the junk or phishing message into the new message. This will save the junk or phishing message as an attachment in the new message. Don't copy and paste the content of the message or forward the message (we need the original message so we can inspect the message headers). For more information, see [Submit spam, non-spam, and phishing scam messages to Microsoft for analysis](https://docs.microsoft.com/office365/SecurityCompliance/submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis).
-
-- **Anti-Phishing Working Group**: phishing-report@us-cert.gov. The group uses reports generated from emails sent to fight phishing scams and hackers. ISPs, security vendors, financial institutions, and law enforcement agencies are involved.
-
-If you’re on a suspicious website:
-
-- **Microsoft Edge**: While you’re on a suspicious site, select the **More (…) icon** > **Help and feedback** > **Report Unsafe site**. Follow the instructions on the webpage that displays to report the website.
-
-- **Internet Explorer**: While you’re on a suspicious site, select the gear icon, point to **Safety**, and then select **Report Unsafe Website**. Follow the instructions on the webpage that displays to report the website.
-
->[!NOTE]
->For more information, see [Protect yourself from phishing](https://support.microsoft.com/en-us/help/4033787/windows-protect-yourself-from-phishing).
-
-## How phishing works
-
-Phishing attacks are scams that often use social engineering bait or lure content. For example, during tax season bait content can be tax-filing announcements that attempt to lure you into providing personal information such as your SSN or bank account information.
-
-Legitimate-looking communication, usually email, that links to a phishing site is one of the most common methods used in phishing attacks. The phishing site typically mimics sign in pages that require users to input credentials and account information. The phishing site then captures the sensitive information as soon as the user provides it, giving attackers access to the information.
-
-Another common phishing technique is the use of emails that direct you to open a malicious attachment like a PDF file. The attachment often contains a message asking you to sign in to another site, such as email or file sharing websites, to open the document. When you access these phishing sites using your sign-in credentials, the attacker now has access to your information and can gain additional personal information about you.
-
-## Phishing trends and techniques
-
-### Invoice phishing
-
-In this scam, the attacker attempts to lure you with an email stating that you have an outstanding invoice from a known vendor or company. They then provide a link for you to access and pay your invoice. When you access the site, the attacker is poised to steal your personal information and funds.
-
-### Payment/delivery scam
-
-You're asked to provide a credit card or other personal information so that your payment information can be updated with a commonly known vendor or supplier. The update is requested so that you can take delivery of your ordered goods. Generally, you may be familiar with the company and have likely done business with them in the past. However, you aren't aware of any items you have recently purchased from them.
-
-### Tax-themed phishing scams
-
-A common IRS phishing scam is receiving an urgent email letter indicating that you owe money to the IRS. Often the email threatens legal action if you don't access the site in a timely manner and pay your taxes. When you access the site, the attackers can steal your personal credit card or bank information and drain your accounts.
-
-### Downloads
-
-An attacker sends a fraudulent email requesting you to open or download a document, often requiring you to sign in.
-
-### Phishing emails that deliver other threats
-
-Phishing emails are often very effective, so attackers sometimes use them to distribute [ransomware](ransomware-malware.md) through links or attachments in emails. When run, the ransomware encrypts files and displays a ransom note, which asks you to pay a sum of money to access to your files.
-
-We have also seen phishing emails that have links to [tech support scam](support-scams.md) websites. These websites use various scare tactics to trick you into calling hotlines and paying for unnecessary "technical support services" that supposedly fix contrived device, platform, or software problems.
-
-## Targeted attacks against enterprises
-
-### Spear phishing
-
-Spear phishing is a targeted phishing attack that involves highly customized lure content. Attackers will typically do reconnaissance work by surveying social media and other information sources about their intended target.
-
-Spear phishing may involve tricking you into logging into fake sites and divulging credentials. I may also lure you into opening documents by clicking on links that automatically install malware. With this malware in place, attackers can remotely manipulate the infected computer.
-
-The implanted malware serves as the point of entry for a more sophisticated attack, known as an advanced persistent threat (APT). APTs are designed to establish control and steal data over extended periods. Attackers may try to deploy more covert hacking tools, move laterally to other computers, compromise or create privileged accounts, and regularly exfiltrate information from compromised networks.
-
-### Whaling
-
-Whaling is a form of phishing directed at high-level or senior executives within specific companies to gain access to their credentials and/or bank information. The content of the email may be written as a legal subpoena, customer complaint, or other executive issue. This type of attack can also lead to an APT attack within an organization.
-
-### Business email compromise
-
-Business email compromise (BEC) is a sophisticated scam that targets businesses who frequently work with foreign suppliers or do money wire transfers. One of the most common schemes used by BEC attackers involves gaining access to a company’s network through a spear phishing attack. The attacker creates a domain similar to the company they're targeting, or spoofs their email to scam users into releasing personal account information for money transfers.
-
-## How to protect against phishing attacks
-
Social engineering attacks are designed to take advantage of a user's possible lapse in decision-making. Be aware and never provide sensitive or personal information through email or unknown websites, or over the phone. Remember, phishing emails are designed to appear legitimate.
-### Awareness
+## Learn the signs of a phishing scam
The best protection is awareness and education. Don’t open attachments or links in unsolicited emails, even if the emails came from a recognized source. If the email is unexpected, be wary about opening the attachment and verify the URL.
@@ -141,24 +59,44 @@ Here are several telltale signs of a phishing scam:
If in doubt, contact the business by known channels to verify if any suspicious emails are in fact legitimate.
-For more information, download and read this Microsoft [e-book on preventing social engineering attacks](https://info.microsoft.com/Protectyourweakestlink.html?ls=social), especially in enterprise environments.
-
-### Software solutions for organizations
+## Software solutions for organizations
* [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) and [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) offer protection from the increasing threat of targeted attacks using Microsoft's industry-leading Hyper-V virtualization technology. If a browsed website is deemed untrusted, the Hyper-V container will isolate that device from the rest of your network thereby preventing access to your enterprise data.
* [Microsoft Exchange Online Protection (EOP)](https://products.office.com/exchange/exchange-email-security-spam-protection) offers enterprise-class reliability and protection against spam and malware, while maintaining access to email during and after emergencies. Using various layers of filtering, EOP can provide different controls for spam filtering, such as bulk mail controls and international spam, that will further enhance your protection services.
-* Use [Office 365 Advanced Threat Protection (ATP)](https://products.office.com/exchange/online-email-threat-protection?ocid=cx-blog-mmpc) to help protect your email, files, and online storage against malware. It offers holistic protection in Microsoft Teams, Word, Excel, PowerPoint, Visio, SharePoint Online, and OneDrive for Business. By protecting against unsafe attachments and expanding protection against malicious links, it complements the security features of Exchange Online Protection to provide better zero-day protection.
+* Use [Microsoft Defender for Office 365](https://products.office.com/exchange/online-email-threat-protection?ocid=cx-blog-mmpc) to help protect your email, files, and online storage against malware. It offers holistic protection in Microsoft Teams, Word, Excel, PowerPoint, Visio, SharePoint Online, and OneDrive for Business. By protecting against unsafe attachments and expanding protection against malicious links, it complements the security features of Exchange Online Protection to provide better zero-day protection.
-For more tips and software solutions, see [prevent malware infection](prevent-malware-infection.md).
+## What to do if you've been a victim of a phishing scam
+
+If you feel you've been a victim of a phishing attack:
+
+1. Contact your IT admin if you are on a work computer
+2. Immediately change all passwords associated with the accounts
+3. Report any fraudulent activity to your bank and credit card company
+
+### Reporting spam
+
+- **Outlook.com**: If you receive a suspicious email message that asks for personal information, select the check box next to the message in your Outlook inbox. Select the arrow next to **Junk**, and then select **Phishing**.
+
+- **Microsoft Office Outlook**: While in the suspicious message, select **Report message** from the ribbon, and then select **Phishing**.
+
+- **Microsoft**: Create a new, blank email message with the one of the following recipients:
+ - Junk: junk@office365.microsoft.com
+ - Phishing: phish@office365.microsoft.com
+
+ Drag and drop the junk or phishing message into the new message. This will save the junk or phishing message as an attachment in the new message. Don't copy and paste the content of the message or forward the message (we need the original message so we can inspect the message headers). For more information, see [Submit spam, non-spam, and phishing scam messages to Microsoft for analysis](https://docs.microsoft.com/office365/SecurityCompliance/submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis).
+
+- **Anti-Phishing Working Group**: phishing-report@us-cert.gov. The group uses reports generated from emails sent to fight phishing scams and hackers. ISPs, security vendors, financial institutions, and law enforcement agencies are involved.
+
+### If you’re on a suspicious website
+
+- **Microsoft Edge**: While you’re on a suspicious site, select the **More (…) icon** > **Help and feedback** > **Report Unsafe site**. Follow the instructions on the webpage that displays to report the website.
+
+- **Internet Explorer**: While you’re on a suspicious site, select the gear icon, point to **Safety**, and then select **Report Unsafe Website**. Follow the instructions on the webpage that displays to report the website.
## More information about phishing attacks
-For information on the latest phishing attacks, techniques, and trends, you can read these entries on the [Microsoft Security blog](https://www.microsoft.com/security/blog/product/windows/):
-
-* [Phishers unleash simple but effective social engineering techniques using PDF attachments](https://cloudblogs.microsoft.com/microsoftsecure/2017/01/26/phishers-unleash-simple-but-effective-social-engineering-techniques-using-pdf-attachments/?source=mmpc)
-
-* [Tax themed phishing and malware attacks proliferate during the tax filing season](https://cloudblogs.microsoft.com/microsoftsecure/2017/03/20/tax-themed-phishing-and-malware-attacks-proliferate-during-the-tax-filing-season/?source=mmpc)
-
-* [Phishing like emails lead to tech support scam](https://cloudblogs.microsoft.com/microsoftsecure/2017/08/07/links-in-phishing-like-emails-lead-to-tech-support-scam/?source=mmpc)
+- [Protect yourself from phishing](https://support.microsoft.com/help/4033787/windows-protect-yourself-from-phishing)
+- [Phishing trends](phishing-trends.md)
+- [Microsoft e-book on preventing social engineering attacks](https://info.microsoft.com/Protectyourweakestlink.html?ls=social), especially in enterprise environments.
diff --git a/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md b/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md
index df44f6142a..e84f8e37a8 100644
--- a/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md
+++ b/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md
@@ -3,7 +3,7 @@ title: Troubleshoot MSI portal errors caused by admin block
description: Troubleshoot MSI portal errors
ms.reviewer:
keywords: security, sample submission help, malware file, virus file, trojan file, submit, send to Microsoft, submit a sample, virus, trojan, worm, undetected, doesn’t detect, email microsoft, email malware, I think this is malware, I think it's a virus, where can I send a virus, is this a virus, MSE, doesn’t detect, no signature, no detection, suspect file, MMPC, Microsoft Malware Protection Center, researchers, analyst, WDSI, security intelligence
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
@@ -11,28 +11,29 @@ ms.author: dansimp
author: dansimp
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
search.appverid: met150
+ms.technology: mde
---
# Troubleshooting malware submission errors caused by administrator block
-In some instances, an administrator block might cause submission issues when you try to submit a potentially infected file to the [Microsoft Security intelligence website](https://www.microsoft.com/wdsi) for analysis. The following process shows how to resolve this.
+In some instances, an administrator block might cause submission issues when you try to submit a potentially infected file to the [Microsoft Security intelligence website](https://www.microsoft.com/wdsi) for analysis. The following process shows how to resolve this problem.
## Review your settings
Open your Azure [Enterprise application settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/). Under **Enterprise Applications** > **Users can consent to apps accessing company data on their behalf**, check whether Yes or No is selected.
-- If this is set to **No**, an AAD administrator for the customer tenant will need to provide consent for the organization. Depending on the configuration with AAD, users might be able to submit a request right from the same dialog box. If there’s no option to ask for admin consent, users need to request for these permissions to be added to their AAD admin. Go to the following section for more information.
+- If **No** is selected, an Azure AD administrator for the customer tenant will need to provide consent for the organization. Depending on the configuration with Azure AD, users might be able to submit a request right from the same dialog box. If there’s no option to ask for admin consent, users need to request for these permissions to be added to their Azure AD admin. Go to the following section for more information.
-- It this is set to **Yes**, ensure the Windows Defender Security Intelligence app setting **Enabled for users to sign-in?** is set to **Yes** [in Azure](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d). If this is set to **No** you'll need to request an AAD admin enable it.
+- If **Yes** is selected, ensure the Windows Defender Security Intelligence app setting **Enabled for users to sign in?** is set to **Yes** [in Azure](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d). If **No** is selected, you'll need to request an Azure AD admin enable it.
## Implement Required Enterprise Application permissions
This process requires a global or application admin in the tenant.
1. Open [Enterprise Application settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Permissions/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d).
- 2. Click **Grant admin consent for organization**.
- 3. If you're able to do so, Review the API permissions required for this application. This should be exactly the same as in the following image. Provide consent for the tenant.
+ 2. Select **Grant admin consent for organization**.
+ 3. If you're able to do so, review the API permissions required for this application, as the following image shows. Provide consent for the tenant.
- 
+ 
4. If the administrator receives an error while attempting to provide consent manually, try either [Option 1](#option-1-approve-enterprise-application-permissions-by-user-request) or [Option 2](#option-2-provide-admin-consent-by-authenticating-the-application-as-an-admin) as possible workarounds.
@@ -59,15 +60,15 @@ This process requires that global admins go through the Enterprise customer sign
-Then, admins review the permissions and make sure to select **Consent on behalf of your organization**, and click **Accept**.
+Then, admins review the permissions and make sure to select **Consent on behalf of your organization**, and then select **Accept**.
All users in the tenant will now be able to use this application.
-## Option 3: Delete and re-add app permissions
+## Option 3: Delete and readd app permissions
If neither of these options resolve the issue, try the following steps (as an admin):
1. Remove previous configurations for the application. Go to [Enterprise applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/982e94b2-fea9-4d1f-9fca-318cda92f90b)
-and click **delete**.
+and select **delete**.
@@ -78,7 +79,7 @@ and click **delete**.
-4. Review the permissions required by the application, and then click **Accept**.
+4. Review the permissions required by the application, and then select **Accept**.
5. Confirm the permissions are applied in the [Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Permissions/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/ce60a464-5fca-4819-8423-bcb46796b051).
diff --git a/windows/security/threat-protection/intelligence/prevent-malware-infection.md b/windows/security/threat-protection/intelligence/prevent-malware-infection.md
index 3313e1d680..03eb9157aa 100644
--- a/windows/security/threat-protection/intelligence/prevent-malware-infection.md
+++ b/windows/security/threat-protection/intelligence/prevent-malware-infection.md
@@ -3,7 +3,7 @@ title: Prevent malware infection
ms.reviewer:
description: Learn steps you can take to help prevent a malware or potentially unwanted software from infecting your computer.
keywords: security, malware, prevention, infection, tips, Microsoft, MMPC, Microsoft Malware Protection Center, virus, trojan, worm, stop, prevent, full scan, infection, avoid malware, avoid trojan, avoid virus, infection, how, detection, security software, antivirus, updates, how malware works, how virus works, firewall, turn on, user privileges, limit, prevention, WDSI, MMPC, Microsoft Malware Protection Center
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
@@ -11,9 +11,10 @@ ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
search.appverid: met150
+ms.technology: mde
---
# Prevent malware infection
@@ -93,7 +94,7 @@ Microsoft provides comprehensive security capabilities that help protect against
* [Automatic Microsoft updates](https://support.microsoft.com/help/12373/windows-update-faq) keeps software up to date to get the latest protections.
-* [Controlled folder access](../microsoft-defender-atp/enable-controlled-folders.md) stops ransomware in its tracks by preventing unauthorized access to your important files. Controlled folder access locks down folders, allowing only authorized apps to access files. Unauthorized apps, including ransomware and other malicious executable files, DLLs, and scripts are denied access.
+* [Controlled folder access](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/enable-controlled-folders) stops ransomware in its tracks by preventing unauthorized access to your important files. Controlled folder access locks down folders, allowing only authorized apps to access files. Unauthorized apps, including ransomware and other malicious executable files, DLLs, and scripts are denied access.
* [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) browser protects against threats such as ransomware by preventing exploit kits from running. By using [Windows Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/index), Microsoft Edge blocks access to malicious websites.
@@ -103,11 +104,11 @@ Microsoft provides comprehensive security capabilities that help protect against
* [Microsoft 365](https://docs.microsoft.com/microsoft-365/enterprise/) includes Office 365, Windows 10, and Enterprise Mobility + Security. These resources power productivity while providing intelligent security across users, devices, and data.
-* [Office 365 Advanced Threat Protection](https://docs.microsoft.com/office365/servicedescriptions/office-365-advanced-threat-protection-service-description) includes machine learning capabilities that block dangerous emails, including millions of emails carrying ransomware downloaders.
+* [Microsoft Defender for Office 365](https://docs.microsoft.com/office365/servicedescriptions/office-365-advanced-threat-protection-service-description) includes machine learning capabilities that block dangerous emails, including millions of emails carrying ransomware downloaders.
* [OneDrive for Business](https://support.office.com/article/restore-a-previous-version-of-a-file-in-onedrive-159cad6d-d76e-4981-88ef-de6e96c93893?ui=en-US&rs=en-US&ad=US) can back up files, which you would then use to restore files in the event of an infection.
-* [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) provides comprehensive endpoint protection, detection, and response capabilities to help prevent ransomware. In the event of a breach, Microsoft Defender ATP alerts security operations teams about suspicious activities and automatically attempts to resolve the problem. This includes alerts for suspicious PowerShell commands, connecting to a TOR website, launching self-replicated copies, and deletion of volume shadow copies. Try Microsoft Defender ATP free of charge.
+* [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) provides comprehensive endpoint protection, detection, and response capabilities to help prevent ransomware. In the event of a breach, Microsoft Defender for Endpoint alerts security operations teams about suspicious activities and automatically attempts to resolve the problem. This includes alerts for suspicious PowerShell commands, connecting to a TOR website, launching self-replicated copies, and deletion of volume shadow copies. Try Microsoft Defender for Endpoint free of charge.
* [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification) replaces passwords with strong two-factor authentication on your devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. It lets user authenticate to an Active Directory or Azure Active Directory account.
@@ -117,6 +118,6 @@ Microsoft provides comprehensive security capabilities that help protect against
## What to do with a malware infection
-Microsoft Defender ATP antivirus capabilities help reduce the chances of infection and will automatically remove threats that it detects.
+Microsoft Defender for Endpoint antivirus capabilities help reduce the chances of infection and will automatically remove threats that it detects.
In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://support.microsoft.com/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware).
diff --git a/windows/security/threat-protection/intelligence/ransomware-malware.md b/windows/security/threat-protection/intelligence/ransomware-malware.md
index 2936cf36c4..77e6f67c32 100644
--- a/windows/security/threat-protection/intelligence/ransomware-malware.md
+++ b/windows/security/threat-protection/intelligence/ransomware-malware.md
@@ -3,7 +3,7 @@ title: Ransomware
ms.reviewer:
description: Learn how to protect your computer and network from ransomware attacks, which can stop you from accessing your files.
keywords: security, malware, ransomware, encryption, extortion, money, key, infection, prevention, tips, WDSI, MMPC, Microsoft Malware Protection Center, ransomware-as-a-service, ransom, ransomware downloader, protection, prevention, solution, exploit kits, backup, Cerber, Locky, WannaCry, WannaCrypt, Petya, Spora
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
@@ -11,9 +11,10 @@ ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
search.appverid: met150
+ms.technology: mde
---
# Ransomware
@@ -61,6 +62,6 @@ We recommend:
* Educate your employees so they can identify social engineering and spear-phishing attacks.
-* [Controlled folder access](../microsoft-defender-atp/controlled-folders.md). It can stop ransomware from encrypting files and holding the files for ransom.
+* [Controlled folder access](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/controlled-folders). It can stop ransomware from encrypting files and holding the files for ransom.
For more general tips, see [prevent malware infection](prevent-malware-infection.md).
diff --git a/windows/security/threat-protection/intelligence/rootkits-malware.md b/windows/security/threat-protection/intelligence/rootkits-malware.md
index f5ea7e21b2..ab4fa996bd 100644
--- a/windows/security/threat-protection/intelligence/rootkits-malware.md
+++ b/windows/security/threat-protection/intelligence/rootkits-malware.md
@@ -3,7 +3,7 @@ title: Rootkits
ms.reviewer:
description: Rootkits may be used by malware authors to hide malicious code on your computer and make malware or potentially unwanted software harder to remove.
keywords: security, malware, rootkit, hide, protection, hiding, WDSI, MMPC, Microsoft Malware Protection Center, rootkits, Sirefef, Rustock, Sinowal, Cutwail, malware, virus
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
@@ -11,9 +11,10 @@ ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
search.appverid: met150
+ms.technology: mde
---
# Rootkits
diff --git a/windows/security/threat-protection/intelligence/safety-scanner-download.md b/windows/security/threat-protection/intelligence/safety-scanner-download.md
index 96e45bc39b..c2e32ce5d1 100644
--- a/windows/security/threat-protection/intelligence/safety-scanner-download.md
+++ b/windows/security/threat-protection/intelligence/safety-scanner-download.md
@@ -3,7 +3,7 @@ title: Microsoft Safety Scanner Download
ms.reviewer:
description: Get the Microsoft Safety Scanner tool to find and remove malware from Windows computers.
keywords: security, malware
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
@@ -11,9 +11,10 @@ ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
search.appverid: met150
+ms.technology: mde
---
# Microsoft Safety Scanner
@@ -38,12 +39,12 @@ Microsoft Safety Scanner is a scan tool designed to find and remove malware from
## System requirements
-Safety Scanner helps remove malicious software from computers running Windows 10, Windows 10 Tech Preview, Windows 8.1, Windows 8, Windows 7, Windows Server 2016, Windows Server Tech Preview, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. Please refer to the [Microsoft Lifecycle Policy](https://support.microsoft.com/lifecycle).
+Safety Scanner helps remove malicious software from computers running Windows 10, Windows 10 Tech Preview, Windows 8.1, Windows 8, Windows 7, Windows Server 2019, Windows Server 2016, Windows Server Tech Preview, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. Please refer to the [Microsoft Lifecycle Policy](https://support.microsoft.com/lifecycle).
## How to run a scan
1. Download this tool and open it.
-2. Select the type of scan you want run and start the scan.
+2. Select the type of scan that you want to run and start the scan.
3. Review the scan results displayed on screen. For detailed detection results, view the log at **%SYSTEMROOT%\debug\msert.log**.
To remove this tool, delete the executable file (msert.exe by default).
diff --git a/windows/security/threat-protection/intelligence/submission-guide.md b/windows/security/threat-protection/intelligence/submission-guide.md
index 7e771ce477..87667989e4 100644
--- a/windows/security/threat-protection/intelligence/submission-guide.md
+++ b/windows/security/threat-protection/intelligence/submission-guide.md
@@ -3,7 +3,7 @@ title: Submit files for analysis by Microsoft
description: Learn how to submit files to Microsoft for malware analysis, how to track your submissions, and dispute detections.
ms.reviewer:
keywords: security, sample submission help, malware file, virus file, trojan file, submit, send to Microsoft, submit a sample, virus, trojan, worm, undetected, doesn’t detect, email microsoft, email malware, I think this is malware, I think it's a virus, where can I send a virus, is this a virus, MSE, doesn’t detect, no signature, no detection, suspect file, MMPC, Microsoft Malware Protection Center, researchers, analyst, WDSI, security intelligence
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
@@ -11,9 +11,10 @@ ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
search.appverid: met150
+ms.technology: mde
---
# Submit files for analysis
diff --git a/windows/security/threat-protection/intelligence/supply-chain-malware.md b/windows/security/threat-protection/intelligence/supply-chain-malware.md
index 7530ec2c2e..fff7e3b7b3 100644
--- a/windows/security/threat-protection/intelligence/supply-chain-malware.md
+++ b/windows/security/threat-protection/intelligence/supply-chain-malware.md
@@ -3,7 +3,7 @@ title: Supply chain attacks
ms.reviewer:
description: Learn about how supply chain attacks work, deliver malware do your devices, and what you can do to protect yourself
keywords: security, malware, protection, supply chain, hide, distribute, trust, compromised
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
@@ -11,9 +11,10 @@ ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
search.appverid: met150
+ms.technology: mde
---
# Supply chain attacks
diff --git a/windows/security/threat-protection/intelligence/support-scams.md b/windows/security/threat-protection/intelligence/support-scams.md
index 5ecbd9a101..0cfb94aa8f 100644
--- a/windows/security/threat-protection/intelligence/support-scams.md
+++ b/windows/security/threat-protection/intelligence/support-scams.md
@@ -3,7 +3,7 @@ title: Tech Support Scams
ms.reviewer:
description: Microsoft security software can protect you from tech support scams that claims to scan for malware or viruses and then shows you fake detections and warnings.
keywords: security, malware, tech support, scam, protection, trick, spoof, fake, error messages, report, rogue security software, fake, antivirus, fake software, rogue, threats, fee, removal fee, upgrade, pay for removal, install full version, trial, lots of threats, scanner, scan, clean, computer, security, program, XP home security, fake microsoft, activate, activate scan, activate antivirus, warnings, pop-ups, security warnings, security pop-ups tech support scams, fake Microsoft error notification, fake virus alert, fake product expiration, fake Windows activation, scam web pages, scam phone numbers, telephone numbers, MMPC, WDSI, Microsoft Malware Protection Center, tech support scam numbers
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
@@ -11,9 +11,10 @@ ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
search.appverid: met150
+ms.technology: mde
---
# Tech support scams
diff --git a/windows/security/threat-protection/intelligence/trojans-malware.md b/windows/security/threat-protection/intelligence/trojans-malware.md
index 2ed753b049..31228195f8 100644
--- a/windows/security/threat-protection/intelligence/trojans-malware.md
+++ b/windows/security/threat-protection/intelligence/trojans-malware.md
@@ -3,7 +3,7 @@ title: Trojan malware
ms.reviewer:
description: Trojans are a type of threat that can infect your device. This page tells you what they are and how to remove them.
keywords: security, malware, protection, trojan, download, file, infection, trojans, virus, protection, cleanup, removal, antimalware, antivirus, WDSI, MMPC, Microsoft Malware Protection Center, malware types
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
@@ -11,9 +11,10 @@ ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
search.appverid: met150
+ms.technology: mde
---
# Trojans
diff --git a/windows/security/threat-protection/intelligence/understanding-malware.md b/windows/security/threat-protection/intelligence/understanding-malware.md
index eb417b74dd..d7d82578fa 100644
--- a/windows/security/threat-protection/intelligence/understanding-malware.md
+++ b/windows/security/threat-protection/intelligence/understanding-malware.md
@@ -3,7 +3,7 @@ title: Understanding malware & other threats
ms.reviewer:
description: Learn about the most prevalent viruses, malware, and other threats. Understand how they infect systems, how they behave, and how to prevent and remove them.
keywords: security, malware, virus, malware, threat, analysis, research, encyclopedia, dictionary, glossary, ransomware, support scams, unwanted software, computer infection, virus infection, descriptions, remediation, latest threats, mmpc, microsoft malware protection center, wdsi
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
@@ -11,9 +11,10 @@ ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: conceptual
search.appverid: met150
+ms.technology: mde
---
# Understanding malware & other threats
@@ -21,7 +22,7 @@ Malware is a term used to describe malicious applications and code that can caus
Cybercriminals that distribute malware are often motivated by money and will use infected computers to launch attacks, obtain banking credentials, collect information that can be sold, sell access to computing resources, or extort payment from victims.
-As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or on the go. With Microsoft Defender Advanced Threat Protection ([Microsoft Defender ATP](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)), businesses can stay protected with next-generation protection and other security capabilities.
+As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or on the go. With [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), businesses can stay protected with next-generation protection and other security capabilities.
For good general tips, check out the [prevent malware infection](prevent-malware-infection.md) topic.
diff --git a/windows/security/threat-protection/intelligence/unwanted-software.md b/windows/security/threat-protection/intelligence/unwanted-software.md
index ab2471f894..31dc9dc196 100644
--- a/windows/security/threat-protection/intelligence/unwanted-software.md
+++ b/windows/security/threat-protection/intelligence/unwanted-software.md
@@ -3,7 +3,7 @@ title: Unwanted software
ms.reviewer:
description: Learn about how unwanted software changes your default settings without your consent and what you can do to protect yourself.
keywords: security, malware, protection, unwanted, software, alter, infect, unwanted software, software bundlers, browser modifiers, privacy, security, computing experience, prevent infection, solution, WDSI, MMPC, Microsoft Malware Protection Center, virus research threats, research malware, pc protection, computer infection, virus infection, descriptions, remediation, latest threats
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
@@ -11,9 +11,10 @@ ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
search.appverid: met150
+ms.technology: mde
---
# Unwanted software
diff --git a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md
index 5aded1e416..a70ae6fe7e 100644
--- a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md
+++ b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md
@@ -3,7 +3,7 @@ title: Virus Information Alliance
ms.reviewer:
description: The Microsoft Virus Information Alliance (VIA) is a collaborative antimalware program for organizations fighting cybercrime.
keywords: security, malware, Microsoft, MMPC, Microsoft Malware Protection Center, partners, sharing, samples, vendor exchange, CSS, alliance, WDSI
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
@@ -11,28 +11,36 @@ ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
+ms.technology: mde
---
# Virus Information Alliance
The Virus Information Alliance (VIA) is a public antimalware collaboration program for security software providers, security service providers, antimalware testing organizations, and other organizations involved in fighting cybercrime.
-Members of the VIA program collaborate by exchanging technical information on malicious software with Microsoft, with the goal of improving protection for Microsoft customers.
+Members of the VIA program collaborate by exchanging technical information on malicious software with Microsoft. The goal is to improve protection for Microsoft customers.
## Better protection for customers against malware
-The VIA program gives members access to information that will help improve protection for Microsoft customers. For example, the program provides malware telemetry and samples to security product teams to identify gaps in their protection and prioritize new threat coverage.
+The VIA program gives members access to information that will help them improve protection. For example, the program provides malware telemetry and samples to security teams so they can identify gaps and prioritize new threat coverage.
-Malware prevalence data is provided to antimalware testers to assist them in selecting sample sets and setting scoring criteria that represent the real-world threat landscape. Service organizations, such as a CERT, can leverage our data to help assess the impact of policy changes or to help shut down malicious activity.
+Malware prevalence data is provided to antimalware testers to assist them in selecting sample sets. The data also helps set scoring criteria that represent the real-world threat landscape. Service organizations, such as a CERT, can leverage our data to help assess the impact of policy changes or to help shut down malicious activity.
Microsoft is committed to continuous improvement to help reduce the impact of malware on customers. By sharing malware-related information, Microsoft enables members of this community to work towards better protection for customers.
## Becoming a member of VIA
-Microsoft has well-defined, objective, measurable, and tailored membership criteria for prospective members of the Virus Information Alliance (VIA). The criteria is designed to ensure that Microsoft is able to work with security software providers, security service providers, antimalware testing organizations, and other organizations involved in the fight against cybercrime to protect a broad range of customers.
+Microsoft has well-defined, objective, measurable, and tailored membership criteria for prospective members of the Virus Information Alliance (VIA).
-Members will receive information to facilitate effective malware detection, deterrence, and eradication. This includes technical information on malware as well as metadata on malicious activity. Information shared through VIA is governed by the VIA membership agreement and a Microsoft non-disclosure agreement, where applicable.
+The criteria is designed to ensure that Microsoft can work with the following groups to protect a broad range of customers:
+
+- Security software providers
+- Security service providers
+- Antimalware testing organizations
+- Other organizations involved in the fight against cybercrime
+
+Members will receive information to facilitate effective malware detection, deterrence, and eradication. This information includes technical information on malware as well as metadata on malicious activity. Information shared through VIA is governed by the VIA membership agreement and a Microsoft non-disclosure agreement, where applicable.
VIA has an open enrollment for potential members.
@@ -43,11 +51,12 @@ To be eligible for VIA your organization must:
1. Be willing to sign a non-disclosure agreement with Microsoft.
2. Fit into one of the following categories:
- * Your organization develops antimalware technology that can run on Windows and your organization’s product is commercially available.
- * Your organization provides security services to Microsoft customers or for Microsoft products.
- * Your organization publishes antimalware testing reports on a regular basis.
- * Your organization has a research or response team dedicated to fighting malware to protect your organization, your customers, or the general public.
+
+ - Your organization develops antimalware technology that can run on Windows and your organization’s product is commercially available.
+ - Your organization provides security services to Microsoft customers or for Microsoft products.
+ - Your organization publishes antimalware testing reports on a regular basis.
+ - Your organization has a research or response team dedicated to fighting malware to protect your organization, your customers, or the general public.
3. Be willing to sign and adhere to the VIA membership agreement.
-If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry).
+If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). For questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry).
diff --git a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md
index a896140ce6..8512c8d267 100644
--- a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md
+++ b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md
@@ -3,7 +3,7 @@ title: Microsoft Virus Initiative
ms.reviewer:
description: The Microsoft Virus Initiative (MVI) helps organizations that make antivirus or antimalware products integrate with Windows and share telemetry with Microsoft.
keywords: security, malware, MVI, Microsoft Malware Protection Center, MMPC, alliances, WDSI
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
@@ -11,21 +11,22 @@ ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
+ms.technology: mde
---
# Microsoft Virus Initiative
The Microsoft Virus Initiative (MVI) helps organizations to get their products working and integrated with Windows.
-MVI members receive access to Windows APIs and other technologies including IOAV, AMSI and Cloud files. Members also get malware telemetry and samples and invitations to security related events and conferences.
+MVI members receive access to Windows APIs and other technologies including IOAV, AMSI, and Cloud files. Members also get malware telemetry and samples and invitations to security-related events and conferences.
## Become a member
-A request for membership is made by an individual as a representative of an organization that develops and produces antimalware or antivirus technology. Your organization must meet the following eligibility requirements to qualify for the MVI program:
+You can request membership if you're a representative for an organization that develops and produces antimalware or antivirus technology. Your organization must meet the following requirements to qualify for the MVI program:
-1. Offer an antimalware or antivirus product that is one of the following:
+1. Offer an antimalware or antivirus product that meets one of the following criteria:
* Your organization's own creation.
* Developed by using an SDK (engine and other components) from another MVI Partner company and your organization adds a custom UI and/or other functionality.
@@ -34,7 +35,7 @@ A request for membership is made by an individual as a representative of an orga
3. Be active and have a positive reputation in the antimalware industry.
- * Activity can include participation in industry conferences or being reviewed in an industry standard report such as AV Comparatives, OPSWAT or Gartner.
+ * Activity can include participation in industry conferences or being reviewed in an industry standard report such as AV Comparatives, OPSWAT, or Gartner.
4. Be willing to sign a non-disclosure agreement (NDA) with Microsoft.
@@ -49,14 +50,14 @@ A request for membership is made by an individual as a representative of an orga
Test Provider | Lab Test Type | Minimum Level / Score
------------- |---------------|----------------------
AV-Comparatives | Real-World Protection Test https://www.av-comparatives.org/testmethod/real-world-protection-tests/ |“Approved” rating from AV Comparatives
-AV-Test | Must pass tests for Windows. Certifications for Mac and Linux are not accepted https://www.av-test.org/en/about-the-institute/certification/ | Achieve "AV-TEST Certified" (for home users) or "AV-TEST Approved” (for corporate users)
+AV-Test | Must pass tests for Windows. Certifications for Mac and Linux aren't accepted https://www.av-test.org/en/about-the-institute/certification/ | Achieve "AV-TEST Certified" (for home users) or "AV-TEST Approved” (for corporate users)
ICSA Labs | Endpoint Anti-Malware Detection https://www.icsalabs.com/technology-program/anti-virus/criteria |PASS/Certified
NSS Labs | Advanced Endpoint Protection AEP 3.0, which covers automatic threat prevention and threat event reporting capabilities https://www.nsslabs.com/tested-technologies/advanced-endpoint-protection/ |“Neutral” rating from NSS
-SKD Labs | Certification Requirements Product: Anti-virus or Antimalware http://www.skdlabs.com/html/english/ http://www.skdlabs.com/cert/ |SKD Labs Star Check Certification Requirements Pass >= 98.5 % with On Demand, On Access and Total Detection tests
+SKD Labs | Certification Requirements Product: Anti-virus or Antimalware http://www.skdlabs.com/html/english/ http://www.skdlabs.com/cert/ |SKD Labs Star Check Certification Requirements Pass >= 98.5% with On Demand, On Access and Total Detection tests
SE Labs | Protection A rating or Small Business EP A rating or Enterprise EP Protection A rating https://selabs.uk/en/reports/consumers |Home or Enterprise “A” rating
VB 100 | VB100 Certification Test V1.1 https://www.virusbulletin.com/testing/vb100/vb100-methodology/vb100-methodology-ver1-1/ | VB100 Certification
West Coast Labs | Checkmark Certified http://www.checkmarkcertified.com/sme/ | “A” Rating on Product Security Performance
## Apply now
-If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry).
+If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). For questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry).
diff --git a/windows/security/threat-protection/intelligence/worms-malware.md b/windows/security/threat-protection/intelligence/worms-malware.md
index 04c8f8280f..99c3fafa1a 100644
--- a/windows/security/threat-protection/intelligence/worms-malware.md
+++ b/windows/security/threat-protection/intelligence/worms-malware.md
@@ -3,7 +3,7 @@ title: Worms
ms.reviewer:
description: Learn about how worms replicate and spread to other computers or networks. Read about the most popular worms and steps you can take to stop them.
keywords: security, malware, protection, worm, vulnerabilities, infect, steal, Jenxcus, Gamarue, Bondat, WannaCrypt, WDSI, MMPC, Microsoft Malware Protection Center, worms, malware types, threat propagation, mass-mailing, IP scanning
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: secure
ms.sitesec: library
ms.localizationpriority: medium
@@ -11,9 +11,10 @@ ms.author: ellevin
author: levinec
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: article
search.appverid: met150
+ms.technology: mde
---
# Worms
@@ -22,19 +23,19 @@ A worm is a type of malware that can copy itself and often spreads through a net
## How worms work
-Worms represent a large category of malware. Different worms use different methods to infect devices. Depending on the variant, they can steal sensitive information, change security settings, send information to malicious hackers, stop users from accessing files, and other malicious activities.
+Worms represent a large category of malware. Different worms use different methods to infect devices. Depending on the variant, they can steal sensitive information, change security settings, send information to malicious hackers, stop users from accessing files, and other malicious activities.
-Jenxcus (also known as Dunihi), Gamarue (also known as Androm), and Bondat have consistently remained at the top of the list of malware that infect users running Microsoft security software. Although these worms share some commonalities, it is interesting to note that they also have distinct characteristics.
+Jenxcus (also known as Dunihi), Gamarue (also known as Androm), and Bondat have consistently remained at the top of the list of malware that infects users running Microsoft software. Although these worms share some commonalities, it's interesting to note that they also have distinct characteristics.
* **Jenxcus** has capabilities of not only infecting removable drives but can also act as a backdoor that connects back to its server. This threat typically gets into a device from a drive-by download attack, meaning it's installed when users just visit a compromised web page.
-* **Gamarue** typically arrives through spam campaigns, exploits, downloaders, social networking sites, and removable drives. When Gamarue infects a device, it becomes a distribution channel for other malware. We’ve seen it distribute other malware such as infostealers, spammers, clickers, downloaders, and rogues.
+* **Gamarue** typically arrives through spam campaigns, exploits, downloaders, social networking sites, and removable drives. When Gamarue infects a device, it becomes a distribution channel for other malware. We’ve seen it distribute other malware such as info stealers, spammers, clickers, downloaders, and rogues.
* **Bondat** typically arrives through fictitious Nullsoft Scriptable Install System (NSIS), Java installers, and removable drives. When Bondat infects a system, it gathers information about the machine such as device name, Globally Unique Identifier (GUID), and OS build. It then sends that information to a remote server.
-Both Bondat and Gamarue have clever ways of obscuring themselves to evade detection. By hiding what they are doing, they try to avoid detection by security software.
+Both Bondat and Gamarue have clever ways of obscuring themselves to evade detection. By hiding what they're doing, they try to avoid detection by security software.
-* [**WannaCrypt**](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/WannaCrypt) also deserves a mention here. Unlike older worms that often spread just because they could, modern worms often spread to drop a payload (e.g. ransomware).
+* [**WannaCrypt**](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/WannaCrypt) also deserves a mention here. Unlike older worms that often spread just because they could, modern worms often spread to drop a payload (like ransomware).
This image shows how a worm can quickly spread through a shared USB drive.
diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md
index 59f32f84e6..34fc1933f8 100644
--- a/windows/security/threat-protection/mbsa-removal-and-guidance.md
+++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md
@@ -2,14 +2,14 @@
title: Guide to removing Microsoft Baseline Security Analyzer (MBSA)
description: This article documents the removal of Microsoft Baseline Security Analyzer (MBSA) and provides alternative solutions.
keywords: MBSA, security, removal
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.author: dansimp
-author: dulcemontemayor
-ms.date: 10/05/2018
+author: dansimp
ms.reviewer:
manager: dansimp
+ms.technology: mde
---
# What is Microsoft Baseline Security Analyzer and its uses?
@@ -25,14 +25,14 @@ MBSA was largely used in situations where neither Microsoft Update nor a local W
A script can help you with an alternative to MBSA’s patch-compliance checking:
- [Using WUA to Scan for Updates Offline](https://docs.microsoft.com/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline), which includes a sample .vbs script.
-For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with PowerShell](https://gallery.technet.microsoft.com/Using-WUA-to-Scan-for-f7e5e0be).
+For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with PowerShell](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0).
For example:
[](https://docs.microsoft.com/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline)
-[](https://gallery.technet.microsoft.com/Using-WUA-to-Scan-for-f7e5e0be)
+[](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0)
-The preceding scripts leverage the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it.
+The preceding scripts use the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it.
The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update; it does not contain any information on non-security updates, tools or drivers.
## More Information
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md
deleted file mode 100644
index 1bf808c9ae..0000000000
--- a/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md
+++ /dev/null
@@ -1,77 +0,0 @@
----
-title: What to do with false positives/negatives in Microsoft Defender Antivirus
-description: Did Microsoft Defender Antivirus miss or wrongly detect something? Find out what you can do.
-keywords: Microsoft Defender Antivirus, false positives, false negatives, exclusions
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.custom: nextgen
-ms.date: 06/08/2020
-ms.reviewer: shwetaj
-manager: dansimp
-audience: ITPro
-ms.topic: article
----
-
-# What to do with false positives/negatives in Microsoft Defender Antivirus
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Microsoft Defender Antivirus is designed to keep your PC safe with built-in, trusted antivirus protection. With Microsoft Defender Antivirus, you get comprehensive, ongoing, and real-time protection against software threats like viruses, malware, and spyware across email, apps, the cloud, and the web.
-
-What if something gets detected wrongly as malware, or something is missed? We call these false positives and false negatives. Fortunately, there are some steps you can take to deal with these issues. You can:
-- [Submit a file to Microsoft for analysis](#submit-a-file-to-microsoft-for-analysis)
-- [Create an "Allow" indicator to prevent a false positive from recurring](#create-an-allow-indicator-to-prevent-a-false-positive-from-recurring)
-- [Define an exclusion on an individual Windows device to prevent an item from being scanned](#define-an-exclusion-on-an-individual-windows-device-to-prevent-an-item-from-being-scanned)
-
-## Submit a file to Microsoft for analysis
-
-1. Review the [submission guidelines](../intelligence/submission-guide.md).
-2. [Submit your file or sample](https://www.microsoft.com/wdsi/filesubmission).
-
-> [!TIP]
-> We recommend signing in at the submission portal so you can track the results of your submissions.
-
-## Create an "Allow" indicator to prevent a false positive from recurring
-
-If a file, IP address, URL, or domain is treated as malware on a device, even though it's safe, you can create an "Allow" indicator. This indicator tells Microsoft Defender Antivirus (and Microsoft Defender Advanced Threat Protection) that the item is safe.
-
-To set up your "Allow" indicator, follow the guidance in [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators).
-
-## Define an exclusion on an individual Windows device to prevent an item from being scanned
-
-When you define an exclusion for Microsoft Defender Antivirus, you configure your antivirus to skip that item.
-
-1. On your Windows 10 device, open the Windows Security app.
-2. Select **Virus & threat protection** > **Virus & threat protection settings**.
-3. Under **Exclusions**, select **Add or remove exclusions**.
-4. Select **+ Add an exclusion**, and specify its type (**File**, **Folder**, **File type**, or **Process**).
-
-The following table summarizes exclusion types, how they're defined, and what happens when they're in effect.
-
-|Exclusion type |Defined by |What happens |
-|---------|---------|---------|
-|**File** |Location
Example: `c:\sample\sample.test` |The specified file is skipped by Microsoft Defender Antivirus. |
-|**Folder** |Location
Example: `c:\test\sample` |All items in the specified folder are skipped by Microsoft Defender Antivirus. |
-|**File type** |File extension
Example: `.test` |All files with the specified extension anywhere on your device are skipped by Microsoft Defender Antivirus. |
-|**Process** |Executable file path
Example: `c:\test\process.exe` |The specified process and any files that are opened by that process are skipped by Microsoft Defender Antivirus. |
-
-To learn more, see:
-- [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus)
-- [Configure exclusions for files opened by processes](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus)
-
-## Related articles
-
-[What is Microsoft Defender Advanced Threat Protection?](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection)
-
-[Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md
index c313f7f7cf..1d3f01234e 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md
@@ -3,7 +3,7 @@ title: Collect diagnostic data for Update Compliance and Windows Defender Micros
description: Use a tool to collect data to troubleshoot Update Compliance issues when using the Microsoft Defender Antivirus Assessment add in
keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender AV
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
@@ -14,6 +14,7 @@ ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
+ms.technology: mde
---
# Collect Update Compliance diagnostic data for Microsoft Defender AV Assessment
@@ -23,7 +24,7 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Microsoft Defender AV Assessment section in the Update Compliance add-in.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
index 8d013685ee..6ed065117c 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
@@ -3,7 +3,7 @@ title: Collect diagnostic data of Microsoft Defender Antivirus
description: Use a tool to collect data to troubleshoot Microsoft Defender Antivirus
keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender av, group policy object, setting, diagnostic data
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
@@ -14,6 +14,7 @@ ms.custom: nextgen
ms.date: 06/29/2020
ms.reviewer:
manager: dansimp
+ms.technology: mde
---
# Collect Microsoft Defender AV diagnostic data
@@ -23,7 +24,7 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you might encounter when using the Microsoft Defender AV.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md
index 3038c3095f..8ab6bc321a 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md
@@ -3,16 +3,17 @@ title: Use the command line to manage Microsoft Defender Antivirus
description: Run Microsoft Defender Antivirus scans and configure next-generation protection with a dedicated command-line utility.
keywords: run windows defender scan, run antivirus scan from command line, run windows defender scan from command line, mpcmdrun, defender
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.reviewer: ksarens
+ms.reviewer: ksarens
manager: dansimp
-ms.date: 08/17/2020
+ms.date: 03/19/2021
+ms.technology: mde
---
# Configure and manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool
@@ -22,14 +23,13 @@ ms.date: 08/17/2020
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-You can perform various Microsoft Defender Antivirus functions with the dedicated command-line tool *mpcmdrun.exe*. This utility is useful when you want to automate Microsoft Defender Antivirus use. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. You must run it from a command prompt.
+You can perform various Microsoft Defender Antivirus functions with the dedicated command-line tool **mpcmdrun.exe**. This utility is useful when you want to automate Microsoft Defender Antivirus use. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. You must run it from a command prompt.
> [!NOTE]
-> You might need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
->
-> If you're running an updated Microsoft Defender Platform version, please run `MpCmdRun` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\
**Note:** In Windows 10 1909 or older, and Windows Server 2019 or older, the service used to be called "Windows Defender Antivirus" service.|
| `0x80070667` | You're running the `-ValidateMapsConnection` command from a computer that is Windows 10 version 1607 or older, or Windows Server 2016 or older. Run the command from a machine that is Windows 10 version 1703 or newer, or Windows Server 2019 or newer.|
-| `'MpCmdRun' is not recognized as an internal or external command, operable program or batch file.` | The tool needs to be run from either: `%ProgramFiles%\Windows Defender` or `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.4-0` (where `2008.4-0` might differ since platform updates are monthly except for December)|
+| `'MpCmdRun' is not recognized as an internal or external command, operable program or batch file.` | The tool needs to be run from either: `%ProgramFiles%\Windows Defender` or `C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2012.4-0` (where `2012.4-0` might differ since platform updates are monthly except for March)|
| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80070005 httpcode=450)` | Not enough privileges. Use the command prompt (cmd.exe) as an administrator.|
| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80070006 httpcode=451)` | The firewall is blocking the connection or conducting SSL inspection. |
| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80004005 httpcode=450)` | Possible network-related issues, like name resolution problems|
@@ -75,7 +75,9 @@ MpCmdRun.exe -Scan -ScanType 2
| `ValidateMapsConnection failed to establish a connection to MAPS (hr=800722F0D` | The firewall is blocking the connection or conducting SSL inspection. |
| `ValidateMapsConnection failed to establish a connection to MAPS (hr=80072EE7 httpcode=451)` | The firewall is blocking the connection or conducting SSL inspection. |
-## Related topics
+## See also
+- [Configure Microsoft Defender Antivirus features](configure-microsoft-defender-antivirus-features.md)
+- [Manage Microsoft Defender Antivirus in your business](configuration-management-reference-microsoft-defender-antivirus.md)
- [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md)
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md
index 58cd36777d..3108c5ea6b 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md
@@ -3,7 +3,7 @@ title: Common mistakes to avoid when defining exclusions
description: Avoid common mistakes when defining exclusions for Microsoft Defender Antivirus scans.
keywords: exclusions, files, extension, file type, folder name, file name, scans
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
@@ -13,6 +13,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer:
manager: dansimp
+ms.technology: mde
---
# Common mistakes to avoid when defining exclusions
@@ -21,136 +22,38 @@ manager: dansimp
You can define an exclusion list for items that you don't want Microsoft Defender Antivirus to scan. Such excluded items could contain threats that make your device vulnerable.
-This topic describes some common mistake that you should avoid when defining exclusions.
+This article describes some common mistake that you should avoid when defining exclusions.
Before defining your exclusion lists, see [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions).
## Excluding certain trusted items
-There are certain files, file types, folders, or processes that you should not exclude from scanning even though you trust them to be not malicious. Refer to the following section for items that you should not exclude from scanning.
-**Do not add exclusions for the following folder locations:**
+Certain files, file types, folders, or processes should not be excluded from scanning even though you trust them to be not malicious.
-- %systemdrive%
-- C:
-- C:\
-- C:\*
-- %ProgramFiles%\Java
-- C:\Program Files\Java
-- %ProgramFiles%\Contoso\
-- C:\Program Files\Contoso\
-- %ProgramFiles(x86)%\Contoso\
-- C:\Program Files (x86)\Contoso\
-- C:\Temp
-- C:\Temp\
-- C:\Temp\*
-- C:\Users\
-- C:\Users\*
-- C:\Users\
`C:`
`C:\`
`C:\*`
`%ProgramFiles%\Java`
`C:\Program Files\Java`
`%ProgramFiles%\Contoso\`
`C:\Program Files\Contoso\`
`%ProgramFiles(x86)%\Contoso\`
`C:\Program Files (x86)\Contoso\`
`C:\Temp`
`C:\Temp\`
`C:\Temp\*`
`C:\Users\`
`C:\Users\*`
`C:\Users\
`C:\Users\
`C:\Users\
`%Windir%\Prefetch`
`C:\Windows\Prefetch`
`C:\Windows\Prefetch\`
`C:\Windows\Prefetch\*`
`%Windir%\System32\Spool`
`C:\Windows\System32\Spool`
`C:\Windows\System32\CatRoot2`
`%Windir%\Temp`
`C:\Windows\Temp`
`C:\Windows\Temp\`
`C:\Windows\Temp\*` | `.7zip`
`.bat`
`.bin`
`.cab`
`.cmd`
`.com`
`.cpl`
`.dll`
`.exe`
`.fla`
`.gif`
`.gz`
`.hta`
`.inf`
`.java`
`.jar`
`.job`
`.jpeg`
`.jpg`
`.js`
`.ko`
`.ko.gz`
`.msi`
`.ocx`
`.png`
`.ps1`
`.py`
`.rar`
`.reg`
`.scr`
`.sys`
`.tar`
`.tmp`
`.url`
`.vbe`
`.vbs`
`.wsf`
`.zip` | `AcroRd32.exe`
`bitsadmin.exe`
`excel.exe`
`iexplore.exe`
`java.exe`
`outlook.exe`
`psexec.exe`
`powerpnt.exe`
`powershell.exe`
`schtasks.exe`
`svchost.exe`
`wmic.exe`
`winword.exe`
`wuauclt.exe`
`addinprocess.exe`
`addinprocess32.exe`
`addinutil.exe`
`bash.exe`
`bginfo.exe`[1]
`cdb.exe`
`csi.exe`
`dbghost.exe`
`dbgsvc.exe`
`dnx.exe`
`fsi.exe`
`fsiAnyCpu.exe`
`kd.exe`
`ntkd.exe`
`lxssmanager.dll`
`msbuild.exe`[2]
`mshta.exe`
`ntsd.exe`
`rcsi.exe`
`system.management.automation.dll`
`windbg.exe` |
>[!NOTE]
-> You can chose to exclude file types, such as .gif, .jpg, .jpeg, .png if your environment has a modern, up-to-date software with a strict update policy to handle any vulnerabilities.
-
-**Do not add exclusions for the following processes:**
-- AcroRd32.exe
-- bitsadmin.exe
-- excel.exe
-- iexplore.exe
-- java.exe
-- outlook.exe
-- psexec.exe
-- powerpnt.exe
-- powershell.exe
-- schtasks.exe
-- svchost.exe
-- wmic.exe
-- winword.exe
-- wuauclt.exe
-- addinprocess.exe
-- addinprocess32.exe
-- addinutil.exe
-- bash.exe
-- bginfo.exe[1]
-- cdb.exe
-- csi.exe
-- dbghost.exe
-- dbgsvc.exe
-- dnx.exe
-- fsi.exe
-- fsiAnyCpu.exe
-- kd.exe
-- ntkd.exe
-- lxssmanager.dll
-- msbuild.exe[2]
-- mshta.exe
-- ntsd.exe
-- rcsi.exe
-- system.management.automation.dll
-- windbg.exe
+> You can chose to exclude file types, such as `.gif`, `.jpg`, `.jpeg`, or `.png` if your environment has a modern, up-to-date software with a strict update policy to handle any vulnerabilities.
## Using just the file name in the exclusion list
-A malware may have the same name as that of the file that you trust and want to exclude from scanning. Therefore, to avoid excluding a potential malware from scanning, use a fully qualified path to the file that you want to exclude instead of using just the file name. For example, if you want to exclude **Filename.exe** from scanning, use the complete path to the file, such as **C:\program files\contoso\Filename.exe**.
+
+A malware may have the same name as that of the file that you trust and want to exclude from scanning. Therefore, to avoid excluding a potential malware from scanning, use a fully qualified path to the file that you want to exclude instead of using just the file name. For example, if you want to exclude `Filename.exe` from scanning, use the complete path to the file, such as `C:\program files\contoso\Filename.exe`.
## Using a single exclusion list for multiple server workloads
+
Do not use a single exclusion list to define exclusions for multiple server workloads. Split the exclusions for different application or service workloads into multiple exclusion lists. For example, the exclusion list for your IIS Server workload must be different from the exclusion list for your SQL Server workload.
## Using incorrect environment variables as wildcards in the file name and folder path or extension exclusion lists
+
Microsoft Defender Antivirus Service runs in system context using the LocalSystem account, which means it gets information from the system environment variable, and not from the user environment variable. Use of environment variables as a wildcard in exclusion lists is limited to system variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. Therefore, do not use user environment variables as wildcards when adding Microsoft Defender Antivirus folder and process exclusions. See the table under [System environment variables](configure-extension-file-exclusions-microsoft-defender-antivirus.md#system-environment-variables) for a complete list of system environment variables.
+
See [Use wildcards in the file name and folder path or extension exclusion lists](configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for information on how to use wildcards in exclusion lists.
-## Related topics
+## Related articles
- [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
- [Configure and validate exclusions based on file extension and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md
index 093c6632fb..3c463a5169 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md
@@ -1,9 +1,9 @@
---
-title: Manage Windows Defender in your business
+title: Manage Windows Defender in your business
description: Learn how to use Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the command line to manage Microsoft Defender AV
keywords: group policy, gpo, config manager, sccm, scep, powershell, wmi, intune, defender, antivirus, antimalware, security, protection
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
@@ -11,9 +11,10 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 09/03/2018
+ms.date: 12/16/2020
ms.reviewer:
manager: dansimp
+ms.technology: mde
---
# Manage Microsoft Defender Antivirus in your business
@@ -23,25 +24,23 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
You can manage and configure Microsoft Defender Antivirus with the following tools:
-- Microsoft Intune
-- Microsoft Endpoint Configuration Manager
-- Group Policy
-- PowerShell cmdlets
-- Windows Management Instrumentation (WMI)
-- The mpcmdrun.exe utility
+- [Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/endpoint-security-antivirus-policy) (now part of Microsoft Endpoint Manager)
+- [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure) (now part of Microsoft Endpoint Manager)
+- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus)
+- [PowerShell cmdlets](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus)
+- [Windows Management Instrumentation (WMI)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus)
+- The [Microsoft Malware Protection Command Line Utility](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus) (referred to as the *mpcmdrun.exe* utility
-The articles in this section provide further information, links, and resources for using these tools to manage and configure Microsoft Defender Antivirus.
+The following articles provide further information, links, and resources for using these tools to manage and configure Microsoft Defender Antivirus.
-## In this section
-
-Article | Description
----|---
-[Manage Microsoft Defender Antivirus with Microsoft Intune and Microsoft Endpoint Configuration Manager](use-intune-config-manager-microsoft-defender-antivirus.md)|Information about using Intune and Configuration Manager to deploy, manage, report, and configure Microsoft Defender Antivirus
-[Manage Microsoft Defender Antivirus with Group Policy settings](use-group-policy-microsoft-defender-antivirus.md)|List of all Group Policy settings located in ADMX templates
-[Manage Microsoft Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-microsoft-defender-antivirus.md)|Instructions for using PowerShell cmdlets to manage Microsoft Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters
-[Manage Microsoft Defender Antivirus with Windows Management Instrumentation (WMI)](use-wmi-microsoft-defender-antivirus.md)| Instructions for using WMI to manage Microsoft Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties)
-[Manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool](command-line-arguments-microsoft-defender-antivirus.md)|Instructions on using the dedicated command-line tool to manage and use Microsoft Defender Antivirus
+| Article | Description |
+|:---|:---|
+|[Manage Microsoft Defender Antivirus with Microsoft Intune and Microsoft Endpoint Configuration Manager](use-intune-config-manager-microsoft-defender-antivirus.md)|Information about using Intune and Configuration Manager to deploy, manage, report, and configure Microsoft Defender Antivirus |
+|[Manage Microsoft Defender Antivirus with Group Policy settings](use-group-policy-microsoft-defender-antivirus.md)|List of all Group Policy settings located in ADMX templates |
+|[Manage Microsoft Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-microsoft-defender-antivirus.md)|Instructions for using PowerShell cmdlets to manage Microsoft Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters |
+|[Manage Microsoft Defender Antivirus with Windows Management Instrumentation (WMI)](use-wmi-microsoft-defender-antivirus.md)| Instructions for using WMI to manage Microsoft Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties) |
+|[Manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool](command-line-arguments-microsoft-defender-antivirus.md)|Instructions on using the dedicated command-line tool to manage and use Microsoft Defender Antivirus |
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
index ee3e692d4a..bf309eba5d 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
@@ -4,7 +4,7 @@ description: You can configure Microsoft Defender AV to scan email storage files
keywords: advanced scans, scanning, email, archive, zip, rar, archive, reparse scanning
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: medium
@@ -13,7 +13,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer:
manager: dansimp
-
+ms.technology: mde
---
# Configure Microsoft Defender Antivirus scanning options
@@ -23,15 +23,15 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
## Use Microsoft Intune to configure scanning options
See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details.
-## Use Microsoft Endpoint Configuration Manager to configure scanning options
+## Use Microsoft Endpoint Manager to configure scanning options
-See [How to create and deploy antimalware policies: Scan settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch).
+See [How to create and deploy antimalware policies: Scan settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring Microsoft Endpoint Manager (current branch).
## Use Group Policy to configure scanning options
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md
index a71f13399e..96b78f6e1c 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md
@@ -1,9 +1,9 @@
---
-title: Enable Block at First Sight to detect malware in seconds
-description: Turn on the block at first sight feature to detect and block malware within seconds, and validate that it is configured correctly.
+title: Enable block at first sight to detect malware in seconds
+description: Turn on the block at first sight feature to detect and block malware within seconds.
keywords: scan, BAFS, malware, first seen, first sight, cloud, defender
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: high
@@ -12,7 +12,8 @@ ms.author: deniseb
ms.reviewer:
manager: dansimp
ms.custom: nextgen
-ms.date: 08/26/2020
+ms.date: 10/22/2020
+ms.technology: mde
---
# Turn on block at first sight
@@ -22,127 +23,93 @@ ms.date: 08/26/2020
**Applies to:**
-- Microsoft Defender Antivirus
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-Block at first sight provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are also enabled. In most cases, these prerequisite settings are also enabled by default, so the feature is running without any intervention.
+Block at first sight provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are enabled. These settings include cloud-delivered protection, a specified sample submission timeout (such as 50 seconds), and a file-blocking level of high. In most enterprise organizations, these settings are enabled by default with Microsoft Defender Antivirus deployments.
-You can [specify how long the file should be prevented from running](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md) while the cloud-based protection service analyzes the file. And, you can [customize the message displayed on users' desktops](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL.
+You can [specify how long a file should be prevented from running](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md) while the cloud-based protection service analyzes the file. And, you can [customize the message displayed on users' desktops](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL.
>[!TIP]
->Visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
+>Visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
## How it works
When Microsoft Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or not a threat.
-Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, intelligent, and real-time protection. To learn more, see this blog: [Get to know the advanced technologies at the core of Microsoft Defender ATP next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
+Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, intelligent, and real-time protection. To learn more, see this blog: [Get to know the advanced technologies at the core of Microsoft Defender for Endpoint next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
In Windows 10, version 1803 or later, block at first sight can block non-portable executable files (such as JS, VBS, or macros) as well as executable files.
-Block at first sight only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if this is a previously undetected file.
+Block at first sight only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if the file is a previously undetected file.
If the cloud backend is unable to make a determination, Microsoft Defender Antivirus locks the file and uploads a copy to the cloud. The cloud performs additional analysis to reach a determination before it either allows the file to run or blocks it in all future encounters, depending on whether it determines the file to be malicious or safe.
In many cases, this process can reduce the response time for new malware from hours to seconds.
-## Confirm and validate that block at first sight is turned on
+## Turn on block at first sight with Microsoft Intune
-Block at first sight requires a number of settings to be configured correctly or it will not work. These settings are enabled by default in most enterprise Microsoft Defender Antivirus deployments.
+> [!TIP]
+> Microsoft Intune is now part of Microsoft Endpoint Manager.
-### Confirm block at first sight is turned on with Intune
+1. In the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), navigate to **Devices** > **Configuration profiles**.
-1. In Intune, navigate to **Device configuration - Profiles** > *Profile name* > **Device restrictions** > **Microsoft Defender Antivirus**.
+2. Select or create a profile using the **Device restrictions** profile type.
- > [!NOTE]
- > The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type.
+3. In the **Configuration settings** for the Device restrictions profile, set or confirm the following settings under **Microsoft Defender Antivirus**:
-2. Verify these settings are configured as follows:
-
- - **Cloud-delivered protection**: **Enable**
- - **File Blocking Level**: **High**
- - **Time extension for file scanning by the cloud**: **50**
- - **Prompt users before sample submission**: **Send all data without prompting**
+ - **Cloud-delivered protection**: Enabled
+ - **File Blocking Level**: High
+ - **Time extension for file scanning by the cloud**: 50
+ - **Prompt users before sample submission**: Send all data without prompting
- > [!WARNING]
- > Setting the file blocking level to **High** will apply a strong level of detection. In the unlikely event that it causes a false positive detection of legitimate files, use the option to [restore the quarantined files](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus).
+4. Save your settings.
-For more information about configuring Microsoft Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
+> [!TIP]
+> - Setting the file blocking level to **High** applies a strong level of detection. In the unlikely event that file blocking causes a false positive detection of legitimate files, you can [restore quarantined files](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus).
+> - For more information about configuring Microsoft Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
+> - For a list of Microsoft Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus).
-For a list of Microsoft Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus).
+## Turn on block at first sight with Microsoft Endpoint Manager
-### Turn on block at first sight with Microsoft Endpoint Configuration Manager
+> [!TIP]
+> If you're looking for Microsoft Endpoint Configuration Manager, it's now part of Microsoft Endpoint Manager.
-1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **AntiMalware Policies**.
+1. In Microsoft Endpoint Manager ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), go to **Endpoint security** > **Antivirus**.
-2. Click **Home** > **Create Antimalware Policy**.
+2. Select an existing policy, or create a new policy using the **Microsoft Defender Antivirus** profile type.
-3. Enter a name and a description, and add these settings:
- - **Real time protection**
- - **Advanced**
- - **Cloud Protection Service**
+3. Set or confirm the following configuration settings:
-4. In the left column, click **Real time protection**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**.
- 
+ - **Turn on cloud-delivered protection**: Yes
+ - **Cloud-delivered protection level**: High
+ - **Defender Cloud Extended Timeout in Seconds**: 50
-5. Click **Advanced**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**.
- 
+ :::image type="content" source="images/endpointmgr-antivirus-cloudprotection.png" alt-text="Block at first sight settings in Endpoint Manager":::
-6. Click **Cloud Protection Service**, set **Cloud Protection Service membership type** to **Advanced membership**, set **Level for blocking suspicious files** to **High**, and set **Allow extended cloud check to block and scan suspicious files for up to (seconds)** to **50** seconds.
- 
+4. Apply the Microsoft Defender Antivirus profile to a group, such as **All users**, **All devices**, or **All users and devices**.
-7. Click **OK** to create the policy.
+## Turn on block at first sight with Group Policy
-### Confirm block at first sight is turned on with Group Policy
+> [!NOTE]
+> We recommend using Intune or Microsoft Endpoint Manager to turn on block at first sight.
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. Using the **Group Policy Management Editor** go to **Computer configuration** > **Administrative templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MAPS**.
-3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **MAPS**, configure the following Group Policies, and then click **OK**:
+3. In the MAPS section, double-click **Configure the 'Block at First Sight' feature**, and set it to **Enabled**, and then select **OK**.
- 1. Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**.
-
- 2. Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either **Send safe samples (1)** or **Send all samples (3)**.
-
- > [!WARNING]
+ > [!IMPORTANT]
> Setting to **Always prompt (0)** will lower the protection state of the device. Setting to **Never send (2)** means block at first sight will not function.
-4. In the **Group Policy Management Editor**, expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Real-time Protection**:
+4. In the MAPS section, double-click **Send file samples when further analysis is required**, and set it to **Enabled**. Under **Send file samples when further analysis is required**, select **Send all samples**, and then click **OK**.
- 1. Double-click **Scan all downloaded files and attachments** and ensure the option is set to **Enabled**, and then click **OK**.
+5. If you changed any settings, redeploy the Group Policy Object across your network to ensure all endpoints are covered.
- 2. Double-click **Turn off real-time protection** and ensure the option is set to **Disabled**, and then click **OK**.
-
-5. In the **Group Policy Management Editor**, expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **MpEngine**:
-
- 1. Double-click **Select cloud protection level** and ensure the option is set to **Enabled**.
-
- 2. Ensure that **Select cloud blocking level** section on the same page is set to **High blocking level**, and then click **OK**.
-
-If you had to change any of the settings, you should redeploy the Group Policy Object across your network to ensure all endpoints are covered.
-
-### Confirm block at first sight is turned on with Registry editor
-
-1. Start Registry Editor.
-
-2. Go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet`, and make sure that
-
- 1. **SpynetReporting** key is set to **1**
-
- 2. **SubmitSamplesConsent** key is set to either **1** (Send safe samples) or **3** (Send all samples)
-
-3. Go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection`, and make sure that
-
- 1. **DisableIOAVProtection** key is set to **0**
-
- 2. **DisableRealtimeMonitoring** key is set to **0**
-
-4. Go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine`, and make sure that the **MpCloudBlockLevel** key is set to **2**
-
-### Confirm Block at First Sight is enabled on individual clients
+## Confirm block at first sight is enabled on individual clients
You can confirm that block at first sight is enabled on individual clients using Windows security settings.
@@ -157,24 +124,43 @@ Block at first sight is automatically enabled as long as **Cloud-delivered prote
3. Confirm that **Cloud-delivered protection** and **Automatic sample submission** are both turned on.
> [!NOTE]
-> If the prerequisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
+> - If the prerequisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints.
+> - Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
-### Validate block at first sight is working
+## Validate block at first sight is working
-You can validate that the feature is working by following the steps outlined in [Validate connections between your network and the cloud](configure-network-connections-microsoft-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud).
+To validate that the feature is working, follow the guidance in [Validate connections between your network and the cloud](configure-network-connections-microsoft-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud).
## Turn off block at first sight
-> [!WARNING]
-> Turning off block at first sight will lower the protection state of the endpoint and your network.
+> [!CAUTION]
+> Turning off block at first sight will lower the protection state of your device(s) and your network.
-You may choose to disable block at first sight if you want to retain the prerequisite settings without using block at first sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network.
+You might choose to disable block at first sight if you want to retain the prerequisite settings without actually using block at first sight protection. You might do temporarily turn block at first sight off if you are experiencing latency issues or you want to test the feature's impact on your network. However, we do not recommend disabling block at first sight protection permanently.
+
+### Turn off block at first sight with Microsoft Endpoint Manager
+
+1. Go to Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
+
+2. Go to **Endpoint security** > **Antivirus**, and then select your Microsoft Defender Antivirus policy.
+
+3. Under **Manage**, choose **Properties**.
+
+4. Next to **Configuration settings**, choose **Edit**.
+
+5. Change one or more of the following settings:
+
+ - Set **Turn on cloud-delivered protection** to **No** or **Not configured**.
+ - Set **Cloud-delivered protection level** to **Not configured**.
+ - Clear the **Defender Cloud Extended Timeout In Seconds** box.
+
+6. Review and save your settings.
### Turn off block at first sight with Group Policy
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and then click **Edit**.
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. Using the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree through **Windows components** > **Microsoft Defender Antivirus** > **MAPS**.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
index 4be673460a..6fc2a16ea3 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
@@ -3,7 +3,7 @@ title: Configure the Microsoft Defender AV cloud block timeout period
description: You can configure how long Microsoft Defender Antivirus will block a file from running while waiting for a cloud determination.
keywords: Microsoft Defender Antivirus, antimalware, security, defender, cloud, timeout, block, period, seconds
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
@@ -14,6 +14,7 @@ ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
+ms.technology: mde
---
# Configure the cloud block timeout period
@@ -23,7 +24,7 @@ manager: dansimp
**Applies to:**
-- Microsoft Defender Antivirus
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
When Microsoft Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the [Microsoft Defender Antivirus cloud service](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md).
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md
index db09d1d9ef..a9d1ba4f3b 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md
@@ -3,7 +3,7 @@ title: Configure how users can interact with Microsoft Defender AV
description: Configure how end-users interact with Microsoft Defender AV, what notifications they see, and if they can override settings.
keywords: endpoint, user, interaction, notifications, ui lockdown mode, headless mode, hide interface
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
@@ -13,6 +13,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer:
manager: dansimp
+ms.technology: mde
---
# Configure end-user interaction with Microsoft Defender Antivirus
@@ -22,7 +23,7 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
You can configure how users of the endpoints on your network can interact with Microsoft Defender Antivirus.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md
index 1351a2448b..1f020f0372 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md
@@ -3,16 +3,16 @@ title: Set up exclusions for Microsoft Defender AV scans
description: You can exclude files (including files modified by specified processes) and folders from being scanned by Microsoft Defender AV. Validate your exclusions with PowerShell.
keywords:
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 03/12/2020
ms.reviewer:
manager: dansimp
+ms.technology: mde
---
# Configure and validate exclusions for Microsoft Defender Antivirus scans
@@ -22,7 +22,7 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender Antivirus scans. Such exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md). Exclusions for process-opened files only apply to real-time protection.
@@ -41,8 +41,11 @@ Defining exclusions lowers the protection offered by Microsoft Defender Antiviru
The following is a list of recommendations that you should keep in mind when defining exclusions:
- Exclusions are technically a protection gap—always consider additional mitigations when defining exclusions. Additional mitigations could be as simple as making sure the excluded location has the appropriate access-control lists (ACLs), audit policy, is processed by an up-to-date software, etc.
+
- Review the exclusions periodically. Re-check and re-enforce the mitigations as part of the review process.
+
- Ideally, avoid defining proactive exclusions. For instance, don't exclude something just because you think it might be a problem in the future. Use exclusions only for specific issues—mostly around performance, or sometimes around application compatibility that exclusions could mitigate.
+
- Audit the exclusion list changes. The security admin should preserve enough context around why a certain exclusion was added. You should be able to provide answer with specific reasoning as to why a certain path was excluded.
## Related articles
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md
index cad89f1643..fa58bbf100 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md
@@ -3,7 +3,7 @@ title: Configure and validate exclusions based on extension, name, or location
description: Exclude files from Microsoft Defender Antivirus scans based on their file extension, file name, or location.
keywords: exclusions, files, extension, file type, folder name, file name, scans
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: medium
@@ -12,6 +12,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer:
manager: dansimp
+ms.technology: mde
---
# Configure and validate exclusions based on file extension and folder location
@@ -21,47 +22,46 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
> [!IMPORTANT]
-> Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender ATP capabilities, including [endpoint detection and response (EDR)](../microsoft-defender-atp/overview-endpoint-detection-response.md), [attack surface reduction (ASR) rules](../microsoft-defender-atp/attack-surface-reduction.md), and [controlled folder access](../microsoft-defender-atp/controlled-folders.md). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add them to the Microsoft Defender ATP [custom indicators](../microsoft-defender-atp/manage-indicators.md).
+> Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response (EDR)](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response), [attack surface reduction (ASR) rules](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/controlled-folders). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add them to the Microsoft Defender for Endpoint [custom indicators](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/manage-indicators).
## Exclusion lists
-You can exclude certain files from Microsoft Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Microsoft Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
+You can exclude certain files from Microsoft Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Microsoft Defender Antivirus includes many automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
+
+**Note**: Exclusions apply to Potentially Unwanted Apps (PUA) detections as well.
> [!NOTE]
> Automatic exclusions apply only to Windows Server 2016 and above. These exclusions are not visible in the Windows Security app and in PowerShell.
This article describes how to configure exclusion lists for the files and folders. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.
-Exclusion | Examples | Exclusion list
----|---|---
-Any file with a specific extension | All files with the specified extension, anywhere on the machine.
Valid syntax: `.test` and `test` | Extension exclusions
-Any file under a specific folder | All files under the `c:\test\sample` folder | File and folder exclusions
-A specific file in a specific folder | The file `c:\sample\sample.test` only | File and folder exclusions
-A specific process | The executable file `c:\test\process.exe` | File and folder exclusions
+| Exclusion | Examples | Exclusion list |
+|:---|:---|:---|
+|Any file with a specific extension | All files with the specified extension, anywhere on the machine.
Valid syntax: `.test` and `test` | Extension exclusions |
+|Any file under a specific folder | All files under the `c:\test\sample` folder | File and folder exclusions |
+| A specific file in a specific folder | The file `c:\sample\sample.test` only | File and folder exclusions |
+| A specific process | The executable file `c:\test\process.exe` | File and folder exclusions |
Exclusion lists have the following characteristics:
- Folder exclusions apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately.
- File extensions apply to any file name with the defined extension if a path or folder is not defined.
->[!IMPORTANT]
->Using wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work.
->
->You cannot exclude mapped network drives. You must specify the actual network path.
->
->Folders that are reparse points that are created after the Microsoft Defender Antivirus service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target.
+> [!IMPORTANT]
+> - Using wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work.
+> - You cannot exclude mapped network drives. You must specify the actual network path.
+> - Folders that are reparse points that are created after the Microsoft Defender Antivirus service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target.
To exclude files opened by a specific process, see [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md).
The exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md).
->[!IMPORTANT]
->Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions).
->
->Changes made in the Windows Security app **will not show** in the Group Policy lists.
+> [!IMPORTANT]
+> Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions).
+> Changes made in the Windows Security app **will not show** in the Group Policy lists.
By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists take precedence when there are conflicts.
@@ -77,39 +77,37 @@ See the following articles:
### Use Configuration Manager to configure file name, folder, or file extension exclusions
-See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch).
+See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Manager (current branch).
### Use Group Policy to configure folder or file extension exclusions
>[!NOTE]
>If you specify a fully qualified path to a file, then only that file is excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder are excluded.
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
+2. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**.
-3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.
+3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Exclusions**.
-4. Double-click the **Path Exclusions** setting and add the exclusions.
+4. Open the **Path Exclusions** setting for editing, and add your exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Specify each folder on its own line under the **Value name** column.
- If you are specifying a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
-5. Click **OK**.
+5. Choose **OK**.
-6. Double-click the **Extension Exclusions** setting and add the exclusions.
+6. Open the **Extension Exclusions** setting for editing and add your exclusions.
- Set the option to **Enabled**.
- - Under the **Options** section, click **Show...**.
+ - Under the **Options** section, select **Show...**.
- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.
-7. Click **OK**.
-
- 
+7. Choose **OK**.
@@ -125,21 +123,21 @@ The format for the cmdlets is as follows:
The following are allowed as the `
In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument.
In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple nested folders. After matching the number of wild carded and named folders, all subfolders are also included. | `C:\MyData\*.txt` would include `C:\MyData\notes.txt`
`C:\somepath\*\Data` would include any file in `C:\somepath\Archives\Data and its subfolders` and `C:\somepath\Authorized\Data and its subfolders`
`C:\Serv\*\*\Backup` would include any file in `C:\Serv\Primary\Denied\Backup and its subfolders` and `C:\Serv\Secondary\Allowed\Backup and its subfolders` |
-|`?` (question mark)
In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument.
In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included. |`C:\MyData\my` would include `C:\MyData\my1.zip`
`C:\somepath\?\Data` would include any file in `C:\somepath\P\Data` and its subfolders
`C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders |
+|`?` (question mark)
In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument.
In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included. |`C:\MyData\my?` would include `C:\MyData\my1.zip`
`C:\somepath\?\Data` would include any file in `C:\somepath\P\Data` and its subfolders
`C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders |
|Environment variables
The defined variable is populated as a path when the exclusion is evaluated. |`%ALLUSERSPROFILE%\CustomLogFiles` would include `C:\ProgramData\CustomLogFiles\Folder1\file1.txt` |
->[!IMPORTANT]
->If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders.
->
->For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument `c:\data\*\marked\date*`.
->
->This argument, however, will not match any files in subfolders under `c:\data\final\marked` or `c:\data\review\marked`.
+> [!IMPORTANT]
+> If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders.
+> For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument `c:\data\*\marked\date*`.
+> This argument, however, will not match any files in subfolders under `c:\data\final\marked` or `c:\data\review\marked`.
@@ -204,273 +199,68 @@ The following table describes how the wildcards can be used and provides some ex
The following table lists and describes the system account environment variables.
-
-
-
+| This system environment variable... | Redirects to this |
+|:--|:--|
+| `%APPDATA%`| `C:\Users\UserName.DomainName\AppData\Roaming` |
+| `%APPDATA%\Microsoft\Internet Explorer\Quick Launch` | `C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch` |
+| `%APPDATA%\Microsoft\Windows\Start Menu` | `C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu` |
+| `%APPDATA%\Microsoft\Windows\Start Menu\Programs` | `C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs` |
+| `%LOCALAPPDATA%` | `C:\Windows\System32\config\systemprofile\AppData\Local` |
+| `%ProgramData%` | `C:\ProgramData` |
+| `%ProgramFiles%` | `C:\Program Files` |
+| `%ProgramFiles%\Common Files` | `C:\Program Files\Common Files` |
+| `%ProgramFiles%\Windows Sidebar\Gadgets` | `C:\Program Files\Windows Sidebar\Gadgets` |
+| `%ProgramFiles%\Common Files` | `C:\Program Files\Common Files` |
+| `%ProgramFiles(x86)%` | `C:\Program Files (x86)` |
+| `%ProgramFiles(x86)%\Common Files` | `C:\Program Files (x86)\Common Files` |
+| `%SystemDrive%` | `C:` |
+| `%SystemDrive%\Program Files` | `C:\Program Files` |
+| `%SystemDrive%\Program Files (x86)` | `C:\Program Files (x86)` |
+| `%SystemDrive%\Users` | `C:\Users` |
+| `%SystemDrive%\Users\Public` | `C:\Users\Public` |
+| `%SystemRoot%` | `C:\Windows` |
+| `%windir%` | `C:\Windows` |
+| `%windir%\Fonts` | `C:\Windows\Fonts` |
+| `%windir%\Resources` | `C:\Windows\Resources` |
+| `%windir%\resources\0409` | `C:\Windows\resources\0409` |
+| `%windir%\system32` | `C:\Windows\System32` |
+| `%ALLUSERSPROFILE%` | `C:\ProgramData` |
+| `%ALLUSERSPROFILE%\Application Data` | `C:\ProgramData\Application Data` |
+| `%ALLUSERSPROFILE%\Documents` | `C:\ProgramData\Documents` |
+| `%ALLUSERSPROFILE%\Documents\My Music\Sample Music` | `C:\ProgramData\Documents\My Music\Sample Music` |
+| `%ALLUSERSPROFILE%\Documents\My Music` | `C:\ProgramData\Documents\My Music` |
+| `%ALLUSERSPROFILE%\Documents\My Pictures` | `C:\ProgramData\Documents\My Pictures` |
+| `%ALLUSERSPROFILE%\Documents\My Pictures\Sample Pictures` | `C:\ProgramData\Documents\My Pictures\Sample Pictures` |
+| `%ALLUSERSPROFILE%\Documents\My Videos` | `C:\ProgramData\Documents\My Videos` |
+| `%ALLUSERSPROFILE%\Microsoft\Windows\DeviceMetadataStore` | `C:\ProgramData\Microsoft\Windows\DeviceMetadataStore` |
+| `%ALLUSERSPROFILE%\Microsoft\Windows\GameExplorer` | `C:\ProgramData\Microsoft\Windows\GameExplorer` |
+| `%ALLUSERSPROFILE%\Microsoft\Windows\Ringtones` | `C:\ProgramData\Microsoft\Windows\Ringtones` |
+| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu` | `C:\ProgramData\Microsoft\Windows\Start Menu` |
+| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs` | `C:\ProgramData\Microsoft\Windows\Start Menu\Programs` |
+| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Administrative Tools` | `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools` |
+| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\StartUp` | `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp` |
+| `%ALLUSERSPROFILE%\Microsoft\Windows\Templates` | `C:\ProgramData\Microsoft\Windows\Templates` |
+| `%ALLUSERSPROFILE%\Start Menu` | `C:\ProgramData\Start Menu` |
+| `%ALLUSERSPROFILE%\Start Menu\Programs` | C:\ProgramData\Start Menu\Programs |
+| `%ALLUSERSPROFILE%\Start Menu\Programs\Administrative Tools` | `C:\ProgramData\Start Menu\Programs\Administrative Tools` |
+| `%ALLUSERSPROFILE%\Templates` | `C:\ProgramData\Templates` |
+| `%LOCALAPPDATA%\Microsoft\Windows\ConnectedSearch\Templates` | `C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\ConnectedSearch\Templates` |
+| `%LOCALAPPDATA%\Microsoft\Windows\History` | `C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History` |
+| `%PUBLIC%` | `C:\Users\Public` |
+| `%PUBLIC%\AccountPictures` | `C:\Users\Public\AccountPictures` |
+| `%PUBLIC%\Desktop` | `C:\Users\Public\Desktop` |
+| `%PUBLIC%\Documents` | `C:\Users\Public\Documents` |
+| `%PUBLIC%\Downloads` | `C:\Users\Public\Downloads` |
+| `%PUBLIC%\Music\Sample Music` | `C:\Users\Public\Music\Sample Music` |
+| `%PUBLIC%\Music\Sample Playlists` | `C:\Users\Public\Music\Sample Playlists` |
+| `%PUBLIC%\Pictures\Sample Pictures` | `C:\Users\Public\Pictures\Sample Pictures` |
+| `%PUBLIC%\RecordedTV.library-ms` | `C:\Users\Public\RecordedTV.library-ms` |
+| `%PUBLIC%\Videos` | `C:\Users\Public\Videos` |
+| `%PUBLIC%\Videos\Sample Videos` | `C:\Users\Public\Videos\Sample Videos` |
+| `%USERPROFILE%` | `C:\Windows\System32\config\systemprofile` |
+| `%USERPROFILE%\AppData\Local` | `C:\Windows\System32\config\systemprofile\AppData\Local` |
+| `%USERPROFILE%\AppData\LocalLow` | `C:\Windows\System32\config\systemprofile\AppData\LocalLow` |
+| `%USERPROFILE%\AppData\Roaming` | `C:\Windows\System32\config\systemprofile\AppData\Roaming` |
## Review the list of exclusions
@@ -489,7 +279,7 @@ You can retrieve the items in the exclusion list using one of the following meth
If you use PowerShell, you can retrieve the list in two ways:
-- Retrieve the status of all Microsoft Defender Antivirus preferences. Each of the lists are displayed on separate lines, but the items within each list are combined into the same line.
+- Retrieve the status of all Microsoft Defender Antivirus preferences. Each list is displayed on separate lines, but the items within each list are combined into the same line.
- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
### Validate the exclusion list by using MpCmdRun
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md
index 5a4dcf2b76..c9e9e785d1 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md
@@ -3,7 +3,7 @@ title: Configure local overrides for Microsoft Defender AV settings
description: Enable or disable users from locally changing settings in Microsoft Defender AV.
keywords: local override, local policy, group policy, gpo, lockdown,merge, lists
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
@@ -14,6 +14,7 @@ ms.custom: nextgen
ms.date: 02/13/2020
ms.reviewer:
manager: dansimp
+ms.technology: mde
---
# Prevent or allow users to locally modify Microsoft Defender Antivirus policy settings
@@ -23,7 +24,7 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
By default, Microsoft Defender Antivirus settings that are deployed via a Group Policy Object to the endpoints in your network will prevent users from locally changing the settings. You can change this in some instances.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md
index 0e9715c7f7..07bd54a1a4 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md
@@ -3,7 +3,7 @@ title: Configure Microsoft Defender Antivirus features
description: You can configure Microsoft Defender Antivirus features with Intune, Microsoft Endpoint Configuration Manager, Group Policy, and PowerShell.
keywords: Microsoft Defender Antivirus, antimalware, security, defender, configure, configuration, Config Manager, Microsoft Endpoint Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
@@ -11,9 +11,10 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 09/03/2018
+ms.date: 11/18/2020
ms.reviewer:
manager: dansimp
+ms.technology: mde
---
# Configure Microsoft Defender Antivirus features
@@ -23,7 +24,7 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
You can configure Microsoft Defender Antivirus with a number of tools, including:
@@ -37,15 +38,16 @@ The following broad categories of features can be configured:
- Cloud-delivered protection
- Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection
-- How end-users interact with the client on individual endpoints
+- How end users interact with the client on individual endpoints
-The topics in this section describe how to perform key tasks when configuring Microsoft Defender Antivirus. Each topic includes instructions for the applicable configuration tool (or tools).
+The following articles describe how to perform key tasks when configuring Microsoft Defender Antivirus. Each article includes instructions for the applicable configuration tool (or tools).
-You can also review the [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md) topic for an overview of each tool and links to further help.
+|Article |Description |
+|---------|---------|
+|[Utilize Microsoft cloud-provided Microsoft Defender Antivirus protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) | Use cloud-delivered protection for advanced, fast, robust antivirus detection. |
+|[Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md) |Enable behavior-based, heuristic, and real-time antivirus protection. |
+|[Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md) | Configure how end users in your organization interact with Microsoft Defender Antivirus, what notifications they see, and whether they can override settings. |
+
+> [!TIP]
+> You can also review the [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md) topic for an overview of each tool and links to further help.
-## In this section
-Topic | Description
-:---|:---
-[Utilize Microsoft cloud-provided Microsoft Defender Antivirus protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) | Cloud-delivered protection provides an advanced level of fast, robust antivirus detection
-[Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)|Enable behavior-based, heuristic, and real-time antivirus protection
-[Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md)|Configure how end-users interact with Microsoft Defender Antivirus, what notifications they see, and whether they can override settings
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md
index f19baf44aa..c4ecf2347a 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md
@@ -3,7 +3,7 @@ title: Configure and validate Microsoft Defender Antivirus network connections
description: Configure and test your connection to the Microsoft Defender Antivirus cloud protection service.
keywords: antivirus, Microsoft Defender Antivirus, antimalware, security, defender, cloud, aggressiveness, protection level
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
@@ -11,9 +11,10 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 07/08/2020
+ms.date: 12/28/2020
ms.reviewer:
manager: dansimp
+ms.technology: mde
---
# Configure and validate Microsoft Defender Antivirus network connections
@@ -23,7 +24,7 @@ manager: dansimp
**Applies to:**
-- Microsoft Defender Antivirus
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
To ensure Microsoft Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers.
@@ -32,7 +33,7 @@ This article lists the connections that must be allowed, such as by using firewa
See the blog post [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006) for some details about network connectivity.
>[!TIP]
->You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working:
+>You can also visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working:
>
>- Cloud-delivered protection
>- Fast learning (including block at first sight)
@@ -40,16 +41,16 @@ See the blog post [Important changes to Microsoft Active Protection Services end
## Allow connections to the Microsoft Defender Antivirus cloud service
-The Microsoft Defender Antivirus cloud service provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides important protection against malware on your endpoints and across your network.
+The Microsoft Defender Antivirus cloud service provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it's highly recommended because it provides important protection against malware on your endpoints and across your network.
>[!NOTE]
->The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
+>The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it's called a cloud service, it's not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
See [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) for details on enabling the service with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app.
After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints.
-Because your protection is a cloud service, computers must have access to the internet and reach the ATP machine learning services. Do not exclude the URL `*.blob.core.windows.net` from any kind of network inspection.
+Because your protection is a cloud service, computers must have access to the internet and reach the Microsoft Defender for Office 365 machine learning services. Don't exclude the URL `*.blob.core.windows.net` from any kind of network inspection.
The table below lists the services and their associated URLs. Make sure that there are no firewall or network filtering rules denying access to these URLs, or you may need to create an allow rule specifically for them (excluding the URL `*.blob.core.windows.net`). Below mention URLs are using port 443 for communication.
@@ -59,14 +60,14 @@ The table below lists the services and their associated URLs. Make sure that the
| Microsoft Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)|Used by Microsoft Defender Antivirus to provide cloud-delivered protection|`*.wdcp.microsoft.com`
-
-
-System environment variables
-Will redirect to:
-
-
-%APPDATA%
-C:\Users\UserName.DomainName\AppData\Roaming
-
-
-%APPDATA%\Microsoft\Internet Explorer\Quick Launch
-C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
-
-
-%APPDATA%\Microsoft\Windows\Start Menu
-C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu
-
-
-%APPDATA%\Microsoft\Windows\Start Menu\Programs
-C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
-
-
-%LOCALAPPDATA%
-C:\Windows\System32\config\systemprofile\AppData\Local
-
-
-%ProgramData%
-C:\ProgramData
-
-
-%ProgramFiles%
-C:\Program Files
-
-
-%ProgramFiles%\Common Files
-C:\Program Files\Common Files
-
-
-%ProgramFiles%\Windows Sidebar\Gadgets
-C:\Program Files\Windows Sidebar\Gadgets
-
-
-%ProgramFiles%\Common Files
-C:\Program Files\Common Files
-
-
-%ProgramFiles(x86)%
-C:\Program Files (x86)
-
-
-%ProgramFiles(x86)%\Common Files
-C:\Program Files (x86)\Common Files
-
-
-%SystemDrive%
-C:
-
-
-%SystemDrive%\Program Files
-C:\Program Files
-
-
-%SystemDrive%\Program Files (x86)
-C:\Program Files (x86)
-
-
-%SystemDrive%\Users
-C:\Users
-
-
-%SystemDrive%\Users\Public
-C:\Users\Public
-
-
-%SystemRoot%
- C:\Windows
-
-
-%windir%
-C:\Windows
-
-
-%windir%\Fonts
-C:\Windows\Fonts
-
-
-%windir%\Resources
-C:\Windows\Resources
-
-
-%windir%\resources\0409
-C:\Windows\resources\0409
-
-
-%windir%\system32
-C:\Windows\System32
-
-
-%ALLUSERSPROFILE%
-C:\ProgramData
-
-
-%ALLUSERSPROFILE%\Application Data
-C:\ProgramData\Application Data
-
-
-%ALLUSERSPROFILE%\Documents
-C:\ProgramData\Documents
-
-
-%ALLUSERSPROFILE%\Documents\My Music\Sample Music
-
-
-
-
-%ALLUSERSPROFILE%\Documents\My Music
-C:\ProgramData\Documents\My Music
-
-
-%ALLUSERSPROFILE%\Documents\My Pictures
-
-
-
-
-%ALLUSERSPROFILE%\Documents\My Pictures\Sample Pictures
-C:\ProgramData\Documents\My Pictures\Sample Pictures
-
-
-%ALLUSERSPROFILE%\Documents\My Videos
-C:\ProgramData\Documents\My Videos
-
-
-%ALLUSERSPROFILE%\Microsoft\Windows\DeviceMetadataStore
-C:\ProgramData\Microsoft\Windows\DeviceMetadataStore
-
-
-%ALLUSERSPROFILE%\Microsoft\Windows\GameExplorer
-C:\ProgramData\Microsoft\Windows\GameExplorer
-
-
-%ALLUSERSPROFILE%\Microsoft\Windows\Ringtones
-C:\ProgramData\Microsoft\Windows\Ringtones
-
-
-%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu
-C:\ProgramData\Microsoft\Windows\Start Menu
-
-
-%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs
-C:\ProgramData\Microsoft\Windows\Start Menu\Programs
-
-
-%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Administrative Tools
-C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
-
-
-%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\StartUp
-C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
-
-
-%ALLUSERSPROFILE%\Microsoft\Windows\Templates
-C:\ProgramData\Microsoft\Windows\Templates
-
-
-%ALLUSERSPROFILE%\Start Menu
-C:\ProgramData\Start Menu
-
-
-%ALLUSERSPROFILE%\Start Menu\Programs
-C:\ProgramData\Start Menu\Programs
-
-
-%ALLUSERSPROFILE%\Start Menu\Programs\Administrative Tools
-C:\ProgramData\Start Menu\Programs\Administrative Tools
-
-
-%ALLUSERSPROFILE%\Templates
-C:\ProgramData\Templates
-
-
-%LOCALAPPDATA%\Microsoft\Windows\ConnectedSearch\Templates
-C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\ConnectedSearch\Templates
-
-
-%LOCALAPPDATA%\Microsoft\Windows\History
-C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History
-
-
-
-
-C:\Users\Public
-
-
-%PUBLIC%\AccountPictures
-C:\Users\Public\AccountPictures
-
-
-%PUBLIC%\Desktop
-C:\Users\Public\Desktop
-
-
-%PUBLIC%\Documents
-C:\Users\Public\Documents
-
-
-%PUBLIC%\Downloads
-C:\Users\Public\Downloads
-
-
-%PUBLIC%\Music\Sample Music
-
-
-
-
-%PUBLIC%\Music\Sample Playlists
-
-
-
-
-%PUBLIC%\Pictures\Sample Pictures
-C:\Users\Public\Pictures\Sample Pictures
-
-
-%PUBLIC%\RecordedTV.library-ms
-C:\Users\Public\RecordedTV.library-ms
-
-
-%PUBLIC%\Videos
-C:\Users\Public\Videos
-
-
-%PUBLIC%\Videos\Sample Videos
-
-
-
-
-%USERPROFILE%
-C:\Windows\System32\config\systemprofile
-
-
-%USERPROFILE%\AppData\Local
-C:\Windows\System32\config\systemprofile\AppData\Local
-
-
-%USERPROFILE%\AppData\LocalLow
-C:\Windows\System32\config\systemprofile\AppData\LocalLow
-
-
-
-%USERPROFILE%\AppData\Roaming
-C:\Windows\System32\config\systemprofile\AppData\Roaming
-
`*.wdcpalt.microsoft.com`
`*.wd.microsoft.com`|
| Microsoft Update Service (MU)
Windows Update Service (WU)| Security intelligence and product updates |`*.update.microsoft.com`
`*.delivery.mp.microsoft.com`
`*.windowsupdate.com`
For details see [Connection endpoints for Windows Update](https://docs.microsoft.com/windows/privacy/manage-windows-1709-endpoints#windows-update)|
|Security intelligence updates Alternate Download Location (ADL)| Alternate location for Microsoft Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com` `*.download.windowsupdate.com` `https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx`|
-| Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net`
`ussus1westprod.blob.core.windows.net`
`usseu1northprod.blob.core.windows.net`
`usseu1westprod.blob.core.windows.net`
`ussuk1southprod.blob.core.windows.net`
`ussuk1westprod.blob.core.windows.net`
`ussas1eastprod.blob.core.windows.net`
`ussas1southeastprod.blob.core.windows.net`
`ussau1eastprod.blob.core.windows.net`
`ussau1southeastprod.blob.core.windows.net` |
+| Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net`
`ussus2eastprod.blob.core.windows.net`
`ussus3eastprod.blob.core.windows.net`
`ussus4eastprod.blob.core.windows.net`
`wsus1eastprod.blob.core.windows.net`
`wsus2eastprod.blob.core.windows.net`
`ussus1westprod.blob.core.windows.net`
`ussus2westprod.blob.core.windows.net`
`ussus3westprod.blob.core.windows.net`
`ussus4westprod.blob.core.windows.net`
`wsus1westprod.blob.core.windows.net`
`wsus2westprod.blob.core.windows.net`
`usseu1northprod.blob.core.windows.net`
`wseu1northprod.blob.core.windows.net`
`usseu1westprod.blob.core.windows.net`
`wseu1westprod.blob.core.windows.net`
`ussuk1southprod.blob.core.windows.net`
`wsuk1southprod.blob.core.windows.net`
`ussuk1westprod.blob.core.windows.net`
`wsuk1westprod.blob.core.windows.net` |
| Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `http://www.microsoft.com/pkiops/crl/`
`http://www.microsoft.com/pkiops/certs`
`http://crl.microsoft.com/pki/crl/products`
`http://www.microsoft.com/pki/certs` |
| Symbol Store|Used by Microsoft Defender Antivirus to restore certain critical files during remediation flows | `https://msdl.microsoft.com/download/symbols` |
-| Universal Telemetry Client| Used by Windows to send client diagnostic data; Microsoft Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com`
`settings-win.data.microsoft.com`|
+| Universal Telemetry Client| Used by Windows to send client diagnostic data; Microsoft Defender Antivirus uses telemetry for product quality monitoring purposes | The update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com`
`settings-win.data.microsoft.com`|
## Validate connections between your network and the cloud
-After allowing the URLs listed above, you can test if you are connected to the Microsoft Defender Antivirus cloud service and are correctly reporting and receiving information to ensure you are fully protected.
+After allowing the URLs listed above, you can test if you're connected to the Microsoft Defender Antivirus cloud service and are correctly reporting and receiving information to ensure you're fully protected.
**Use the cmdline tool to validate cloud-delivered protection:**
@@ -83,38 +84,37 @@ For more information, see [Manage Microsoft Defender Antivirus with the mpcmdrun
**Attempt to download a fake malware file from Microsoft:**
-You can download a sample file that Microsoft Defender Antivirus will detect and block if you are properly connected to the cloud.
+You can download a sample file that Microsoft Defender Antivirus will detect and block if you're properly connected to the cloud.
-Download the file by visiting the following link:
-- https://aka.ms/ioavtest
+Download the file by visiting [https://aka.ms/ioavtest](https://aka.ms/ioavtest).
>[!NOTE]
->This file is not an actual piece of malware. It is a fake file that is designed to test if you are properly connected to the cloud.
+>This file is not an actual piece of malware. It's a fake file that is designed to test if you're properly connected to the cloud.
-If you are properly connected, you will see a warning Microsoft Defender Antivirus notification.
+If you're properly connected, you'll see a warning Microsoft Defender Antivirus notification.
-If you are using Microsoft Edge, you'll also see a notification message:
+If you're using Microsoft Edge, you'll also see a notification message:
-A similar message occurs if you are using Internet Explorer:
+A similar message occurs if you're using Internet Explorer:
-You will also see a detection under **Quarantined threats** in the **Scan history** section in the Windows Security app:
+You'll also see a detection under **Quarantined threats** in the **Scan history** section in the Windows Security app:
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label:
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label:
-3. Under the **Quarantined threats** section, click the **See full history** label to see the detected fake malware.
+3. Under the **Quarantined threats** section, select **See full history** to see the detected fake malware.
> [!NOTE]
> Versions of Windows 10 before version 1703 have a different user interface. See [Microsoft Defender Antivirus in the Windows Security app](microsoft-defender-security-center-antivirus.md).
- The Windows event log will also show [Windows Defender client event ID 2050](troubleshoot-microsoft-defender-antivirus.md).
+ The Windows event log will also show [Windows Defender client event ID 1116](troubleshoot-microsoft-defender-antivirus.md).
## Related articles
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md
index ce2af4d4b6..0b1a46fded 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md
@@ -3,7 +3,7 @@ title: Configure Microsoft Defender Antivirus notifications
description: Learn how to configure and customize both standard and additional Microsoft Defender Antivirus notifications on endpoints.
keywords: notifications, defender, antivirus, endpoint, management, admin
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
@@ -14,6 +14,7 @@ ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
+ms.technology: mde
---
# Configure the notifications that appear on endpoints
@@ -23,7 +24,7 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
In Windows 10, application notifications about malware detection and remediation are more robust, consistent, and concise.
@@ -76,7 +77,7 @@ You can use Group Policy to:
Hiding notifications can be useful in situations where you can't hide the entire Microsoft Defender Antivirus interface. See [Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md) for more information.
> [!NOTE]
-> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [Microsoft Endpoint Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection).
+> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [Microsoft Endpoint Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection).
See [Customize the Windows Security app for your organization](../windows-defender-security-center/windows-defender-security-center.md) for instructions to add custom contact information to the notifications that users see on their machines.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
index ae76a5bd9d..94b265a644 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
@@ -3,7 +3,7 @@ title: Configure exclusions for files opened by specific processes
description: You can exclude files from scans if they have been opened by a specific process.
keywords: Microsoft Defender Antivirus, process, exclusion, files, scans
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
@@ -13,6 +13,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer:
manager: dansimp
+ms.technology: mde
---
# Configure exclusions for files opened by processes
@@ -22,19 +23,20 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
You can exclude files that have been opened by specific processes from Microsoft Defender Antivirus scans. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.
-This topic describes how to configure exclusion lists for the following:
+This article describes how to configure exclusion lists.
-
+## Examples of exclusions
+
+|Exclusion | Example |
+|---|---|
+|Any file on the machine that is opened by any process with a specific file name | Specifying `test.exe` would exclude files opened by:
`c:\sample\test.exe`
`d:\internal\files\test.exe` |
+|Any file on the machine that is opened by any process under a specific folder | Specifying `c:\test\sample\*` would exclude files opened by:
`c:\test\sample\test.exe`
`c:\test\sample\test2.exe`
`c:\test\sample\utility.exe` |
+|Any file on the machine that is opened by a specific process in a specific folder | Specifying `c:\test\process.exe` would exclude files only opened by `c:\test\process.exe` |
-Exclusion | Example
----|---
-Any file on the machine that is opened by any process with a specific file name | Specifying "test.exe" would exclude files opened by:
-Any file on the machine that is opened by any process under a specific folder | Specifying "c:\test\sample\\*" would exclude files opened by:
-Any file on the machine that is opened by a specific process in a specific folder | Specifying "c:\test\process.exe" would exclude files only opened by c:\test\process.exe
When you add a process to the process exclusion list, Microsoft Defender Antivirus won't scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-microsoft-defender-antivirus.md).
@@ -42,25 +44,23 @@ The exclusions only apply to [always-on real-time protection and monitoring](con
Changes made with Group Policy to the exclusion lists **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Security app **will not show** in the Group Policy lists.
-You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [Microsoft Endpoint Configuration Manager, Microsoft Intune, and with the Windows Security app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists.
+You can add, remove, and review the lists for exclusions in Group Policy, Microsoft Endpoint Configuration Manager, Microsoft Intune, and with the Windows Security app, and you can use wildcards to further customize the lists.
-You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) your lists.
+You can also use PowerShell cmdlets and WMI to configure the exclusion lists, including reviewing your lists.
-By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts.
+By default, local changes made to the lists (by users with administrator privileges; changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts.
You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-microsoft-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings.
## Configure the list of exclusions for files opened by specified processes
-
-
### Use Microsoft Intune to exclude files that have been opened by specified processes from scans
See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details.
-### Use Microsoft Endpoint Configuration Manager to exclude files that have been opened by specified processes from scans
+### Use Microsoft Endpoint Manager to exclude files that have been opened by specified processes from scans
-See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch).
+See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Manager (current branch).
### Use Group Policy to exclude files that have been opened by specified processes from scans
@@ -74,14 +74,10 @@ See [How to create and deploy antimalware policies: Exclusion settings](https://
1. Set the option to **Enabled**.
2. Under the **Options** section, click **Show...**.
- 3. Enter each process on its own line under the **Value name** column. See the [example table](#examples) for the different types of process exclusions. Enter **0** in the **Value** column for all processes.
+ 3. Enter each process on its own line under the **Value name** column. See the example table for the different types of process exclusions. Enter **0** in the **Value** column for all processes.
5. Click **OK**.
-
-
-
-
### Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans
Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess` parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/itpro/powershell/windows/defender/defender).
@@ -94,11 +90,11 @@ The format for the cmdlets is:
The following are allowed as the \
|
-? (question mark) | Not available | \- | \-
-Environment variables | The defined variable will be populated as a path when the exclusion is evaluated |
|
-
-
+|Wildcard | Example use | Example matches |
+|:---|:---|:---|
+|`*` (asterisk)
Replaces any number of characters | `C:\MyData\*` | Any file opened by `C:\MyData\file.exe` |
+|Environment variables
The defined variable is populated as a path when the exclusion is evaluated | `%ALLUSERSPROFILE%\CustomLogFiles\file.exe` | Any file opened by `C:\ProgramData\CustomLogFiles\file.exe` |
## Review the list of exclusions
@@ -166,8 +153,8 @@ To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://
MpCmdRun.exe -CheckExclusion -path
`*.vhdx`
`*.avhd`
`*.avhdx`
`*.vsv`
`*.iso`
`*.rct`
`*.vmcx`
`*.vmrs` | `%ProgramData%\Microsoft\Windows\Hyper-V`
`%ProgramFiles%\Hyper-V`
`%SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots`
`%Public%\Documents\Hyper-V\Virtual Hard Disks` | `%systemroot%\System32\Vmms.exe`
`%systemroot%\System32\Vmwp.exe` |
#### SYSVOL files
- `%systemroot%\Sysvol\Domain\*.adm`
-
- `%systemroot%\Sysvol\Domain\*.admx`
-
- `%systemroot%\Sysvol\Domain\*.adml`
-
- `%systemroot%\Sysvol\Domain\Registry.pol`
-
- `%systemroot%\Sysvol\Domain\*.aas`
-
- `%systemroot%\Sysvol\Domain\*.inf`
-
-- `%systemroot%\Sysvol\Domain\*.Scripts.ini`
-
+- `%systemroot%\Sysvol\Domain\*Scripts.ini`
- `%systemroot%\Sysvol\Domain\*.ins`
-
- `%systemroot%\Sysvol\Domain\Oscfilter.ini`
+
### Active Directory exclusions
This section lists the exclusions that are delivered automatically when you install Active Directory Domain Services.
@@ -267,7 +204,6 @@ This section lists the exclusions that are delivered automatically when you inst
The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File`
- `%windir%\Ntds\ntds.dit`
-
- `%windir%\Ntds\ntds.pat`
#### The AD DS transaction log files
@@ -275,13 +211,9 @@ The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\
The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path`
- `%windir%\Ntds\EDB*.log`
-
- `%windir%\Ntds\Res*.log`
-
- `%windir%\Ntds\Edb*.jrs`
-
- `%windir%\Ntds\Ntds*.pat`
-
- `%windir%\Ntds\TEMP.edb`
#### The NTDS working folder
@@ -289,13 +221,11 @@ The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\
This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory`
- `%windir%\Ntds\Temp.edb`
-
- `%windir%\Ntds\Edb.chk`
#### Process exclusions for AD DS and AD DS-related support files
- `%systemroot%\System32\ntfrs.exe`
-
- `%systemroot%\System32\lsass.exe`
### DHCP Server exclusions
@@ -303,13 +233,9 @@ This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentC
This section lists the exclusions that are delivered automatically when you install the DHCP Server role. The DHCP Server file locations are specified by the *DatabasePath*, *DhcpLogFilePath*, and *BackupDatabasePath* parameters in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters`
- `%systemroot%\System32\DHCP\*\*.mdb`
-
- `%systemroot%\System32\DHCP\*\*.pat`
-
- `%systemroot%\System32\DHCP\*\*.log`
-
- `%systemroot%\System32\DHCP\*\*.chk`
-
- `%systemroot%\System32\DHCP\*\*.edb`
### DNS Server exclusions
@@ -319,11 +245,8 @@ This section lists the file and folder exclusions and the process exclusions tha
#### File and folder exclusions for the DNS Server role
- `%systemroot%\System32\Dns\*\*.log`
-
- `%systemroot%\System32\Dns\*\*.dns`
-
- `%systemroot%\System32\Dns\*\*.scc`
-
- `%systemroot%\System32\Dns\*\BOOT`
#### Process exclusions for the DNS Server role
@@ -335,9 +258,7 @@ This section lists the file and folder exclusions and the process exclusions tha
This section lists the file and folder exclusions that are delivered automatically when you install the File and Storage Services role. The exclusions listed below do not include exclusions for the Clustering role.
- `%SystemDrive%\ClusterStorage`
-
- `%clusterserviceaccount%\Local Settings\Temp`
-
- `%SystemDrive%\mscs`
### Print Server exclusions
@@ -347,7 +268,6 @@ This section lists the file type exclusions, folder exclusions, and the process
#### File type exclusions
- `*.shd`
-
- `*.spl`
#### Folder exclusions
@@ -367,36 +287,49 @@ This section lists the folder exclusions and the process exclusions that are del
#### Folder exclusions
- `%SystemRoot%\IIS Temporary Compressed Files`
-
- `%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files`
-
- `%SystemDrive%\inetpub\temp\ASP Compiled Templates`
-
- `%systemDrive%\inetpub\logs`
-
- `%systemDrive%\inetpub\wwwroot`
#### Process exclusions
- `%SystemRoot%\system32\inetsrv\w3wp.exe`
-
- `%SystemRoot%\SysWOW64\inetsrv\w3wp.exe`
-
- `%SystemDrive%\PHP5433\php-cgi.exe`
+#### Turning off scanning of files in the Sysvol\Sysvol folder or the SYSVOL_DFSR\Sysvol folder
+
+The current location of the `Sysvol\Sysvol` or `SYSVOL_DFSR\Sysvol` folder and all the subfolders is the file system reparse target of the replica set root. The `Sysvol\Sysvol` and `SYSVOL_DFSR\Sysvol` folders use the following locations by default:
+
+- `%systemroot%\Sysvol\Domain`
+- `%systemroot%\Sysvol_DFSR\Domain`
+
+The path to the currently active `SYSVOL` is referenced by the NETLOGON share and can be determined by the SysVol value name in the following subkey: `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters`
+
+Exclude the following files from this folder and all its subfolders:
+
+- `*.adm`
+- `*.admx`
+- `*.adml`
+- `Registry.pol`
+- `Registry.tmp`
+- `*.aas`
+- `*.inf`
+- `Scripts.ini`
+- `*.ins`
+- `Oscfilter.ini`
+
### Windows Server Update Services exclusions
This section lists the folder exclusions that are delivered automatically when you install the Windows Server Update Services (WSUS) role. The WSUS folder is specified in the registry key `HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup`
- `%systemroot%\WSUS\WSUSContent`
-
- `%systemroot%\WSUS\UpdateServicesDBFiles`
-
- `%systemroot%\SoftwareDistribution\Datastore`
-
- `%systemroot%\SoftwareDistribution\Download`
-## Related articles
+## See also
- [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md
index f482a524ba..142404566a 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md
@@ -3,7 +3,7 @@ title: Run and customize scheduled and on-demand scans
description: Customize and initiate Microsoft Defender Antivirus scans on endpoints across your network.
keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, Microsoft Defender Antivirus
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
@@ -14,6 +14,7 @@ ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
+ms.technology: mde
---
# Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation
@@ -23,7 +24,7 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Microsoft Defender Antivirus scans.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
index f482a524ba..0fdf549b5e 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
@@ -3,7 +3,7 @@ title: Run and customize scheduled and on-demand scans
description: Customize and initiate Microsoft Defender Antivirus scans on endpoints across your network.
keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, Microsoft Defender Antivirus
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
@@ -14,26 +14,27 @@ ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
+ms.technology: mde
---
-# Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation
+# Customize, initiate, and review the results of Microsoft Defender Antivirus scans & remediation
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Microsoft Defender Antivirus scans.
## In this section
-Topic | Description
----|---
-[Configure and validate file, folder, and process-opened file exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning
-[Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md) | You can configure Microsoft Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning
-[Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md) | Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
-[Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
-[Configure and run scans](run-scan-microsoft-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app
-[Review scan results](review-scan-results-microsoft-defender-antivirus.md) | Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app
+| Article | Description |
+|:---|:---|
+|[Configure and validate file, folder, and process-opened file exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning |
+|[Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md) | You can configure Microsoft Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning |
+|[Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md) | Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder |
+|[Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans |
+|[Configure and run scans](run-scan-microsoft-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app |
+|[Review scan results](review-scan-results-microsoft-defender-antivirus.md) | Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app |
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md
index a6d053b389..c5543f30ef 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md
@@ -3,7 +3,7 @@ title: Deploy, manage, and report on Microsoft Defender Antivirus
description: You can deploy and manage Microsoft Defender Antivirus with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, or WMI
keywords: deploy, manage, update, protection, Microsoft Defender Antivirus
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
@@ -14,6 +14,7 @@ ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
+ms.technology: mde
---
# Deploy, manage, and report on Microsoft Defender Antivirus
@@ -23,13 +24,13 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
You can deploy, manage, and report on Microsoft Defender Antivirus in a number of ways.
Because the Microsoft Defender Antivirus client is installed as a core part of Windows 10, traditional deployment of a client to your endpoints does not apply.
-However, in most cases you will still need to enable the protection service on your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Azure Security Center, or Group Policy Objects, which is described in the following table.
+However, in most cases you will still need to enable the protection service on your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Azure Defender, or Group Policy Objects, which is described in the following table.
You'll also see additional links for:
@@ -42,13 +43,13 @@ You'll also see additional links for:
Tool|Deployment options (2)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options
---|---|---|---
Microsoft Intune|[Add endpoint protection settings in Intune](https://docs.microsoft.com/intune/endpoint-protection-configure)|[Configure device restriction settings in Intune](https://docs.microsoft.com/intune/device-restrictions-configure)| [Use the Intune console to manage devices](https://docs.microsoft.com/intune/device-management)
-Microsoft Endpoint Configuration Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][]
+Microsoft Endpoint Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][]
Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Microsoft Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Microsoft Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][]
PowerShell|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference] and [Update-MpSignature] cmdlets available in the Defender module.|Use the appropriate [Get- cmdlets available in the Defender module][]
Windows Management Instrumentation|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][]
-Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Microsoft Defender Antivirus events][] and add that tool as an app in AAD.
+Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Defender*](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Microsoft Defender Antivirus events][] and add that tool as an app in AAD.
-1. The availability of some functions and features, especially related to cloud-delivered protection, differ between Microsoft Endpoint Configuration Manager (Current Branch) and System Center 2012 Configuration Manager. In this library, we've focused on Windows 10, Windows Server 2016, and Microsoft Endpoint Configuration Manager (Current Branch). See [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2)
+1. The availability of some functions and features, especially related to cloud-delivered protection, differ between Microsoft Endpoint Manager (Current Branch) and System Center 2012 Configuration Manager. In this library, we've focused on Windows 10, Windows Server 2016, and Microsoft Endpoint Manager (Current Branch). See [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2)
2. In Windows 10, Microsoft Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date ([except on Windows Server 2016](microsoft-defender-antivirus-on-windows-server-2016.md)). Traditional deployment therefore is not required. Deployment here refers to ensuring the Microsoft Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref2)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md
index e66ebbd817..38beb9a21f 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md
@@ -1,9 +1,9 @@
---
-title: Deploy and enable Microsoft Defender Antivirus
+title: Deploy and enable Microsoft Defender Antivirus
description: Deploy Microsoft Defender Antivirus for protection of your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or WMI.
keywords: deploy, enable, Microsoft Defender Antivirus
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
@@ -11,9 +11,10 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 09/03/2018
+ms.date: 01/06/2021
ms.reviewer:
manager: dansimp
+ms.technology: mde
---
# Deploy and enable Microsoft Defender Antivirus
@@ -23,17 +24,17 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
Depending on the management tool you are using, you may need to specifically enable or configure Microsoft Defender Antivirus protection.
See the table in [Deploy, manage, and report on Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md#ref2) for instructions on how to enable protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, Active Directory, Microsoft Azure, PowerShell cmdlets, and Windows Management Instruction (WMI).
-Some scenarios require additional guidance on how to successfully deploy or configure Microsoft Defender Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments.
+Some scenarios require more guidance on how to successfully deploy or configure Microsoft Defender Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments.
-The remaining topic in this section provides end-to-end advice and best practices for [setting up Microsoft Defender Antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-microsoft-defender-antivirus.md).
+The remaining article in this section provides end-to-end advice and best practices for [setting up Microsoft Defender Antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-microsoft-defender-antivirus.md).
-## Related topics
+## Related articles
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
- [Deploy, manage updates, and report on Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md
index ebce0895fc..3f58a55cf2 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md
@@ -3,16 +3,17 @@ title: Microsoft Defender Antivirus Virtual Desktop Infrastructure deployment gu
description: Learn how to deploy Microsoft Defender Antivirus in a virtual desktop environment for the best balance between protection and performance.
keywords: vdi, hyper-v, vm, virtual machine, windows defender, antivirus, av, virtual desktop, rds, remote desktop
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 01/31/2020
-ms.reviewer:
+ms.date: 12/28/2020
+ms.reviewer: jesquive
manager: dansimp
+ms.technology: mde
---
# Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment
@@ -22,13 +23,13 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
In addition to standard on-premises or hardware configurations, you can also use Microsoft Defender Antivirus in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment.
See [Windows Virtual Desktop Documentation](https://docs.microsoft.com/azure/virtual-desktop) for more details on Microsoft Remote Desktop Services and VDI support.
-For Azure-based virtual machines, you can also review the [Install Endpoint Protection in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection) topic.
+For Azure-based virtual machines, see [Install Endpoint Protection in Azure Defender](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection).
With the ability to easily deploy updates to VMs running in VDIs, we've shortened this guide to focus on how you can get updates on your machines quickly and easily. You no longer need to create and seal golden images on a periodic basis, as updates are expanded into their component bits on the host server and then downloaded directly to the VM when it's turned on.
@@ -49,7 +50,7 @@ You can also download the whitepaper [Microsoft Defender Antivirus on Virtual De
## Set up a dedicated VDI file share
-In Windows 10, version 1903, we introduced the shared security intelligence feature. This offloads the unpackaging of downloaded security intelligence updates onto a host machine — thus saving previous CPU, disk, and memory resources on individual machines. You can set this feature with a Group Policy, or PowerShell.
+In Windows 10, version 1903, we introduced the shared security intelligence feature, which offloads the unpackaging of downloaded security intelligence updates onto a host machine—thus saving previous CPU, disk, and memory resources on individual machines. This feature has been backported and now works in Windows 10 version 1703 and above. You can set this feature with a Group Policy, or PowerShell.
### Use Group Policy to enable the shared security intelligence feature:
@@ -63,7 +64,7 @@ In Windows 10, version 1903, we introduced the shared security intelligence feat
5. Double-click **Define security intelligence location for VDI clients**, and then set the option to **Enabled**. A field automatically appears.
-6. Enter `\\
Download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-microsoft-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from Windows Server Update Service or Microsoft Update for [a specified number of days](https://docs.microsoft.com/windows/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).|
You can manage the order in which update sources are used with Group Policy, Microsoft Endpoint Configuration Manager, PowerShell cmdlets, and WMI.
@@ -111,7 +112,7 @@ The procedures in this article first describe how to set the order, and then how
## Use Configuration Manager to manage the update location
-See [Configure Security intelligence Updates for Endpoint Protection](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-definition-updates) for details on configuring Microsoft Endpoint Configuration Manager (current branch).
+See [Configure Security intelligence Updates for Endpoint Protection](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-definition-updates) for details on configuring Microsoft Endpoint Manager (current branch).
## Use PowerShell cmdlets to manage the update location
@@ -170,7 +171,7 @@ Set up a network file share (UNC/mapped drive) to download security intelligence
MD C:\Temp\TempSigs\x86
```
-3. Download the Powershell script from [www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4).
+3. Download the PowerShell script from [www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4).
4. Click **Manual Download**.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
index d352e882bd..4fd8f01ece 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
@@ -3,7 +3,7 @@ title: Manage Microsoft Defender Antivirus updates and apply baselines
description: Manage how Microsoft Defender Antivirus receives protection and product updates.
keywords: updates, security baselines, protection, schedule updates, force updates, mobile updates, wsus
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
@@ -11,9 +11,10 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.reviewer:
+ms.reviewer: pahuijbr
manager: dansimp
-ms.date: 10/08/2020
+ms.date: 03/19/2021
+ms.technology: mde
---
# Manage Microsoft Defender Antivirus updates and apply baselines
@@ -23,19 +24,18 @@ ms.date: 10/08/2020
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
There are two types of updates related to keeping Microsoft Defender Antivirus up to date:
- - Security intelligence updates
- - Product updates
+- Security intelligence updates
+- Product updates
> [!IMPORTANT]
> Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques.
-> This also applies to devices where Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
+> Make sure to update your antivirus protection even if Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
>
-> You can use the below URL to find out what are the current versions:
-> [https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info](https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info)
+> To see the most current engine, platform, and signature date, visit the [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates).
## Security intelligence updates
@@ -48,6 +48,8 @@ Microsoft Defender Antivirus uses [cloud-delivered protection](utilize-microsoft
Cloud-delivered protection is always on and requires an active connection to the Internet to function. Security intelligence updates occur on a scheduled cadence (configurable via policy). For more information, see [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md).
+For a list of recent security intelligence updates, see [Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware](https://www.microsoft.com/en-us/wdsi/defenderupdates).
+
Engine updates are included with security intelligence updates and are released on a monthly cadence.
## Product updates
@@ -63,32 +65,112 @@ You can manage the distribution of updates through one of the following methods:
For more information, see [Manage the sources for Microsoft Defender Antivirus protection updates](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus).
> [!NOTE]
-> We release these monthly updates in phases. This results in multiple packages visible in your WSUS server.
+> Monthly updates are released in phases, resulting in multiple packages visible in your [Window Server Update Services](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus).
## Monthly platform and engine versions
-For information how to update or how to install the platform update, see [Update for Windows Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform).
-
-All our updates contain:
-- performance improvements
-- serviceability improvements
-- integration improvements (Cloud, Microsoft 365 Defender)
-
+For information how to update or install the platform update, see [Update for Windows Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform).
+All our updates contain
+- performance improvements;
+- serviceability improvements; and
+- integration improvements (Cloud, Microsoft 365 Defender).
+
February-2021 (Platform: 4.18.2102.3 | Engine: 1.1.17900.7)
+
+ Security intelligence update version: **1.333.7.0**
+ Released: **March 9, 2021**
+ Platform: **4.19.2102.3**
+ Engine: **1.1.17900.7**
+ Support phase: **Security and Critical Updates**
+
+### What's new
+
+- Improved service recovery through [tamper protection](prevent-changes-to-security-settings-with-tamper-protection.md)
+- Extend tamper protection scope
+
+### Known Issues
+No known issues
+
+ January-2021 (Platform: 4.18.2101.9 | Engine: 1.1.17800.5)
+
+ Security intelligence update version: **1.327.1854.0**
+ Released: **February 2, 2021**
+ Platform: **4.18.2101.9**
+ Engine: **1.1.17800.5**
+ Support phase: **Security and Critical Updates**
+
+### What's new
+
+- Additional failed tampering attempt event generation when [Tamper Protection](prevent-changes-to-security-settings-with-tamper-protection.md) is enabled
+- Shellcode exploit detection improvements
+- Increased visibility for credential stealing attempts
+- Improvements in antitampering features in Microsoft Defender Antivirus services
+- Improved support for ARM x64 emulation
+- Fix: EDR Block notification remains in threat history after real-time protection performed initial detection
+
+### Known Issues
+No known issues
+
+ November-2020 (Platform: 4.18.2011.6 | Engine: 1.1.17700.4)
+
+ Security intelligence update version: **1.327.1854.0**
+ Released: **December 03, 2020**
+ Platform: **4.18.2011.6**
+ Engine: **1.1.17700.4**
+ Support phase: **Security and Critical Updates**
+
+### What's new
+
+- Improved [SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) status support logging
+
+### Known Issues
+No known issues
+
+
+ October-2020 (Platform: 4.18.2010.7 | Engine: 1.1.17600.5)
+
+ Security intelligence update version: **1.327.7.0**
+ Released: **October 29, 2020**
+ Platform: **4.18.2010.7**
+ Engine: **1.1.17600.5**
+ Support phase: **Security and Critical Updates**
+
+### What's new
+
+- New descriptions for special threat categories
+- Improved emulation capabilities
+- Improved host address allow/block capabilities
+- New option in Defender CSP to Ignore merging of local user exclusions
+
+### Known Issues
+
+No known issues
+
+ September-2020 (Platform: 4.18.2009.7 | Engine: 1.1.17500.4)
Security intelligence update version: **1.325.10.0**
Released: **October 01, 2020**
Platform: **4.18.2009.7**
Engine: **1.1.17500.4**
- Support phase: **Security and Critical Updates**
+ Support phase: **Technical upgrade support (only)**
### What's new
+
- Admin permissions are required to restore files in quarantine
- XML formatted events are now supported
-- CSP support for ignoring exclusion merge
+- CSP support for ignoring exclusion merges
- New management interfaces for:
- UDP Inspection
- Network Protection on Server 2019
@@ -97,6 +179,7 @@ All our updates contain:
- Improved Office VBA module scanning
### Known Issues
+
No known issues
> [!IMPORTANT]
-> This updates is needed by RS1 devices running lower version of the platform to support SHA2.
This update has reboot flag for systems that are experiencing the hang issue.
the This update is re-released in April 2020 and will not be superseded by newer updates to keep future availability.
-
-> [!IMPORTANT]
-> This update is categorized as an "update" due to its reboot requirement and will only be offered with a [Windows Update](https://support.microsoft.com/help/4027667/windows-10-update)
+> This update is:
+> - needed by RS1 devices running lower version of the platform to support SHA2;
+> - has a reboot flag for systems that have hanging issues;
+> - is re-released in April 2020 and will not be superseded by newer updates to keep future availability;
+> - is categorized as an update due to the reboot requirement; and
+> - is only be offered with [Windows Update](https://support.microsoft.com/help/4027667/windows-10-update).
@@ -291,24 +380,23 @@ Support phase: **No support**
### What's new
-* Fixed MpCmdRun tracing level
-* Fixed WDFilter version info
-* Improve notifications (PUA)
-* add MRT logs to support files
+- Fixed MpCmdRun tracing level
+- Fixed WDFilter version info
+- Improve notifications (PUA)
+- add MRT logs to support files
### Known Issues
When this update is installed, the device needs the jump package 4.10.2001.10 to be able to update to the latest platform version.
+
## Microsoft Defender Antivirus platform support
Platform and engine updates are provided on a monthly cadence. To be fully supported, keep current with the latest platform updates. Our support structure is dynamic, evolving into two phases depending on the availability of the latest platform version:
-
-* **Security and Critical Updates servicing phase** - When running the latest platform version, you will be eligible to receive both Security and Critical updates to the anti-malware platform.
+- **Security and Critical Updates servicing phase** - When running the latest platform version, you will be eligible to receive both Security and Critical updates to the anti-malware platform.
-
-* **Technical Support (Only) phase** - After a new platform version is released, support for older versions (N-2) will reduce to technical support only. Platform versions older than N-2 will no longer be supported.*
+- **Technical Support (Only) phase** - After a new platform version is released, support for older versions (N-2) will reduce to technical support only. Platform versions older than N-2 will no longer be supported.*
\* Technical support will continue to be provided for upgrades from the Windows 10 release version (see [Platform version included with Windows 10 releases](#platform-version-included-with-windows-10-releases)) to the latest platform version.
@@ -318,24 +406,131 @@ During the technical support (only) phase, commercially reasonable support incid
The below table provides the Microsoft Defender Antivirus platform and engine versions that are shipped with the latest Windows 10 releases:
|Windows 10 release |Platform version |Engine version |Support phase |
-|-|-|-|-|
-|1909 (19H2) |4.18.1902.5 |1.1.16700.3 | Technical upgrade Support (Only) |
-|1903 (19H1) |4.18.1902.5 |1.1.15600.4 | Technical upgrade Support (Only) |
-|1809 (RS5) |4.18.1807.18075 |1.1.15000.2 | Technical upgrade Support (Only) |
-|1803 (RS4) |4.13.17134.1 |1.1.14600.4 | Technical upgrade Support (Only) |
-|1709 (RS3) |4.12.16299.15 |1.1.14104.0 | Technical upgrade Support (Only) |
-|1703 (RS2) |4.11.15603.2 |1.1.13504.0 | Technical upgrade Support (Only) |
-|1607 (RS1) |4.10.14393.3683 |1.1.12805.0 | Technical upgrade Support (Only) |
+|:---|:---|:---|:---|
+|2004 (20H1/20H2) |4.18.1909.6 |1.1.17000.2 | Technical upgrade support (only) |
+|1909 (19H2) |4.18.1902.5 |1.1.16700.3 | Technical upgrade support (only) |
+|1903 (19H1) |4.18.1902.5 |1.1.15600.4 | Technical upgrade support (only) |
+|1809 (RS5) |4.18.1807.18075 |1.1.15000.2 | Technical upgrade support (only) |
+|1803 (RS4) |4.13.17134.1 |1.1.14600.4 | Technical upgrade support (only) |
+|1709 (RS3) |4.12.16299.15 |1.1.14104.0 | Technical upgrade support (only) |
+|1703 (RS2) |4.11.15603.2 |1.1.13504.0 | Technical upgrade support (only) |
+|1607 (RS1) |4.10.14393.3683 |1.1.12805.0 | Technical upgrade support (only) |
-Windows 10 release info: [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet).
+For Windows 10 release information, see the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet).
+## Updates for Deployment Image Servicing and Management (DISM)
-## See also
+We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Windows Server 2019, and Windows Server 2016 OS installation images with the latest antivirus and antimalware updates. Keeping your OS installation images up to date helps avoid a gap in protection.
-Article | Description
----|---
-[Manage how protection updates are downloaded and applied](manage-protection-updates-microsoft-defender-antivirus.md) | Protection updates can be delivered through a number of sources.
-[Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) | You can schedule when protection updates should be downloaded.
-[Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) | If an endpoint misses an update or scheduled scan, you can force an update or scan at the next logon.
-[Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) | You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events.
-[Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)| You can specify settings, such as whether updates should occur on battery power, that are especially useful for mobile devices and virtual machines.
+For more information, see [Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images).
+
+1.1.2103.01
+
+ Package version: **1.1.2103.01**
+ Platform version: **4.18.2101.9**
+ Engine version: **1.17800.5**
+ Signature version: **1.331.2302.0**
+
+### Fixes
+- None
+
+### Additional information
+- None
+
+1.1.2102.03
+
+ Package version: **1.1.2102.03**
+ Platform version: **4.18.2011.6**
+ Engine version: **1.17800.5**
+ Signature version: **1.331.174.0**
+
+### Fixes
+- None
+
+### Additional information
+- None
+
+1.1.2101.02
+
+ Package version: **1.1.2101.02**
+ Platform version: **4.18.2011.6**
+ Engine version: **1.17700.4**
+ Signature version: **1.329.1796.0**
+
+### Fixes
+- None
+
+### Additional information
+- None
+
+1.1.2012.01
+
+ Package version: **1.1.2012.01**
+ Platform version: **4.18.2010.7**
+ Engine version: **1.17600.5**
+ Signature version: **1.327.1991.0**
+
+### Fixes
+- None
+
+### Additional information
+- None
+
+1.1.2011.02
+
+ Package version: **1.1.2011.02**
+ Platform version: **4.18.2010.7**
+ Engine version: **1.17600.5**
+ Signature version: **1.327.658.0**
+
+### Fixes
+- None
+
+### Additional information
+- Refreshed Microsoft Defender Antivirus signatures
+
+1.1.2011.01
+
+ Package version: **1.1.2011.01**
+ Platform version: **4.18.2009.7**
+ Engine version: **1.17600.5**
+ Signature version: **1.327.344.0**
+
+### Fixes
+- None
+
+### Additional information
+- None
+
+1.1.2009.10
+
+ Package version: **1.1.2011.01**
+ Platform version: **4.18.2008.9**
+ Engine version: **1.17400.5**
+ Signature version: **1.327.2216.0**
+
+### Fixes
+- None
+
+### Additional information
+- Added support for Windows 10 RS1 or later OS install images.
+
+
|Yes |No |Yes |Yes |Yes |
-|Passive mode |No |No |Yes |No |Yes |
-|[EDR in block mode enabled](../microsoft-defender-atp/edr-in-block-mode.md) |No |No |Yes |Yes |Yes |
-|Automatic disabled mode |No |Yes |No |No |No |
+> [!IMPORTANT]
+> Do not turn off capabilities, such as real-time protection, cloud-delivered protection, or limited periodic scanning, if you are using Microsoft Defender Antivirus in passive mode or you are using EDR in block mode.
-- In Active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself).
-- In Passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections which are shared with the Microsoft Defender ATP service. Therefore, you might encounter alerts in the Security Center console with Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in Passive mode.
-- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) (currently in private preview) is turned on, Microsoft Defender Antivirus is not used as the primary antivirus solution, but can still detect and remediate malicious items.
-- In Automatic disabled mode, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated.
+|Protection |Active mode |Passive mode |EDR in block mode |Disabled or uninstalled |
+|:---|:---|:---|:---|:---|
+| [Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) | Yes | No [[3](#fn3)] | No | No |
+| [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus) | No | No | No | Yes |
+| [File scanning and detection information](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus) | Yes | Yes | Yes | No |
+| [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus) | Yes | See note [[4](#fn4)] | Yes | No |
+| [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) | Yes | Yes | Yes | No |
+
+(3) In general, when Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is enabled and in passive mode.
+
+(4) When Microsoft Defender Antivirus is in passive mode, threat remediation features are active only during scheduled or on-demand scans.
+
+> [!NOTE]
+> [Microsoft 365 Endpoint data loss prevention](https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-learn-about) protection continues to operate normally when Microsoft Defender Antivirus is in active or passive mode.
## Keep the following points in mind
-If you are enrolled in Microsoft Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Microsoft Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks.
+- In active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself).
-When Microsoft Defender Antivirus is automatic disabled, it can automatically re-enable if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats. This is to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which uses the Microsoft Defender Antivirus engine to periodically check for threats in addition to your main antivirus app.
+- In passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections that are shared with the Microsoft Defender for Endpoint service. Therefore, you might encounter alerts in the Security Center console with Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in Passive mode.
-In passive mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
+- When [EDR in block mode](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode) is turned on and Microsoft Defender Antivirus is not the primary antivirus solution, it can still detect and remediate malicious items.
-If you uninstall the other product, and choose to use Microsoft Defender Antivirus to provide protection to your endpoints, Microsoft Defender Antivirus will automatically return to its normal active mode.
+- When disabled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. Disabling/uninstalling Microsoft Defender Antivirus is not recommended in general; if possible, keep Microsoft Defender Antivirus in passive mode if you are using a non-Microsoft antimalware/antivirus solution.
+
+- If you are enrolled in Microsoft Defender for Endpoint and you are using a third-party antimalware product, then passive mode is enabled. [The service requires common information sharing from Microsoft Defender Antivirus service](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/defender-compatibility) in order to properly monitor your devices and network for intrusion attempts and attacks.
+
+- When Microsoft Defender Antivirus is disabled automatically, it can be re-enabled automatically if the protection offered by a non-Microsoft antivirus product expires or otherwise stops providing real-time protection from viruses, malware, or other threats. Automatic re-enabling helps to ensure that antivirus protection is maintained on your devices. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which uses the Microsoft Defender Antivirus engine to periodically check for threats in addition to your main antivirus app.
+
+- When Microsoft Defender Antivirus is in passive mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into active mode if your devices have an up-to-date, non-Microsoft antivirus product providing real-time protection from malware. For optimal security layered defense and detection efficacy, please ensure that you update the [Microsoft Defender Antivirus protection (Security intelligence update, Engine and Platform)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) even if Microsoft Defender Antivirus is running in passive mode.
+
+ If you uninstall the non-Microsoft antivirus product, and use Microsoft Defender Antivirus to provide protection to your devices, Microsoft Defender Antivirus will return to its normal active mode automatically.
> [!WARNING]
-> You should not attempt to disable, stop, or modify any of the associated services used by Microsoft Defender Antivirus, Microsoft Defender ATP, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
+> Do not disable, stop, or modify any of the associated services that are used by Microsoft Defender Antivirus, Microsoft Defender for Endpoint, or the Windows Security app. This recommendation includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and processes. Manually modifying these services can cause severe instability on your devices and can make your network vulnerable. Disabling, stopping, or modifying those services can also cause problems when using non-Microsoft antivirus solutions and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md).
-> [!IMPORTANT]
-> If you are using [Microsoft endpoint data loss prevention (Endpoint DLP)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview), Microsoft Defender Antivirus real-time protection is enabled even when Microsoft Defender Antivirus is running in passive mode. Endpoint DLP depends on real-time protection to operate.
-## Related topics
+## See also
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
-- [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md)
-- [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md)
+- [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server-2016.md)
+- [EDR in block mode](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode)
- [Configure Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure)
-- [Configure Endpoint Protection on a standalone client](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure-standalone-client)
+- [Address false positives/negatives in Microsoft Defender for Endpoint](../microsoft-defender-atp/defender-endpoint-false-positives-negatives.md)
+- [Learn about Microsoft 365 Endpoint data loss prevention](https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-learn-about)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md
index e9bcff7d72..0c2b8d058a 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md
@@ -1,48 +1,48 @@
---
title: Next-generation protection in Windows 10, Windows Server 2016, and Windows Server 2019
-description: Learn how to manage, configure, and use Microsoft Defender AV, the built-in antimalware and antivirus product available in Windows 10 and Windows Server 2016
+description: Learn how to manage, configure, and use Microsoft Defender Antivirus, built-in antimalware and antivirus protection.
keywords: Microsoft Defender Antivirus, windows defender, antimalware, scep, system center endpoint protection, system center configuration manager, virus, malware, threat, detection, protection, security
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
-ms.localizationpriority: medium
+ms.localizationpriority: high
author: denisebmsft
ms.author: deniseb
-ms.date: 02/25/2020
+ms.date: 12/16/2020
ms.reviewer:
manager: dansimp
ms.custom: nextgen
+ms.technology: mde
---
-# Next-generation protection in Windows 10, Windows Server 2016, and Windows Server 2019
+# Next-generation protection in Windows
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
## Microsoft Defender Antivirus: Your next-generation protection
-Microsoft Defender Antivirus is the next-generation protection component of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). Next-generation protection brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices in your enterprise organization. Next-generation protection services include the following:
+Microsoft Defender Antivirus is the next-generation protection component of Microsoft Defender for Endpoint. This protection brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices in your enterprise organization. Your next-generation protection services include the following capabilities:
-- [Behavior-based, heuristic, and real-time antivirus protection](configure-protection-features-microsoft-defender-antivirus.md). This includes always-on scanning using file and process behavior monitoring and other heuristics (also known as "real-time protection"). It also includes detecting and blocking apps that are deemed unsafe, but may not be detected as malware.
-- [Cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md). This includes near-instant detection and blocking of new and emerging threats.
-- [Dedicated protection and product updates](manage-updates-baselines-microsoft-defender-antivirus.md). This includes updates related to keeping Microsoft Defender Antivirus up to date.
+- [Behavior-based, heuristic, and real-time antivirus protection](configure-protection-features-microsoft-defender-antivirus.md), which includes always-on scanning using file and process behavior monitoring and other heuristics (also known as *real-time protection*). It also includes detecting and blocking apps that are deemed unsafe, but might not be detected as malware.
+- [Cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md), which includes near-instant detection and blocking of new and emerging threats.
+- [Dedicated protection and product updates](manage-updates-baselines-microsoft-defender-antivirus.md), which includes updates related to keeping Microsoft Defender Antivirus up to date.
## Try a demo!
-Visit the [Microsoft Defender ATP demo website](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following protection features are working and explore them using demo scenarios:
+Visit the [Microsoft Defender for Endpoint demo website](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following protection features are working and explore them using demo scenarios:
- Cloud-delivered protection
- Block at first sight (BAFS) protection
- Potentially unwanted applications (PUA) protection
## Minimum system requirements
-Microsoft Defender Antivirus has the same hardware requirements as of Windows 10. For more information, see:
+Microsoft Defender Antivirus has the same hardware requirements as of Windows 10. For more information, see the following resources:
- [Minimum hardware requirements](https://docs.microsoft.com/windows-hardware/design/minimum/minimum-hardware-requirements-overview)
- [Hardware component guidelines](https://docs.microsoft.com/windows-hardware/design/component-guidelines/components)
@@ -54,8 +54,8 @@ For information on how to configure next-generation protection services, see [Co
> [!Note]
> Configuration and management is largely the same in Windows Server 2016 and Windows Server 2019, while running Microsoft Defender Antivirus; however, there are some differences. To learn more, see [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md).
-## Related articles
+## See also
+- [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md)
- [Microsoft Defender Antivirus management and configuration](configuration-management-reference-microsoft-defender-antivirus.md)
-
- [Evaluate Microsoft Defender Antivirus protection](evaluate-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md
index 76701c22f2..3404f99585 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md
@@ -1,33 +1,35 @@
---
-title: Microsoft Defender Antivirus on Windows Server 2016 and 2019
+title: Microsoft Defender Antivirus on Windows Server
description: Learn how to enable and configure Microsoft Defender Antivirus on Windows Server 2016 and Windows Server 2019.
keywords: windows defender, server, scep, system center endpoint protection, server 2016, current branch, server 2012
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.date: 02/25/2020
-ms.reviewer:
+ms.date: 01/21/2021
+ms.reviewer: pahuijbr, shwjha
manager: dansimp
+ms.technology: mde
---
-# Microsoft Defender Antivirus on Windows Server 2016 and 2019
+# Microsoft Defender Antivirus on Windows Server
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:**
-- Windows Server 2016
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+
+Microsoft Defender Antivirus is available on the following editions/versions of Windows Server:
- Windows Server 2019
+- Windows Server, version 1803 or later
+- Windows Server 2016.
-Microsoft Defender Antivirus is available on Windows Server 2016 and Windows Server 2019. In some instances, Microsoft Defender Antivirus is referred to as Endpoint Protection; however, the protection engine is the same.
-
-While the functionality, configuration, and management are largely the same for Microsoft Defender Antivirus on Windows 10, there are a few key differences on Windows Server 2016 or Windows Server 2019:
+In some instances, Microsoft Defender Antivirus is referred to as *Endpoint Protection*; however, the protection engine is the same. Although the functionality, configuration, and management are largely the same for [Microsoft Defender Antivirus on Windows 10](microsoft-defender-antivirus-in-windows-10.md), there are a few key differences on Windows Server:
- In Windows Server, [automatic exclusions](configure-server-exclusions-microsoft-defender-antivirus.md) are applied based on your defined Server Role.
- In Windows Server, Microsoft Defender Antivirus does not automatically disable itself if you are running another antivirus product.
@@ -36,35 +38,29 @@ While the functionality, configuration, and management are largely the same for
The process of setting up and running Microsoft Defender Antivirus on a server platform includes several steps:
-1. [Enable the interface](#enable-the-user-interface-on-windows-server-2016-or-2019)
+1. [Enable the interface](#enable-the-user-interface-on-windows-server).
+2. [Install Microsoft Defender Antivirus](#install-microsoft-defender-antivirus-on-windows-server).
+3. [Verify Microsoft Defender Antivirus is running](#verify-microsoft-defender-antivirus-is-running).
+4. [Update your antimalware Security intelligence](#update-antimalware-security-intelligence).
+5. (As needed) [Submit samples](#submit-samples).
+6. (As needed) [Configure automatic exclusions](#configure-automatic-exclusions).
+7. (Only if necessary) [Set Microsoft Defender Antivirus to passive mode](#need-to-set-microsoft-defender-antivirus-to-passive-mode).
-2. [Install Microsoft Defender Antivirus](#install-microsoft-defender-antivirus-on-windows-server-2016-or-2019)
+## Enable the user interface on Windows Server
-2. [Verify Microsoft Defender Antivirus is running](#verify-microsoft-defender-antivirus-is-running)
-
-3. [Update your antimalware Security intelligence](#update-antimalware-security-intelligence)
-
-4. (As needed) [Submit samples](#submit-samples)
-
-5. (As needed) [Configure automatic exclusions](#configure-automatic-exclusions)
-
-6. (Only if necessary) [Uninstall Microsoft Defender Antivirus](#need-to-uninstall-microsoft-defender-antivirus)
-
-## Enable the user interface on Windows Server 2016 or 2019
-
-By default, Microsoft Defender Antivirus is installed and functional on Windows Server 2016 and Windows Server 2019. The user interface (GUI) is installed by default on some SKUs, but is not required because you can use PowerShell or other methods to manage Microsoft Defender Antivirus. And if the GUI is not installed on your server, you can add it by using the Add Roles and Features Wizard or PowerShell.
+By default, Microsoft Defender Antivirus is installed and functional on Windows Server. The user interface (GUI) is installed by default on some SKUs, but is not required because you can use PowerShell or other methods to manage Microsoft Defender Antivirus. If the GUI is not installed on your server, you can add it by using the **Add Roles and Features** wizard, or by using PowerShell cmdlets.
### Turn on the GUI using the Add Roles and Features Wizard
-1. Refer to [this article](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#install-roles-role-services-and-features-by-using-the-add-roles-and-features-wizard), and use the **Add Roles and Features Wizard**.
+1. See [Install roles, role services, and features by using the add Roles and Features Wizard](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#install-roles-role-services-and-features-by-using-the-add-roles-and-features-wizard), and use the **Add Roles and Features Wizard**.
2. When you get to the **Features** step of the wizard, under **Windows Defender Features**, select the **GUI for Windows Defender** option.
-In Windows Server 2016, the **Add Roles and Features Wizard** looks like this:
+ In Windows Server 2016, the **Add Roles and Features Wizard** looks like this:
-
+ 
-In Windows Server 2019, the **Add Roles and Feature Wizard** looks much the same.
+ In Windows Server 2019, the **Add Roles and Feature Wizard** is similar.
### Turn on the GUI using PowerShell
@@ -74,7 +70,7 @@ The following PowerShell cmdlet will enable the interface:
Install-WindowsFeature -Name Windows-Defender-GUI
```
-## Install Microsoft Defender Antivirus on Windows Server 2016 or 2019
+## Install Microsoft Defender Antivirus on Windows Server
You can use either the **Add Roles and Features Wizard** or PowerShell to install Microsoft Defender Antivirus.
@@ -119,16 +115,16 @@ The `sc query` command returns information about the Microsoft Defender Antiviru
## Update antimalware Security intelligence
-In order to get updated antimalware Security intelligence, you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Microsoft Defender Antivirus Security intelligence are approved for the computers you manage.
+To get updated antimalware security intelligence, you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Microsoft Defender Antivirus Security intelligence are approved for the computers you manage.
-By default, Windows Update does not download and install updates automatically on Windows Server 2016 or 2019. You can change this configuration by using one of the following methods:
+By default, Windows Update does not download and install updates automatically on Windows Server 2019 or Windows Server 2016. You can change this configuration by using one of the following methods:
|Method |Description |
|---------|---------|
|**Windows Update** in Control Panel |- **Install updates automatically** results in all updates being automatically installed, including Windows Defender Security intelligence updates.
- **Download updates but let me choose whether to install them** allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. |
|**Group Policy** | You can set up and manage Windows Update by using the settings available in Group Policy, in the following path: **Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates** |
-|The **AUOptions** registry key |The following two values allow Windows Update to automatically download and install Security intelligence updates:
- **4** Install updates automatically. This value results in all updates being automatically installed, including Windows Defender Security intelligence updates.
- **3** Download updates but let me choose whether to install them. This value allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. |
+|The **AUOptions** registry key |The following two values allow Windows Update to automatically download and install Security intelligence updates:
- **4** - **Install updates automatically**. This value results in all updates being automatically installed, including Windows Defender Security intelligence updates.
- **3** - **Download updates but let me choose whether to install them**. This value allows Windows Defender to download and install Security intelligence updates automatically, but other updates are not automatically installed. |
To ensure that protection from malware is maintained, we recommend that you enable the following services:
@@ -162,10 +158,10 @@ To enable automatic sample submission, start a Windows PowerShell console as an
|Setting |Description |
|---------|---------|
-|**0** Always prompt |The Microsoft Defender Antivirus service prompts you to confirm submission of all required files. This is the default setting for Microsoft Defender Antivirus, but is not recommended for installations on Windows Server 2016 or 2019 without a GUI. |
-|**1** Send safe samples automatically |The Microsoft Defender Antivirus service sends all files marked as "safe" and prompts for the remainder of the files. |
-|**2** Never send |The Microsoft Defender Antivirus service does not prompt and does not send any files. |
-|**3** Send all samples automatically |The Microsoft Defender Antivirus service sends all files without a prompt for confirmation. |
+|**0** - **Always prompt** |The Microsoft Defender Antivirus service prompts you to confirm submission of all required files. This is the default setting for Microsoft Defender Antivirus, but is not recommended for installations on Windows Server 2016 or 2019 without a GUI. |
+|**1** - **Send safe samples automatically** |The Microsoft Defender Antivirus service sends all files marked as "safe" and prompts for the remainder of the files. |
+|**2** - **Never send** |The Microsoft Defender Antivirus service does not prompt and does not send any files. |
+|**3** - **Send all samples automatically** |The Microsoft Defender Antivirus service sends all files without a prompt for confirmation. |
## Configure automatic exclusions
@@ -173,38 +169,29 @@ To help ensure security and performance, certain exclusions are automatically ad
See [Configure exclusions in Microsoft Defender Antivirus on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md).
-## Need to uninstall Microsoft Defender Antivirus?
+## Need to set Microsoft Defender Antivirus to passive mode?
-If you are using a third-party antivirus solution and you're running into issues with that solution and Microsoft Defender Antivirus, you can consider uninstalling Microsoft Defender Antivirus. Before you do that, review the following resources:
+If you are using a non-Microsoft antivirus product as your primary antivirus solution, set Microsoft Defender Antivirus to passive mode.
-- See the question "Should I run Microsoft security software at the same time as other security products?" on the [Windows Defender Security Intelligence Antivirus and antimalware software FAQ](https://www.microsoft.com/wdsi/help/antimalware-faq#multiple-products).
+### Set Microsoft Defender Antivirus to passive mode using a registry key
-- See [Better together: Microsoft Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-antivirus). This article describes 10 advantages to using Microsoft Defender Antivirus together with Microsoft Defender Advanced Threat Protection.
+If you are using Windows Server, version 1803 or Windows Server 2019, you can set Microsoft Defender Antivirus to passive mode by setting the following registry key:
+- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
+- Name: `ForcePassiveMode`
+- Type: `REG_DWORD`
+- Value: `1`
-If you determine you do want to uninstall Microsoft Defender Antivirus, follow the steps in the following sections.
+### Disable Microsoft Defender Antivirus using the Remove Roles and Features wizard
-### Uninstall Microsoft Defender Antivirus using the Remove Roles and Features wizard
+1. See [Install or Uninstall Roles, Role Services, or Features](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#remove-roles-role-services-and-features-by-using-the-remove-roles-and-features-wizard), and use the **Remove Roles and Features Wizard**.
-1. Refer to [this article](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#remove-roles-role-services-and-features-by-using-the-remove-roles-and-features-wizard), and use the **Remove Roles and Features Wizard**.
+2. When you get to the **Features** step of the wizard, clear the **Windows Defender Features** option.
-2. When you get to the **Features** step of the wizard, unselect the **Windows Defender Features** option.
-
- If you unselect **Windows Defender** by itself under the **Windows Defender Features** section, you will be prompted to remove the interface option **GUI for Windows Defender**.
+ If you clear **Windows Defender** by itself under the **Windows Defender Features** section, you will be prompted to remove the interface option **GUI for Windows Defender**.
- Microsoft Defender AV will still run normally without the user interface, but the user interface cannot be enabled if you disable the core **Windows Defender** feature.
+ Microsoft Defender Antivirus will still run normally without the user interface, but the user interface cannot be enabled if you disable the core **Windows Defender** feature.
-### Uninstall Microsoft Defender Antivirus using PowerShell
-
->[!NOTE]
->You can't uninstall the Windows Security app, but you can disable the interface with these instructions.
-
-The following PowerShell cmdlet will also uninstall Microsoft Defender AV on Windows Server 2016 or 2019:
-
-```PowerShell
-Uninstall-WindowsFeature -Name Windows-Defender
-```
-
-### Turn off the GUI using PowerShell
+### Turn off the Microsoft Defender Antivirus user interface using PowerShell
To turn off the Microsoft Defender Antivirus GUI, use the following PowerShell cmdlet:
@@ -212,11 +199,22 @@ To turn off the Microsoft Defender Antivirus GUI, use the following PowerShell c
Uninstall-WindowsFeature -Name Windows-Defender-GUI
```
+### Are you using Windows Server 2016?
-## Related topics
+If you are using Windows Server 2016 and a third-party antimalware/antivirus product that is not offered or developed by Microsoft, you'll need to disable/uninstall Microsoft Defender Antivirus.
+
+> [!NOTE]
+> You can't uninstall the Windows Security app, but you can disable the interface with these instructions.
+
+The following PowerShell cmdlet uninstalls Microsoft Defender Antivirus on Windows Server 2016:
+
+```PowerShell
+Uninstall-WindowsFeature -Name Windows-Defender
+```
+
+## See also
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
-
-- [Configure exclusions in Microsoft Defender AV on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md)
+- [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md
index d2e1ac4fe4..a63d9f70b3 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md
@@ -3,7 +3,7 @@ title: Microsoft Defender Offline in Windows 10
description: You can use Microsoft Defender Offline straight from the Windows Defender Antivirus app. You can also manage how it is deployed in your network.
keywords: scan, defender, offline
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
@@ -13,6 +13,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer:
manager: dansimp
+ms.technology: mde
---
# Run and review the results of a Microsoft Defender Offline scan
@@ -22,7 +23,7 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
Microsoft Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).
@@ -58,7 +59,7 @@ See the [Manage Microsoft Defender Antivirus Security intelligence updates](man
In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Microsoft Defender Offline needs to run, it will prompt the user on the endpoint.
-The need to perform an offline scan will also be revealed in Microsoft Endpoint Configuration Manager if you're using it to manage your endpoints.
+The need to perform an offline scan will also be revealed in Microsoft Endpoint Manager if you're using it to manage your endpoints.
The prompt can occur via a notification, similar to the following:
@@ -70,7 +71,7 @@ In Configuration Manager, you can identify the status of endpoints by navigating
Microsoft Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**.
-
+
## Configure notifications
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
index a6e9c4aa01..10976df113 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
@@ -3,7 +3,7 @@ title: Microsoft Defender Antivirus in the Windows Security app
description: With Microsoft Defender AV now included in the Windows Security app, you can review, compare, and perform common tasks.
keywords: wdav, antivirus, firewall, security, windows
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
@@ -13,6 +13,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer:
manager: dansimp
+ms.technology: mde
---
# Microsoft Defender Antivirus in the Windows Security app
@@ -22,33 +23,29 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
In Windows 10, version 1703 and later, the Windows Defender app is part of the Windows Security.
Settings that were previously part of the Windows Defender client and main Windows Settings have been combined and moved to the new app, which is installed by default as part of Windows 10, version 1703.
> [!IMPORTANT]
-> Disabling the Windows Security Center service will not disable Microsoft Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These are disabled automatically when a third-party antivirus or firewall product is installed and kept up to date.
->
-> If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
->
-> It may also prevent Microsoft Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed.
->
+> Disabling the Windows Security Center service does not disable Microsoft Defender Antivirus or [Windows Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security). These are disabled automatically when a third-party antivirus or firewall product is installed and kept up to date.
+> If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app might display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
+> It might also prevent Microsoft Defender Antivirus from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you might have previously installed.
> This will significantly lower the protection of your device and could lead to malware infection.
See the [Windows Security article](/windows/threat-protection/windows-defender-security-center/windows-defender-security-center) for more information on other Windows security features that can be monitored in the app.
-The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal that is used to review and manage [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md).
+The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal that is used to review and manage [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint).
## Review virus and threat protection settings in the Windows Security app
+
+
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
-
- 
-
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+
## Comparison of settings and functions of the old app and the new app
All of the previous functions and settings from the Windows Defender app (in versions of Windows 10 before version 1703) are now found in the new Windows Security app. Settings that were previously located in Windows Settings under **Update & security** > **Windows Defender** are also now in the new app.
@@ -59,13 +56,13 @@ The following diagrams compare the location of settings and functions between th
-Item | Windows 10, before version 1703 | Windows 10, version 1703 and later | Description
----|---|---|---
-1 | **Update** tab | **Protection updates** | Update the protection (Security intelligence)
-2 | **History** tab | **Scan history** | Review threats that were quarantined, removed, or allowed
-3 | **Settings** (links to **Windows Settings**) | **Virus & threat protection settings** | Enable various features, including Real-time protection, Cloud-delivered protection, Advanced notifications, and Automatic ample submission
-4 | **Scan options** | **Advanced scan** | Run a full scan, custom scan, or a Microsoft Defender Offline scan
-5 | Run a scan (based on the option chosen under **Scan options** | **Quick scan** | In Windows 10, version 1703 and later, you can run custom and full scans under the **Advanced scan** option
+| Item | Windows 10, before version 1703 | Windows 10, version 1703 and later | Description |
+|:---|:---|:---|:---|
+| 1 | **Update** tab | **Protection updates** | Update the protection (Security intelligence) |
+| 2 | **History** tab | **Scan history** | Review threats that were quarantined, removed, or allowed |
+| 3 | **Settings** (links to **Windows Settings**) | **Virus & threat protection settings** | Enable various features, including Real-time protection, Cloud-delivered protection, Advanced notifications, and Automatic ample submission |
+| 4 | **Scan options** | **Advanced scan** | Run a full scan, custom scan, or a Microsoft Defender Antivirus Offline scan |
+| 5 | Run a scan (based on the option chosen under **Scan options** | **Quick scan** | In Windows 10, version 1703 and later, you can run custom and full scans under the **Advanced scan** option |
## Common tasks
@@ -79,55 +76,41 @@ This section describes how to perform some of the most common tasks when reviewi
### Run a scan with the Windows Security app
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
-
-3. Click **Scan now**.
-
-4. Click **Run a new advanced scan** to specify different types of scans, such as a full scan.
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+3. Select **Scan now**.
+4. Select **Run a new advanced scan** to specify different types of scans, such as a full scan.
### Review the security intelligence update version and download the latest updates in the Windows Security app
+
+
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
-
-3. Click **Virus & threat protection updates**. The currently installed version is displayed along with some information about when it was downloaded. You can check this against the latest version available for manual download, or review the change log for that version.
-
- 
-
-4. Click **Check for updates** to download new protection updates (if there are any).
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+3. Select **Virus & threat protection updates**. The currently installed version is displayed along with some information about when it was downloaded. You can check this against the latest version available for manual download, or review the change log for that version.
+4. Select **Check for updates** to download new protection updates (if there are any).
### Ensure Microsoft Defender Antivirus is enabled in the Windows Security app
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
-
-3. Click **Virus & threat protection settings**.
-
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+3. Select **Virus & threat protection settings**.
4. Toggle the **Real-time protection** switch to **On**.
> [!NOTE]
> If you switch **Real-time protection** off, it will automatically turn back on after a short delay. This is to ensure you are protected from malware and threats.
- >
- > If you install another antivirus product, Microsoft Defender AV will automatically disable itself and will indicate this in the Windows Security app. A setting will appear that will allow you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md).
+ > If you install another antivirus product, Microsoft Defender Antivirus automatically disables itself and is indicated as such in the Windows Security app. A setting will appear that will allow you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md).
### Add exclusions for Microsoft Defender Antivirus in the Windows Security app
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
-
-3. Click **Virus & threat protection settings**.
-
-4. Under the **Exclusions** setting, click **Add or remove exclusions**.
-
-5. Click the plus icon to choose the type and set the options for each exclusion.
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+3. Under the **Manage settings**, select **Virus & threat protection settings**.
+4. Under the **Exclusions** setting, select **Add or remove exclusions**.
+5. Select the plus icon (**+**) to choose the type and set the options for each exclusion.
The following table summarizes exclusion types and what happens:
@@ -139,34 +122,26 @@ The following table summarizes exclusion types and what happens:
|**File type** |File extension
Example: `.test` |All files with the `.test` extension anywhere on your device are skipped by Microsoft Defender Antivirus. |
|**Process** |Executable file path
Example: `c:\test\process.exe` |The specific process and any files that are opened by that process are skipped by Microsoft Defender Antivirus. |
-To learn more, see:
+To learn more, see the following resources:
- [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus)
- [Configure exclusions for files opened by processes](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus)
### Review threat detection history in the Windows Defender Security Center app
- 1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-
- 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
-
- 3. Click **Threat history**
-
- 4. Click **See full history** under each of the categories (**Current threats**, **Quarantined threats**, **Allowed threats**).
+1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+3. Select **Threat history**
+4. Select **See full history** under each of the categories (**Current threats**, **Quarantined threats**, **Allowed threats**).
### Set ransomware protection and recovery options
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
-
-3. Click **Ransomware protection**.
-
+2. Select the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+3. Select **Ransomware protection**.
4. To change Controlled folder access settings, see [Protect important folders with Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard).
+5. To set up ransomware recovery options, select **Set up** under **Ransomware data recovery** and follow the instructions for linking or setting up your OneDrive account so you can easily recover from a ransomware attack.
-5. To set up ransomware recovery options, click **Set up** under **Ransomware data recovery** and follow the instructions for linking or setting up your OneDrive account so you can easily recover from a ransomware attack.
-
-## Related articles
-
+## See also
- [Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md
index 30030fb3b1..5f2be1828e 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md
@@ -1,21 +1,22 @@
---
-title: "Better together - Microsoft Defender Antivirus and Office 365 (including OneDrive) - better protection from ransomware and cyberthreats"
-description: "Office 365, which includes OneDrive, goes together wonderfully with Microsoft Defender Antivirus. Read this article to learn more."
+title: Better together - Microsoft Defender Antivirus and Office 365 (including OneDrive) - better protection from ransomware and cyberthreats
+description: Office 365, which includes OneDrive, goes together wonderfully with Microsoft Defender Antivirus. Read this article to learn more.
keywords: windows defender, antivirus, office 365, onedrive, restore, ransomware
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
-ms.topic: article
+audience: ITPro
+ms.topic: article
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 03/04/2020
ms.reviewer:
manager: dansimp
+ms.technology: mde
---
# Better together: Microsoft Defender Antivirus and Office 365
@@ -24,15 +25,15 @@ manager: dansimp
**Applies to:**
-
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- Microsoft Defender Antivirus
-- Office 365
+- Microsoft 365
You might already know that:
- **Microsoft Defender Antivirus protects your Windows 10 device from software threats, such as viruses, malware, and spyware**. Microsoft Defender Antivirus is your complete, ongoing protection, built into Windows 10 and ready to go. [Microsoft Defender Antivirus is your next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10).
-- **Office 365 includes antiphishing, antispam, and antimalware protection**. With your Office 365 subscription, you get premium email and calendars, Office apps, 1 TB of cloud storage (via OneDrive), and advanced security across all your devices. This is true for home and business users. And if you're a business user, and your organization is using Office 365 E5, you get even more protection through Office 365 Advanced Threat Protection. [Protect against threats with Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats).
+- **Office 365 includes antiphishing, antispam, and antimalware protection**. With your Office 365 subscription, you get premium email and calendars, Office apps, 1 TB of cloud storage (via OneDrive), and advanced security across all your devices. This is true for home and business users. And if you're a business user, and your organization is using Office 365 E5, you get even more protection through Microsoft Defender for Office 365 [Protect against threats with Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats).
- **OneDrive, included in Office 365, enables you to store your files and folders online, and share them as you see fit**. You can work together with people (for work or fun), and coauthor files that are stored in OneDrive. You can also access your files across all your devices (your PC, phone, and tablet). [Manage sharing in OneDrive](https://docs.microsoft.com/OneDrive/manage-sharing).
@@ -48,9 +49,9 @@ Read the following sections to learn more.
When you save your files to [OneDrive](https://docs.microsoft.com/onedrive), and [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) detects a ransomware threat on your device, the following things occur:
-1. **You are told about the threat**. (If your organization is using [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (ATP), your security operations team is notified, too.)
+1. **You are told about the threat**. (If your organization is using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection), your security operations team is notified, too.)
-2. **Microsoft Defender Antivirus helps you (and your organization's security team) remove the ransomware** from your device(s). (If your organization is using Microsoft Defender ATP, your security operations team can determine whether other devices are infected and take appropriate action, too.)
+2. **Microsoft Defender Antivirus helps you (and your organization's security team) remove the ransomware** from your device(s). (If your organization is using Microsoft Defender for Endpoint, your security operations team can determine whether other devices are infected and take appropriate action, too.)
3. **You get the option to recover your files in OneDrive**. With the OneDrive Files Restore feature, you can recover your files in OneDrive to the state they were in before the ransomware attack occurred. See [Ransomware detection and recovering your files](https://support.office.com/article/0d90ec50-6bfd-40f4-acc7-b8c12c73637f).
@@ -58,19 +59,19 @@ Think of the time and hassle this can save.
## Integration means better protection
-Office 365 Advanced Threat Protection integrated with Microsoft Defender Advanced Threat Protection means better protection for your organization. Here's how:
+Microsoft Defender for Office 365 integrated with Microsoft Defender for Endpoint means better protection for your organization. Here's how:
-- [Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp) safeguards your organization against malicious threats posed in email messages, email attachments, and links (URLs) in Office documents.
+- [Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp) safeguards your organization against malicious threats posed in email messages, email attachments, and links (URLs) in Office documents.
AND
-- [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) protects your devices from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves your security posture.
+- [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) protects your devices from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves your security posture.
SO
- Once integration is enabled, your security operations team can see a list of devices that are used by the recipients of any detected URLs or email messages, along with recent alerts for those devices, in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
-If you haven't already done so, [integrate Office 365 Advanced Threat Protection with Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/office-365-security/integrate-office-365-ti-with-wdatp).
+If you haven't already done so, [integrate Microsoft Defender for Office 365 with Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/office-365-security/integrate-office-365-ti-with-wdatp).
## More good reasons to use OneDrive
@@ -82,8 +83,8 @@ Protection from ransomware is one great reason to put your files in OneDrive. An
[OneDrive](https://docs.microsoft.com/onedrive)
-[Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp?view=o365-worldwide)
+[Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp?view=o365-worldwide)
-[Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/)
+[Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
index c49d6a763f..e77818c9df 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
@@ -1,12 +1,12 @@
---
title: Protect security settings with tamper protection
-ms.reviewer: shwjha
+ms.reviewer: shwjha, hayhov
manager: dansimp
description: Use tamper protection to prevent malicious apps from changing important security settings.
keywords: malware, defender, antivirus, tamper protection
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: medium
@@ -14,7 +14,8 @@ audience: ITPro
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 10/08/2020
+ms.date: 03/22/2021
+ms.technology: mde
---
# Protect security settings with tamper protection
@@ -24,12 +25,18 @@ ms.date: 10/08/2020
**Applies to:**
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+
+Tamper protection is available for devices that are running one of the following versions of Windows:
+
- Windows 10
-- Windows Server 2019 (if using tenant attach with [Configuration Manager, version 2006](#manage-tamper-protection-with-configuration-manager-version-2006))
+- Windows Server 2019
+- Windows Server, version 1803 or later
+- Windows Server 2016
## Overview
-During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. They do this to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection helps prevent this from occurring.
+During some kinds of cyber attacks, bad actors try to disable security features, such as anti-virus protection, on your machines. Bad actors like to disable your security features to get easier access to your data, to install malware, or to otherwise exploit your data, identity, and devices. Tamper protection helps prevent these kinds of things from occurring.
With tamper protection, malicious apps are prevented from taking actions such as:
@@ -44,80 +51,98 @@ With tamper protection, malicious apps are prevented from taking actions such as
Tamper protection essentially locks Microsoft Defender Antivirus and prevents your security settings from being changed through apps and methods such as:
-- Configuring settings in Registry Editor on your Windows machine
+- Configuring settings in Registry Editor on your Windows device
- Changing settings through PowerShell cmdlets
- Editing or removing security settings through group policies
-Tamper protection doesn't prevent you from viewing your security settings. And, tamper protection doesn't affect how third-party antivirus apps register with the Windows Security app. If your organization is using Windows 10 Enterprise E5, individual users can't change the tamper protection setting; this is managed by your security team.
+Tamper protection doesn't prevent you from viewing your security settings. And, tamper protection doesn't affect how third-party antivirus apps register with the Windows Security app. If your organization is using Windows 10 Enterprise E5, individual users can't change the tamper protection setting; in those cases, tamper protection is managed by your security team.
### What do you want to do?
-1. Turn tamper protection on
- - [For an individual machine, use Windows Security](#turn-tamper-protection-on-or-off-for-an-individual-machine).
- - [For your organization, use Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune).
- - [Use tenant attach with Configuration Manager, version 2006, for devices running Windows 10 or Windows Server 2019](#manage-tamper-protection-with-configuration-manager-version-2006)
+| To perform this task... | See this section... |
+|:---|:---|
+| Turn tamper protection on (or off) in the Microsoft Defender Security Center
+ - In the **Platform** list, select **Windows 10 and Windows Server (ConfigMgr)**.
+ - In the **Profile** list, select **Windows Security experience (preview)**.
-2. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint security** > **Antivirus**, and choose **+ Create Policy**.
+3. Deploy the policy to your device collection.
-3. Configure tamper protection as part of the new policy.
+### Need help with this method?
-4. Deploy the policy to your device collection.
-
-Need help? See the following resources:
-
-- [Antivirus policy for endpoint security in Intune](https://docs.microsoft.com/mem/intune/protect/endpoint-security-antivirus-policy)
+See the following resources:
- [Settings for the Windows Security experience profile in Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/antivirus-security-experience-windows-settings)
-
- [Tech Community Blog: Announcing Tamper Protection for Configuration Manager Tenant Attach clients](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/announcing-tamper-protection-for-configuration-manager-tenant/ba-p/1700246#.X3QLR5Ziqq8.linkedin)
-- [Tenant attach: Create and deploy endpoint security Antivirus policy from the admin center (preview)](https://docs.microsoft.com/mem/configmgr/tenant-attach/deploy-antivirus-policy)
+## Manage tamper protection on an individual device
+
+> [!NOTE]
+> Tamper protection blocks attempts to modify Microsoft Defender Antivirus settings through the registry.
+>
+> To help ensure that tamper protection doesn’t interfere with third-party security products or enterprise installation scripts that modify these settings, go to **Windows Security** and update **Security intelligence** to version 1.287.60.0 or later. (See [Security intelligence updates](https://www.microsoft.com/wdsi/definitions).)
+>
+> Once you’ve made this update, tamper protection continues to protect your registry settings, and logs attempts to modify them without returning errors.
+
+If you are a home user, or you are not subject to settings managed by a security team, you can use the Windows Security app to manage tamper protection. You must have appropriate admin permissions on your device to do change security settings, such as tamper protection.
+
+Here's what you see in the Windows Security app:
+
+
+
+1. Select **Start**, and start typing *Security*. In the search results, select **Windows Security**.
+
+2. Select **Virus & threat protection** > **Virus & threat protection settings**.
+
+3. Set **Tamper Protection** to **On** or **Off**.
+
## View information about tampering attempts
Tampering attempts typically indicate bigger cyberattacks. Bad actors try to change security settings as a way to persist and stay undetected. If you're part of your organization's security team, you can view information about such attempts, and then take appropriate actions to mitigate threats.
-When a tampering attempt is detected, an alert is raised in the [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/portal-overview) ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
+When a tampering attempt is detected, an alert is raised in the [Microsoft Defender Security Center](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/portal-overview) ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
-Using [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview) capabilities in Microsoft Defender ATP, your security operations team can investigate and address such attempts.
+Using [endpoint detection and response](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response) and [advanced hunting](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/advanced-hunting-overview) capabilities in Microsoft Defender for Endpoint, your security operations team can investigate and address such attempts.
## Review your security recommendations
-Tamper protection integrates with [Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) capabilities. [Security recommendations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) include making sure tamper protection is turned on. For example, you can search on *tamper*, as shown in the following image:
+Tamper protection integrates with [Threat & Vulnerability Management](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt) capabilities. [Security recommendations](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/tvm-security-recommendation) include making sure tamper protection is turned on. For example, you can search on *tamper*, as shown in the following image:
@@ -173,62 +219,53 @@ In the results, you can select **Turn on Tamper Protection** to learn more and t
-To learn more about Threat & Vulnerability Management, see [Threat & Vulnerability Management in Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights#threat--vulnerability-management-in-microsoft-defender-security-center).
+To learn more about Threat & Vulnerability Management, see [Threat & Vulnerability Management in Microsoft Defender Security Center](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/tvm-dashboard-insights#threat--vulnerability-management-in-microsoft-defender-security-center).
## Frequently asked questions
### To which Windows OS versions is configuring tamper protection is applicable?
-Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp).
+Windows 10 OS [1709](https://docs.microsoft.com/windows/release-health/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint).
-If you are using Configuration Manager, version 2006 with tenant attach, tamper protection can be extended to Windows Server 2019. See [Tenant attach: Create and deploy endpoint security Antivirus policy from the admin center (preview)](https://docs.microsoft.com/mem/configmgr/tenant-attach/deploy-antivirus-policy).
+If you are using Configuration Manager, version 2006, with tenant attach, tamper protection can be extended to Windows Server 2019. See [Tenant attach: Create and deploy endpoint security Antivirus policy from the admin center (preview)](https://docs.microsoft.com/mem/configmgr/tenant-attach/deploy-antivirus-policy).
-### Will tamper protection have any impact on third party antivirus registration?
+### Will tamper protection have any impact on third-party antivirus registration?
No. Third-party antivirus offerings will continue to register with the Windows Security application.
### What happens if Microsoft Defender Antivirus is not active on a device?
-Tamper protection will not have any impact on such devices.
+Devices that are onboarded to Microsoft Defender for Endpoint will have Microsoft Defender Antivirus running in passive mode. Tamper protection will continue to protect the service and its features.
### How can I turn tamper protection on/off?
-If you are a home user, see [Turn tamper protection on (or off) for an individual machine](#turn-tamper-protection-on-or-off-for-an-individual-machine).
+If you are a home user, see [Manage tamper protection on an individual device](#manage-tamper-protection-on-an-individual-device).
-If you are an organization using [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), you should be able to manage tamper protection in Intune similar to how you manage other endpoint protection features. See the following sections of this article:
+If you are an organization using [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint), you should be able to manage tamper protection in Intune similar to how you manage other endpoint protection features. See the following sections of this article:
-- [Turn tamper protection on (or off) for your organization using Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune)
-
-- [Manage tamper protection with Configuration Manager, version 2006](#manage-tamper-protection-with-configuration-manager-version-2006)
+- [Manage tamper protection using Intune](#manage-tamper-protection-for-your-organization-using-intune)
+- [Manage tamper protection using Configuration Manager, version 2006](#manage-tamper-protection-for-your-organization-with-configuration-manager-version-2006)
+- [Manage tamper protection using the Microsoft Defender Security Center](#manage-tamper-protection-for-your-organization-using-the-microsoft-defender-security-center) (currently in preview)
### How does configuring tamper protection in Intune affect how I manage Microsoft Defender Antivirus through my group policy?
Your regular group policy doesn’t apply to tamper protection, and changes to Microsoft Defender Antivirus settings are ignored when tamper protection is on.
-> [!NOTE]
-> A small delay in Group Policy (GPO) processing may occur if Group Policy settings include values that control Microsoft Defender Antivirus features protected by tamper protection.
+### For Microsoft Defender for Endpoint, is configuring tamper protection in Intune targeted to the entire organization only?
-To avoid any potential delays, we recommend that you remove settings that control Microsoft Defender Antivirus related behavior from GPO and simply allow tamper protection to protect Microsoft Defender Antivirus settings.
-
-Some sample Microsoft Defender Antivirus settings:
-
-- *Turn off real-time protection*
- Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\\
- Value `DisableRealtimeMonitoring` = 0
-
-### For Microsoft Defender ATP E5, is configuring tamper protection in Intune targeted to the entire organization only?
-
-Configuring tamper protection in Intune can be targeted to your entire organization as well as to specific devices and user groups.
+Configuring tamper protection in Intune or Microsoft Endpoint Manager can be targeted to your entire organization and to specific devices and user groups.
### Can I configure Tamper Protection in Microsoft Endpoint Configuration Manager?
-If you are using tenant attach, you can use Microsoft Endpoint Configuration Manager. See [Manage tamper protection with Configuration Manager, version 2006](#manage-tamper-protection-with-configuration-manager-version-2006) and [Tech Community blog: Announcing Tamper Protection for Configuration Manager Tenant Attach clients](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/announcing-tamper-protection-for-configuration-manager-tenant/ba-p/1700246#.X3QLR5Ziqq8.linkedin).
+If you are using tenant attach, you can use Microsoft Endpoint Configuration Manager. See the following resources:
+- [Manage tamper protection for your organization with Configuration Manager, version 2006](#manage-tamper-protection-for-your-organization-with-configuration-manager-version-2006)
+- [Tech Community blog: Announcing Tamper Protection for Configuration Manager Tenant Attach clients](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/announcing-tamper-protection-for-configuration-manager-tenant/ba-p/1700246#.X3QLR5Ziqq8.linkedin)
### I have the Windows E3 enrollment. Can I use configuring tamper protection in Intune?
-Currently, configuring tamper protection in Intune is only available for customers who have [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp).
+Currently, configuring tamper protection in Intune is only available for customers who have [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint).
-### What happens if I try to change Microsoft Defender ATP settings in Intune, Microsoft Endpoint Configuration Manager, and Windows Management Instrumentation when Tamper Protection is enabled on a device?
+### What happens if I try to change Microsoft Defender for Endpoint settings in Intune, Microsoft Endpoint Configuration Manager, and Windows Management Instrumentation when Tamper Protection is enabled on a device?
You won’t be able to change the features that are protected by tamper protection; such change requests are ignored.
@@ -236,15 +273,15 @@ You won’t be able to change the features that are protected by tamper protecti
No. Local admins cannot change or modify tamper protection settings.
-### What happens if my device is onboarded with Microsoft Defender ATP and then goes into an off-boarded state?
+### What happens if my device is onboarded with Microsoft Defender for Endpoint and then goes into an off-boarded state?
-In this case, tamper protection status changes, and this feature is no longer applied.
+If a device is off-boarded from Microsoft Defender for Endpoint, tamper protection is turned on, which is the default state for unmanaged devices.
### Will there be an alert about tamper protection status changing in the Microsoft Defender Security Center?
Yes. The alert is shown in [https://securitycenter.microsoft.com](https://securitycenter.microsoft.com) under **Alerts**.
-In addition, your security operations team can use hunting queries, such as the following:
+Your security operations team can also use hunting queries, such as the following example:
`DeviceAlertEvents | where Title == "Tamper Protection bypass"`
@@ -254,6 +291,6 @@ In addition, your security operations team can use hunting queries, such as the
[Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)
-[Get an overview of Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)
+[Get an overview of Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint)
-[Better together: Microsoft Defender Antivirus and Microsoft Defender Advanced Threat Protection](why-use-microsoft-defender-antivirus.md)
+[Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](why-use-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
index 7bf4c22d0e..9505edb6c6 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
@@ -3,7 +3,7 @@ title: Hide the Microsoft Defender Antivirus interface
description: You can hide virus and threat protection tile in the Windows Security app.
keywords: ui lockdown, headless mode, hide app, hide settings, hide interface
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
@@ -14,6 +14,7 @@ ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
+ms.technology: mde
---
# Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface
@@ -23,7 +24,7 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
You can use Group Policy to prevent users on endpoints from seeing the Microsoft Defender Antivirus interface. You can also prevent them from pausing scans.
@@ -40,7 +41,7 @@ With the setting set to **Disabled** or not configured:
>[!NOTE]
->Hiding the interface will also prevent Microsoft Defender Antivirus notifications from appearing on the endpoint. Microsoft Defender Advanced Threat Protection notifications will still appear. You can also individually [configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)
+>Hiding the interface will also prevent Microsoft Defender Antivirus notifications from appearing on the endpoint. Microsoft Defender for Endpoint notifications will still appear. You can also individually [configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)
In earlier versions of Windows 10, the setting will hide the Windows Defender client interface. If the user attempts to open it, they will receive a warning that says, "Your system administrator has restricted access to this app."
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md
index 2705f9bf69..63b1cef153 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md
@@ -3,7 +3,7 @@ title: Monitor and report on Microsoft Defender Antivirus protection
description: Use Configuration Manager or security information and event management (SIEM) tools to consume reports, and monitor Microsoft Defender AV with PowerShell and WMI.
keywords: siem, monitor, report, Microsoft Defender AV
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
@@ -11,9 +11,10 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 09/03/2018
+ms.date: 12/07/2020
ms.reviewer:
manager: dansimp
+ms.technology: mde
---
# Report on Microsoft Defender Antivirus
@@ -23,9 +24,11 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-With Microsoft Defender Antivirus, you have several options for reviewing protection status and alerts. You can use Microsoft Endpoint Configuration Manager to [monitor Microsoft Defender Antivirus](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune).
+Microsoft Defender Antivirus is built into Windows 10, Windows Server 2019, and Windows Server 2016. Microsoft Defender Antivirus is of your next-generation protection in Microsoft Defender for Endpoint. Next-generation protection helps protect your devices from software threats like viruses, malware, and spyware across email, apps, the cloud, and the web.
+
+With Microsoft Defender Antivirus, you have several options for reviewing protection status and alerts. You can use Microsoft Endpoint Manager to [monitor Microsoft Defender Antivirus](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune).
Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Microsoft Defender Antivirus issues, including protection updates and real-time protection settings.
@@ -42,5 +45,5 @@ For monitoring or determining status with PowerShell, WMI, or Microsoft Azure, s
## Related articles
- [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
-
+- [Microsoft Defender Antivirus on Windows Server 2016 and 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016)
- [Deploy Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md
index 19b05b9f87..3aee622427 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md
@@ -3,7 +3,7 @@ title: Restore quarantined files in Microsoft Defender AV
description: You can restore files and folders that were quarantined by Microsoft Defender AV.
keywords:
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
@@ -14,6 +14,7 @@ ms.custom: nextgen
ms.date: 05/20/2020
ms.reviewer:
manager: dansimp
+ms.technology: mde
---
# Restore quarantined files in Microsoft Defender AV
@@ -23,7 +24,7 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
If Microsoft Defender Antivirus is configured to detect and remediate threats on your device, Microsoft Defender Antivirus quarantines suspicious files. If you are certain a quarantined file is not a threat, you can restore it.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
index da893a1b8a..82de267b72 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
@@ -1,9 +1,9 @@
---
-title: Review the results of Microsoft Defender AV scans
+title: Review the results of Microsoft Defender AV scans
description: Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app
keywords: scan results, remediation, full scan, quick scan
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
@@ -14,6 +14,7 @@ ms.custom: nextgen
ms.date: 09/28/2020
ms.reviewer:
manager: dansimp
+ms.technology: mde
---
# Review Microsoft Defender Antivirus scan results
@@ -23,7 +24,7 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
After a Microsoft Defender Antivirus scan completes, whether it is an [on-demand](run-scan-microsoft-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-microsoft-defender-antivirus.md), the results are recorded and you can view the results.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md
index 84a2edacf5..b9d6853c2a 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md
@@ -3,7 +3,7 @@ title: Run and customize on-demand scans in Microsoft Defender AV
description: Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app
keywords: scan, on-demand, dos, intune, instant scan
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
@@ -11,58 +11,65 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 09/03/2018
+ms.date: 11/13/2020
ms.reviewer:
manager: dansimp
+ms.technology: mde
---
# Configure and run on-demand Microsoft Defender Antivirus scans
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define parameters for the scan, such as the location or type.
-
## Quick scan versus full scan
-Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders.
+Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders.
-> [!IMPORTANT]
-> Microsoft Defender Antivirus runs in the context of the [LocalSystem](https://docs.microsoft.com/windows/win32/services/localsystem-account) account when performing a local scan. For network scans, it uses the context of the device account. If the domain device account doesn't have appropriate permissions to access the share, the scan won't work. Ensure that the device has permissions to the access network share.
+> [!IMPORTANT]
+> Microsoft Defender Antivirus runs in the context of the [LocalSystem](https://docs.microsoft.com/windows/win32/services/localsystem-account) account when performing a local scan. For network scans, it uses the context of the device account. If the domain device account doesn't have appropriate permissions to access the share, the scan won't work. Ensure that the device has permissions to the access network share.
-Combined with [always-on real-time protection capability](configure-real-time-protection-microsoft-defender-antivirus.md)--which reviews files when they are opened and closed, and whenever a user navigates to a folder--a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
+Combined with [always-on real-time protection capability](configure-real-time-protection-microsoft-defender-antivirus.md)--which reviews files when they're opened and closed, and whenever a user navigates to a folder--a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
-In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection.
+In most instances, a quick scan is adequate to find malware that wasn't picked up by real-time protection.
-A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up, and can be ideal when running on-demand scans.
+A full scan can be useful on endpoints that have reported a malware threat. The scan can identify if there are any inactive components that require a more thorough clean-up. This is ideal if your organization is running on-demand scans.
->[!NOTE]
->By default, quick scans run on mounted removable devices, such as USB drives.
+> [!NOTE]
+> By default, quick scans run on mounted removable devices, such as USB drives.
-## Use Configuration Manager to run a scan
+## Use Microsoft Endpoint Manager to run a scan
-See [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using Microsoft Endpoint Configuration Manager (current branch) to run a scan.
+1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in.
+2. Choose **Endpoint security** > **Antivirus**.
+3. In the list of tabs, select **Windows 10 unhealthy endpoints**.
+4. From the list of actions provided, select **Quick Scan** or **Full Scan**.
+
+[  ](images/mem-antivirus-scan-on-demand.png#lightbox)
+
+> [!TIP]
+> For more information about using Microsoft Endpoint Manager to run a scan, see [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers).
## Use the mpcmdrun.exe command-line utility to run a scan
Use the following `-scan` parameter:
-```DOS
+```console
mpcmdrun.exe -scan -scantype 1
```
-See [Use the mpcmdrun.exe commandline tool to configure and manage Microsoft Defender Antivirus](command-line-arguments-microsoft-defender-antivirus.md) for more information on how to use the tool and additional parameters, including starting a full scan or defining paths.
+
+For more information about how to use the tool and additional parameters, including starting a full scan, or defining paths, see [Use the mpcmdrun.exe commandline tool to configure and manage Microsoft Defender Antivirus](command-line-arguments-microsoft-defender-antivirus.md).
## Use Microsoft Intune to run a scan
-1. In Intune, go to **Devices > All Devices** and select the device you want to scan.
-
-2. Select **...More** and then select **Quick Scan** or **Full Scan**.
-
+1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in.
+2. From the sidebar, select **Devices > All Devices** and choose the device you want to scan.
+3. Select **...More**. From the options, select **Quick Scan** or **Full Scan**.
## Use the Windows Security app to run a scan
@@ -75,15 +82,14 @@ Use the following cmdlet:
```PowerShell
Start-MpScan
```
-See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
+
+For more information on how to use PowerShell with Microsoft Defender Antivirus, see [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index).
## Use Windows Management Instruction (WMI) to run a scan
-Use the [**Start** method of the **MSFT_MpScan**](https://msdn.microsoft.com/library/dn455324(v=vs.85).aspx#methods) class.
-
-See the following for more information and allowed parameters:
-- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
+Use the [**Start** method](https://docs.microsoft.com/previous-versions/windows/desktop/defender/start-msft-mpscan) of the **MSFT_MpScan** class.
+For more information about which parameters are allowed, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
## Related articles
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
index f176529dde..d3af9f6b9d 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
@@ -1,9 +1,9 @@
---
-title: Schedule regular quick and full scans with Microsoft Defender AV
+title: Schedule regular quick and full scans with Microsoft Defender Antivirus
description: Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
keywords: quick scan, full scan, quick vs full, schedule scan, daily, weekly, time, scheduled, recurring, regular
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
@@ -11,9 +11,10 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 09/30/2020
-ms.reviewer:
+ms.date: 11/02/2020
+ms.reviewer: pauhijbr
manager: dansimp
+ms.technology: mde
---
# Configure scheduled quick or full Microsoft Defender Antivirus scans
@@ -23,7 +24,8 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+
> [!NOTE]
> By default, Microsoft Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) to override this default.
@@ -32,7 +34,7 @@ In addition to always-on real-time protection and [on-demand](run-scan-microsoft
You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-microsoft-defender-antivirus.md) or if the endpoint is being used. You can also specify when special scans to complete remediation should occur.
-This article describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
+This article describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10).
## To configure the Group Policy settings described in this article
@@ -44,7 +46,9 @@ This article describes how to configure scheduled scans with Group Policy, Power
5. Expand the tree to **Windows components > Microsoft Defender Antivirus** and then the **Location** specified in the table below.
-6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
+6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration.
+
+7. Click **OK**, and repeat for any other settings.
Also see the [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) and [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) topics.
@@ -74,12 +78,13 @@ Scheduled scans will run at the day and time you specify. You can use Group Poli
### Use Group Policy to schedule scans
-Location | Setting | Description | Default setting (if not configured)
----|---|---|---
-Scan | Specify the scan type to use for a scheduled scan | Quick scan
-Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never
-Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am). | 2 am
-Root | Randomize scheduled task times |In Microsoft Defender Antivirus: Randomize the start time of the scan to any interval from 0 to 4 hours.
In FEP/SCEP: randomize to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments. | Enabled
+|Location | Setting | Description | Default setting (if not configured) |
+|:---|:---|:---|:---|
+|Scan | Specify the scan type to use for a scheduled scan | Quick scan |
+|Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never |
+|Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 a.m.). | 2 a.m. |
+|Root | Randomize scheduled task times |In Microsoft Defender Antivirus: Randomize the start time of the scan to any interval from 0 to 4 hours.
In FEP/SCEP: randomize to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments. | Enabled |
+
### Use PowerShell cmdlets to schedule scans
@@ -100,8 +105,10 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
```WMI
-SignatureFallbackOrder
-SignatureDefinitionUpdateFileSharesSouce
+ScanParameters
+ScanScheduleDay
+ScanScheduleTime
+RandomizeScheduleTaskTimes
```
See the following for more information and allowed parameters:
@@ -119,9 +126,9 @@ You can set the scheduled scan to only occur when the endpoint is turned on but
### Use Group Policy to schedule scans
-Location | Setting | Description | Default setting (if not configured)
----|---|---|---
-Scan | Start the scheduled scan only when computer is on but not in use | Scheduled scans will not run, unless the computer is on but not in use | Enabled
+|Location | Setting | Description | Default setting (if not configured) |
+|:---|:---|:---|:---|
+|Scan | Start the scheduled scan only when computer is on but not in use | Scheduled scans will not run, unless the computer is on but not in use | Enabled |
### Use PowerShell cmdlets
@@ -138,8 +145,7 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
```WMI
-SignatureFallbackOrder
-SignatureDefinitionUpdateFileSharesSouce
+ScanOnlyIfIdleEnabled
```
See the following for more information and allowed parameters:
@@ -152,10 +158,10 @@ Some threats may require a full scan to complete their removal and remediation.
### Use Group Policy to schedule remediation-required scans
-Location | Setting | Description | Default setting (if not configured)
----|---|---|---
-Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Specify the day (or never) to run a scan. | Never
-Remediation | Specify the time of day to run a scheduled full scan to complete remediation | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am
+| Location | Setting | Description | Default setting (if not configured) |
+|---|---|---|---|
+|Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Specify the day (or never) to run a scan. | Never |
+|Remediation | Specify the time of day to run a scheduled full scan to complete remediation | Specify the number of minutes after midnight (for example, enter **60** for 1 a.m.) | 2 a.m. |
### Use PowerShell cmdlets
@@ -173,8 +179,8 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
```WMI
-SignatureFallbackOrder
-SignatureDefinitionUpdateFileSharesSouce
+RemediationScheduleDay
+RemediationScheduleTime
```
See the following for more information and allowed parameters:
@@ -190,10 +196,11 @@ You can enable a daily quick scan that can be run in addition to your other sche
### Use Group Policy to schedule daily scans
-Location | Setting | Description | Default setting (if not configured)
----|---|---|---
-Scan | Specify the interval to run quick scans per day | Specify how many hours should elapse before the next quick scan. For example, to run every two hours, enter **2**, for once a day, enter **24**. Enter **0** to never run a daily quick scan. | Never
-Scan | Specify the time for a daily quick scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am
+
+|Location | Setting | Description | Default setting (if not configured) |
+|:---|:---|:---|:---|
+|Scan | Specify the interval to run quick scans per day | Specify how many hours should elapse before the next quick scan. For example, to run every two hours, enter **2**, for once a day, enter **24**. Enter **0** to never run a daily quick scan. | Never |
+|Scan | Specify the time for a daily quick scan | Specify the number of minutes after midnight (for example, enter **60** for 1 a.m.) | 2 a.m. |
### Use PowerShell cmdlets to schedule daily scans
@@ -210,8 +217,7 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
```WMI
-SignatureFallbackOrder
-SignatureDefinitionUpdateFileSharesSouce
+ScanScheduleQuickScanTime
```
See the following for more information and allowed parameters:
@@ -224,9 +230,9 @@ You can force a scan to occur after every [protection update](manage-protection-
### Use Group Policy to schedule scans after protection updates
-Location | Setting | Description | Default setting (if not configured)
----|---|---|---
-Signature updates | Turn on scan after Security intelligence update | A scan will occur immediately after a new protection update is downloaded | Enabled
+|Location | Setting | Description | Default setting (if not configured)|
+|:---|:---|:---|:---|
+|Signature updates | Turn on scan after Security intelligence update | A scan will occur immediately after a new protection update is downloaded | Enabled |
## See also
- [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md
index da8cab7cff..e65babbf90 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md
@@ -1,19 +1,20 @@
---
-title: Specify cloud-delivered protection level in Microsoft Defender Antivirus
-description: Set the aggressiveness of cloud-delivered protection in Microsoft Defender Antivirus.
+title: Specify the cloud-delivered protection level for Microsoft Defender Antivirus
+description: Set your level of cloud-delivered protection for Microsoft Defender Antivirus.
keywords: Microsoft Defender Antivirus, antimalware, security, defender, cloud, aggressiveness, protection level
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.date: 08/12/2020
+ms.date: 10/26/2020
ms.reviewer:
manager: dansimp
ms.custom: nextgen
+ms.technology: mde
---
# Specify the cloud-delivered protection level
@@ -23,58 +24,65 @@ ms.custom: nextgen
**Applies to:**
-- Microsoft Defender Antivirus
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-You can specify the level of cloud-protection offered by Microsoft Defender Antivirus with Group Policy and Microsoft Endpoint Configuration Manager.
+You can specify your level of cloud-delivered protection offered by Microsoft Defender Antivirus by using Microsoft Endpoint Manager (recommended) or Group Policy.
->[!NOTE]
->The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
+> [!TIP]
+> Cloud protection is not simply protection for files that are stored in the cloud. The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and devices (also called endpoints). Cloud protection with Microsoft Defender Antivirus uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional security intelligence updates.
+> Microsoft Intune and Microsoft Endpoint Manager are now part of [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview).
-## Use Intune to specify the level of cloud-delivered protection
-1. Sign in to the [Azure portal](https://portal.azure.com).
-2. Select **All services > Intune**.
-3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
-4. Select **Properties**, select **Settings: Configure**, and then select **Microsoft Defender Antivirus**.
-5. On the **File Blocking Level** switch, select one of the following:
+## Use Microsoft Endpoint Manager to specify the level of cloud-delivered protection
+
+1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
+
+2. Choose **Endpoint security** > **Antivirus**.
+
+3. Select an antivirus profile. (If you don't have one yet, or if you want to create a new profile, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
+
+4. Select **Properties**. Then, next to **Configuration settings**, choose **Edit**.
+
+5. Expand **Cloud protection**, and then in the **Cloud-delivered protection level** list, select one of the following:
1. **High**: Applies a strong level of detection.
- 2. **High +**: Uses the **High** level and applies additional protection measures (may impact client performance).
+ 2. **High plus**: Uses the **High** level and applies additional protection measures (may impact client performance).
3. **Zero tolerance**: Blocks all unknown executables.
-8. Click **OK** to exit the **Microsoft Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile.
+6. Choose **Review + save**, and then choose **Save**.
-For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles)
+> [!TIP]
+> Need some help? See the following resources:
+> - [Configure Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure)
+> - [Add endpoint protection settings in Intune](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-configure)
-## Use Configuration Manager to specify the level of cloud-delivered protection
-
-See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring Microsoft Endpoint Configuration Manager (current branch).
-
## Use Group Policy to specify the level of cloud-delivered protection
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx).
2. Right-click the Group Policy Object you want to configure, and then click **Edit**.
-3. In the **Group Policy Management Editor** go to **Computer configuration**.
+3. In the **Group Policy Management Editor** go to **Computer Configuration** > **Administrative templates**.
-4. Click **Administrative templates**.
+4. Expand the tree to **Windows Components** > **Microsoft Defender Antivirus** > **MpEngine**.
-5. Expand the tree to **Windows components > Microsoft Defender Antivirus > MpEngine**.
-
-6. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection:
+5. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection:
- **Default blocking level** provides strong detection without increasing the risk of detecting legitimate files.
- **Moderate blocking level** provides moderate only for high confidence detections
- - **High blocking level** applies a strong level of detection while optimizing client performance (greater chance of false positives).
- - **High + blocking level** applies additional protection measures (may impact client performance and increase risk of false positives).
+ - **High blocking level** applies a strong level of detection while optimizing client performance (but can also give you a greater chance of false positives).
+ - **High + blocking level** applies additional protection measures (might impact client performance and increase your chance of false positives).
- **Zero tolerance blocking level** blocks all unknown executables.
> [!WARNING]
> While unlikely, setting this switch to **High** or **High +** may cause some legitimate files to be detected (although you will have the option to unblock or dispute that detection).
-7. Click **OK**.
+6. Click **OK**.
+7. Deploy your updated Group Policy Object. See [Group Policy Management Console](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx)
+
+> [!TIP]
+> Are you using Group Policy Objects on premises? See how they translate in the cloud. [Analyze your on-premises group policy objects using Group Policy analytics in Microsoft Endpoint Manager - Preview](https://docs.microsoft.com/mem/intune/configuration/group-policy-analytics).
## Related articles
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md
index 09535418a1..aed5140af3 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md
@@ -3,7 +3,7 @@ title: Troubleshoot Microsoft Defender Antivirus while migrating from a third-pa
description: Troubleshoot common errors when migrating to Microsoft Defender Antivirus
keywords: event, error code, logging, troubleshooting, microsoft defender antivirus, windows defender antivirus, migration
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: medium
@@ -13,6 +13,7 @@ ms.custom: nextgen
ms.date: 09/11/2018
ms.reviewer:
manager: dansimp
+ms.technology: mde
---
# Troubleshoot Microsoft Defender Antivirus while migrating from a third-party solution
@@ -21,7 +22,8 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+
You can find help here if you encounter issues while migrating from a third-party security solution to Microsoft Defender Antivirus.
@@ -49,7 +51,7 @@ This issue can manifest in the form of several different event IDs, all of whic
### How to tell if Microsoft Defender Antivirus won't start because a third-party antivirus is installed
-On a Windows 10 device, if you are not using Microsoft Defender Advanced Threat Protection (ATP), and you have a third-party antivirus installed, then Microsoft Defender Antivirus will be automatically turned off. If you are using Microsoft Defender ATP with a third-party antivirus installed, Microsoft Defender Antivirus will start in passive mode, with reduced functionality.
+On a Windows 10 device, if you are not using Microsoft Defender for Endpoint, and you have a third-party antivirus installed, then Microsoft Defender Antivirus will be automatically turned off. If you are using Microsoft Defender for Endpoint with a third-party antivirus installed, Microsoft Defender Antivirus will start in passive mode, with reduced functionality.
> [!TIP]
> The scenario just described applies only to Windows 10. Other versions of Windows have [different responses](microsoft-defender-antivirus-compatibility.md) to Microsoft Defender Antivirus being run alongside third-party security software.
@@ -121,7 +123,7 @@ Microsoft Defender Antivirus will automatically turn on if no other antivirus is
> [!WARNING]
> Solutions suggesting that you edit the *Windows Defender* start values for *wdboot*, *wdfilter*, *wdnisdrv*, *wdnissvc*, and *windefend* in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services are unsupported, and may force you to re-image your system.
-Passive mode is available if you start using Microsoft Defender ATP and a third-party antivirus together with Microsoft Defender Antivirus. Passive mode allows Microsoft Defender to scan files and update itself, but it will not remediate threats. In addition, behavior monitoring via [Real Time Protection](configure-real-time-protection-microsoft-defender-antivirus.md) is not available under passive mode, unless [Endpoint data loss prevention (DLP)](../microsoft-defender-atp/information-protection-in-windows-overview.md) is deployed.
+Passive mode is available if you start using Microsoft Defender for Endpoint and a third-party antivirus together with Microsoft Defender Antivirus. Passive mode allows Microsoft Defender to scan files and update itself, but it will not remediate threats. In addition, behavior monitoring via [Real Time Protection](configure-real-time-protection-microsoft-defender-antivirus.md) is not available under passive mode, unless [Endpoint data loss prevention (DLP)](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/information-protection-in-windows-overview) is deployed.
Another feature, known as [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), is available to end-users when Microsoft Defender Antivirus is set to automatically turn off. This feature allows Microsoft Defender Antivirus to scan files periodically alongside a third-party antivirus, using a limited number of detections.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md
index bebdd997f5..6d48b38885 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md
@@ -3,7 +3,7 @@ title: Microsoft Defender AV event IDs and error codes
description: Look up the causes and solutions for Microsoft Defender Antivirus event IDs and errors
keywords: event, error code, siem, logging, troubleshooting, wef, windows event forwarding
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: medium
@@ -13,6 +13,7 @@ ms.custom: nextgen
ms.date: 09/11/2018
ms.reviewer:
manager: dansimp
+ms.technology: mde
---
# Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus
@@ -22,7 +23,7 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
If you encounter a problem with Microsoft Defender Antivirus, you can search the tables in this topic to find a matching issue and potential solution.
@@ -33,7 +34,7 @@ The tables list:
- [Internal Microsoft Defender Antivirus client error codes (used by Microsoft during development and testing)](#internal-error-codes)
> [!TIP]
-> You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working:
+> You can also visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working:
>
> - Cloud-delivered protection
> - Fast learning (including Block at first sight)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md
index 936180ce74..4ec6d05d04 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md
@@ -3,7 +3,7 @@ title: Troubleshoot problems with reporting tools for Microsoft Defender AV
description: Identify and solve common problems when attempting to report in Microsoft Defender AV protection status in Update Compliance
keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender AV
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
@@ -13,6 +13,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer:
manager: dansimp
+ms.technology: mde
---
# Troubleshoot Microsoft Defender Antivirus reporting in Update Compliance
@@ -22,12 +23,12 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
> [!IMPORTANT]
> On March 31, 2020, the Microsoft Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager), which allows finer control over security features and updates.
-You can use Microsoft Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the [Microsoft Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see [Windows 10 product licensing options](https://www.microsoft.com/licensing/product-licensing/windows10.aspx).
+You can use Microsoft Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the [Microsoft Defender for Endpoint portal](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see [Windows 10 product licensing options](https://www.microsoft.com/licensing/product-licensing/windows10.aspx).
When you use [Windows Analytics Update Compliance to obtain reporting into the protection status of devices or endpoints](/windows/deployment/update/update-compliance-using#wdav-assessment) in your network that are using Microsoft Defender Antivirus, you might encounter problems or issues.
@@ -59,7 +60,7 @@ In order for devices to properly show up in Update Compliance, you have to meet
> - If the endpoint is running Windows 10 version 1607 or earlier, [Windows 10 diagnostic data must be set to the Enhanced level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#enhanced-level).
> - It has been 3 days since all requirements have been met
-“You can use Microsoft Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the Microsoft Defender ATP portal (https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see Windows 10 product licensing options"
+“You can use Microsoft Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the Microsoft Defender for Endpoint portal (https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see Windows 10 product licensing options"
If the above prerequisites have all been met, you might need to proceed to the next step to collect diagnostic information and send it to us.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
index 1a87a09ee4..decb62a445 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
@@ -1,9 +1,9 @@
---
title: Configure Microsoft Defender Antivirus with Group Policy
-description: Learn how to use a Group Policy to configure and manage Microsoft Defender Antivirus on your endpoints in Microsoft Defender ATP.
+description: Learn how to use a Group Policy to configure and manage Microsoft Defender Antivirus on your endpoints in Microsoft Defender for Endpoint.
keywords: group policy, GPO, configuration, settings
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: medium
@@ -13,6 +13,7 @@ ms.custom: nextgen
ms.date: 10/01/2018
ms.reviewer: ksarens
manager: dansimp
+ms.technology: mde
---
# Use Group Policy settings to configure and manage Microsoft Defender Antivirus
@@ -22,7 +23,7 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
You can use [Group Policy](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx) to configure and manage Microsoft Defender Antivirus on your endpoints.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md
index b32ee0bc06..dcd08baa99 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md
@@ -1,9 +1,9 @@
---
title: Configure Microsoft Defender Antivirus with Configuration Manager and Intune
-description: Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure Microsoft Defender AV and Endpoint Protection
+description: Use Microsoft Endpoint Manager and Microsoft Intune to configure Microsoft Defender AV and Endpoint Protection
keywords: scep, intune, endpoint protection, configuration
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
@@ -11,27 +11,38 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 09/03/2018
+ms.date: 10/26/2018
ms.reviewer:
manager: dansimp
+ms.technology: mde
---
-# Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage Microsoft Defender Antivirus
+# Use Microsoft Endpoint Manager and Microsoft Intune to configure and manage Microsoft Defender Antivirus
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-If you are using Microsoft Endpoint Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can also use them to manage Microsoft Defender Antivirus scans.
+If you were using Microsoft Endpoint Manager or Microsoft Intune to manage the endpoints on your network, you can now use Microsoft Endpoint Manager to manage Microsoft Defender Antivirus scans.
-In some cases, the protection will be labeled as Endpoint Protection, although the engine is the same as that used by Microsoft Defender Antivirus.
+1. In the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), navigate to **Endpoint Security**.
-See the [Endpoint Protection](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-protection) library on docs.microsoft.com for information on using Configuration Manager.
+2. Under **Manage**, choose **Antivirus**.
-For Microsoft Intune, consult the [Microsoft Intune library](https://docs.microsoft.com/intune/introduction-intune) and [Configure device restriction settings in Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
+3. Select your Microsoft Defender Antivirus policy.
+
+4. Under **Manage**, choose **Properties**.
+
+5. Next to **Configuration settings**, choose **Edit**.
+
+6. Expand the **Scan** section, and review or edit your scanning settings.
+
+7. Choose **Review + save**
+
+Need help? See [Manage endpoint security in Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/endpoint-security).
## Related articles
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md
index 3dc5e33650..dc441c48cf 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md
@@ -3,7 +3,7 @@ title: Use PowerShell cmdlets to configure and run Microsoft Defender AV
description: In Windows 10, you can use PowerShell cmdlets to run scans, update Security intelligence, and change settings in Microsoft Defender Antivirus.
keywords: scan, command line, mpcmdrun, defender
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
@@ -14,6 +14,7 @@ ms.custom: nextgen
ms.date: 07/23/2020
ms.reviewer:
manager: dansimp
+ms.technology: mde
---
# Use PowerShell cmdlets to configure and manage Microsoft Defender Antivirus
@@ -23,7 +24,7 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration. You can read more about it at the [PowerShell hub on MSDN](https://docs.microsoft.com/previous-versions/msdn10/mt173057(v=msdn.10)).
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md
index a517c3bd60..bfcce9630c 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md
@@ -1,9 +1,9 @@
---
title: Configure Microsoft Defender Antivirus with WMI
-description: Learn how to configure and manage Microsoft Defender Antivirus by using WMI scripts to retrieve, modify, and update settings in Microsoft Defender ATP.
+description: Learn how to configure and manage Microsoft Defender Antivirus by using WMI scripts to retrieve, modify, and update settings in Microsoft Defender for Endpoint.
keywords: wmi, scripts, windows management instrumentation, configuration
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
@@ -14,6 +14,7 @@ ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
+ms.technology: mde
---
# Use Windows Management Instrumentation (WMI) to configure and manage Microsoft Defender Antivirus
@@ -23,7 +24,7 @@ manager: dansimp
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
Windows Management Instrumentation (WMI) is a scripting interface that allows you to retrieve, modify, and update settings.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md
index b24a051f44..88cba327be 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md
@@ -3,7 +3,7 @@ title: Use next-generation technologies in Microsoft Defender Antivirus through
description: next-generation technologies in cloud-delivered protection provide an advanced level of fast, robust antivirus detection.
keywords: Microsoft Defender Antivirus, next-generation technologies, next-generation av, machine learning, antimalware, security, defender, cloud, cloud-delivered protection
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: medium
@@ -12,6 +12,7 @@ ms.author: deniseb
ms.reviewer: shwjha
manager: dansimp
ms.custom: nextgen
+ms.technology: mde
---
# Use next-generation technologies in Microsoft Defender Antivirus through cloud-delivered protection
@@ -21,11 +22,11 @@ ms.custom: nextgen
**Applies to:**
-- Microsoft Defender Antivirus
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
Microsoft next-generation technologies in Microsoft Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models.
-Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
+Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender for Endpoint next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
To take advantage of the power and speed of these next-generation technologies, Microsoft Defender Antivirus works seamlessly with Microsoft cloud services. These cloud protection services, also referred to as Microsoft Advanced Protection Service (MAPS), enhances standard real-time protection, providing arguably the best antivirus defense.
@@ -45,11 +46,11 @@ src="https://videoplayercdn.osi.office.net/embed/c2f20f59-ca56-4a7b-ba23-44c60bc
Read the following blog posts for detailed protection stories involving cloud-protection and Microsoft AI:
-- [Why Microsoft Defender Antivirus is the most deployed in the enterprise](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/22/why-microsoft-defender-antivirus-is-the-most-deployed-in-the-enterprise/)
-- [Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/)
-- [How artificial intelligence stopped an Emotet outbreak](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak/)
-- [Detonating a bad rabbit: Microsoft Defender Antivirus and layered machine learning defenses](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-microsoft-defender-antivirus-and-layered-machine-learning-defenses/)
-- [Microsoft Defender Antivirus cloud protection service: Advanced real-time defense against never-before-seen malware](https://cloudblogs.microsoft.com/microsoftsecure/2017/07/18/microsoft-defender-antivirus-cloud-protection-service-advanced-real-time-defense-against-never-before-seen-malware/)
+- [Why Microsoft Defender Antivirus is the most deployed in the enterprise](https://www.microsoft.com/security/blog/2018/03/22/why-windows-defender-antivirus-is-the-most-deployed-in-the-enterprise)
+- [Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign](https://www.microsoft.com/security/blog/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign)
+- [How artificial intelligence stopped an Emotet outbreak](https://www.microsoft.com/security/blog/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak)
+- [Detonating a bad rabbit: Microsoft Defender Antivirus and layered machine learning defenses](https://www.microsoft.com/security/blog/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses)
+- [Microsoft Defender Antivirus cloud protection service: Advanced real-time defense against never-before-seen malware](https://www.microsoft.com/security/blog/2017/07/18/windows-defender-antivirus-cloud-protection-service-advanced-real-time-defense-against-never-before-seen-malware)
## Get cloud-delivered protection
@@ -68,7 +69,7 @@ The following table describes the differences in cloud-delivered protection betw
|Windows 10, version 1607 (Group Policy) |Microsoft Advanced Protection Service |Advanced |No |
|Windows 10, version 1703 or greater (Group Policy) |Cloud-based Protection |Advanced |Configurable |
|System Center 2012 Configuration Manager | N/A |Dependent on Windows version |Not configurable |
-|Microsoft Endpoint Configuration Manager (Current Branch) |Cloud protection service |Dependent on Windows version |Configurable |
+|Microsoft Endpoint Manager (Current Branch) |Cloud protection service |Dependent on Windows version |Configurable |
|Microsoft Intune |Microsoft Advanced Protection Service |Dependent on Windows version |Configurable |
You can also [configure Microsoft Defender Antivirus to automatically receive new protection updates based on reports from our cloud service](manage-event-based-updates-microsoft-defender-antivirus.md#cloud-report-updates).
@@ -82,6 +83,6 @@ You can also [configure Microsoft Defender Antivirus to automatically receive ne
- [Configure and validate network connections for Microsoft Defender Antivirus](configure-network-connections-microsoft-defender-antivirus.md). There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This article lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection.
-- [Configure the block at first sight feature](configure-block-at-first-sight-microsoft-defender-antivirus.md). The "block at first sight" feature can block new malware within seconds, without having to wait hours for traditional Security intelligence. You can enable and configure it with Microsoft Endpoint Configuration Manager and Group Policy.
+- [Configure the block at first sight feature](configure-block-at-first-sight-microsoft-defender-antivirus.md). The "block at first sight" feature can block new malware within seconds, without having to wait hours for traditional Security intelligence. You can enable and configure it with Microsoft Endpoint Manager and Group Policy.
-- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md). Microsoft Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with Microsoft Endpoint Configuration Manager and Group Policy.
+- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md). Microsoft Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with Microsoft Endpoint Manager and Group Policy.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md
index dc28f1eb2f..5f4d1c7ced 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md
@@ -1,56 +1,57 @@
---
-title: "Why you should use Microsoft Defender Antivirus together with Microsoft Defender Advanced Threat Protection"
-description: "For best results, use Microsoft Defender Antivirus together with your other Microsoft offerings."
+title: Why you should use Microsoft Defender Antivirus together with Microsoft Defender for Endpoint
+description: For best results, use Microsoft Defender Antivirus together with your other Microsoft offerings.
keywords: windows defender, antivirus, third party av
search.product: eADQiWindows 10XVcnh
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: medium
-audience: ITPro
-ms.topic: article
+audience: ITPro
+ms.topic: article
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.reviewer:
manager: dansimp
+ms.technology: mde
---
-# Better together: Microsoft Defender Antivirus and Microsoft Defender Advanced Threat Protection
+# Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp)
+- [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint)
-Microsoft Defender Antivirus is the next-generation protection component of [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) (Microsoft Defender ATP).
+Microsoft Defender Antivirus is the next-generation protection component of [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) (Microsoft Defender for Endpoint).
-Although you can use a non-Microsoft antivirus solution with Microsoft Defender ATP, there are advantages to using Microsoft Defender Antivirus together with Microsoft Defender ATP. Not only is Microsoft Defender Antivirus an excellent next-generation antivirus solution, but combined with other Microsoft Defender ATP capabilities, such as [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations), you get better protection that's coordinated across products and services.
+Although you can use a non-Microsoft antivirus solution with Microsoft Defender for Endpoint, there are advantages to using Microsoft Defender Antivirus together with Defender for Endpoint. Not only is Microsoft Defender Antivirus an excellent next-generation antivirus solution, but combined with other Defender for Endpoint capabilities, such as [endpoint detection and response](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response) and [automated investigation and remediation](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations), you get better protection that's coordinated across products and services.
-## 11 reasons to use Microsoft Defender Antivirus together with Microsoft Defender ATP
+## 11 reasons to use Microsoft Defender Antivirus together with Microsoft Defender for Endpoint
-| |Advantage |Why it matters |
+|# |Advantage |Why it matters |
|--|--|--|
-|1|Antivirus signal sharing |Microsoft applications and services share signals across your enterprise organization, providing a stronger single platform. See [Insights from the MITRE ATT&CK-based evaluation of Microsoft Defender ATP](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). |
-|2|Threat analytics and your score for devices |Microsoft Defender Antivirus collects underlying system data used by [threat analytics](../microsoft-defender-atp/threat-analytics.md) and [Microsoft Secure Score for Devices](../microsoft-defender-atp/tvm-microsoft-secure-score-devices.md). This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture. |
-|3|Performance |Microsoft Defender ATP is designed to work with Microsoft Defender Antivirus, so you get better performance when you use these offerings together. [Evaluate Microsoft Defender Antivirus](evaluate-microsoft-defender-antivirus.md) and [Microsoft Defender ATP](../microsoft-defender-atp/evaluate-atp.md).|
-|4|Details about blocked malware |More details and actions for blocked malware are available with Microsoft Defender Antivirus and Microsoft Defender ATP. [Understand malware & other threats](../intelligence/understanding-malware.md).|
-|5|Network protection |Your organization's security team can protect your network by blocking specific URLs and IP addresses. [Protect your network](../microsoft-defender-atp/network-protection.md).|
-|6|File blocking |Your organization's security team can block specific files. [Stop and quarantine files in your network](../microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network).|
-|7|Attack Surface Reduction |Your organization's security team can reduce your vulnerabilities (attack surfaces), giving attackers fewer ways to perform attacks. Attack surface reduction uses cloud protection for a number of rules. [Get an overview of attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction).|
-|8|Auditing events |Auditing event signals are available in [endpoint detection and response capabilities](../microsoft-defender-atp/overview-endpoint-detection-response.md). (These signals are not available with non-Microsoft antivirus solutions.) |
+|1|Antivirus signal sharing |Microsoft applications and services share signals across your enterprise organization, providing a stronger single platform. See [Insights from the MITRE ATT&CK-based evaluation of Microsoft Defender for Endpoint](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). |
+|2|Threat analytics and your score for devices |Microsoft Defender Antivirus collects underlying system data used by [threat analytics](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/threat-analytics) and [Microsoft Secure Score for Devices](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/tvm-microsoft-secure-score-devices). This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture. |
+|3|Performance |Microsoft Defender for Endpoint is designed to work with Microsoft Defender Antivirus, so you get better performance when you use these offerings together. [Evaluate Microsoft Defender Antivirus](evaluate-microsoft-defender-antivirus.md) and [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/evaluate-mde).|
+|4|Details about blocked malware |More details and actions for blocked malware are available with Microsoft Defender Antivirus and Microsoft Defender for Endpoint. [Understand malware & other threats](../intelligence/understanding-malware.md).|
+|5|Network protection |Your organization's security team can protect your network by blocking specific URLs and IP addresses. [Protect your network](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/network-protection).|
+|6|File blocking |Your organization's security team can block specific files. [Stop and quarantine files in your network](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/respond-file-alerts#stop-and-quarantine-files-in-your-network).|
+|7|Attack Surface Reduction |Your organization's security team can reduce your vulnerabilities (attack surfaces), giving attackers fewer ways to perform attacks. Attack surface reduction uses cloud protection for a number of rules. [Get an overview of attack surface reduction](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction).|
+|8|Auditing events |Auditing event signals are available in [endpoint detection and response capabilities](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response). (These signals are not available with non-Microsoft antivirus solutions.) |
|9|Geographic data |Compliant with ISO 270001 and data retention, geographic data is provided according to your organization's selected geographic sovereignty. See [Compliance offerings: ISO/IEC 27001:2013 Information Security Management Standards](https://docs.microsoft.com/microsoft-365/compliance/offering-iso-27001). |
|10|File recovery via OneDrive |If you are using Microsoft Defender Antivirus together with [Office 365](https://docs.microsoft.com/Office365/Enterprise), and your device is attacked by ransomware, your files are protected and recoverable. [OneDrive Files Restore and Windows Defender take ransomware protection one step further](https://techcommunity.microsoft.com/t5/Microsoft-OneDrive-Blog/OneDrive-Files-Restore-and-Windows-Defender-takes-ransomware/ba-p/188001).|
-|11|Technical support |By using Microsoft Defender ATP together with Microsoft Defender Antivirus, you have one company to call for technical support. [Troubleshoot service issues](../microsoft-defender-atp/troubleshoot-mdatp.md) and [review event logs and error codes with Microsoft Defender Antivirus](troubleshoot-microsoft-defender-antivirus.md). |
+|11|Technical support |By using Microsoft Defender for Endpoint together with Microsoft Defender Antivirus, you have one company to call for technical support. [Troubleshoot service issues](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/troubleshoot-mde) and [review event logs and error codes with Microsoft Defender Antivirus](troubleshoot-microsoft-defender-antivirus.md). |
## Learn more
-[Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md)
+[Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint)
-[Threat & Vulnerability Management](../microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
+[Threat & Vulnerability Management](https://docs.microsoft.com/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
index 121ed70fbe..6eddda97d7 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
@@ -1,7 +1,7 @@
---
title: Configure the Group Policy settings for Microsoft Defender Application Guard (Windows 10)
description: Learn about the available Group Policy settings for Microsoft Defender Application Guard.
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
@@ -12,12 +12,13 @@ ms.date: 10/17/2017
ms.reviewer:
manager: dansimp
ms.custom: asr
+ms.technology: mde
---
# Configure Microsoft Defender Application Guard policy settings
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
Microsoft Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and then apply all those settings to every computer in the domain.
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
index b3bb7867ee..60b5e96c41 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
@@ -1,40 +1,40 @@
---
title: FAQ - Microsoft Defender Application Guard (Windows 10)
description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard.
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.date: 09/14/2020
+ms.date: 01/21/2021
ms.reviewer:
manager: dansimp
ms.custom: asr
+ms.technology: mde
---
# Frequently asked questions - Microsoft Defender Application Guard
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Answering frequently asked questions about Microsoft Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration.
## Frequently Asked Questions
-### Can I enable Application Guard on machines equipped with 4GB RAM?
+### Can I enable Application Guard on machines equipped with 4-GB RAM?
+We recommend 8-GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration.
-We recommend 8GB RAM for optimal performance but you may use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration.
+`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.)
-`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is 4 cores.)
+`HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8 GB.)
-`HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8GB.)
-
-`HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5GB.)
+`HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.)
### Can employees download documents from the Application Guard Edge session onto host devices?
-In Windows 10 Enterprise edition 1803, users will be able to download documents from the isolated Application Guard container to the host PC. This is managed by policy.
+In Windows 10 Enterprise edition 1803, users are able to download documents from the isolated Application Guard container to the host PC. This capability is managed by policy.
In Windows 10 Enterprise edition 1709 or Windows 10 Professional edition 1803, it is not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.
@@ -44,20 +44,16 @@ Depending on your organization's settings, employees can copy and paste images (
### Why don't employees see their Favorites in the Application Guard Edge session?
-To help keep the Application Guard Edge session secure and isolated from the host device, favorites that are stored in an Application Guard Edge session are not copied to the host device.
+To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device.
-### Are extensions supported in the Application Guard?
+### Why aren’t employees able to see their Extensions in the Application Guard Edge session?
-Extension installs in the container are supported from Microsoft Edge version 81. For more details, see [Extension support inside the container](https://docs.microsoft.com/deployedge/microsoft-edge-security-windows-defender-application-guard#extension-support-inside-the-container).
+Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this.
### How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)?
Microsoft Defender Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune.
-If Application Guard is used with network proxies, they need to be specified by fully qualified domain name (FQDN) in the system proxy settings (likewise in a PAC script if that is the type of proxy configuration used). Additionally these proxies need to be marked as *neutral* in the **Application trust** list. The FQDNs for the PAC file and the proxy servers the PAC file redirects to must be added as neutral resources in the network isolation policies that are used by Application Guard. You can verify this by going to `edge://application-guard-internals/#utilities` and entering the FQDN for the pac/proxy in the **check url trust** field. Verify that it says *Neutral.*
-
-Optionally, if possible, the IP addresses associated with the server hosting the above should be removed from the enterprise IP ranges in the network isolation policies that are used by Application Guard. Additionally, go to `edge://application-guard-internals/#utilities` to view the Application Guard proxy configuration. This step can be done in both the host and within Application Guard to verify that each side is using the proxy setup you expect.
-
### Which Input Method Editors (IME) in 19H1 are not supported?
The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard.
@@ -76,28 +72,116 @@ The following Input Method Editors (IME) introduced in Windows 10, version 1903
### I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering?
-This feature is currently experimental-only and is not functional without an additional regkey provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, please contact Microsoft and we’ll work with you to enable the feature.
+This feature is currently experimental only and is not functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature.
### What is the WDAGUtilityAccount local account?
-This account is part of Application Guard beginning with Windows 10 version 1709 (Fall Creators Update). This account remains disabled until Application Guard is enabled on your device. This item is integrated to the OS and is not considered as a threat/virus/malware.
+This account is part of Application Guard beginning with Windows 10, version 1709 (Fall Creators Update). This account remains disabled until Application Guard is enabled on your device. This item is integrated to the OS and is not considered as a threat/virus/malware.
### How do I trust a subdomain in my site list?
-To trust a subdomain, you must precede your domain with two dots, for example: `..contoso.com` will ensure `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), the second dot recognizes the start of the domain name (`contoso.com`). This prevents sites such as `fakesitecontoso.com` from being trusted.
+To trust a subdomain, you must precede your domain with two dots, for example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), the second dot recognizes the start of the domain name (`contoso.com`). This prevents sites such as `fakesitecontoso.com` from being trusted.
### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise?
-When using Windows Pro or Windows Enterprise, you will have access to using Application Guard's Standalone Mode. However, when using Enterprise you will have access to Application Guard's Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard).
+When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard).
### Is there a size limit to the domain lists that I need to configure?
-Yes, both the enterprise resource domains hosted in the cloud and the domains categorized as both work and personal have a 16383B limit.
+Yes, both the Enterprise Resource domains hosted in the cloud and the Domains categorized as both work and personal have a 16383-B limit.
### Why does my encryption driver break Microsoft Defender Application Guard?
-Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Microsoft Defender Application Guard will not work and result in an error message (`0x80070013 ERROR_WRITE_PROTECT`).
+Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (`0x80070013 ERROR_WRITE_PROTECT`).
+
+### Why do the Network Isolation policies in Group Policy and CSP look different?
+
+There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP.
+
+Mandatory network isolation GP policy to deploy Application Guard: "DomainSubnets or CloudResources"
+Mandatory network isolation CSP policy to deploy Application Guard: "EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)"
+For EnterpriseNetworkDomainNames, there is no mapped CSP policy.
+
+Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (`0x80070013 ERROR_WRITE_PROTECT`).
### Why did Application Guard stop working after I turned off hyperthreading?
If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements.
+
+### Why am I getting the error message "ERROR_VIRTUAL_DISK_LIMITATION"?
+
+Application Guard might not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume.
+
+### Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach PAC file?
+
+This is a known issue. To mitigate this you need to create two firewall rules.
+For guidance on how to create a firewall rule by using group policy, see:
+- [Create an inbound icmp rule](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule)
+- [Open Group Policy management console for Microsoft Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security)
+
+First rule (DHCP Server):
+1. Program path: `%SystemRoot%\System32\svchost.exe`
+2. Local Service: `Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))`
+3. Protocol UDP
+4. Port 67
+
+Second rule (DHCP Client)
+This is the same as the first rule, but scoped to local port 68.
+In the Microsoft Defender Firewall user interface go through the following steps:
+1. Right click on inbound rules, create a new rule.
+2. Choose **custom rule**.
+3. Program path: `%SystemRoot%\System32\svchost.exe`.
+4. Protocol Type: UDP, Specific ports: 67, Remote port: any.
+5. Any IP addresses.
+6. Allow the connection.
+7. All profiles.
+8. The new rule should show up in the user interface. Right click on the **rule** > **properties**.
+9. In the **Programs and services** tab, Under the **Services** section click on **settings**. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**.
+
+### Why can I not launch Application Guard when Exploit Guard is enabled?
+
+There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to **use default**.
+
+
+### How can I have ICS in enabled state yet still use Application Guard?
+
+ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys.
+
+1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**.
+
+2. Disable IpNat.sys from ICS load as follows:
+`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1`
+
+3. Configure ICS (SharedAccess) to enabled as follows:
+`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3`
+
+4. (This is optional) Disable IPNAT as follows:
+`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4`
+
+5. Reboot the device.
+
+### Why doesn't the container fully load when device control policies are enabled?
+Allow-listed items must be configured as "allowed" in the Group Policy Object ensure AppGuard works properly.
+
+Policy: Allow installation of devices that match any of these device IDs
+- `SCSI\DiskMsft____Virtual_Disk____`
+- `{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba`
+- `VMS_VSF`
+- `root\Vpcivsp`
+- `root\VMBus`
+- `vms_mp`
+- `VMS_VSP`
+- `ROOT\VKRNLINTVSP`
+- `ROOT\VID`
+- `root\storvsp`
+- `vms_vsmp`
+- `VMS_PP`
+
+Policy: Allow installation of devices using drivers that match these device setup classes
+- `{71a27cdd-812a-11d0-bec7-08002be2092f}`
+
+
+
+## See also
+
+[Configure Microsoft Defender Application Guard policy settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-hardware-isolation.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-hardware-isolation.png
index 56acb4be53..99e590e6ca 100644
Binary files a/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-hardware-isolation.png and b/windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-hardware-isolation.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
index 8aba080ae4..e63bfdaf57 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
@@ -1,23 +1,24 @@
---
title: Enable hardware-based isolation for Microsoft Edge (Windows 10)
description: Learn about the Microsoft Defender Application Guard modes (Standalone or Enterprise-managed), and how to install Application Guard in your enterprise.
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.date: 02/19/2019
+ms.date: 10/21/2020
ms.reviewer:
manager: dansimp
ms.custom: asr
+ms.technology: mde
---
# Prepare to install Microsoft Defender Application Guard
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
## Review system requirements
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md
index d01a2ef115..2731dfe662 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md
@@ -1,7 +1,7 @@
---
title: Microsoft Defender Application Guard Extension
description: Learn about the Microsoft Defender Application Guard browser extension, which extends Application Guard's protection to more web browsers.
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
@@ -12,6 +12,7 @@ ms.date: 06/12/2020
ms.reviewer:
manager: dansimp
ms.custom: asr
+ms.technology: mde
---
# Microsoft Defender Application Guard Extension
@@ -48,7 +49,7 @@ Enterprise administrators running Application Guard under managed mode should fi
From there, the steps for installing the extension are similar whether Application Guard is running in managed or standalone mode.
1. On the local device, download and install the Application Guard extension for Google [Chrome](https://chrome.google.com/webstore/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj/) and/or Mozilla [Firefox](https://addons.mozilla.org/en-US/firefox/addon/application-guard-extension/).
-1. Install the [Windows Defender Application Guard companion app](https://www.microsoft.com/p/windows-defender-application-guard-companion/9n8gnlc8z9c8#activetab=pivot:overviewtab) from the Microsoft Store. This companion app enables Application Guard to work with web browsers other than Microsoft Edge or Internet Explorer.
+1. Install the [Microsoft Defender Application Guard companion app](https://www.microsoft.com/p/windows-defender-application-guard-companion/9n8gnlc8z9c8#activetab=pivot:overviewtab) from the Microsoft Store. This companion app enables Application Guard to work with web browsers other than Microsoft Edge or Internet Explorer.
1. Restart the device.
### Recommended browser group policies
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
index 4acd29aa2d..84ae3ac222 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
@@ -1,53 +1,56 @@
---
title: Microsoft Defender Application Guard (Windows 10)
description: Learn about Microsoft Defender Application Guard and how it helps to combat malicious content and malware out on the Internet.
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.date: 09/07/2020
+ms.date: 01/27/2021
ms.reviewer:
manager: dansimp
ms.custom: asr
+ms.technology: mde
---
# Microsoft Defender Application Guard overview
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
+**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete.
## What is Application Guard and how does it work?
-Designed for Windows 10 and Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted.
+For Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container.
+
+For Microsoft Office, Application Guard helps prevents untrusted Word, PowerPoint and Excel files from accessing trusted resources. Application Guard opens untrusted files in an isolated Hyper-V-enabled container. The isolated Hyper-V container is separate from the host operating system. This container isolation means that if the untrusted site or file turns out to be malicious, the host device is protected, and the attacker can't get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can't get to your employee's enterprise credentials.
-If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container, which is separate from the host operating system. This container isolation means that if the untrusted site turns out to be malicious, the host PC is protected, and the attacker can't get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can't get to your employee's enterprise credentials.
### What types of devices should use Application Guard?
-Application Guard has been created to target several types of systems:
+Application Guard has been created to target several types of devices:
-- **Enterprise desktops.** These desktops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network.
+- **Enterprise desktops**. These desktops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network.
-- **Enterprise mobile laptops.** These laptops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wireless, corporate network.
+- **Enterprise mobile laptops**. These laptops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wireless, corporate network.
-- **Bring your own device (BYOD) mobile laptops.** These personally-owned laptops are not domain-joined, but are managed by your organization through tools, such as Microsoft Intune. The employee is typically an admin on the device and uses a high-bandwidth wireless corporate network while at work and a comparable personal network while at home.
+- **Bring your own device (BYOD) mobile laptops**. These personally-owned laptops are not domain-joined, but are managed by your organization through tools, such as Microsoft Intune. The employee is typically an admin on the device and uses a high-bandwidth wireless corporate network while at work and a comparable personal network while at home.
-- **Personal devices.** These personally-owned desktops or mobile laptops are not domain-joined or managed by an organization. The user is an admin on the device and uses a high-bandwidth wireless personal network while at home or a comparable public network while outside.
+- **Personal devices**. These personally-owned desktops or mobile laptops are not domain-joined or managed by an organization. The user is an admin on the device and uses a high-bandwidth wireless personal network while at home or a comparable public network while outside.
## Related articles
|Article |Description |
-|------|------------|
+|:------|:------------|
|[System requirements for Microsoft Defender Application Guard](reqs-md-app-guard.md) |Specifies the prerequisites necessary to install and use Application Guard.|
|[Prepare and install Microsoft Defender Application Guard](install-md-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.|
|[Configure the Group Policy settings for Microsoft Defender Application Guard](configure-md-app-guard.md) |Provides info about the available Group Policy and MDM settings.|
|[Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Application Guard in your organization.|
-| [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a trouble-shooting guide |
+| [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a troubleshooting guide |
+| [Microsoft Defender Application Guard for Microsoft Office](https://docs.microsoft.com/microsoft-365/security/office-365-security/install-app-guard) | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide |
|[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.md)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.|
+|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.|
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
index 5757f18c10..4444817c21 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
@@ -1,7 +1,7 @@
---
title: System requirements for Microsoft Defender Application Guard (Windows 10)
description: Learn about the system requirements for installing and running Microsoft Defender Application Guard.
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
@@ -12,11 +12,12 @@ ms.date: 02/11/2020
ms.reviewer:
manager: dansimp
ms.custom: asr
+ms.technology: mde
---
# System requirements for Microsoft Defender Application Guard
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Microsoft Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive.
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
index 1b3e19b06b..89dc438cda 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
@@ -1,7 +1,7 @@
---
title: Testing scenarios with Microsoft Defender Application Guard (Windows 10)
description: Suggested testing scenarios for Microsoft Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode.
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
@@ -12,13 +12,14 @@ ms.reviewer:
manager: dansimp
ms.date: 09/14/2020
ms.custom: asr
+ms.technology: mde
---
# Application Guard testing scenarios
**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md b/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md
deleted file mode 100644
index acb5350c34..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md
+++ /dev/null
@@ -1,59 +0,0 @@
----
-title: Access the Microsoft Defender Security Center MSSP customer portal
-description: Access the Microsoft Defender Security Center MSSP customer portal
-keywords: managed security service provider, mssp, configure, integration
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Access the Microsoft Defender Security Center MSSP customer portal
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
-
-
-
-
->[!NOTE]
->These set of steps are directed towards the MSSP.
-
-By default, MSSP customers access their Microsoft Defender Security Center tenant through the following URL: `https://securitycenter.windows.com`.
-
-
-MSSPs however, will need to use a tenant-specific URL in the following format: `https://securitycenter.windows.com?tid=customer_tenant_id` to access the MSSP customer portal.
-
-In general, MSSPs will need to be added to each of the MSSP customer's Azure AD that they intend to manage.
-
-
-Use the following steps to obtain the MSSP customer tenant ID and then use the ID to access the tenant-specific URL:
-
-1. As an MSSP, login to Azure AD with your credentials.
-
-2. Switch directory to the MSSP customer's tenant.
-
-3. Select **Azure Active Directory > Properties**. You'll find the tenant ID in the Directory ID field.
-
-4. Access the MSSP customer portal by replacing the `customer_tenant_id` value in the following URL: `https://securitycenter.windows.com?tid=customer_tenant_id`.
-
-
-## Related topics
-- [Grant MSSP access to the portal](grant-mssp-access.md)
-- [Configure alert notifications](configure-mssp-notifications.md)
-- [Fetch alerts from customer tenant](fetch-alerts-mssp.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md
deleted file mode 100644
index 3ef821e164..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md
+++ /dev/null
@@ -1,98 +0,0 @@
----
-title: Add or Remove Machine Tags API
-description: Learn how to use the Add or Remove machine tags API to adds or remove a tag for a machine in Microsoft Defender Advanced Threat Protection.
-keywords: apis, graph api, supported apis, tags, machine tags
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Add or Remove Machine Tags API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-## API description
-
-Adds or remove tag to a specific [Machine](machine.md).
-
-## Limitations
-
-1. You can post on machines last seen according to your configured retention period.
-
-2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.ReadWrite.All | 'Read and write all machine information'
-Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
-
->[!Note]
-> When obtaining a token using user credentials:
->
->- The user needs to have at least the following role permission: 'Manage security setting'. For more (See [Create and manage roles](user-roles.md) for more information)
->- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
-
-## HTTP request
-
-```http
-POST https://api.securitycenter.windows.com/api/machines/{id}/tags
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | string | application/json. **Required**.
-
-## Request body
-
-In the request body, supply a JSON object with the following parameters:
-
-Parameter | Type | Description
-:---|:---|:---
-Value | String | The tag name. **Required**.
-Action | Enum | Add or Remove. Allowed values are: 'Add' or 'Remove'. **Required**.
-
-
-## Response
-
-If successful, this method returns 200 - Ok response code and the updated Machine in the response body.
-
-## Example
-
-**Request**
-
-Here is an example of a request that adds machine tag.
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-```http
-POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags
-Content-type: application/json
-{
- "Value" : "test Tag 2",
- "Action": "Add"
-}
-```
-
-- To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
deleted file mode 100644
index 16e7db9ecf..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
+++ /dev/null
@@ -1,204 +0,0 @@
----
-title: Configure advanced features in Microsoft Defender ATP
-description: Turn on advanced features such as block file in Microsoft Defender Advanced Threat Protection.
-keywords: advanced features, settings, block file, automated investigation, auto-resolve, skype, azure atp, office 365, azure information protection, intune
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Configure advanced features in Microsoft Defender ATP
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink)
-
-Depending on the Microsoft security products that you use, some advanced features might be available for you to integrate Microsoft Defender ATP with.
-
-Use the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations:
-
-## Automated investigation
-
-Turn on this feature to take advantage of the automated investigation and remediation features of the service. For more information, see [Automated investigation](automated-investigations.md).
-
-## Live response
-
-Turn on this feature so that users with the appropriate permissions can start a live response session on devices.
-
-For more information about role assignments, see [Create and manage roles](user-roles.md).
-
-## Live response unsigned script execution
-
-Enabling this feature allows you to run unsigned scripts in a live response session.
-
-## Autoresolve remediated alerts
-
-For tenants created on or after Windows 10, version 1809 the automated investigation and remediation capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you don't want to have alerts auto-resolved, you'll need to manually turn off the feature.
-
->[!TIP]
->For tenants created prior that version, you'll need to manually turn this feature on from the [Advanced features](https://securitycenter.windows.com/preferences2/integration) page.
-
->[!NOTE]
->
->- The result of the auto-resolve action may influence the Device risk level calculation which is based on the active alerts found on a device.
->- If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve capability will not overwrite it.
-
-## Allow or block file
-
-Blocking is only available if your organization fulfills these requirements:
-
-- Uses Microsoft Defender Antivirus as the active antimalware solution and,
-- The cloud-based protection feature is enabled
-
-This feature enables you to block potentially malicious files in your network. Blocking a file will prevent it from being read, written, or executed on devices in your organization.
-
-To turn **Allow or block** files on:
-
-1. In the navigation pane, select **Settings** > **Advanced features** > **Allow or block file**.
-
-1. Toggle the setting between **On** and **Off**.
-
- 
-
-1. Select **Save preferences** at the bottom of the page.
-
-After turning on this feature, you can [block files](respond-file-alerts.md#allow-or-block-file) via the **Add Indicator** tab on a file's profile page.
-
-## Custom network indicators
-
-Turning on this feature allows you to create indicators for IP addresses, domains, or URLs, which determine whether they will be allowed or blocked based on your custom indicator list.
-
-To use this feature, devices must be running Windows 10 version 1709 or later. They should also have network protection in block mode and version 4.18.1906.3 or later of the antimalware platform [see KB 4052623](https://go.microsoft.com/fwlink/?linkid=2099834).
-
-For more information, see [Manage indicators](manage-indicators.md).
-
->[!NOTE]
->Network protection leverages reputation services that process requests in locations that might be outside of the location you have selected for your Microsoft Defender ATP data.
-
-## Show user details
-
-Turn on this feature so that you can see user details stored in Azure Active Directory. Details include a user's picture, name, title, and department information when investigating user account entities. You can find user account information in the following views:
-
-- Security operations dashboard
-- Alert queue
-- Device details page
-
-For more information, see [Investigate a user account](investigate-user.md).
-
-## Skype for Business integration
-
-Enabling the Skype for Business integration gives you the ability to communicate with users using Skype for Business, email, or phone. This can be handy when you need to communicate with the user and mitigate risks.
-
->[!NOTE]
-> When a device is being isolated from the network, there's a pop-up where you can choose to enable Outlook and Skype communications which allows communications to the user while they are disconnected from the network. This setting applies to Skype and Outlook communication when devices are in isolation mode.
-
-## Azure Advanced Threat Protection integration
-
-The integration with Azure Advanced Threat Protection allows you to pivot directly into another Microsoft Identity security product. Azure Advanced Threat Protection augments an investigation with additional insights about a suspected compromised account and related resources. By enabling this feature, you'll enrich the device-based investigation capability by pivoting across the network from an identify point of view.
-
->[!NOTE]
->You'll need to have the appropriate license to enable this feature.
-
-## Microsoft Secure Score
-
-Forwards Microsoft Defender ATP signals to Microsoft Secure Score in the Microsoft 365 security center. Turning on this feature gives Microsoft Secure Score visibility into the devices security posture. Forwarded data is stored and processed in the same location as the your Microsoft Secure Score data.
-
-### Enable the Microsoft Defender ATP integration from the Azure ATP portal
-
-To receive contextual device integration in Azure ATP, you'll also need to enable the feature in the Azure ATP portal.
-
-1. Log in to the [Azure portal](https://portal.atp.azure.com/) with a Global Administrator or Security Administrator role.
-
-2. Click **Create your instance**.
-
-3. Toggle the Integration setting to **On** and click **Save**.
-
-After completing the integration steps on both portals, you'll be able to see relevant alerts in the device details or user details page.
-
-## Office 365 Threat Intelligence connection
-
-This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page.
-
-When you turn this feature on, you'll be able to incorporate data from Office 365 Advanced Threat Protection into Microsoft Defender Security Center to conduct a comprehensive security investigation across Office 365 mailboxes and Windows devices.
-
->[!NOTE]
->You'll need to have the appropriate license to enable this feature.
-
-To receive contextual device integration in Office 365 Threat Intelligence, you'll need to enable the Microsoft Defender ATP settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512).
-
-## Microsoft Threat Experts
-
-Out of the two Microsoft Threat Expert components, targeted attack notification is in general availability. Experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved. You can receive targeted attack notifications from Microsoft Threat Experts through your Microsoft Defender ATP portal's alerts dashboard and via email if you configure it.
-
->[!NOTE]
->The Microsoft Threat Experts capability in Microsoft Defender ATP is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security).
-
-## Microsoft Cloud App Security
-
-Enabling this setting forwards Microsoft Defender ATP signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data.
-
->[!NOTE]
->This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions.
-
-## Azure Information Protection
-
-Turning on this setting allows signals to be forwarded to Azure Information Protection. It gives data owners and administrators visibility into protected data on onboarded devices and device risk ratings.
-
-## Microsoft Intune connection
-
-Microsoft Defender ATP can be integrated with [Microsoft Intune](https://docs.microsoft.com/intune/what-is-intune) to [enable device risk-based conditional access](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). When you [turn on this feature](configure-conditional-access.md), you'll be able to share Microsoft Defender ATP device information with Intune, enhancing policy enforcement.
-
->[!IMPORTANT]
->You'll need to enable the integration on both Intune and Microsoft Defender ATP to use this feature. For more information on specific steps, see [Configure Conditional Access in Microsoft Defender ATP](configure-conditional-access.md).
-
-This feature is only available if you have the following:
-
-- A licensed tenant for Enterprise Mobility + Security E3, and Windows E5 (or Microsoft 365 Enterprise E5)
-- An active Microsoft Intune environment, with Intune-managed Windows 10 devices [Azure AD-joined](https://docs.microsoft.com/azure/active-directory/devices/concept-azure-ad-join/).
-
-### Conditional Access policy
-
-When you enable Intune integration, Intune will automatically create a classic Conditional Access (CA) policy. This classic CA policy is a prerequisite for setting up status reports to Intune. It should not be deleted.
-
->[!NOTE]
-> The classic CA policy created by Intune is distinct from modern [Conditional Access policies](https://docs.microsoft.com/azure/active-directory/conditional-access/overview/), which are used for configuring endpoints.
-
-
-## Preview features
-
-Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience.
-
-You'll have access to upcoming features, which you can provide feedback on to help improve the overall experience before features are generally available.
-
-## Share endpoint alerts with Microsoft Compliance Center
-
-Forwards endpoint security alerts and their triage status to Microsoft Compliance Center, allowing you to enhance insider risk management policies with alerts and remediate internal risks before they cause harm. Forwarded data is processed and stored in the same location as your Office 365 data.
-
-After configuring the [Security policy violation indicators](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-settings.md#indicators) in the insider risk management settings, Microsoft Defender ATP alerts will be shared with insider risk management for applicable users.
-
-## Enable advanced features
-
-1. In the navigation pane, select **Preferences setup** > **Advanced features**.
-2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**.
-3. Click **Save preferences**.
-
-## Related topics
-
-- [Update data retention settings](data-retention-settings.md)
-- [Configure alert notifications](configure-email-notifications.md)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
deleted file mode 100644
index 439322a448..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
+++ /dev/null
@@ -1,95 +0,0 @@
----
-title: Query best practices for advanced hunting
-description: Learn how to construct fast, efficient, and error-free threat hunting queries when using advanced hunting
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, avoid timeout, command lines, process id
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: m365-security-compliance
-ms.topic: article
----
-
-# Advanced hunting query best practices
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-abovefoldlink)
-
-## Optimize query performance
-Apply these recommendations to get results faster and avoid timeouts while running complex queries.
-- When trying new queries, always use `limit` to avoid extremely large result sets. You can also initially assess the size of the result set using `count`.
-- Use time filters first. Ideally, limit your queries to seven days.
-- Put filters that are expected to remove most of the data in the beginning of the query, right after the time filter.
-- Use the `has` operator over `contains` when looking for full tokens.
-- Look in a specific column rather than running full text searches across all columns.
-- When joining tables, specify the table with fewer rows first.
-- `project` only the necessary columns from tables you've joined.
-
->[!TIP]
->For more guidance on improving query performance, read [Kusto query best practices](https://docs.microsoft.com/azure/kusto/query/best-practices).
-
-## Query tips and pitfalls
-
-### Queries with process IDs
-Process IDs (PIDs) are recycled in Windows and reused for new processes. On their own, they can't serve as unique identifiers for specific processes. To get a unique identifier for a process on a specific device, use the process ID together with the process creation time. When you join or summarize data around processes, include columns for the device identifier (either `DeviceId` or `DeviceName`), the process ID (`ProcessId` or `InitiatingProcessId`), and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`).
-
-The following example query finds processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares.
-
-```kusto
-DeviceNetworkEvents
-| where RemotePort == 445 and Timestamp > ago(12h) and InitiatingProcessId !in (0, 4)
-| summarize RemoteIPCount=dcount(RemoteIP) by DeviceName, InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessFileName
-| where RemoteIPCount > 10
-```
-
-The query summarizes by both `InitiatingProcessId` and `InitiatingProcessCreationTime` so that it looks at a single process, without mixing multiple processes with the same process ID.
-
-### Queries with command lines
-Command lines can vary. When applicable, filter on file names and do fuzzy matching.
-
-There are numerous ways to construct a command line to accomplish a task. For example, an attacker could reference an image file with or without a path, without a file extension, using environment variables, or with quotes. In addition, the attacker could also change the order of parameters or add multiple quotes and spaces.
-
-To create more durable queries using command lines, apply the following practices:
-
-- Identify the known processes (such as *net.exe* or *psexec.exe*) by matching on the filename fields, instead of filtering on the command-line field.
-- When querying for command-line arguments, don't look for an exact match on multiple unrelated arguments in a certain order. Instead, use regular expressions or use multiple separate contains operators.
-- Use case insensitive matches. For example, use `=~`, `in~`, and `contains` instead of `==`, `in` and `contains_cs`
-- To mitigate DOS command-line obfuscation techniques, consider removing quotes, replacing commas with spaces, and replacing multiple consecutive spaces with a single space. Note that there are more complex DOS obfuscation techniques that require other approaches, but these can help address the most common ones.
-
-The following examples show various ways to construct a query that looks for the file *net.exe* to stop the Windows Defender Firewall service:
-
-```kusto
-// Non-durable query - do not use
-DeviceProcessEvents
-| where ProcessCommandLine == "net stop MpsSvc"
-| limit 10
-
-// Better query - filters on filename, does case-insensitive matches
-DeviceProcessEvents
-| where Timestamp > ago(7d) and FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine contains "stop" and ProcessCommandLine contains "MpsSvc"
-
-// Best query also ignores quotes
-DeviceProcessEvents
-| where Timestamp > ago(7d) and FileName in~ ("net.exe", "net1.exe")
-| extend CanonicalCommandLine=replace("\"", "", ProcessCommandLine)
-| where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "MpsSvc"
-```
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-belowfoldlink)
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md
deleted file mode 100644
index 80b4736768..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md
+++ /dev/null
@@ -1,56 +0,0 @@
----
-title: DeviceAlertEvents table in the advanced hunting schema
-description: Learn about alert generation events in the DeviceAlertEvents table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, DeviceAlertEvents, alert, severity, category
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 01/22/2020
----
-
-# DeviceAlertEvents
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The `DeviceAlertEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about alerts in Microsoft Defender Security Center. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| `AlertId` | string | Unique identifier for the alert |
-| `Timestamp` | datetime | Date and time when the event was recorded |
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `Severity` | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert |
-| `Category` | string | Type of threat indicator or breach activity identified by the alert |
-| `Title` | string | Title of the alert |
-| `FileName` | string | Name of the file that the recorded action was applied to |
-| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
-| `RemoteUrl` | string | URL or fully qualified domain name (FQDN) that was being connected to |
-| `RemoteIP` | string | IP address that was being connected to |
-| `AttackTechniques` | string | MITRE ATT&CK techniques associated with the activity that triggered the alert |
-| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
-| `Table` | string | Table that contains the details of the event |
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md
deleted file mode 100644
index 33fbf6118f..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md
+++ /dev/null
@@ -1,88 +0,0 @@
----
-title: DeviceEvents table in the advanced hunting schema
-description: Learn about antivirus, firewall, and other event types in the miscellaneous device events (DeviceEvents) table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, security events, antivirus, firewall, exploit guard, MiscEvents
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# DeviceEvents
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The miscellaneous device events or `DeviceEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about various event types, including events triggered by security controls, such as Microsoft Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| `Timestamp` | datetime | Date and time when the event was recorded |
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `ActionType` | string | Type of activity that triggered the event |
-| `FileName` | string | Name of the file that the recorded action was applied to |
-| `FolderPath` | string | Folder containing the file that the recorded action was applied to |
-| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
-| `SHA256` | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available |
-| `MD5` | string | MD5 hash of the file that the recorded action was applied to |
-| `AccountDomain` | string | Domain of the account |
-| `AccountName` |string | User name of the account |
-| `AccountSid` | string | Security Identifier (SID) of the account |
-| `RemoteUrl` | string | URL or fully qualified domain name (FQDN) that was being connected to |
-| `RemoteDeviceName` | string | Name of the device that performed a remote operation on the affected device. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information |
-| `ProcessId` | int | Process ID (PID) of the newly created process |
-| `ProcessCommandLine` | string | Command line used to create the new process |
-| `ProcessCreationTime` | datetime | Date and time the process was created |
-| `ProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
-| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same device only between restarts |
-| `RegistryKey` | string | Registry key that the recorded action was applied to |
-| `RegistryValueName` | string | Name of the registry value that the recorded action was applied to |
-| `RegistryValueData` | string | Data of the registry value that the recorded action was applied to |
-| `RemoteIP` | string | IP address that was being connected to |
-| `RemotePort` | int | TCP port on the remote device that was being connected to |
-| `LocalIP` | string | IP address assigned to the local device used during communication |
-| `LocalPort` | int | TCP port on the local device used during communication |
-| `FileOriginUrl` | string | URL where the file was downloaded from |
-| `FileOriginIP` | string | IP address where the file was downloaded from |
-| `AdditionalFields` | string | Additional information about the event in JSON array format |
-| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
-| `InitiatingProcessSHA256` | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
-| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
-| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
-| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
-| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
-| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
-| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
-| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
-| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
-| `InitiatingProcessLogonId` | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same device only between restarts |
-| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
-| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
-
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md
deleted file mode 100644
index e5a328a9db..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md
+++ /dev/null
@@ -1,61 +0,0 @@
----
-title: DeviceFileCertificateInfo table in the advanced hunting schema
-description: Learn about file signing information in the DeviceFileCertificateInfo table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, digital signature, certificate, file signing, DeviceFileCertificateInfo
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 01/14/2020
----
-
-# DeviceFileCertificateInfo
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The `DeviceFileCertificateInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about file signing certificates. This table uses data obtained from certificate verification activities regularly performed on files on endpoints.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| `Timestamp` | datetime | Date and time when the event was recorded |
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
-| `IsSigned` | boolean | Indicates whether the file is signed |
-| `SignatureType` | string | Indicates whether signature information was read as embedded content in the file itself or read from an external catalog file |
-| `Signer` | string | Information about the signer of the file |
-| `SignerHash` | string | Unique hash value identifying the signer |
-| `Issuer` | string | Information about the issuing certificate authority (CA) |
-| `IssuerHash` | string | Unique hash value identifying issuing certificate authority (CA) |
-| `CertificateSerialNumber` | string | Identifier for the certificate that is unique to the issuing certificate authority (CA) |
-| `CrlDistributionPointUrls` | string | JSON array listing the URLs of network shares that contain certificates and certificate revocation lists (CRLs) |
-| `CertificateCreationTime` | datetime | Date and time the certificate was created |
-| `CertificateExpirationTime` | datetime | Date and time the certificate is set to expire |
-| `CertificateCountersignatureTime` | datetime | Date and time the certificate was countersigned |
-| `IsTrusted` | boolean | Indicates whether the file is trusted based on the results of the WinVerifyTrust function, which checks for unknown root certificate information, invalid signatures, revoked certificates, and other questionable attributes |
-| `IsRootSignerMicrosoft` | boolean | Indicates whether the signer of the root certificate is Microsoft |
-| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
-
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md
deleted file mode 100644
index 246f3b70bd..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md
+++ /dev/null
@@ -1,80 +0,0 @@
----
-title: DeviceFileEvents table in the advanced hunting schema
-description: Learn about file-related events in the DeviceFileEvents table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicefileevents, files, path, hash, sha1, sha256, md5, FileCreationEvents
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# DeviceFileEvents
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The `DeviceFileEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| `Timestamp` | datetime | Date and time when the event was recorded |
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `ActionType` | string | Type of activity that triggered the event |
-| `FileName` | string | Name of the file that the recorded action was applied to |
-| `FolderPath` | string | Folder containing the file that the recorded action was applied to |
-| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
-| `SHA256` | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available |
-| `MD5` | string | MD5 hash of the file that the recorded action was applied to |
-| `FileOriginUrl` | string | URL where the file was downloaded from |
-| `FileOriginReferrerUrl` | string | URL of the web page that links to the downloaded file |
-| `FileOriginIP` | string | IP address where the file was downloaded from |
-| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
-| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
-| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
-| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
-| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
-| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
-| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
-| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
-| `InitiatingProcessIntegrityLevel` | string | integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
-| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
-| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
-| `RequestProtocol` | string | Network protocol, if applicable, used to initiate the activity: Unknown, Local, SMB, or NFS |
-| `ShareName` | string | Name of shared folder containing the file |
-| `RequestSourceIP` | string | IPv4 or IPv6 address of the remote device that initiated the activity |
-| `RequestSourcePort` | string | Source port on the remote device that initiated the activity |
-| `RequestAccountName` | string | User name of account used to remotely initiate the activity |
-| `RequestAccountDomain` | string | Domain of the account used to remotely initiate the activity |
-| `RequestAccountSid` | string | Security Identifier (SID) of the account to remotely initiate the activity |
-| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
-| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
-| `SensitivityLabel` | string | Label applied to an email, file, or other content to classify it for information protection |
-| `SensitivitySubLabel` | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently |
-| `IsAzureInfoProtectionApplied` | boolean | Indicates whether the file is encrypted by Azure Information Protection |
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md
deleted file mode 100644
index 7cd8fd9ebe..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md
+++ /dev/null
@@ -1,66 +0,0 @@
----
-title: DeviceImageLoadEvents table in the advanced hunting schema
-description: Learn about DLL loading events in the DeviceImageLoadEvents table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceimageloadevents, DLL loading, library, file image, ImageLoadEvents
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# DeviceImageLoadEvents
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The `DeviceImageLoadEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about DLL loading events. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| `Timestamp` | datetime | Date and time when the event was recorded |
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `ActionType` | string | Type of activity that triggered the event |
-| `FileName` | string | Name of the file that the recorded action was applied to |
-| `FolderPath` | string | Folder containing the file that the recorded action was applied to |
-| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
-| `MD5` | string | MD5 hash of the file that the recorded action was applied to |
-| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
-| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
-| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
-| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
-| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
-| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
-| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
-| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
-| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
-| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
-| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
-| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
-| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md
deleted file mode 100644
index b939d5ba59..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md
+++ /dev/null
@@ -1,55 +0,0 @@
----
-title: DeviceInfo table in the advanced hunting schema
-description: Learn about OS, computer name, and other device information in the DeviceInfo table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceinfo, device, OS, platform, users, DeviceInfo
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# DeviceInfo
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The `DeviceInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about devices in the organization, including their OS version, active users, and computer name. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| `Timestamp` | datetime | Date and time when the event was recorded |
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `ClientVersion` | string | Version of the endpoint agent or sensor running on the device |
-| `PublicIP` | string | Public IP address used by the onboarded device to connect to the Microsoft Defender ATP service. This could be the IP address of the device itself, a NAT device, or a proxy |
-| `OSArchitecture` | string | Architecture of the operating system running on the device |
-| `OSPlatform` | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 |
-| `OSBuild` | string | Build version of the operating system running on the device |
-| `IsAzureADJoined` | boolean | Boolean indicator of whether device is joined to the Azure Active Directory |
-| `LoggedOnUsers` | string | List of all users that are logged on the device at the time of the event in JSON array format |
-| `RegistryDeviceTag` | string | Device tag added through the registry |
-| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
-| `OSVersion` | string | Version of the operating system running on the device |
-| `MachineGroup` | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine |
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md
deleted file mode 100644
index 17b769e2f3..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md
+++ /dev/null
@@ -1,78 +0,0 @@
----
-title: DeviceLogonEvents table in the advanced hunting schema
-description: Learn about authentication or sign-in events in the DeviceLogonEvents table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicelogonevents, authentication, logon, sign in, LogonEvents
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# DeviceLogonEvents
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The `DeviceLogonEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table.
-
-> [!NOTE]
-> Collection of DeviceLogonEvents is not supported on Windows 7 or Windows Server 2008 R2.
-> We recommend upgrading to Windows 10 or Windows Server 2019 for optimal visibility into user logon activity.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| `Timestamp` | datetime | Date and time when the event was recorded |
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `ActionType` | string |Type of activity that triggered the event |
-| `AccountDomain` | string | Domain of the account |
-| `AccountName` | string | User name of the account |
-| `AccountSid` | string | Security Identifier (SID) of the account |
-| `LogonType` | string | Type of logon session, specifically:
- **Interactive** - User physically interacts with the device using the local keyboard and screen
- **Remote interactive (RDP) logons** - User interacts with the device remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients
- **Network** - Session initiated when the device is accessed using PsExec or when shared resources on the device, such as printers and shared folders, are accessed
- **Batch** - Session initiated by scheduled tasks
- **Service** - Session initiated by services as they start
|
-| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same device only between restarts |
-| `RemoteDeviceName` | string | Name of the device that performed a remote operation on the affected device. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name or a host name without domain information |
-| `RemoteIP` | string | IP address that was being connected to |
-| `RemoteIPType` | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
-| `RemotePort` | int | TCP port on the remote device that was being connected to |
-| `AdditionalFields` | string | Additional information about the event in JSON array format |
-| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
-| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
-| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
-| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
-| `InitiatingProcessSHA256` | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
-| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
-| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
-| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
-| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
-| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
-| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
-| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
-| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
-| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
-| `IsLocalAdmin` | boolean | Boolean indicator of whether the user is a local administrator on the device |
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md
deleted file mode 100644
index 77692cf8fe..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md
+++ /dev/null
@@ -1,70 +0,0 @@
----
-title: DeviceNetworkEvents table in the advanced hunting schema
-description: Learn about network connection events you can query from the DeviceNetworkEvents table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, devicenetworkevents, network connection, remote ip, local ip, NetworkCommunicationEvents
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# DeviceNetworkEvents
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The `DeviceNetworkEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about network connections and related events. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| `Timestamp` | datetime | Date and time when the event was recorded |
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `ActionType` | string | Type of activity that triggered the event |
-| `RemoteIP` | string | IP address that was being connected to |
-| `RemotePort` | int | TCP port on the remote device that was being connected to |
-| `RemoteUrl` | string | URL or fully qualified domain name (FQDN) that was being connected to |
-| `LocalIP` | string | IP address assigned to the local device used during communication |
-| `LocalPort` | int | TCP port on the local device used during communication |
-| `Protocol` | string | IP protocol used, whether TCP or UDP |
-| `LocalIPType` | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
-| `RemoteIPType` | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
-| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
-| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
-| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
-| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
-| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
-| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
-| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
-| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
-| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
-| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
-| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
-| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
-| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md
deleted file mode 100644
index 8d919d89c0..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md
+++ /dev/null
@@ -1,56 +0,0 @@
----
-title: DeviceNetworkInfo table in the advanced hunting schema
-description: Learn about network configuration information in the DeviceNetworkInfo table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicenetworkinfo, device, device, mac, ip, adapter, dns, dhcp, gateway, tunnel, DeviceNetworkInfo
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# DeviceNetworkInfo
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The `DeviceNetworkInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about networking configuration of devices, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| `Timestamp` | datetime | Date and time when the event was recorded |
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
-| `NetworkAdapterName` | string | Name of the network adapter |
-| `MacAddress` | string | MAC address of the network adapter |
-| `NetworkAdapterType` | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2) |
-| `NetworkAdapterStatus` | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2) |
-| `TunnelType` | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH |
-| `ConnectedNetworks` | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it's connected publicly to the internet |
-| `DnsAddresses` | string | DNS server addresses in JSON array format |
-| `IPv4Dhcp` | string | IPv4 address of DHCP server |
-| `IPv6Dhcp` | string | IPv6 address of DHCP server |
-| `DefaultGateways` | string | Default gateway addresses in JSON array format |
-| `IPAddresses` | string | JSON array containing all the IP addresses assigned to the adapter, along with their respective subnet prefix and IP address space, such as public, private, or link-local |
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md
deleted file mode 100644
index 3d7fc8a005..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md
+++ /dev/null
@@ -1,78 +0,0 @@
----
-title: DeviceProcessEvents table in the advanced hunting schema
-description: Learn about the process spawning or creation events in the DeviceProcessEvents table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, deviceprocessevents, process id, command line, ProcessCreationEvents
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# DeviceProcessEvents
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The `DeviceProcessEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about process creation and related events. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| `Timestamp` | datetime | Date and time when the event was recorded |
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `ActionType` | string | Type of activity that triggered the event |
-| `FileName` | string | Name of the file that the recorded action was applied to |
-| `FolderPath` | string | Folder containing the file that the recorded action was applied to |
-| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
-| `SHA256` | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. |
-| `MD5` | string | MD5 hash of the file that the recorded action was applied to |
-| `ProcessId` | int | Process ID (PID) of the newly created process |
-| `ProcessCommandLine` | string | Command line used to create the new process |
-| `ProcessIntegrityLevel` | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources |
-| `ProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
-| `ProcessCreationTime` | datetime | Date and time the process was created |
-| `AccountDomain` | string | Domain of the account |
-| `AccountName` | string | User name of the account |
-| `AccountSid` | string | Security Identifier (SID) of the account |
-| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same device only between restarts |
-| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
-| `InitiatingProcessLogonId` | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same device only between restarts. |
-| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
-| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
-| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
-| `InitiatingProcessSHA256` | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available |
-| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
-| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
-| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
-| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
-| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
-| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
-| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
-| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
-| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md
deleted file mode 100644
index 4ee7217b7c..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md
+++ /dev/null
@@ -1,68 +0,0 @@
----
-title: DeviceRegistryEvents table in the advanced hunting schema
-description: Learn about registry events you can query from the DeviceRegistryEvents table of the advanced hunting schema
-keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, deviceregistryevents, registry, key, subkey, value, RegistryEvents
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# DeviceRegistryEvents
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-The `DeviceRegistryEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| `Timestamp` | datetime | Date and time when the event was recorded |
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `ActionType` | string | Type of activity that triggered the event |
-| `RegistryKey` | string | Registry key that the recorded action was applied to |
-| `RegistryValueType` | string | Data type, such as binary or string, of the registry value that the recorded action was applied to |
-| `RegistryValueName` | string | Name of the registry value that the recorded action was applied to |
-| `RegistryValueData` | string | Data of the registry value that the recorded action was applied to |
-| `PreviousRegistryValueName` | string | Original name of the registry value before it was modified |
-| `PreviousRegistryValueData` | string | Original data of the registry value before it was modified |
-| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
-| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
-| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
-| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event |
-| `InitiatingProcessFileName` | string | Name of the process that initiated the event |
-| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event |
-| `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event |
-| `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
-| `InitiatingProcessFolderPath` | string | Folder containing the process (image file) that initiated the event |
-| `InitiatingProcessParentId` | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentFileName` | string | Name of the parent process that spawned the process responsible for the event |
-| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
-| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
-| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
-| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
-| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md
deleted file mode 100644
index 22e4e6aa6b..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md
+++ /dev/null
@@ -1,55 +0,0 @@
----
-title: DeviceTvmSecureConfigurationAssessment table in the advanced hunting schema
-description: Learn about Threat & Vulnerability Management security assessment events in the DeviceTvmSecureConfigurationAssessment table of the Advanced hunting schema. These events provide device information as well as security configuration details, impact, and compliance information.
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, DeviceTvmSecureConfigurationAssessment
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# DeviceTvmSecureConfigurationAssessment
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Each row in the `DeviceTvmSecureConfigurationAssessment` table contains an assessment event for a specific security configuration from [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). Use this reference to check the latest assessment results and determine whether devices are compliant.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `OSPlatform` | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.|
-| `Timestamp` | datetime |Date and time when the record was generated |
-| `ConfigurationId` | string | Unique identifier for a specific configuration |
-| `ConfigurationCategory` | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls |
-| `ConfigurationSubcategory` | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
-| `ConfigurationImpact` | string | Rated impact of the configuration to the overall configuration score (1-10) |
-| `IsCompliant` | boolean | Indicates whether the configuration or policy is properly configured |
-
-
-## Related topics
-
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
-- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md
deleted file mode 100644
index d2b7ab5de4..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md
+++ /dev/null
@@ -1,55 +0,0 @@
----
-title: DeviceTvmSecureConfigurationAssessmentKB table in the advanced hunting schema
-description: Learn about the various secure configurations assessed by Threat & Vulnerability Management in the DeviceTvmSecureConfigurationAssessmentKB table of the Advanced hunting schema.
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, MITRE ATT&CK framework, knowledge base, KB, DeviceTvmSecureConfigurationAssessmentKB
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# DeviceTvmSecureConfigurationAssessmentKB
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-The `DeviceTvmSecureConfigurationAssessmentKB` table in the advanced hunting schema contains information about the various secure configurations — such as whether a device has automatic updates on — checked by [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). It also includes risk information, related industry benchmarks, and applicable MITRE ATT&CK techniques and tactics. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| `ConfigurationId` | string | Unique identifier for a specific configuration |
-| `ConfigurationImpact` | string | Rated impact of the configuration to the overall configuration score (1-10) |
-| `ConfigurationName` | string | Display name of the configuration |
-| `ConfigurationDescription` | string | Description of the configuration |
-| `RiskDescription` | string | Description of the associated risk |
-| `ConfigurationCategory` | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls|
-| `ConfigurationSubcategory` | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. |
-| `ConfigurationBenchmarks` | string | List of industry benchmarks recommending the same or similar configuration |
-| `RelatedMitreTechniques` | string | List of Mitre ATT&CK framework techniques related to the configuration |
-| `RelatedMitreTactics ` | string | List of Mitre ATT&CK framework tactics related to the configuration |
-
-## Related topics
-
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
-- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md
deleted file mode 100644
index a61d3499dc..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md
+++ /dev/null
@@ -1,58 +0,0 @@
----
-title: DeviceTvmSoftwareInventoryVulnerabilities table in the advanced hunting schema
-description: Learn about the inventory of software in your devices and their vulnerabilities in the DeviceTvmSoftwareInventoryVulnerabilities table of the advanced hunting schema.
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# DeviceTvmSoftwareInventoryVulnerabilities
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-The `DeviceTvmSoftwareInventoryVulnerabilities` table in the advanced hunting schema contains the [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) inventory of software on your devices as well as any known vulnerabilities in these software products. This table also includes operating system information, CVE IDs, and vulnerability severity information. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| `DeviceId` | string | Unique identifier for the device in the service |
-| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
-| `OSPlatform` | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
-| `OSVersion` | string | Version of the operating system running on the device |
-| `OSArchitecture` | string | Architecture of the operating system running on the device |
-| `SoftwareVendor` | string | Name of the software vendor |
-| `SoftwareName` | string | Name of the software product |
-| `SoftwareVersion` | string | Version number of the software product |
-| `CveId` | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
-| `VulnerabilitySeverityLevel` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
-
-
-
-## Related topics
-
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
-- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md
deleted file mode 100644
index 36a4097508..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md
+++ /dev/null
@@ -1,53 +0,0 @@
----
-title: DeviceTvmSoftwareVulnerabilitiesKB table in the advanced hunting schema
-description: Learn about the software vulnerabilities tracked by Threat & Vulnerability Management in the DeviceTvmSoftwareVulnerabilitiesKB table of the advanced hunting schema.
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, CVSS, DeviceTvmSoftwareVulnerabilitiesKB
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# DeviceTvmSoftwareVulnerabilitiesKB
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-The `DeviceTvmSoftwareVulnerabilitiesKB` table in the advanced hunting schema contains the list of vulnerabilities [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) assesses devices for. Use this reference to construct queries that return information from the table.
-
-For information on other tables in the advanced hunting schema, see [the advanced hunting reference](advanced-hunting-reference.md).
-
-| Column name | Data type | Description |
-|-------------|-----------|-------------|
-| `CveId` | string | Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system |
-| `CvssScore` | string | Severity score assigned to the security vulnerability under th Common Vulnerability Scoring System (CVSS) |
-| `IsExploitAvailable` | boolean | Indicates whether exploit code for the vulnerability is publicly available |
-| `VulnerabilitySeverityLevel` | string | Severity level assigned to the security vulnerability based on the CVSS score and dynamic factors influenced by the threat landscape |
-| `LastModifiedTime` | datetime | Date and time the item or related metadata was last modified |
-| `PublishedDate` | datetime | Date vulnerability was disclosed to public |
-| `VulnerabilityDescription` | string | Description of vulnerability and associated risks |
-| `AffectedSoftware` | string | List of all software products affected by the vulnerability |
-
-## Related topics
-
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
-- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md
deleted file mode 100644
index 092f10cf8f..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-title: Handle errors in advanced hunting for Microsoft Defender ATP
-description: Understand errors displayed when using advanced hunting
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp, m365, search, query, telemetry, schema, kusto, timeout, resources, errors, unknown error
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Handle advanced hunting errors
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
-
-
-Advanced hunting displays errors to notify for syntax mistakes and whenever queries hit [predefined limits](advanced-hunting-limits.md). Refer to the table below for tips on how to resolve or avoid errors.
-
-| Error type | Cause | Resolution | Error message examples |
-|--|--|--|--|
-| Syntax errors | The query contains unrecognized names, including references to nonexistent operators, columns, functions, or tables. | Ensure references to [Kusto operators and functions](https://docs.microsoft.com/azure/data-explorer/kusto/query/) are correct. Check [the schema](advanced-hunting-schema-reference.md) for the correct advanced hunting columns, functions, and tables. Enclose variable strings in quotes so they are recognized. While writing your queries, use the autocomplete suggestions from IntelliSense. | `A recognition error occurred.` |
-| Semantic errors | While the query uses valid operator, column, function, or table names, there are errors in its structure and resulting logic. In some cases, advanced hunting identifies the specific operator that caused the error. | Check for errors in the structure of query. Refer to [Kusto documentation](https://docs.microsoft.com/azure/data-explorer/kusto/query/) for guidance. While writing your queries, use the autocomplete suggestions from IntelliSense. | `'project' operator: Failed to resolve scalar expression named 'x'`|
-| Timeouts | A query can only run within a [limited period before timing out](advanced-hunting-limits.md). This error can happen more frequently when running complex queries. | [Optimize the query](advanced-hunting-best-practices.md) | `Query exceeded the timeout period.` |
-| CPU throttling | Queries in the same tenant have exceeded the [CPU resources](advanced-hunting-limits.md) that have been allocated based on tenant size. | The service checks CPU resource usage every 15 minutes and daily and displays warnings after usage exceeds 10% of the allocated limit. If you reach 100% utilization, the service blocks queries until after the next daily or 15-minute cycle. [Optimize your queries to avoid hitting CPU limits](advanced-hunting-best-practices.md) | - `This query used X% of your organization's allocated resources for the current 15 minutes.`
- `You have exceeded processing resources allocated to this tenant. You can run queries again in
-`Query stopped. Adjust use of the
- Daily at 12 midnight | The service enforces the daily and the 15-minute limit separately. For each limit, the [portal displays an error](advanced-hunting-errors.md) whenever a query runs and the tenant has consumed over 10% of allocated resources. Queries are blocked if the tenant has reached 100% until after the next daily or 15-minute cycle. |
-
->[!NOTE]
->A separate set of limits apply to advanced hunting queries performed through the API. [Read about advanced hunting APIs](run-advanced-query-api.md)
-
-Customers who run multiple queries regularly should track consumption and [apply optimization best practices](advanced-hunting-best-practices.md) to minimize disruption resulting from exceeding these limits.
-
-## Related topics
-
-- [Advanced hunting best practices](advanced-hunting-best-practices.md)
-- [Handle advanced hunting errors](advanced-hunting-errors.md)
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Custom detections rules](custom-detection-rules.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
deleted file mode 100644
index 576f8e6c89..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
+++ /dev/null
@@ -1,70 +0,0 @@
----
-title: Overview of advanced hunting in Microsoft Defender ATP
-description: Use threat hunting capabilities in Microsoft Defender ATP to build queries that find threats and weaknesses in your network
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp, search, query, telemetry, custom detections, schema, kusto, time zone, UTC
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Proactively hunt for threats with advanced hunting
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
-
-Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats.
-
-You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and then respond to suspected breach activity, misconfigured machines, and other findings.
-
->[!TIP]
->Use [advanced hunting in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview) to hunt for threats using data from Microsoft Defender ATP, Office 365 ATP, Microsoft Cloud App Security, and Azure ATP. [Turn on Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-enable)
-
-## Get started with advanced hunting
-Watch this video for a quick overview of advanced hunting and a short tutorial that will get you started fast.
-
-
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqo]
-
-You can also go through each of the following steps to ramp up your advanced hunting knowledge.
-
-We recommend going through several steps to quickly get up and running with advanced hunting.
-
-| Learning goal | Description | Resource |
-|--|--|--|
-| **Learn the language** | Advanced hunting is based on [Kusto query language](https://docs.microsoft.com/azure/kusto/query/), supporting the same syntax and operators. Start learning the query language by running your first query. | [Query language overview](advanced-hunting-query-language.md) |
-| **Learn how to use the query results** | Learn about charts and various ways you can view or export your results. Explore how you can quickly tweak queries and drill down to get richer information. | [Work with query results](advanced-hunting-query-results.md) |
-| **Understand the schema** | Get a good, high-level understanding of the tables in the schema and their columns. Learn where to look for data when constructing your queries. | [Schema reference](advanced-hunting-schema-reference.md) |
-| **Use predefined queries** | Explore collections of predefined queries covering different threat hunting scenarios. | [Shared queries](advanced-hunting-shared-queries.md) |
-| **Optimize queries and handle errors** | Understand how to create efficient and error-free queries. | - [Query best practices](advanced-hunting-best-practices.md)
- [Handle errors](advanced-hunting-errors.md) |
-| **Create custom detection rules** | Understand how you can use advanced hunting queries to trigger alerts and take response actions automatically. | - [Custom detections overview](overview-custom-detections.md)
- [Custom detection rules](custom-detection-rules.md) |
-
-## Data freshness and update frequency
-Advanced hunting data can be categorized into two distinct types, each consolidated differently.
-
-- **Event or activity data**—populates tables about alerts, security events, system events, and routine assessments. Advanced hunting receives this data almost immediately after the sensors that collect them successfully transmit them to Microsoft Defender ATP.
-- **Entity data**—populates tables with consolidated information about users and devices. This data comes from both relatively static data sources and dynamic sources, such as Active Directory entries and event logs. To provide fresh data, tables are updated with any new information every 15 minutes, adding rows that might not be fully populated. Every 24 hours, data is consolidated to insert a record that contains the latest, most comprehensive data set about each entity.
-
-## Time zone
-Time information in advanced hunting is currently in the UTC time zone.
-
-## Related topics
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Work with query results](advanced-hunting-query-results.md)
-- [Use shared queries](advanced-hunting-shared-queries.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
-- [Apply query best practices](advanced-hunting-best-practices.md)
-- [Custom detections overview](overview-custom-detections.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
deleted file mode 100644
index e115475712..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
+++ /dev/null
@@ -1,182 +0,0 @@
----
-title: Learn the advanced hunting query language
-description: Create your first threat hunting query and learn about common operators and other aspects of the advanced hunting query language
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, language, learn, first query, telemetry, events, telemetry, custom detections, schema, kusto, operators, data types
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Learn the advanced hunting query language
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
-
-Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto operators and statements to construct queries that locate information in a specialized [schema](advanced-hunting-schema-reference.md). To understand these concepts better, run your first query.
-
-## Try your first query
-
-In Microsoft Defender Security Center, go to **Advanced hunting** to run your first query. Use the following example:
-
-```kusto
-// Finds PowerShell execution events that could involve a download
-union DeviceProcessEvents, DeviceNetworkEvents
-| where Timestamp > ago(7d)
-// Pivoting on PowerShell processes
-| where FileName in~ ("powershell.exe", "powershell_ise.exe")
-// Suspicious commands
-| where ProcessCommandLine has_any("WebClient",
- "DownloadFile",
- "DownloadData",
- "DownloadString",
- "WebRequest",
- "Shellcode",
- "http",
- "https")
-| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
-FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType
-| top 100 by Timestamp
-```
-**[Run this query in advanced hunting](https://securitycenter.windows.com/hunting?query=H4sIAAAAAAAEAI2TT0vDQBDF5yz4HUJPFcTqyZsXqyCIBFvxKNGWtpo_NVlbC8XP7m8mado0K5Zls8nkzdu3b2Z70pNAbmUmqYyk4D2UTJYyllwGMmWNGQHrN_NNvsSBzUBrbMFMiWieAx3xDEBl4GL4AuNd8B0bNgARENcdUmIZ3yM5liPwac3bN-YZPGPU5ET1rWDc7Ox4uod8YDp4MzI-GkjlX4Ne2nly0zEkKzFWh4ZE5sSuTN8Ehq5couvEMnvmUAhez-HsRBMipVa_W_OG6vEfGtT12JRHpqV064e1Kx04NsxFzXxW1aFjp_djXmDRPbfY3XMMcLogTz2bWZ2KqmIJI6q6wKe2WYnrRsa9KVeU9kCBBo2v7BzPxF_Bx2DKiqh63SGoRoc6Njti48z_yL71XHQAcgAur6rXRpcqH3l-4knZF23Utsbq2MircEqmw-G__xR1TdZ1r7zb7XLezmx3etkvGr-ze6NdGdW92azUfpcdluWvr-aqbh_nofnqcWI3aYyOsBV7giduRUO7187LMKTT5rxvHHX80_t8IeeMgLquvL7-Ak3q-kz8BAAA&runQuery=true&timeRangeId=week)**
-
-### Describe the query and specify the tables to search
-A short comment has been added to the beginning of the query to describe what it is for. This comment helps if you later decide to save the query and share it with others in your organization.
-
-```kusto
-// Finds PowerShell execution events that could involve a download
-```
-The query itself will typically start with a table name followed by several elements that start with a pipe (`|`). In this example, we start by creating a union of two tables, `DeviceProcessEvents` and `DeviceNetworkEvents`, and add piped elements as needed.
-
-```kusto
-union DeviceProcessEvents, DeviceNetworkEvents
-```
-### Set the time range
-The first piped element is a time filter scoped to the previous seven days. Limiting the time range helps ensure that queries perform well, return manageable results, and don't time out.
-
-```kusto
-| where Timestamp > ago(7d)
-```
-
-### Check specific processes
-The time range is immediately followed by a search for process file names representing the PowerShell application.
-
-```kusto
-// Pivoting on PowerShell processes
-| where FileName in~ ("powershell.exe", "powershell_ise.exe")
-```
-
-### Search for specific command strings
-Afterwards, the query looks for strings in command lines that are typically used to download files using PowerShell.
-
-```kusto
-// Suspicious commands
-| where ProcessCommandLine has_any("WebClient",
- "DownloadFile",
- "DownloadData",
- "DownloadString",
- "WebRequest",
- "Shellcode",
- "http",
- "https")
-```
-
-### Customize result columns and length
-Now that your query clearly identifies the data you want to locate, you can define what the results look like. `project` returns specific columns, and `top` limits the number of results. These operators help ensure the results are well-formatted and reasonably large and easy to process.
-
-```kusto
-| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
-FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType
-| top 100 by Timestamp
-```
-
-Select **Run query** to see the results. Use the expand icon at the top right of the query editor to focus on your hunting query and the results.
-
-
-
->[!TIP]
->You can view query results as charts and quickly adjust filters. For guidance, [read about working with query results](advanced-hunting-query-results.md)
-
-## Learn common query operators for advanced hunting
-
-You've just run your first query and have a general idea of its components. It's time to backtrack slightly and learn some basics. The Kusto query language used by advanced hunting supports a range of operators, including the following common ones.
-
-| Operator | Description and usage |
-|--|--|
-| `where` | Filter a table to the subset of rows that satisfy a predicate. |
-| `summarize` | Produce a table that aggregates the content of the input table. |
-| `join` | Merge the rows of two tables to form a new table by matching values of the specified column(s) from each table. |
-| `count` | Return the number of records in the input record set. |
-| `top` | Return the first N records sorted by the specified columns. |
-| `limit` | Return up to the specified number of rows. |
-| `project` | Select the columns to include, rename or drop, and insert new computed columns. |
-| `extend` | Create calculated columns and append them to the result set. |
-| `makeset` | Return a dynamic (JSON) array of the set of distinct values that Expr takes in the group. |
-| `find` | Find rows that match a predicate across a set of tables. |
-
-To see a live example of these operators, run them from the **Get started** section of the advanced hunting page.
-
-## Understand data types
-
-Advanced hunting supports Kusto data types, including the following common types:
-
-| Data type | Description and query implications |
-|--|--|
-| `datetime` | Data and time information typically representing event timestamps. [See supported datetime formats](https://docs.microsoft.com/azure/data-explorer/kusto/query/scalar-data-types/datetime) |
-| `string` | Character string in UTF-8 enclosed in single quotes (`'`) or double quotes (`"`). [Read more about strings](https://docs.microsoft.com/azure/data-explorer/kusto/query/scalar-data-types/string) |
-| `bool` | This data type supports `true` or `false` states. [See supported literals and operators](https://docs.microsoft.com/azure/data-explorer/kusto/query/scalar-data-types/bool) |
-| `int` | 32-bit integer |
-| `long` | 64-bit integer |
-
-To learn more about these data types, [read about Kusto scalar data types](https://docs.microsoft.com/azure/data-explorer/kusto/query/scalar-data-types/).
-
-## Get help as you write queries
-Take advantage of the following functionality to write queries faster:
-
-- **Autosuggest**—as you write queries, advanced hunting provides suggestions from IntelliSense.
-- **Schema tree**—a schema representation that includes the list of tables and their columns is provided next to your working area. For more information, hover over an item. Double-click an item to insert it to the query editor.
-- **[Schema reference](advanced-hunting-schema-reference.md#get-schema-information-in-the-security-center)**—in-portal reference with table and column descriptions as well as supported event types (`ActionType` values) and sample queries
-
-## Work with multiple queries in the editor
-You can use the query editor to experiment with multiple queries. To use multiple queries:
-
-- Separate each query with an empty line.
-- Place the cursor on any part of a query to select that query before running it. This will run only the selected query. To run another query, move the cursor accordingly and select **Run query**.
-
-
-_Query editor with multiple queries_
-
-
-## Use sample queries
-
-The **Get started** section provides a few simple queries using commonly used operators. Try running these queries and making small modifications to them.
-
-
-
-> [!NOTE]
-> Apart from the basic query samples, you can also access [shared queries](advanced-hunting-shared-queries.md) for specific threat hunting scenarios. Explore the shared queries on the left side of the page or the [GitHub query repository](https://aka.ms/hunting-queries).
-
-## Access comprehensive query language reference
-
-For detailed information about the query language, see [Kusto query language documentation](https://docs.microsoft.com/azure/kusto/query/).
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Work with query results](advanced-hunting-query-results.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
-- [Apply query best practices](advanced-hunting-best-practices.md)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md
deleted file mode 100644
index 97391fa308..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md
+++ /dev/null
@@ -1,143 +0,0 @@
----
-title: Work with advanced hunting query results in Microsoft Defender ATP
-description: Make the most of the query results returned by advanced hunting in Microsoft Defender ATP
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, visualization, chart, filters, drill down
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Work with advanced hunting query results
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
-
-While you can construct your [advanced hunting](advanced-hunting-overview.md) queries to return very precise information, you can also work with the query results to gain further insight and investigate specific activities and indicators. You can take the following actions on your query results:
-
-- View results as a table or chart
-- Export tables and charts
-- Drill down to detailed entity information
-- Tweak your queries directly from the results or apply filters
-
-## View query results as a table or chart
-By default, advanced hunting displays query results as tabular data. You can also display the same data as a chart. Advanced hunting supports the following views:
-
-| View type | Description |
-| -- | -- |
-| **Table** | Displays the query results in tabular format |
-| **Column chart** | Renders a series of unique items on the x-axis as vertical bars whose heights represent numeric values from another field |
-| **Stacked column chart** | Renders a series of unique items on the x-axis as stacked vertical bars whose heights represent numeric values from one or more other fields |
-| **Pie chart** | Renders sectional pies representing unique items. The size of each pie represents numeric values from another field. |
-| **Donut chart** | Renders sectional arcs representing unique items. The length of each arc represents numeric values from another field. |
-| **Line chart** | Plots numeric values for a series of unique items and connects the plotted values |
-| **Scatter chart** | Plots numeric values for a series of unique items |
-| **Area chart** | Plots numeric values for a series of unique items and fills the sections below the plotted values |
-
-### Construct queries for effective charts
-When rendering charts, advanced hunting automatically identifies columns of interest and the numeric values to aggregate. To get meaningful charts, construct your queries to return the specific values you want to see visualized. Here are some sample queries and the resulting charts.
-
-#### Alerts by severity
-Use the `summarize` operator to obtain a numeric count of the values you want to chart. The query below uses the `summarize` operator to get the number of alerts by severity.
-
-```kusto
-DeviceAlertEvents
-| summarize Total = count() by Severity
-```
-When rendering the results, a column chart displays each severity value as a separate column:
-
-
-*Query results for alerts by severity displayed as a column chart*
-
-#### Alert severity by operating system
-You could also use the `summarize` operator to prepare results for charting values from multiple fields. For example, you might want to understand how alert severities are distributed across operating systems (OS).
-
-The query below uses a `join` operator to pull in OS information from the `DeviceInfo` table, and then uses `summarize` to count values in both the `OSPlatform` and `Severity` columns:
-
-```kusto
-DeviceAlertEvents
-| join DeviceInfo on DeviceId
-| summarize Count = count() by OSPlatform, Severity
-```
-These results are best visualized using a stacked column chart:
-
-
-*Query results for alerts by OS and severity displayed as a stacked chart*
-
-#### Top ten device groups with alerts
-If you're dealing with a list of values that isn’t finite, you can use the `Top` operator to chart only the values with the most instances. For example, to get the top ten device groups with the most alerts, use the query below:
-
-```kusto
-DeviceAlertEvents
-| join DeviceInfo on DeviceId
-| summarize Count = count() by MachineGroup
-| top 10 by Count
-```
-Use the pie chart view to effectively show distribution across the top groups:
-
-
-*Pie chart showing distribution of alerts across device groups*
-
-#### Malware detections over time
-Using the `summarize` operator with the `bin()` function, you can check for events involving a particular indicator over time. The query below counts detections of an EICAR test file at 30 minute intervals to show spikes in detections of that file:
-
-```kusto
-DeviceEvents
-| where ActionType == "AntivirusDetection"
-| where SHA1 == "3395856ce81f2b7382dee72602f798b642f14140"
-| summarize Detections = count() by bin(Timestamp, 30m)
-```
-The line chart below clearly highlights time periods with more detections of the test malware:
-
-
-*Line chart showing the number of detections of a test malware over time*
-
-
-## Export tables and charts
-After running a query, select **Export** to save the results to local file. Your chosen view determines how the results are exported:
-
-- **Table view** — the query results are exported in tabular form as a Microsoft Excel workbook
-- **Any chart** — the query results are exported as a JPEG image of the rendered chart
-
-## Drill down from query results
-To view more information about entities, such as devices, files, users, IP addresses, and URLs, in your query results, simply click the entity identifier. This opens a detailed profile page for the selected entity.
-
-## Tweak your queries from the results
-Right-click a value in the result set to quickly enhance your query. You can use the options to:
-
-- Explicitly look for the selected value (`==`)
-- Exclude the selected value from the query (`!=`)
-- Get more advanced operators for adding the value to your query, such as `contains`, `starts with` and `ends with`
-
-
-
-## Filter the query results
-The filters displayed to the right provide a summary of the result set. Each column has its own section that lists the distinct values found for that column and the number of instances.
-
-Refine your query by selecting the `+` or `-` buttons on the values that you want to include or exclude and then selecting **Run query**.
-
-
-
-Once you apply the filter to modify the query and then run the query, the results are updated accordingly.
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Use shared queries](advanced-hunting-shared-queries.md)
-- [Understand the schema](advanced-hunting-schema-reference.md)
-- [Apply query best practices](advanced-hunting-best-practices.md)
-- [Custom detections overview](overview-custom-detections.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
deleted file mode 100644
index 6a0361489c..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
+++ /dev/null
@@ -1,76 +0,0 @@
----
-title: Advanced hunting schema reference
-description: Learn about the tables in the advanced hunting schema to understand the data you can run threat hunting queries on.
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, data
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 01/14/2020
----
-
-# Understand the advanced hunting schema
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-The [advanced hunting](advanced-hunting-overview.md) schema is made up of multiple tables that provide either event information or information about devices and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the advanced hunting schema.
-
-## Get schema information in the security center
-While constructing queries, use the built-in schema reference to quickly get the following information about each table in the schema:
-
-- **Tables description**—type of data contained in the table and the source of that data.
-- **Columns**—all the columns in the table.
-- **Action types**—possible values in the `ActionType` column representing the event types supported by the table. This is provided only for tables that contain event information.
-- **Sample query**—example queries that feature how the table can be utilized.
-
-### Access the schema reference
-To quickly access the schema reference, select the **View reference** action next to the table name in the schema representation. You can also select **Schema reference** to search for a table.
-
-
-
-## Learn the schema tables
-
-The following reference lists all the tables in the advanced hunting schema. Each table name links to a page describing the column names for that table.
-
-Table and column names are also listed within the Microsoft Defender Security Center, in the schema representation on the advanced hunting screen.
-
-| Table name | Description |
-|------------|-------------|
-| **[DeviceAlertEvents](advanced-hunting-devicealertevents-table.md)** | Alerts on Microsoft Defender Security Center |
-| **[DeviceInfo](advanced-hunting-deviceinfo-table.md)** | Device information, including OS information |
-| **[DeviceNetworkInfo](advanced-hunting-devicenetworkinfo-table.md)** | Network properties of devices, including adapters, IP and MAC addresses, as well as connected networks and domains |
-| **[DeviceProcessEvents](advanced-hunting-deviceprocessevents-table.md)** | Process creation and related events |
-| **[DeviceNetworkEvents](advanced-hunting-devicenetworkevents-table.md)** | Network connection and related events |
-| **[DeviceFileEvents](advanced-hunting-devicefileevents-table.md)** | File creation, modification, and other file system events |
-| **[DeviceRegistryEvents](advanced-hunting-deviceregistryevents-table.md)** | Creation and modification of registry entries |
-| **[DeviceLogonEvents](advanced-hunting-devicelogonevents-table.md)** | Sign-ins and other authentication events |
-| **[DeviceImageLoadEvents](advanced-hunting-deviceimageloadevents-table.md)** | DLL loading events |
-| **[DeviceEvents](advanced-hunting-deviceevents-table.md)** | Multiple event types, including events triggered by security controls such as Microsoft Defender Antivirus and exploit protection |
-| **[DeviceFileCertificateInfo](advanced-hunting-devicefilecertificateinfo-table.md)** | Certificate information of signed files obtained from certificate verification events on endpoints |
-| **[DeviceTvmSoftwareInventoryVulnerabilities](advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md)** | Inventory of software on devices as well as any known vulnerabilities in these software products |
-| **[DeviceTvmSoftwareVulnerabilitiesKB ](advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md)** | Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available |
-| **[DeviceTvmSecureConfigurationAssessment](advanced-hunting-devicetvmsecureconfigurationassessment-table.md)** | Threat & Vulnerability Management assessment events, indicating the status of various security configurations on devices |
-| **[DeviceTvmSecureConfigurationAssessmentKB](advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md)** | Knowledge base of various security configurations used by Threat & Vulnerability Management to assess devices; includes mappings to various standards and benchmarks |
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Work with query results](advanced-hunting-query-results.md)
-- [Learn the query language](advanced-hunting-query-language.md)
-- [Advanced hunting data schema changes](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/advanced-hunting-data-schema-changes/ba-p/1043914)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md
deleted file mode 100644
index 4eb3858c7f..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md
+++ /dev/null
@@ -1,69 +0,0 @@
----
-title: Use shared queries in advanced hunting
-description: Start threat hunting immediately with predefined and shared queries. Share your queries to the public or to your organization.
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, github repo, my queries, shared queries
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Use shared queries in advanced hunting
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
-
-[Advanced hunting](advanced-hunting-overview.md) queries can be shared among users in the same organization. You can also find queries shared publicly on GitHub. These queries let you quickly pursue specific threat hunting scenarios without having to write queries from scratch.
-
-
-
-## Save, modify, and share a query
-You can save a new or existing query so that it is only accessible to you or shared with other users in your organization.
-
-1. Type a new query or load an existing one from under **Shared queries** or **My queries**.
-
-2. Select **Save** or **Save as** from the save options. To avoid overwriting an existing query, choose **Save as**.
-
-3. Enter a name for the query.
-
- 
-
-4. Select the folder where you'd like to save the query.
- - **Shared queries** — shared to all users in the your organization
- - **My queries** — accessible only to you
-
-5. Select **Save**.
-
-## Delete or rename a query
-1. Right-click on a query you want to rename or delete.
-
- 
-
-2. Select **Delete** and confirm deletion. Or select **Rename** and provide a new name for the query.
-
-## Create a direct link to a query
-To generate a link that opens your query directly in the advanced hunting query editor, finalize your query and select **Share link**.
-
-## Access queries in the GitHub repository
-Microsoft security researchers regularly share advanced hunting queries in a [designated public repository on GitHub](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). This repository is open to contributions. To contribute, [join GitHub for free](https://github.com/).
-
->[!TIP]
->Microsoft security researchers also provide advanced hunting queries that you can use to locate activities and indicators associated with emerging threats. These queries are provided as part of the [threat analytics](threat-analytics.md) reports in Microsoft Defender Security Center.
-
-## Related topics
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the query language](advanced-hunting-query-language.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md
deleted file mode 100644
index 5e96430994..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md
+++ /dev/null
@@ -1,41 +0,0 @@
----
-title: Alerts queue in Microsoft Defender Security Center
-ms.reviewer:
-description: View and manage the alerts surfaced in Microsoft Defender Security Center
-keywords:
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.date: 09/03/2018
----
-
-# Alerts queue in Microsoft Defender Security Center
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-Learn how you can view and manage the queue so that you can effectively investigate threats seen on entities such as devices, files, or user accounts.
-
-
-## In this section
-Topic | Description
-:---|:---
-[View and organize the Alerts queue](alerts-queue.md) | Shows a list of alerts that were flagged in your network.
-[Manage alerts](manage-alerts.md) | Learn about how you can manage alerts such as change its status, assign it to a security operations member, and see the history of an alert.
-[Investigate alerts](investigate-alerts.md)| Investigate alerts that are affecting your network, understand what they mean, and how to resolve them.
-[Investigate files](investigate-files.md)| Investigate the details of a file associated with a specific alert, behaviour, or event.
-[Investigate devices](investigate-machines.md)| Investigate the details of a device associated with a specific alert, behaviour, or event.
-[Investigate an IP address](investigate-ip.md) | Examine possible communication between devices in your network and external internet protocol (IP) addresses.
-[Investigate a domain](investigate-domain.md) | Investigate a domain to see if devices and servers in your network have been communicating with a known malicious domain.
-[Investigate a user account](investigate-user.md) | Identify user accounts with the most active alerts and investigate cases of potential compromised credentials.
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
deleted file mode 100644
index 9bf8d26a01..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
+++ /dev/null
@@ -1,148 +0,0 @@
----
-title: View and organize the Microsoft Defender ATP Alerts queue
-description: Learn about how the Microsoft Defender ATP alerts queues work, and how to sort and filter lists of alerts.
-keywords: alerts, queues, alerts queue, sort, order, filter, manage alerts, new, in progress, resolved, newest, time in queue, severity, time period, microsoft threat experts alerts
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 03/27/2020
----
-
-# View and organize the Microsoft Defender Advanced Threat Protection Alerts queue
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-alertsq-abovefoldlink)
-
-The **Alerts queue** shows a list of alerts that were flagged from devices in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view. The most recent alerts are showed at the top of the list helping you see the most recent alerts first.
-
->[!NOTE]
->The alerts queue is significantly reduced with automated investigation and remediation, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. When an alert contains a supported entity for automated investigation (for example, a file) in a device that has a supported operating system for it, an automated investigation and remediation can start. For more information on automated investigations, see [Overview of Automated investigations](automated-investigations.md).
-
-There are several options you can choose from to customize the alerts queue view.
-
-On the top navigation you can:
-
-- Select grouped view or list view
-- Customize columns to add or remove columns
-- Select the items to show per page
-- Navigate between pages
-- Apply filters
-
-
-
-## Sort, filter, and group the alerts queue
-
-You can apply the following filters to limit the list of alerts and get a more focused view the alerts.
-
-### Severity
-
-Alert severity | Description
-:---|:---
-High (Red) | Alerts commonly seen associated with advanced persistent threats (APT). These alerts indicate a high risk because of the severity of damage they can inflict on devices. Some examples are: credential theft tools activities, ransomware activities not associated with any group, tampering with security sensors, or any malicious activities indicative of a human adversary.
-Medium (Orange) | Alerts from endpoint detection and response post-breach behaviors that might be a part of an advanced persistent threat (APT). This includes observed behaviors typical of attack stages, anomalous registry change, execution of suspicious files, and so forth. Although some might be part of internal security testing, it requires investigation as it might also be a part of an advanced attack.
-Low (Yellow) | Alerts on threats associated with prevalent malware. For example, hack-tools, non-malware hack tools, such as running exploration commands, clearing logs, etc., that often do not indicate an advanced threat targeting the organization. It could also come from an isolated security tool testing by a user in your organization.
-Informational (Grey) | Alerts that might not be considered harmful to the network but can drive organizational security awareness on potential security issues.
-
-#### Understanding alert severity
-
-Microsoft Defender Antivirus (Microsoft Defender AV) and Microsoft Defender ATP alert severities are different because they represent different scopes.
-
-The Microsoft Defender AV threat severity represents the absolute severity of the detected threat (malware), and is assigned based on the potential risk to the individual device, if infected.
-
-The Microsoft Defender ATP alert severity represents the severity of the detected behavior, the actual risk to the device but more importantly the potential risk to the organization.
-
-So, for example:
-
-- The severity of a Microsoft Defender ATP alert about a Microsoft Defender AV detected threat that was completely prevented and did not infect the device is categorized as "Informational" because there was no actual damage.
-- An alert about a commercial malware was detected while executing, but blocked and remediated by Microsoft Defender AV, is categorized as "Low" because it may have caused some damage to the individual device but poses no organizational threat.
-- An alert about malware detected while executing which can pose a threat not only to the individual device but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High".
-- Suspicious behavioral alerts, which weren't blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations.
-
-#### Understanding alert categories
-
-We've redefined the alert categories to align to the [enterprise attack tactics](https://attack.mitre.org/tactics/enterprise/) in the [MITRE ATT&CK matrix](https://attack.mitre.org/). New category names apply to all new alerts. Existing alerts will keep the previous category names.
-
-The table below lists the current categories and how they generally map to previous categories.
-
-| New category | Previous categories | Detected threat activity or component |
-|----------------------|----------------------|-------------|
-| Collection | - | Locating and collecting data for exfiltration |
-| Command and control | CommandAndControl | Connecting to attacker-controlled network infrastructure to relay data or receive commands |
-| Credential access | CredentialTheft | Obtaining valid credentials to extend control over devices and other resources in the network |
-| Defense evasion | - | Avoiding security controls by, for example, turning off security apps, deleting implants, and running rootkits |
-| Discovery | Reconnaissance, WebFingerprinting | Gathering information about important devices and resources, such as administrator computers, domain controllers, and file servers |
-| Execution | Delivery, MalwareDownload | Launching attacker tools and malicious code, including RATs and backdoors |
-| Exfiltration | Exfiltration | Extracting data from the network to an external, attacker-controlled location |
-| Exploit | Exploit | Exploit code and possible exploitation activity |
-| Initial access | SocialEngineering, WebExploit, DocumentExploit | Gaining initial entry to the target network, usually involving password-guessing, exploits, or phishing emails |
-| Lateral movement | LateralMovement, NetworkPropagation | Moving between devices in the target network to reach critical resources or gain network persistence |
-| Malware | Malware, Backdoor, Trojan, TrojanDownloader, CredentialStealing, Weaponization, RemoteAccessTool | Backdoors, trojans, and other types of malicious code |
-| Persistence | Installation, Persistence | Creating autostart extensibility points (ASEPs) to remain active and survive system restarts |
-| Privilege escalation | PrivilegeEscalation | Obtaining higher permission levels for code by running it in the context of a privileged process or account |
-| Ransomware | Ransomware | Malware that encrypts files and extorts payment to restore access |
-| Suspicious activity | General, None, NotApplicable, EnterprisePolicy, SuspiciousNetworkTraffic | Atypical activity that could be malware activity or part of an attack |
-| Unwanted software | UnwantedSoftware | Low-reputation apps and apps that impact productivity and the user experience; detected as potentially unwanted applications (PUAs) |
-
-
-### Status
-
-You can choose to limit the list of alerts based on their status.
-
-### Investigation state
-
-Corresponds to the automated investigation state.
-
-### Category
-
-You can choose to filter the queue to display specific types of malicious activity.
-
-### Assigned to
-
-You can choose between showing alerts that are assigned to you or automation.
-
-### Detection source
-
-Select the source that triggered the alert detection. Microsoft Threat Experts preview participants can now filter and see detections from the new threat experts-managed hunting service.
-
->[!NOTE]
->The Antivirus filter will only appear if devices are using Microsoft Defender Antivirus as the default real-time protection antimalware product.
-
-
-### OS platform
-
-Limit the alerts queue view by selecting the OS platform that you're interested in investigating.
-
-### Device group
-
-If you have specific device groups that you're interested in checking, you can select the groups to limit the alerts queue view.
-
-### Associated threat
-
-Use this filter to focus on alerts that are related to high profile threats. You can see the full list of high-profile threats in [Threat analytics](threat-analytics.md).
-
-## Related topics
-
-- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md)
-- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md)
-- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md)
-- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md)
-- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md)
-- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md)
-- [Investigate a user account in Microsoft Defender ATP](investigate-user.md)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md
deleted file mode 100644
index 67ed2be93e..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md
+++ /dev/null
@@ -1,107 +0,0 @@
----
-title: Get alerts API
-description: Learn about the methods and properties of the Alert resource type in Microsoft Defender Advanced Threat Protection.
-keywords: apis, graph api, supported apis, get, alerts, recent
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Alert resource type
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-## Methods
-
-Method |Return Type |Description
-:---|:---|:---
-[Get alert](get-alert-info-by-id.md) | [Alert](alerts.md) | Get a single [alert](alerts.md) object.
-[List alerts](get-alerts.md) | [Alert](alerts.md) collection | List [alert](alerts.md) collection.
-[Update alert](get-alerts.md) | [Alert](update-alert.md) | Update specific [alert](alerts.md).
-[Create alert](create-alert-by-reference.md)|[Alert](alerts.md)|Create an alert based on event data obtained from [Advanced Hunting](run-advanced-query-api.md).
-[List related domains](get-alert-related-domain-info.md)|Domain collection| List URLs associated with the alert.
-[List related files](get-alert-related-files-info.md) | [File](files.md) collection | List the [file](files.md) entities that are associated with the [alert](alerts.md).
-[List related IPs](get-alert-related-ip-info.md) | IP collection | List IPs that are associated with the alert.
-[Get related machines](get-alert-related-machine-info.md) | [Machine](machine.md) | The [machine](machine.md) that is associated with the [alert](alerts.md).
-[Get related users](get-alert-related-user-info.md) | [User](user.md) | The [user](user.md) that is associated with the [alert](alerts.md).
-
-
-## Properties
-
-Property | Type | Description
-:---|:---|:---
-id | String | Alert ID.
-title | String | Alert title.
-description | String | Alert description.
-alertCreationTime | Nullable DateTimeOffset | The date and time (in UTC) the alert was created.
-lastEventTime | Nullable DateTimeOffset | The last occurrence of the event that triggered the alert on the same device.
-firstEventTime | Nullable DateTimeOffset | The first occurrence of the event that triggered the alert on that device.
-lastUpdateTime | Nullable DateTimeOffset | The date and time (in UTC) the alert was last updated.
-resolvedTime | Nullable DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'.
-incidentId | Nullable Long | The [Incident](view-incidents-queue.md) ID of the Alert.
-investigationId | Nullable Long | The [Investigation](automated-investigations.md) ID related to the Alert.
-investigationState | Nullable Enum | The current state of the [Investigation](automated-investigations.md). Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign', 'Failed', 'PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert'.
-assignedTo | String | Owner of the alert.
-severity | Enum | Severity of the alert. Possible values are: 'UnSpecified', 'Informational', 'Low', 'Medium' and 'High'.
-status | Enum | Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'.
-classification | Nullable Enum | Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'.
-determination | Nullable Enum | Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'.
-category| String | Category of the alert.
-detectionSource | String | Detection source.
-threatFamilyName | String | Threat family.
-machineId | String | ID of a [machine](machine.md) entity that is associated with the alert.
-computerDnsName | String | [machine](machine.md) fully qualified name.
-aadTenantId | String | The Azure Active Directory ID.
-comments | List of Alert comments | Alert Comment is an object that contains: comment string, createdBy string and createTime date time.
-
-### Response example for getting single alert:
-
-```
-GET https://api.securitycenter.windows.com/api/alerts/da637084217856368682_-292920499
-```
-
-```json
-{
- "id": "da637084217856368682_-292920499",
- "incidentId": 66860,
- "investigationId": 4416234,
- "investigationState": "Running",
- "assignedTo": "secop@contoso.com",
- "severity": "Low",
- "status": "New",
- "classification": "TruePositive",
- "determination": null,
- "detectionSource": "WindowsDefenderAtp",
- "category": "CommandAndControl",
- "threatFamilyName": null,
- "title": "Network connection to a risky host",
- "description": "A network connection was made to a risky host which has exhibited malicious activity.",
- "alertCreationTime": "2019-11-03T23:49:45.3823185Z",
- "firstEventTime": "2019-11-03T23:47:16.2288822Z",
- "lastEventTime": "2019-11-03T23:47:51.2966758Z",
- "lastUpdateTime": "2019-11-03T23:55:52.6Z",
- "resolvedTime": null,
- "machineId": "986e5df8b73dacd43c8917d17e523e76b13c75cd",
- "comments": [
- {
- "comment": "test comment for docs",
- "createdBy": "secop@contoso.com",
- "createdTime": "2019-11-05T14:08:37.8404534Z"
- }
- ]
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-configure.md b/windows/security/threat-protection/microsoft-defender-atp/android-configure.md
deleted file mode 100644
index 6edfd475aa..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/android-configure.md
+++ /dev/null
@@ -1,58 +0,0 @@
----
-title: Configure Microsoft Defender ATP for Android features
-ms.reviewer:
-description: Describes how to configure Microsoft Defender ATP for Android
-keywords: microsoft, defender, atp, android, configuration
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
----
-
-# Configure Microsoft Defender ATP for Android features
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Android](microsoft-defender-atp-android.md)
-
-## Conditional Access with Microsoft Defender ATP for Android
-Microsoft Defender ATP for Android along with Microsoft Intune and Azure Active
-Directory enables enforcing Device compliance and Conditional Access policies
-based on device risk levels. Microsoft Defender ATP is a Mobile Threat Defense
-(MTD) solution that you can deploy to leverage this capability via Intune.
-
-For more information about how to set up Microsoft Defender ATP for Android and Conditional Access, see [Microsoft Defender ATP and
-Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection).
-
-
-## Configure custom indicators
-
->[!NOTE]
-> Microsoft Defender ATP for Android only supports creating custom indicators for IP addresses and URLs/domains.
-
-Microsoft Defender ATP for Android enables admins to configure custom indicators to support Android devices as well. For more information on how to configure custom indicators, see [Manage indicators](manage-indicators.md).
-
-## Configure web protection
-Microsoft Defender ATP for Android allows IT Administrators the ability to configure the web protection feature. This capability is available within the Microsoft Endpoint Manager Admin center.
-
->[!NOTE]
-> Microsoft Defender ATP for Android would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.
-For more information, see [Configure web protection on devices that run Android](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection-manage-android).
-
-
-## Related topics
-- [Overview of Microsoft Defender ATP for Android](microsoft-defender-atp-android.md)
-- [Deploy Microsoft Defender ATP for Android with Microsoft Intune](android-intune.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-intune.md b/windows/security/threat-protection/microsoft-defender-atp/android-intune.md
deleted file mode 100644
index b70734bf7c..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/android-intune.md
+++ /dev/null
@@ -1,279 +0,0 @@
----
-title: Deploy Microsoft Defender ATP for Android with Microsoft Intune
-ms.reviewer:
-description: Describes how to deploy Microsoft Defender ATP for Android with Microsoft Intune
-keywords: microsoft, defender, atp, android, installation, deploy, uninstallation,
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
----
-
-# Deploy Microsoft Defender ATP for Android with Microsoft Intune
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Android](microsoft-defender-atp-android.md)
-
-This topic describes deploying Microsoft Defender ATP for Android on Intune
-Company Portal enrolled devices. For more information about Intune device enrollment, see [Enroll your
-device](https://docs.microsoft.com/mem/intune/user-help/enroll-device-android-company-portal).
-
-
-> [!NOTE]
-> **Microsoft Defender ATP for Android is now available on [Google Play](https://play.google.com/store/apps/details?id=com.microsoft.scmx)**
-> You can connect to Google Play from Intune to deploy Microsoft Defender ATP app across Device Administrator and Android Enterprise entrollment modes.
- Updates to the app are automatic via Google Play.
-
-## Deploy on Device Administrator enrolled devices
-
-**Deploy Microsoft Defender ATP for Android on Intune Company Portal - Device
-Administrator enrolled devices**
-
-This topic describes how to deploy Microsoft Defender ATP for Android on Intune Company Portal - Device Administrator enrolled devices.
-
-### Add as Android store app
-
-1. In [Microsoft Endpoint Manager admin
-center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>
-**Android Apps** \> **Add \> Android store app** and click **Select**.
-
- 
-
-
-2. On the **Add app** page and in the *App Information* section enter:
-
- - **Name**
- - **Description**
- - **Publisher** as Microsoft.
- - **Appstore URL** as https://play.google.com/store/apps/details?id=com.microsoft.scmx (Microsoft Defender ATP app Google Play Store URL)
-
- Other fields are optional. Select **Next**.
-
- 
-
-3. In the *Assignments* section, go to the **Required** section and select **Add group.** You can then choose the user group(s) that you would like to target Microsoft Defender ATP for Android app. Click **Select** and then **Next**.
-
- >[!NOTE]
- >The selected user group should consist of Intune enrolled users.
-
- > [!div class="mx-imgBorder"]
- > 
-
-
-4. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**.
-
- In a few moments, the Microsoft Defender ATP app would be created successfully, and a notification would show up at the top-right corner of the page.
-
- 
-
-
-5. In the app information page that is displayed, in the **Monitor** section,
-select **Device install status** to verify that the device installation has
-completed successfully.
-
- > [!div class="mx-imgBorder"]
- > 
-
-
-### Complete onboarding and check status
-
-1. Once Microsoft Defender ATP for Android has been installed on the device, you'll see the app icon.
-
- 
-
-2. Tap the Microsoft Defender ATP app icon and follow the on-screen instructions
-to complete onboarding the app. The details include end-user acceptance of Android permissions required by Microsoft Defender ATP for Android.
-
-3. Upon successful onboarding, the device will start showing up on the Devices
-list in Microsoft Defender Security Center.
-
- 
-
-## Deploy on Android Enterprise enrolled devices
-
-Microsoft Defender ATP for Android supports Android Enterprise enrolled devices.
-
-For more information on the enrollment options supported by Intune, see
-[Enrollment
-Options](https://docs.microsoft.com/mem/intune/enrollment/android-enroll) .
-
-Currently only Personal devices with Work Profile enrolled are supported for deployment.
-
-
-
-## Add Microsoft Defender ATP for Android as a Managed Google Play app
-
-Follow the steps below to add Microsoft
-Defender ATP app into your managed Google Play.
-
-1. In [Microsoft Endpoint Manager admin
-center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>
-**Android Apps** \> **Add** and select **Managed Google Play app**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-
-2. On your managed Google Play page that loads subsequently, go to the search
-box and lookup **Microsoft Defender.** Your search should display the Microsoft
-Defender ATP app in your Managed Google Play. Click on the Microsoft Defender
-ATP app from the Apps search result.
-
- 
-
-3. In the App description page that comes up next, you should be able to see app
-details on Microsoft Defender ATP. Review the information on the page and then
-select **Approve**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-
-4. You should now be presented with the permissions that Microsoft Defender ATP
-obtains for it to work. Review them and then select **Approve**.
-
- 
-
-
-5. You'll be presented with the Approval settings page. The page confirms
-your preference to handle new app permissions that Microsoft Defender ATP for
-Android might ask. Review the choices and select your preferred option. Select
-**Done**.
-
- By default, managed Google Play selects *Keep approved when app requests new
-permissions*
-
- > [!div class="mx-imgBorder"]
- > 
-
-
-6. After the permissions handling selection is made, select **Sync** to sync
-Microsoft Defender ATP to your apps list.
-
- > [!div class="mx-imgBorder"]
- > 
-
-
-7. The sync will complete in a few minutes.
-
- 
-
-8. Select the **Refresh** button in the Android apps screen and Microsoft
-Defender ATP should be visible in the apps list.
-
- > [!div class="mx-imgBorder"]
- > 
-
-
-9. Microsoft Defender ATP supports App configuration policies for managed devices via Intune. This capability can be leveraged to autogrant applicable Android permission(s), so the end user does not need to accept these permission(s).
-
- 1. In the **Apps** page, go to **Policy > App configuration policies > Add > Managed devices**.
-
- 
-
- 1. In the **Create app configuration policy** page, enter the following details:
-
- - Name: Microsoft Defender ATP.
- - Choose **Android Enterprise** as platform.
- - Choose **Work Profile only** as Profile Type.
- - Click **Select App**, choose **Microsoft Defender ATP**, select **OK** and then **Next**.
-
- > [!div class="mx-imgBorder"]
- > 
-
- 1. In the **Settings** page, go to the Permissions section click on Add to view the list of supported permissions. In the Add Permissions section, select the following permissions:
-
- - External storage (read)
- - External storage (write)
-
- Then select **OK**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-
- 1. You should now see both the permissions listed and now you can autogrant both by choosing autogrant in the **Permission state** drop-down and then select **Next**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-
- 1. In the **Assignments** page, select the user group to which this app config policy would be assigned to. Click **Select groups to include** and selecting the applicable group and then selecting **Next**. The group selected here is usually the same group to which you would assign Microsoft Defender ATP Android app.
-
- > [!div class="mx-imgBorder"]
- > 
-
-
- 1. In the **Review + Create** page that comes up next, review all the information and then select **Create**.
-
- The app configuration policy for Microsoft Defender ATP auto-granting the storage permission is now assigned to the selected user group.
-
- > [!div class="mx-imgBorder"]
- > 
-
-
-10. Select **Microsoft Defender ATP** app in the list \> **Properties** \>
-**Assignments** \> **Edit**.
-
- 
-
-
-11. Assign the app as a *Required* app to a user group. It is automatically installed in the *work profile* during the next sync of
-the device via Company Portal app. This assignment can be done by navigating to
-the *Required* section \> **Add group,** selecting the user group and click
-**Select**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-
-12. In the **Edit Application** page, review all the information that was entered
-above. Then select **Review + Save** and then **Save** again to commence
-assignment.
-
-## Complete onboarding and check status
-
-1. Confirm the installation status of Microsoft Defender ATP for Android by
-clicking on the **Device Install Status**. Verify that the device is
-displayed here.
-
- > [!div class="mx-imgBorder"]
- > 
-
-
-2. On the device, you can confirm the same by going to the **work profile** and
-confirm that Microsoft Defender ATP is available.
-
- 
-
-3. When the app is installed, open the app and accept the permissions
-and then your onboarding should be successful.
-
- 
-
-4. At this stage the device is successfully onboarded onto Microsoft Defender
-ATP for Android. You can verify this on the [Microsoft Defender Security
-Center](https://securitycenter.microsoft.com)
-by navigating to the **Devices** page.
-
- 
-
-
-## Related topics
-- [Overview of Microsoft Defender ATP for Android](microsoft-defender-atp-android.md)
-- [Configure Microsoft Defender ATP for Android features](android-configure.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/android-privacy.md
deleted file mode 100644
index 800e262876..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/android-privacy.md
+++ /dev/null
@@ -1,111 +0,0 @@
----
-title: Microsoft Defender ATP for Android - Privacy information
-description: Privacy controls, how to configure policy settings that impact privacy and information about the diagnostic data collected in Microsoft Defender ATP for Android.
-keywords: microsoft, defender, atp, android, privacy, diagnostic
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Microsoft Defender ATP for Android - Privacy information
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Android](microsoft-defender-atp-android.md)
-
-
-Microsoft Defender ATP for Android collects information from your configured
-Android devices and stores it in the same tenant where you have Microsoft
-Defender ATP.
-
-Information is collected to help keep Microsoft Defender ATP for Android secure,
-up-to-date, performing as expected and to support the service.
-
-## Required Data
-
-Required data consists of data that is necessary to make Microsoft Defender ATP
-for Android work as expected. This data is essential to the operation of the
-service and can include data related to the end user, organization, device, and
-apps. Here's a list of the types of data being collected:
-
-### App information
-
-Information about Android application packages (APKs) on the device including
-
-- Install source
-- Storage location (file path) of the APK
-- Time of install, size of APK and permissions
-
-### Web page / Network information
-
-- Full URL (on supported browsers), when clicked
-- Connection information
-- Protocol type (such as HTTP, HTTPS, etc.)
-
-
-### Device and account information
-
-- Device information such as date & time, Android version, OEM model, CPU
- info, and Device identifier
-- Device identifier is one of the below:
- - Wi-Fi adapter MAC address
- - [Android
- ID](https://developer.android.com/reference/android/provider/Settings.Secure#ANDROID_ID)
- (as generated by Android at the time of first boot of the device)
- - Randomly generated globally unique identifier (GUID)
-
-- Tenant, Device and User information
- - Azure Active Directory (AD) Device ID and Azure User ID: Uniquely
- identifies the device, User respectively at Azure Active directory.
-
- - Azure tenant ID - GUID that identifies your organization within
- Azure Active Directory
-
- - Microsoft Defender ATP org ID - Unique identifier associated with
- the enterprise that the device belongs to. Allows Microsoft to
- identify whether issues are impacting a select set of enterprises
- and how many enterprises are impacted
-
- - User Principal Name – Email ID of the user
-
-### Product and service usage data
-- App package info, including name, version, and app upgrade status
-
-- Actions performed in the app
-
-- Threat detection information, such as threat name, category, etc.
-
-- Crash report logs generated by Android
-
-## Optional Data
-
-Optional data includes diagnostic data and feedback data. Optional diagnostic
-data is additional data that helps us make product improvements and provides
-enhanced information to help us detect, diagnose, and fix issues. Optional
-diagnostic data includes:
-
-- App, CPU, and network usage
-
-- State of the device from the app perspective, including scan status, scan
- timings, app permissions granted, and upgrade status
-
-- Features configured by the admin
-
-- Basic information about the browsers on the device
-
-**Feedback Data** is collected through in-app feedback provided by the user
-
-- The user’s email address, if they choose to provide it
-
-- Feedback type (smile, frown, idea) and any feedback comments submitted by
- the user
diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md b/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md
deleted file mode 100644
index d2d946c3fb..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md
+++ /dev/null
@@ -1,100 +0,0 @@
----
-title: Troubleshoot issues on Microsoft Defender ATP for Android
-ms.reviewer:
-description: Troubleshoot issues for Microsoft Defender ATP for Android
-keywords: microsoft, defender, atp, android, cloud, connectivity, communication
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
----
-
-# Troubleshooting issues on Microsoft Defender ATP for Android
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for
- Android](microsoft-defender-atp-android.md)
-
-During onboarding, you might encounter sign in issues after the app is installed on your device.
-
-This article provides solutions to address the sign on issues.
-
-## Sign in failed - unexpected error
-**Sign in failed:** *Unexpected error, try later*
-
-
-
-**Message:**
-
-Unexpected error, try later
-
-**Cause:**
-
-You have an older version of "Microsoft Authenticator" app installed on your
-device.
-
-**Solution:**
-
-Install latest version and of [Microsoft
-Authenticator](https://play.google.com/store/apps/details?androidid=com.azure.authenticator)
-from Google Play Store and try again
-
-## Sign in failed - invalid license
-
-**Sign in failed:** *Invalid license, please contact administrator*
-
-
-
-**Message:** *Invalid license, please contact administrator*
-
-**Cause:**
-
-You do not have Microsoft 365 license assigned, or your organization does not
-have a license for Microsoft 365 Enterprise subscription.
-
-**Solution:**
-
-Contact your administrator for help.
-
-## Phishing pages are not blocked on specific OEM devices
-
-**Applies to:** Specific OEMs only
-
-- **Xiaomi**
-
-Phishing and harmful web connection threats detected by Microsoft Defender ATP
-for Android are not blocked on some Xiaomi devices. The following functionality does not work on these devices.
-
-
-
-
-**Cause:**
-
-Xiaomi devices introduced a new permission that prevents Microsoft Defender ATP
-for Android app from displaying pop-up windows while running in the background.
-
-Xiaomi devices permission: "Display pop-up windows while running in the
-background."
-
-
-
-**Solution:**
-
-Enable the required permission on Xiaomi devices.
-
-- Display pop-up windows while running in the background.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-terms.md b/windows/security/threat-protection/microsoft-defender-atp/android-terms.md
deleted file mode 100644
index 0d6e8dcd1c..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/android-terms.md
+++ /dev/null
@@ -1,232 +0,0 @@
----
-title: Microsoft Defender ATP for Android Application license terms
-ms.reviewer:
-description: Describes the Microsoft Defender ATP for Android license terms
-keywords: microsoft, defender, atp, android,license, terms, application, use, installation, service, feedback, scope,
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-hideEdit: true
----
-
-# Microsoft Defender ATP for Android application license terms
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Android](microsoft-defender-atp-android.md)
-
-## MICROSOFT APPLICATION LICENSE TERMS: MICROSOFT DEFENDER ATP
-
-These license terms ("Terms") are an agreement between Microsoft Corporation (or
-based on where you live, one of its affiliates) and you. Please read them. They
-apply to the application named above. These Terms also apply to any Microsoft
-
-- updates,
-
-- supplements,
-
-- Internet-based services, and
-
-- support services
-
-for this application, unless other terms accompany those items. If so, those
-terms apply.
-
-**BY USING THE APPLICATION, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM,
-DO NOT USE THE APPLICATION.**
-
-**If you comply with these Terms, you have the perpetual rights below.**
-
-1. **INSTALLATION AND USE RIGHTS.**
-
- 1. **Installation and Use.** You may install and use any number of copies
- of this application on Android enabled device or devices which you own
- or control. You may use this application with your company's valid
- subscription of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) or
- an online service that includes MDATP functionalities.
-
- 2. **Updates.** Updates or upgrades to MDATP may be required for full
- functionality. Some functionality may not be available in all countries.
-
- 3. **Third Party Programs.** The application may include third party
- programs that Microsoft, not the third party, licenses to you under this
- agreement. Notices, if any, for the third-party program are included for
- your information only.
-
-2. **INTERNET ACCESS MAY BE REQUIRED.** You may incur charges related to
- Internet access, data transfer and other services per the terms of the data
- service plan and any other agreement you have with your network operator due
- to use of the application. You are solely responsible for any network
- operator charges.
-
-3. **INTERNET-BASED SERVICES.** Microsoft provides Internet-based services with
- the application. It may change or cancel them at any time.
-
- 1. Consent for Internet-Based or Wireless Services. The application may
- connect to Internet-based wireless services. Your use of the application
- operates as your consent to the transmission of standard device
- information (including but not limited to technical information about
- your device, system and application software, and peripherals) for
- Internet-based or wireless services. If other terms are provided in
- connection with your use of the services, those terms also apply.
-
- - Data. Some online services require, or may be enhanced by, the
- installation of local software like this one. At your, or your
- admin's direction, this software may send data from a device to or
- from an online service.
-
- - Usage Data. Microsoft automatically collects usage and performance
- data over the internet. This data will be used to provide and
- improve Microsoft products and services and enhance your experience.
- You may limit or control collection of some usage and performance
- data through your device settings. Doing so may disrupt your use of
- certain features of the application. For additional information on
- Microsoft's data collection and use, see the [Online Services
- Terms](https://go.microsoft.com/fwlink/?linkid=2106777).
-
- 2. Misuse of Internet-based Services. You may not use any Internet-based
- service in any way that could harm it or impair anyone else's use of it
- or the wireless network. You may not use the service to try to gain
- unauthorized access to any service, data, account or network by any
- means.
-
-4. **FEEDBACK.** If you give feedback about the application to Microsoft, you
- give to Microsoft, without charge, the right to use, share and commercialize
- your feedback in any way and for any purpose. You also give to third
- parties, without charge, any patent rights needed for their products,
- technologies and services to use or interface with any specific parts of a
- Microsoft software or service that includes the feedback. You will not give
- feedback that is subject to a license that requires Microsoft to license its
- software or documentation to third parties because we include your feedback
- in them. These rights survive this agreement.
-
-5. **SCOPE OF LICENSE.** The application is licensed, not sold. This agreement
- only gives you some rights to use the application. Microsoft reserves all
- other rights. Unless applicable law gives you more rights despite this
- limitation, you may use the application only as expressly permitted in this
- agreement. In doing so, you must comply with any technical limitations in
- the application that only allow you to use it in certain ways. You may not
-
- - work around any technical limitations in the application;
-
- - reverse engineer, decompile or disassemble the application, except and
- only to the extent that applicable law expressly permits, despite this
- limitation;
-
- - make more copies of the application than specified in this agreement or
- allowed by applicable law, despite this limitation;
-
- - publish the application for others to copy;
-
- - rent, lease or lend the application; or
-
- - transfer the application or this agreement to any third party.
-
-6. **EXPORT RESTRICTIONS.** The application is subject to United States export
- laws and regulations. You must comply with all domestic and international
- export laws and regulations that apply to the application. These laws
- include restrictions on destinations, end users and end use. For additional
- information,
- see[www.microsoft.com/exporting](https://www.microsoft.com/exporting).
-
-7. **SUPPORT SERVICES.** Because this application is "as is," we may not
- provide support services for it. If you have any issues or questions about
- your use of this application, including questions about your company's
- privacy policy, please contact your company's admin. Do not contact the
- application store, your network operator, device manufacturer, or Microsoft.
- The application store provider has no obligation to furnish support or
- maintenance with respect to the application.
-
-8. **APPLICATION STORE.**
-
- 1. If you obtain the application through an application store (e.g., Google
- Play), please review the applicable application store terms to ensure
- your download and use of the application complies with such terms.
- Please note that these Terms are between you and Microsoft and not with
- the application store.
-
- 2. The respective application store provider and its subsidiaries are third
- party beneficiaries of these Terms, and upon your acceptance of these
- Terms, the application store provider(s) will have the right to directly
- enforce and rely upon any provision of these Terms that grants them a
- benefit or rights.
-
-9. **TRADEMARK NOTICES.** Microsoft, Microsoft Defender ATP, MDATP, and
- Microsoft 365 are registered or common-law trademarks of Microsoft
- Corporation in the United States and/or other countries.
-
-10. **ENTIRE AGREEMENT.** This agreement and the terms for supplements, updates,
- Internet-based services, and support services that you use are the entire
- agreement for the application and support services.
-
-11. **APPLICABLE LAW.**
-
- 1. **United States.** If you acquired the application in the United States,
- Washington state law governs the interpretation of this agreement and
- applies to claims for breach of it, regardless of conflict of laws
- principles. The laws of the state where you live govern all other
- claims, including claims under state consumer protection laws, unfair
- competition laws, and in tort.
-
- 2. **Outside the United States.** If you acquired the application in any
- other country, the laws of that country apply.
-
-12. **LEGAL EFFECT.** This agreement describes certain legal rights. You may
- have other rights under the laws of your country. You may also have rights
- with respect to the party from whom you acquired the application. This
- agreement does not change your rights under the laws of your country if the
- laws of your country do not permit it to do so.
-
-13. **DISCLAIMER OF WARRANTY. THE APPLICATION IS LICENSED "AS-IS." "WITH ALL
- FAULTS," AND "AS AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND
- WIRELESS CARRIERS OVER WHOSE NETWORK THE APPLICATION IS DISTRIBUTED, AND
- EACH OF OUR RESPECTIVE AFFILIATES, AND SUPPLIERS ("COVERED PARTIES") GIVE NO
- EXPRESS WARRANTIES, GUARANTEES OR CONDITIONS UNDER OR IN RELATION TO THE
- APPLICATION. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
- APPLICATION IS WITH YOU. SHOULD THE APPLICATION BE DEFECTIVE, YOU ASSUME THE
- ENTIRE COST OF ALL NECESSARY SERVICING OR REPAIR. YOU MAY HAVE ADDITIONAL
- CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO
- THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, COVERED PARTIES EXCLUDE THE
- IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
- NON-INFRINGEMENT.**
-
- **FOR AUSTRALIA - YOU HAVE STATUTORY GUARANTEES UNDER THE AUSTRALIAN CONSUMER LAW AND NOTHING IN THESE TERMS IS INTENDED TO AFFECT THOSE RIGHTS.**
-
-14. **LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. TO THE EXTENT NOT
- PROHIBITED BY LAW, YOU CAN RECOVER FROM MICROSOFT ONLY DIRECT DAMAGES UP TO
- ONE U.S. DOLLAR (\$1.00). YOU AGREE NOT TO SEEK TO RECOVER ANY OTHER
- DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR
- INCIDENTAL DAMAGES FROM ANY COVERED PARTIES.**
-
-This limitation applies to:
-
-- anything related to the application, services, content (including code) on
- third party Internet sites, or third party programs; and
-
-- claims for breach of contract, warranty, guarantee or condition; consumer
- protection; deception; unfair competition; strict liability, negligence,
- misrepresentation, omission, trespass or other tort; violation of statute or
- regulation; or unjust enrichment; all to the extent permitted by applicable
- law.
-
-It also applies even if:
-
-a. Repair, replacement or refund for the application does not fully compensate
- you for any losses; or
-
-b. Covered Parties knew or should have known about the possibility of the
- damages.
-
-The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md b/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md
deleted file mode 100644
index 7bc13986b1..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md
+++ /dev/null
@@ -1,68 +0,0 @@
----
-title: API Explorer in Microsoft Defender ATP
-ms.reviewer:
-description: Use the API Explorer to construct and do API queries, test, and send requests for any available API
-keywords: api, explorer, send, request, get, post,
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# API Explorer
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-The Microsoft Defender ATP API Explorer is a tool that helps you explore various Microsoft Defender ATP APIs interactively.
-
-The API Explorer makes it easy to construct and do API queries, test, and send requests for any available Microsoft Defender ATP API endpoint. Use the API Explorer to take actions or find data that might not yet be available through the user interface.
-
-The tool is useful during app development. It allows you to perform API queries that respect your user access settings, reducing the need to generate access tokens.
-
-You can also use the tool to explore the gallery of sample queries, copy result code samples, and generate debug information.
-
-With the API Explorer, you can:
-
-- Run requests for any method and see responses in real-time
-- Quickly browse through the API samples and learn what parameters they support
-- Make API calls with ease; no need to authenticate beyond the management portal sign in
-
-## Access API Explorer
-
-From the left navigation menu, select **Partners & APIs** > **API Explorer**.
-
-## Supported APIs
-
-API Explorer supports all the APIs offered by Microsoft Defender ATP.
-
-The list of supported APIs is available in the [APIs documentation](apis-intro.md).
-
-## Get started with the API Explorer
-
-1. In the left pane, there is a list of sample requests that you can use.
-2. Follow the links and click **Run query**.
-
-Some of the samples may require specifying a parameter in the URL, for example, {machine- ID}.
-
-## FAQ
-
-**Do I need to have an API token to use the API Explorer?**
-Credentials to access an API aren't needed. The API Explorer uses the Microsoft Defender ATP management portal token whenever it makes a request.
-
-The logged-in user authentication credential is used to verify that the API Explorer is authorized to access data on your behalf.
-
-Specific API requests are limited based on your RBAC privileges. For example, a request to "Submit indicator" is limited to the security admin role.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md b/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md
deleted file mode 100644
index 3163df4fcb..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md
+++ /dev/null
@@ -1,182 +0,0 @@
----
-title: Hello World for Microsoft Defender Advanced Threat Protection API
-ms.reviewer:
-description: Create a practice 'Hello world'-style API call to the Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) API.
-keywords: apis, supported apis, advanced hunting, query
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Microsoft Defender ATP API - Hello World
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-
-## Get Alerts using a simple PowerShell script
-
-### How long it takes to go through this example?
-It only takes 5 minutes done in two steps:
-- Application registration
-- Use examples: only requires copy/paste of a short PowerShell script
-
-### Do I need a permission to connect?
-For the Application registration stage, you must have a **Global administrator** role in your Azure Active Directory (Azure AD) tenant.
-
-### Step 1 - Create an App in Azure Active Directory
-
-1. Log on to [Azure](https://portal.azure.com) with your **Global administrator** user.
-
-2. Navigate to **Azure Active Directory** > **App registrations** > **New registration**.
-
- 
-
-3. In the registration form, choose a name for your application and then click **Register**.
-
-4. Allow your Application to access Microsoft Defender ATP and assign it **'Read all alerts'** permission:
-
- - On your application page, click **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**.
-
- - **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
-
- 
-
- - Choose **Application permissions** > **Alert.Read.All** > Click on **Add permissions**
-
- 
-
- **Important note**: You need to select the relevant permissions. 'Read All Alerts' is only an example!
-
- For instance,
-
- - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
- - To [isolate a machine](isolate-machine.md), select 'Isolate machine' permission
- - To determine which permission you need, please look at the **Permissions** section in the API you are interested to call.
-
-5. Click **Grant consent**
-
- - **Note**: Every time you add permission you must click on **Grant consent** for the new permission to take effect.
-
- 
-
-6. Add a secret to the application.
-
- - Click **Certificates & secrets**, add description to the secret and click **Add**.
-
- **Important**: After click Add, **copy the generated secret value**. You won't be able to retrieve after you leave!
-
- 
-
-7. Write down your application ID and your tenant ID:
-
- - On your application page, go to **Overview** and copy the following:
-
- 
-
-
-Done! You have successfully registered an application!
-
-### Step 2 - Get a token using the App and use this token to access the API.
-
-- Copy the script below to PowerShell ISE or to a text editor, and save it as "**Get-Token.ps1**"
-- Running this script will generate a token and will save it in the working folder under the name "**Latest-token.txt**".
-
-```
-# That code gets the App Context Token and save it to a file named "Latest-token.txt" under the current directory
-# Paste below your Tenant ID, App ID and App Secret (App key).
-
-$tenantId = '' ### Paste your tenant ID here
-$appId = '' ### Paste your Application ID here
-$appSecret = '' ### Paste your Application secret here
-
-$resourceAppIdUri = 'https://api.securitycenter.windows.com'
-$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token"
-$authBody = [Ordered] @{
- resource = "$resourceAppIdUri"
- client_id = "$appId"
- client_secret = "$appSecret"
- grant_type = 'client_credentials'
-}
-$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
-$token = $authResponse.access_token
-Out-File -FilePath "./Latest-token.txt" -InputObject $token
-return $token
-```
-
-- Sanity Check:
-Run the script.
-In your browser go to: https://jwt.ms/
-Copy the token (the content of the Latest-token.txt file).
-Paste in the top box.
-Look for the "roles" section. Find the Alert.Read.All role.
-
-
-
-### Lets get the Alerts!
-
-- The script below will use **Get-Token.ps1** to access the API and will get the past 48 hours Alerts.
-- Save this script in the same folder you saved the previous script **Get-Token.ps1**.
-- The script creates two files (json and csv) with the data in the same folder as the scripts.
-
-```
-# Returns Alerts created in the past 48 hours.
-
-$token = ./Get-Token.ps1 #run the script Get-Token.ps1 - make sure you are running this script from the same folder of Get-Token.ps1
-
-# Get Alert from the last 48 hours. Make sure you have alerts in that time frame.
-$dateTime = (Get-Date).ToUniversalTime().AddHours(-48).ToString("o")
-
-# The URL contains the type of query and the time filter we create above
-# Read more about other query options and filters at Https://TBD- add the documentation link
-$url = "https://api.securitycenter.windows.com/api/alerts?`$filter=alertCreationTime ge $dateTime"
-
-# Set the WebRequest headers
-$headers = @{
- 'Content-Type' = 'application/json'
- Accept = 'application/json'
- Authorization = "Bearer $token"
-}
-
-# Send the webrequest and get the results.
-$response = Invoke-WebRequest -Method Get -Uri $url -Headers $headers -ErrorAction Stop
-
-# Extract the alerts from the results.
-$alerts = ($response | ConvertFrom-Json).value | ConvertTo-Json
-
-# Get string with the execution time. We concatenate that string to the output file to avoid overwrite the file
-$dateTimeForFileName = Get-Date -Format o | foreach {$_ -replace ":", "."}
-
-# Save the result as json and as csv
-$outputJsonPath = "./Latest Alerts $dateTimeForFileName.json"
-$outputCsvPath = "./Latest Alerts $dateTimeForFileName.csv"
-
-Out-File -FilePath $outputJsonPath -InputObject $alerts
-($alerts | ConvertFrom-Json) | Export-CSV $outputCsvPath -NoTypeInformation
-```
-
-You’re all done! You have just successfully:
-- Created and registered and application
-- Granted permission for that application to read alerts
-- Connected the API
-- Used a PowerShell script to return alerts created in the past 48 hours
-
-
-
-## Related topic
-- [Microsoft Defender ATP APIs](exposed-apis-list.md)
-- [Access Microsoft Defender ATP with application context](exposed-apis-create-app-webapp.md)
-- [Access Microsoft Defender ATP with user context](exposed-apis-create-app-nativeapp.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md
deleted file mode 100644
index 8d06eb8f1b..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md
+++ /dev/null
@@ -1,84 +0,0 @@
----
-title: Microsoft Defender ATP Flow connector
-ms.reviewer:
-description: Use Microsoft Defender ATP Flow connector to automate security and create a flow that will be triggered any time a new alert occurs on your tenant.
-keywords: flow, supported apis, api, Microsoft flow, query, automation
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Microsoft Power Automate (formerly Microsoft Flow), and Azure Functions
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-Automating security procedures is a standard requirement for every modern Security Operations Center. The lack of professional cyber defenders forces SOC to work in the most efficient way and automation is a must. Microsoft Power Automate supports different connectors that were built exactly for that. You can build an end-to-end procedure automation within a few minutes.
-
-Microsoft Defender API has an official Flow Connector with many capabilities.
-
-
-
-## Usage example
-
-The following example demonstrates how to create a Flow that is triggered any time a new Alert occurs on your tenant.
-
-1. Log in to [Microsoft Power Automate](https://flow.microsoft.com).
-
-2. Go to **My flows** > **New** > **Automated-from blank**.
-
- 
-
-3. Choose a name for your Flow, search for "Microsoft Defender ATP Triggers" as the trigger, and then select the new Alerts trigger.
-
- 
-
-Now you have a Flow that is triggered every time a new Alert occurs.
-
-
-
-All you need to do now is choose your next steps.
-For example, you can isolate the device if the Severity of the Alert is High and send an email about it.
-The Alert trigger provides only the Alert ID and the Machine ID. You can use the connector to expand these entities.
-
-### Get the Alert entity using the connector
-
-1. Choose **Microsoft Defender ATP** for the new step.
-
-2. Choose **Alerts - Get single alert API**.
-
-3. Set the **Alert ID** from the last step as **Input**.
-
- 
-
-### Isolate the device if the Alert's severity is High
-
-1. Add **Condition** as a new step.
-
-2. Check if the Alert severity **is equal to** High.
-
- If yes, add the **Microsoft Defender ATP - Isolate machine** action with the Machine ID and a comment.
-
- 
-
-3. Add a new step for emailing about the Alert and the Isolation. There are multiple email connectors that are very easy to use, such as Outlook or Gmail.
-
-4. Save your flow.
-
-You can also create a **scheduled** flow that runs Advanced Hunting queries and much more!
-
-## Related topic
-- [Microsoft Defender ATP APIs](apis-intro.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
deleted file mode 100644
index 19a2f46e0c..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
+++ /dev/null
@@ -1,100 +0,0 @@
----
-title: Microsoft Defender ATP detections API fields
-description: Understand how the Detections API fields map to the values in Microsoft Defender Security Center
-keywords: detections, detections fields, fields, api, fields, pull Detections, rest api, request, response
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Microsoft Defender ATP detections API fields
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink)
-
-Understand what data fields are exposed as part of the detections API and how they map to Microsoft Defender Security Center.
-
->[!Note]
->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections.
->- **Microsoft Defender ATP Detection** is composed from the suspicious event occurred on the Device and its related **Alert** details.
->- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
-
-## Detections API fields and portal mapping
-The following table lists the available fields exposed in the detections API payload. It shows examples for the populated values and a reference on how data is reflected on the portal.
-
-The ArcSight field column contains the default mapping between the Microsoft Defender ATP fields and the built-in fields in ArcSight. You can download the mapping file from the portal when you enable the SIEM integration feature and you can modify it to match the needs of your organization. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md).
-
-Field numbers match the numbers in the images below.
-
-> [!div class="mx-tableFixed"]
->
-> | Portal label | SIEM field name | ArcSight field | Example value | Description |
-> |------------------|---------------------------|---------------------|------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-> | 1 | AlertTitle | name | Microsoft Defender AV detected 'Mikatz' high-severity malware | Value available for every Detection. |
-> | 2 | Severity | deviceSeverity | High | Value available for every Detection. |
-> | 3 | Category | deviceEventCategory | Malware | Value available for every Detection. |
-> | 4 | Detection source | sourceServiceName | Antivirus | Microsoft Defender Antivirus or Microsoft Defender ATP. Value available for every Detection. |
-> | 5 | MachineName | sourceHostName | desktop-4a5ngd6 | Value available for every Detection. |
-> | 6 | FileName | fileName | Robocopy.exe | Available for detections associated with a file or process. |
-> | 7 | FilePath | filePath | C:\Windows\System32\Robocopy.exe | Available for detections associated with a file or process. |
-> | 8 | UserDomain | sourceNtDomain | CONTOSO | The domain of the user context running the activity, available for Microsoft Defender ATP behavioral based detections. |
-> | 9 | UserName | sourceUserName | liz.bean | The user context running the activity, available for Microsoft Defender ATP behavioral based detections. |
-> | 10 | Sha1 | fileHash | 3da065e07b990034e9db7842167f70b63aa5329 | Available for detections associated with a file or process. |
-> | 11 | Sha256 | deviceCustomString6 | ebf54f745dc81e1958f75e4ca91dd0ab989fc9787bb6b0bf993e2f5 | Available for Microsoft Defender AV detections. |
-> | 12 | Md5 | deviceCustomString5 | db979c04a99b96d370988325bb5a8b21 | Available for Microsoft Defender AV detections. |
-> | 13 | ThreatName | deviceCustomString1 | HackTool:Win32/Mikatz!dha | Available for Microsoft Defender AV detections. |
-> | 14 | IpAddress | sourceAddress | 218.90.204.141 | Available for detections associated to network events. For example, 'Communication to a malicious network destination'. |
-> | 15 | Url | requestUrl | down.esales360.cn | Available for detections associated to network events. For example, 'Communication to a malicious network destination'. |
-> | 16 | RemediationIsSuccess | deviceCustomNumber2 | TRUE | Available for Microsoft Defender AV detections. ArcSight value is 1 when TRUE and 0 when FALSE. |
-> | 17 | WasExecutingWhileDetected | deviceCustomNumber1 | FALSE | Available for Microsoft Defender AV detections. ArcSight value is 1 when TRUE and 0 when FALSE. |
-> | 18 | AlertId | externalId | 636210704265059241_673569822 | Value available for every Detection. |
-> | 19 | LinkToWDATP | flexString1 | `https://securitycenter.windows.com/alert/636210704265059241_673569822` | Value available for every Detection. |
-> | 20 | AlertTime | deviceReceiptTime | 2017-05-07T01:56:59.3191352Z | The time the event occurred. Value available for every Detection. |
-> | 21 | MachineDomain | sourceDnsDomain | contoso.com | Domain name not relevant for AAD joined devices. Value available for every Detection. |
-> | 22 | Actor | deviceCustomString4 | BORON | Available for alerts related to a known actor group. |
-> | 21+5 | ComputerDnsName | No mapping | liz-bean.contoso.com | The device fully qualified domain name. Value available for every Detection. |
-> | | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For devices on Windows 10 version 1607, the domain information will not be available. |
-> | | InternalIPv4List | No mapping | 192.168.1.7, 10.1.14.1 | List of IPV4 internal IPs for active network interfaces. |
-> | | InternalIPv6List | No mapping | fd30:0000:0000:0001:ff4e:003e:0009:000e, FE80:CD00:0000:0CDE:1257:0000:211E:729C | List of IPV6 internal IPs for active network interfaces. |
-> | Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that detections are retrieved. |
-> | | Not part of the schema | deviceVendor | | Static value in the ArcSight mapping - 'Microsoft'. |
-> | | Not part of the schema | deviceProduct | | Static value in the ArcSight mapping - 'Microsoft Defender ATP'. |
-> | | Not part of the schema | deviceVersion | | Static value in the ArcSight mapping - '2.0', used to identify the mapping versions.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-## Related topics
-- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
-- [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
-- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md)
-- [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
deleted file mode 100644
index 9ed52103d9..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
+++ /dev/null
@@ -1,138 +0,0 @@
----
-title: Microsoft Defender ATP APIs connection to Power BI
-ms.reviewer:
-description: Create a Power Business Intelligence (BI) report on top of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) APIs.
-keywords: apis, supported apis, Power BI, reports
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Create custom reports using Power BI
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-In this section you will learn create a Power BI report on top of Microsoft Defender ATP APIs.
-
-The first example demonstrates how to connect Power BI to Advanced Hunting API and the second example demonstrates a connection to our OData APIs, such as Machine Actions or Alerts.
-
-## Connect Power BI to Advanced Hunting API
-
-- Open Microsoft Power BI
-
-- Click **Get Data** > **Blank Query**
-
- 
-
-- Click **Advanced Editor**
-
- 
-
-- Copy the below and paste it in the editor:
-
-```
- let
- AdvancedHuntingQuery = "DeviceEvents | where ActionType contains 'Anti'",
-
- HuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries",
-
- Response = Json.Document(Web.Contents(HuntingUrl, [Query=[key=AdvancedHuntingQuery]])),
-
- TypeMap = #table(
- { "Type", "PowerBiType" },
- {
- { "Double", Double.Type },
- { "Int64", Int64.Type },
- { "Int32", Int32.Type },
- { "Int16", Int16.Type },
- { "UInt64", Number.Type },
- { "UInt32", Number.Type },
- { "UInt16", Number.Type },
- { "Byte", Byte.Type },
- { "Single", Single.Type },
- { "Decimal", Decimal.Type },
- { "TimeSpan", Duration.Type },
- { "DateTime", DateTimeZone.Type },
- { "String", Text.Type },
- { "Boolean", Logical.Type },
- { "SByte", Logical.Type },
- { "Guid", Text.Type }
- }),
-
- Schema = Table.FromRecords(Response[Schema]),
- TypedSchema = Table.Join(Table.SelectColumns(Schema, {"Name", "Type"}), {"Type"}, TypeMap , {"Type"}),
- Results = Response[Results],
- Rows = Table.FromRecords(Results, Schema[Name]),
- Table = Table.TransformColumnTypes(Rows, Table.ToList(TypedSchema, (c) => {c{0}, c{2}}))
-
- in Table
-
-```
-
-- Click **Done**
-
-- Click **Edit Credentials**
-
- 
-
-- Select **Organizational account** > **Sign in**
-
- 
-
-- Enter your credentials and wait to be signed in
-
-- Click **Connect**
-
- 
-
-- Now the results of your query will appear as table and you can start build visualizations on top of it!
-
-- You can duplicate this table, rename it and edit the Advanced Hunting query inside to get any data you would like.
-
-## Connect Power BI to OData APIs
-
-- The only difference from the above example is the query inside the editor.
-
-- Copy the below and paste it in the editor to pull all **Machine Actions** from your organization:
-
-```
- let
-
- Query = "MachineActions",
-
- Source = OData.Feed("https://api.securitycenter.windows.com/api/" & Query, null, [Implementation="2.0", MoreColumns=true])
- in
- Source
-
-```
-
-- You can do the same for **Alerts** and **Machines**.
-
-- You also can use OData queries for queries filters, see [Using OData Queries](exposed-apis-odata-samples.md)
-
-
-## Power BI dashboard samples in GitHub
-For more information see the [Power BI report templates](https://github.com/microsoft/MicrosoftDefenderATP-PowerBI).
-
-## Sample reports
-View the Microsoft Defender ATP Power BI report samples. For more information, see [Browse code samples](https://docs.microsoft.com/samples/browse/?products=mdatp).
-
-
-## Related topic
-- [Microsoft Defender ATP APIs](apis-intro.md)
-- [Advanced Hunting API](run-advanced-query-api.md)
-- [Using OData Queries](exposed-apis-odata-samples.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md b/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md
deleted file mode 100644
index b5e6b4ffb6..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md
+++ /dev/null
@@ -1,43 +0,0 @@
----
-title: Microsoft Defender ATP API license and terms of use
-description: Description of the license and terms of use for Microsoft Defender APIs
-keywords: license, terms, apis, legal, notices, code of conduct
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Microsoft Defender ATP API license and terms of use
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-## APIs
-
-Microsoft Defender ATP APIs are governed by [Microsoft API License and Terms of use](https://docs.microsoft.com/legal/microsoft-apis/terms-of-use).
-
-### Throttling limits
-
-Name | Calls | Renewal period
-:---|:---|:---
-API calls per connection | 100 | 60 seconds
-
-
-## Legal Notices
-
-Microsoft and any contributors grant you a license to the Microsoft documentation and other content in this repository under the Creative Commons Attribution 4.0 International Public License, see the LICENSE file.
-
-Microsoft, Windows, Microsoft Azure and/or other Microsoft products and services referenced in the documentation may be either trademarks or registered trademarks of Microsoft in the United States and/or other countries. The licenses for this project do not grant you rights to use any Microsoft names, logos, or trademarks. Microsoft's general trademark guidelines can be found at https://go.microsoft.com/fwlink/?LinkID=254653.
-
-Privacy information can be found at https://privacy.microsoft.com/en-us/
-Microsoft and any contributors reserve all others rights, whether under their respective copyrights, patents, or trademarks, whether by implication, estoppel or otherwise.
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
deleted file mode 100644
index 09205163fe..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
+++ /dev/null
@@ -1,72 +0,0 @@
----
-title: Access the Microsoft Defender Advanced Threat Protection APIs
-ms.reviewer:
-description: Learn how you can use APIs to automate workflows and innovate based on Microsoft Defender ATP capabilities
-keywords: apis, api, wdatp, open api, microsoft defender atp api, public api, supported apis, alerts, device, user, domain, ip, file, advanced hunting, query
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Access the Microsoft Defender Advanced Threat Protection APIs
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Microsoft Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
-
-Watch this video for a quick overview of Microsoft Defender ATP's APIs.
->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4d73M]
-
-In general, you’ll need to take the following steps to use the APIs:
-- Create an AAD application
-- Get an access token using this application
-- Use the token to access Microsoft Defender ATP API
-
-
-You can access Microsoft Defender ATP API with **Application Context** or **User Context**.
-
-- **Application Context: (Recommended)**
- Used by apps that run without a signed-in user present. for example, apps that run as background services or daemons.
-
- Steps that need to be taken to access Microsoft Defender ATP API with application context:
-
- 1. Create an AAD Web-Application.
- 2. Assign the desired permission to the application, for example, 'Read Alerts', 'Isolate Machines'.
- 3. Create a key for this Application.
- 4. Get token using the application with its key.
- 5. Use the token to access Microsoft Defender ATP API
-
- For more information, see [Get access with application context](exposed-apis-create-app-webapp.md).
-
-
-- **User Context:**
- Used to perform actions in the API on behalf of a user.
-
- Steps that needs to be taken to access Microsoft Defender ATP API with application context:
- 1. Create AAD Native-Application.
- 2. Assign the desired permission to the application, e.g 'Read Alerts', 'Isolate Machines' etc.
- 3. Get token using the application with user credentials.
- 4. Use the token to access Microsoft Defender ATP API
-
- For more information, see [Get access with user context](exposed-apis-create-app-nativeapp.md).
-
-
-## Related topics
-- [Microsoft Defender ATP APIs](exposed-apis-list.md)
-- [Access Microsoft Defender ATP with application context](exposed-apis-create-app-webapp.md)
-- [Access Microsoft Defender ATP with user context](exposed-apis-create-app-nativeapp.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md b/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md
deleted file mode 100644
index 6eeaf5c729..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-title: Assign user access to Microsoft Defender Security Center
-description: Assign read and write or read only access to the Microsoft Defender Advanced Threat Protection portal.
-keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 11/28/2018
----
-
-# Assign user access to Microsoft Defender Security Center
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- Azure Active Directory
-- Office 365
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink)
-
-Microsoft Defender ATP supports two ways to manage permissions:
-
-- **Basic permissions management**: Set permissions to either full access or read-only.
-- **Role-based access control (RBAC)**: Set granular permissions by defining roles, assigning Azure AD user groups to the roles, and granting the user groups access to device groups. For more information on RBAC, see [Manage portal access using role-based access control](rbac.md).
-
-> [!NOTE]
-> If you have already assigned basic permissions, you may switch to RBAC anytime. Consider the following before making the switch:
->
-> - Users with full access (users that are assigned the Global Administrator or Security Administrator directory role in Azure AD), are automatically assigned the default Microsoft Defender ATP administrator role, which also has full access. Additional Azure AD user groups can be assigned to the Microsoft Defender ATP administrator role after switching to RBAC. Only users assigned to the Microsoft Defender ATP administrator role can manage permissions using RBAC.
-> - Users that have read-only access (Security Readers) will lose access to the portal until they are assigned a role. Note that only Azure AD user groups can be assigned a role under RBAC.
-> - After switching to RBAC, you will not be able to switch back to using basic permissions management.
-
-## Related topics
-
-- [Use basic permissions to access the portal](basic-permissions.md)
-- [Manage portal access using RBAC](rbac.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md b/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md
deleted file mode 100644
index 4726e2223f..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md
+++ /dev/null
@@ -1,70 +0,0 @@
----
-title: Experience Microsoft Defender ATP through simulated attacks
-description: Run the provided attack scenario simulations to experience how Microsoft Defender ATP can detect, investigate, and respond to breaches.
-keywords: wdatp, test, scenario, attack, simulation, simulated, diy, microsoft defender advanced threat protection
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 11/20/2018
----
-
-# Experience Microsoft Defender ATP through simulated attacks
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-attacksimulations-abovefoldlink)
-
->[!TIP]
->- Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
->- Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
-
-You might want to experience Microsoft Defender ATP before you onboard more than a few devices to the service. To do this, you can run controlled attack simulations on a few test devices. After running the simulated attacks, you can review how Microsoft Defender ATP surfaces malicious activity and explore how it enables an efficient response.
-
-## Before you begin
-
-To run any of the provided simulations, you need at least [one onboarded device](onboard-configure.md).
-
-Read the walkthrough document provided with each attack scenario. Each document includes OS and application requirements as well as detailed instructions that are specific to an attack scenario.
-
-## Run a simulation
-
-1. In **Help** > **Simulations & tutorials**, select which of the available attack scenarios you would like to simulate:
-
- - **Scenario 1: Document drops backdoor** - simulates delivery of a socially engineered lure document. The document launches a specially crafted backdoor that gives attackers control.
-
- - **Scenario 2: PowerShell script in fileless attack** - simulates a fileless attack that relies on PowerShell, showcasing attack surface reduction and device learning detection of malicious memory activity.
-
- - **Scenario 3: Automated incident response** - triggers automated investigation, which automatically hunts for and remediates breach artifacts to scale your incident response capacity.
-
-2. Download and read the corresponding walkthrough document provided with your selected scenario.
-
-3. Download the simulation file or copy the simulation script by navigating to **Help** > **Simulations & tutorials**. You can choose to download the file or script on the test device but it's not mandatory.
-
-4. Run the simulation file or script on the test device as instructed in the walkthrough document.
-
-> [!NOTE]
-> Simulation files or scripts mimic attack activity but are actually benign and will not harm or compromise the test device.
->
->
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-attacksimulations-belowfoldlink)
-
-
-## Related topics
-
-- [Onboard devices](onboard-configure.md)
-- [Onboard Windows 10 devices](configure-endpoints.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md
deleted file mode 100644
index 0175049c55..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md
+++ /dev/null
@@ -1,136 +0,0 @@
----
-title: Attack surface reduction frequently asked questions (FAQ)
-description: Find answers to frequently asked questions about Microsoft Defender ATP's attack surface reduction rules.
-keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, Microsoft Defender Advanced Threat Protection, Microsoft Defender ATP
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.localizationpriority: medium
-audience: ITPro
-author: martyav
-ms.author: v-maave
-ms.reviewer:
-manager: dansimp
-ms.custom: asr
----
-
-# Attack surface reduction frequently asked questions (FAQ)
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-## Is attack surface reduction (ASR) part of Windows?
-
-ASR was originally a feature of the suite of exploit guard features introduced as a major update to Microsoft Defender Antivirus, in Windows 10 version 1709. Microsoft Defender Antivirus is the native antimalware component of Windows. However, the full ASR feature-set is only available with a Windows enterprise license. Also note that ASR rule exclusions are managed separately from Microsoft Defender Antivirus exclusions.
-
-## Do I need to have an enterprise license to run ASR rules?
-
-The full set of ASR rules and features is only supported if you have an enterprise license for Windows 10. A limited number of rules may work without an enterprise license. If you have Microsoft 365 Business, set Microsoft Defender Antivirus as your primary security solution, and enable the rules through PowerShell. However, ASR usage without an enterprise license is not officially supported and the full capabilities of ASR will not be available.
-
-To learn more about Windows licensing, see [Windows 10 Licensing](https://www.microsoft.com/licensing/product-licensing/windows10?activetab=windows10-pivot:primaryr5) and get the [Volume Licensing guide for Windows 10](https://download.microsoft.com/download/2/D/1/2D14FE17-66C2-4D4C-AF73-E122930B60F6/Windows-10-Volume-Licensing-Guide.pdf).
-
-## Is ASR supported if I have an E3 license?
-
-Yes. ASR is supported for Windows Enterprise E3 and above.
-
-## Which features are supported with an E5 license?
-
-All of the rules supported with E3 are also supported with E5.
-
-E5 also added greater integration with Microsoft Defender ATP. With E5, you can [use Microsoft Defender ATP to monitor and review analytics](https://docs.microsoft.com/microsoft-365/security/mtp/monitor-devices?view=o365-worldwide#monitor-and-manage-asr-rule-deployment-and-detections) on alerts in real-time, fine-tune rule exclusions, configure ASR rules, and view lists of event reports.
-
-## What are the currently supported ASR rules?
-
-ASR currently supports all of the rules below:
-
-* [Block executable content from email client and webmail](attack-surface-reduction.md#block-executable-content-from-email-client-and-webmail)
-* [Block all Office applications from creating child processes](attack-surface-reduction.md#block-all-office-applications-from-creating-child-processes)
-* [Block Office applications from creating executable content](attack-surface-reduction.md#block-office-applications-from-creating-executable-content)
-* [Block Office applications from injecting code into other processes](attack-surface-reduction.md#block-office-applications-from-injecting-code-into-other-processes)
-* [Block JavaScript or VBScript from launching downloaded executable content](attack-surface-reduction.md#block-javascript-or-vbscript-from-launching-downloaded-executable-content)
-* [Block execution of potentially obfuscated scripts](attack-surface-reduction.md#block-execution-of-potentially-obfuscated-scripts)
-* [Block Win32 API calls from Office macro](attack-surface-reduction.md#block-win32-api-calls-from-office-macros)
-* [Use advanced protection against ransomware](attack-surface-reduction.md#use-advanced-protection-against-ransomware)
-* [Block credential stealing from the Windows local security authority subsystem](attack-surface-reduction.md#block-credential-stealing-from-the-windows-local-security-authority-subsystem) (lsass.exe)
-* [Block process creations originating from PSExec and WMI commands](attack-surface-reduction.md#block-process-creations-originating-from-psexec-and-wmi-commands)
-* [Block untrusted and unsigned processes that run from USB](attack-surface-reduction.md#block-untrusted-and-unsigned-processes-that-run-from-usb)
-* [Block executable files from running unless they meet a prevalence, age, or trusted list criteria](attack-surface-reduction.md#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion)
-* [Block Office communication applications from creating child processes](attack-surface-reduction.md#block-office-communication-application-from-creating-child-processes)
-* [Block Adobe Reader from creating child processes](attack-surface-reduction.md#block-adobe-reader-from-creating-child-processes)
-* [Block persistence through WMI event subscription](attack-surface-reduction.md#block-persistence-through-wmi-event-subscription)
-
-## What are some good recommendations for getting started with ASR?
-
-Test how ASR rules will impact your organization before enabling them by running ASR rules in audit mode for a brief period of time. While you are running the rules in audit mode, you can identify any line-of-business applications that might get blocked erroneously, and exclude them from ASR.
-
-Larger organizations should consider rolling out ASR rules in "rings," by auditing and enabling rules in increasingly broader subsets of devices. You can arrange your organization's devices into rings by using Intune or a Group Policy management tool.
-
-## How long should I test an ASR rule in audit mode before enabling it?
-
-Keep the rule in audit mode for about 30 days to get a good baseline for how the rule will operate once it goes live throughout your organization. During the audit period, you can identify any line-of-business applications that might get blocked by the rule, and configure the rule to exclude them.
-
-## I'm making the switch from a third-party security solution to Microsoft Defender ATP. Is there an "easy" way to export rules from another security solution to ASR?
-
-In most cases, it's easier and better to start with the baseline recommendations suggested by [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/) (Microsoft Defender ATP) than to attempt to import rules from another security solution. Then, use tools such as audit mode, monitoring, and analytics to configure your new solution to suit your unique needs.
-
-The default configuration for most ASR rules, combined with Microsoft Defender ATP's real-time protection, will protect against a large number of exploits and vulnerabilities.
-
-From within Microsoft Defender ATP, you can update your defenses with custom indicators, to allow and block certain software behaviors. ASR also allows for some customization of rules, in the form of file and folder exclusions. As a general rule, it is best to audit a rule for a period of time, and configure exclusions for any line-of-business applications that might get blocked.
-
-## Does ASR support file or folder exclusions that include system variables and wildcards in the path?
-
-Yes. See [Excluding files and folders from ASR rules](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for more details on excluding files or folders from ASR rules, and [Configure and validate exclusions based on file extension and folder location](../microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for more on using system variables and wildcards in excluded file paths.
-
-## Do ASR rules cover all applications by default?
-
-It depends on the rule. Most ASR rules cover the behavior of Microsoft Office products and services, such as Word, Excel, PowerPoint, and OneNote, or Outlook. Certain ASR rules, such as *Block execution of potentially obfuscated scripts*, are more general in scope.
-
-## Does ASR support third-party security solutions?
-
-ASR uses Microsoft Defender Antivirus to block applications. It is not possible to configure ASR to use another security solution for blocking at this time.
-
-## I have an E5 license and enabled some ASR rules in conjunction with Microsoft Defender ATP. Is it possible for an ASR event to not show up at all in Microsoft Defender ATP's event timeline?
-
-Whenever a notification is triggered locally by an ASR rule, a report on the event is also sent to the Microsoft Defender ATP portal. If you're having trouble finding the event, you can filter the events timeline using the search box. You can also view ASR events by visiting **Go to attack surface management**, from the **Configuration management** icon in the Security Center taskbar. The attack surface management page includes a tab for report detections, which includes a full list of ASR rule events reported to Microsoft Defender ATP.
-
-## I applied a rule using GPO. Now when I try to check the indexing options for the rule in Microsoft Outlook, I get a message stating, 'Access denied'.
-
-Try opening the indexing options directly from Windows 10.
-
-1. Select the **Search** icon on the Windows taskbar.
-
-1. Enter **Indexing options** into the search box.
-
-## Are the criteria used by the rule, "Block executable files from running unless they meet a prevalence, age, or trusted list criterion," configurable by an admin?
-
-No. The criteria used by this rule are maintained by Microsoft cloud protection, to keep the trusted list constantly up to date with data gathered from around the world. Local admins do not have write access to alter this data. If you are looking to configure this rule to tailor it for your enterprise, you can add certain applications to the exclusions list to prevent the rule from being triggered.
-
-## I enabled the ASR rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion*. After some time, I updated a piece of software, and the rule is now blocking it, even though it didn't before. Did something go wrong?
-
-This rule relies upon each application having a known reputation, as measured by prevalence, age, or inclusion on a list of trusted apps. The rule's decision to block or allow an application is ultimately determined by Microsoft cloud protection's assessment of these criteria.
-
-Usually, cloud protection can determine that a new version of an application is similar enough to previous versions that it does not need to be reassessed at length. However, it might take some time for the app to build reputation after switching versions, particularly after a major update. In the meantime, you can add the application to the exclusions list, to prevent this rule from blocking important applications. If you are frequently updating and working with new versions of applications, you may opt instead to run this rule in audit mode.
-
-## I recently enabled the ASR rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, and I am getting a large number of notifications. What is going on?
-
-A notification generated by this rule does not necessarily indicate malicious activity; however, this rule is still useful for blocking malicious activity, since malware often targets lsass.exe to gain illicit access to accounts. The lsass.exe process stores user credentials in memory after a user has logged in. Windows uses these credentials to validate users and apply local security policies.
-
-Because many legitimate processes throughout a typical day will be calling on lsass.exe for credentials, this rule can be especially noisy. If a known legitimate application causes this rule to generate an excessive number of notifications, you can add it to the exclusion list. Most other ASR rules will generate a relatively smaller number of notifications, in comparison to this one, since calling on lsass.exe is typical of many applications' normal functioning.
-
-## Is it a good idea to enable the rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, alongside LSA protection?
-
-Enabling this rule will not provide additional protection if you have [LSA protection](https://docs.microsoft.com/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#BKMK_HowToConfigure) enabled as well. Both the rule and LSA protection work in much the same way, so having both running at the same time would be redundant. However, sometimes you may not be able to enable LSA protection. In those cases, you can enable this rule to provide equivalent protection against malware that target lsass.exe.
-
-## Related topics
-
-* [Attack surface reduction overview](attack-surface-reduction.md)
-* [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
-* [Customize attack surface reduction rules](customize-attack-surface-reduction.md)
-* [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
-* [Compatibility of Microsoft Defender with other antivirus/antimalware](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
deleted file mode 100644
index 45db3aa0c7..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
+++ /dev/null
@@ -1,408 +0,0 @@
----
-title: Use attack surface reduction rules to prevent malware infection
-description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect devices with malware.
-keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, Microsoft Defender Advanced Threat Protection, Microsoft Defender ATP
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-audience: ITPro
-author: denisebmsft
-ms.author: deniseb
-ms.reviewer: sugamar, jcedola
-manager: dansimp
-ms.custom: asr
-ms.date: 10/08/2020
----
-
-# Reduce attack surfaces with attack surface reduction rules
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Your attack surface is the total number of places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means offering attackers fewer ways to perform attacks.
-
-Attack surface reduction rules target software behaviors that are often abused by attackers, such as:
-
-- Launching executable files and scripts that attempt to download or run files
-- Running obfuscated or otherwise suspicious scripts
-- Performing behaviors that apps don't usually initiate during normal day-to-day work
-
-Such behaviors are sometimes seen in legitimate applications; however, they are considered risky because they are commonly abused by malware. Attack surface reduction rules can constrain these kinds of risky behaviors and help keep your organization safe.
-
-Use [audit mode](audit-windows-defender.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications. Many line-of-business applications are written with limited security concerns, and they may perform tasks in ways that seem similar to malware. By monitoring audit data and [adding exclusions](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for necessary applications, you can deploy attack surface reduction rules without impacting productivity.
-
-Whenever a rule is triggered, a notification will be displayed on the device. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. The notification also displays within the Microsoft Defender Security Center and the Microsoft 365 security center.
-
-For more information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
-
-## Attack surface reduction features across Windows versions
-
-You can set attack surface reduction rules for devices running any of the following editions and versions of Windows:
-- Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
-- Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
-- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-
-To use the entire feature-set of attack surface reduction rules, you need a [Windows 10 Enterprise license](https://www.microsoft.com/licensing/product-licensing/windows10). With a [Windows E5 license](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses), you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the [Microsoft 365 security center](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center). These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events.
-
-## Review attack surface reduction events in the Microsoft Defender Security Center
-
-Microsoft Defender ATP provides detailed reporting for events and blocks, as part of its alert investigation scenarios.
-
-You can query Microsoft Defender ATP data by using [advanced hunting](advanced-hunting-query-language.md). If you're running [audit mode](audit-windows-defender.md), you can use advanced hunting to understand how attack surface reduction rules could affect your environment.
-
-Here is an example query:
-
-```kusto
-DeviceEvents
-| where ActionType startswith 'Asr'
-```
-
-## Review attack surface reduction events in Windows Event Viewer
-
-You can review the Windows event log to view events generated by attack surface reduction rules:
-
-1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the device.
-
-2. Enter the words, *Event Viewer*, into the Start menu to open the Windows Event Viewer.
-
-3. Under **Actions**, select **Import custom view...**.
-
-4. Select the file *cfa-events.xml* from where it was extracted. Alternatively, [copy the XML directly](event-views.md).
-
-5. Select **OK**.
-
-This will create a custom view that filters events to only show the following, all of which are related to controlled folder access:
-
-|Event ID | Description |
-|---|---|
-|5007 | Event when settings are changed |
-|1121 | Event when rule fires in Block-mode |
-|1122 | Event when rule fires in Audit-mode |
-
-The "engine version" listed for attack surface reduction events in the event log, is generated by Microsoft Defender ATP, not by the operating system. Microsoft Defender ATP is integrated with Windows 10, so this feature works on all devices with Windows 10 installed.
-
-## Attack surface reduction rules
-
-The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use Microsoft Endpoint Configuration Manager or Microsoft Intune, you do not need the GUIDs:
-
-| Rule name | GUID | File & folder exclusions | Minimum OS supported |
-|-----|----|---|---|
-|[Block executable content from email client and webmail](#block-executable-content-from-email-client-and-webmail) | `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-|[Block all Office applications from creating child processes](#block-all-office-applications-from-creating-child-processes) | `D4F940AB-401B-4EFC-AADC-AD5F3C50688A` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-|[Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) | `3B576869-A4EC-4529-8536-B80A7769E899` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-|[Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) | `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-|[Block JavaScript or VBScript from launching downloaded executable content](#block-javascript-or-vbscript-from-launching-downloaded-executable-content) | `D3E037E1-3EB8-44C8-A917-57927947596D` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-|[Block execution of potentially obfuscated scripts](#block-execution-of-potentially-obfuscated-scripts) | `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-|[Block Win32 API calls from Office macros](#block-win32-api-calls-from-office-macros) | `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-|[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | `01443614-cd74-433a-b99e-2ecdc07bfc25` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-|[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | `c1db55ab-c21a-4637-bb3f-a12568109d35` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-|[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-|[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | `d1e49aac-8f56-4280-b9ba-993a6d77406c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-|[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-|[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | `26190899-1602-49e8-8b27-eb1d0a1ce869` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-|[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c` | Supported | [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) (RS3, build 16299) or greater |
-|[Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) | `e6db77e5-3df2-4cf1-b95a-636979351e5b` | Not supported | [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) (build 18362) or greater |
-
-### Block executable content from email client and webmail
-
-This rule blocks the following file types from launching from email opened within the Microsoft Outlook application, or Outlook.com and other popular webmail providers:
-
-- Executable files (such as .exe, .dll, or .scr)
-- Script files (such as a PowerShell .ps, Visual Basic .vbs, or JavaScript .js file)
-
-This rule was introduced in:
-- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-- [Microsoft Endpoint Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
-
-Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)
-
-Microsoft Endpoint Configuration Manager name: Block executable content from email client and webmail
-
-GUID: `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550`
-
-### Block all Office applications from creating child processes
-
-This rule blocks Office apps from creating child processes. This includes Word, Excel, PowerPoint, OneNote, and Access.
-
-Creating malicious child processes is a common malware strategy. Malware that abuse Office as a vector often run VBA macros and exploit code to download and attempt to run additional payloads. However, some legitimate line-of-business applications might also generate child processes for benign purposes, such as spawning a command prompt or using PowerShell to configure registry settings.
-
-This rule was introduced in:
-- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
-
-Intune name: Office apps launching child processes
-
-Configuration Manager name: Block Office application from creating child processes
-
-GUID: `D4F940AB-401B-4EFC-AADC-AD5F3C50688A`
-
-### Block Office applications from creating executable content
-
-This rule prevents Office apps, including Word, Excel, and PowerPoint, from creating potentially malicious executable content, by blocking malicious code from being written to disk.
-
- Malware that abuses Office as a vector may attempt to break out of Office and save malicious components to disk. These malicious components would survive a computer reboot and persist on the system. Therefore, this rule defends against a common persistence technique.
-
-This rule was introduced in:
-- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-- [System Center Configuration Manager](https://docs.microsoft.com/configmgr/core/servers/manage/updates) (SCCM) CB 1710 (SCCM is now Microsoft Endpoint Configuration Manager)
-
-Intune name: Office apps/macros creating executable content
-
-SCCM name: Block Office applications from creating executable content
-
-GUID: `3B576869-A4EC-4529-8536-B80A7769E899`
-
-### Block Office applications from injecting code into other processes
-
-This rule blocks code injection attempts from Office apps into other processes.
-
-Attackers might attempt to use Office apps to migrate malicious code into other processes through code injection, so the code can masquerade as a clean process.
-
-There are no known legitimate business purposes for using code injection.
-
-This rule applies to Word, Excel, and PowerPoint.
-
-This rule was introduced in:
-- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
-
-Intune name: Office apps injecting code into other processes (no exceptions)
-
-Configuration Manager name: Block Office applications from injecting code into other processes
-
-GUID: `75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84`
-
-### Block JavaScript or VBScript from launching downloaded executable content
-
-This rule prevents scripts from launching potentially malicious downloaded content. Malware written in JavaScript or VBScript often acts as a downloader to fetch and launch other malware from the Internet.
-
-Although not common, line-of-business applications sometimes use scripts to download and launch installers.
-
-This rule was introduced in:
-- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
-
-Intune name: js/vbs executing payload downloaded from Internet (no exceptions)
-
-Configuration Manager name: Block JavaScript or VBScript from launching downloaded executable content
-
-GUID: `D3E037E1-3EB8-44C8-A917-57927947596D`
-
-### Block execution of potentially obfuscated scripts
-
-This rule detects suspicious properties within an obfuscated script.
-
-Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. Malware authors also use obfuscation to make malicious code harder to read, which prevents close scrutiny by humans and security software.
-
-This rule was introduced in:
-- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
-
-Intune name: Obfuscated js/vbs/ps/macro code
-
-Configuration Manager name: Block execution of potentially obfuscated scripts.
-
-GUID: `5BEB7EFE-FD9A-4556-801D-275E5FFC04CC`
-
-### Block Win32 API calls from Office macros
-
-This rule prevents VBA macros from calling Win32 APIs.
-
-Office VBA provides the ability to make Win32 API calls. Malware can abuse this capability, such as [calling Win32 APIs to launch malicious shellcode](https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/) without writing anything directly to disk. Most organizations don't rely on the ability to call Win32 APIs in their day-to-day functioning, even if they use macros in other ways.
-
-This rule was introduced in:
-- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-- [Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
-
-Intune name: Win32 imports from Office macro code
-
-Configuration Manager name: Block Win32 API calls from Office macros
-
-GUID: `92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B`
-
-### Block executable files from running unless they meet a prevalence, age, or trusted list criterion
-
-This rule blocks the following file types from launching unless they meet prevalence or age criteria, or they're in a trusted list or an exclusion list:
-
-- Executable files (such as .exe, .dll, or .scr)
-
-Launching untrusted or unknown executable files can be risky, as it may not be initially clear if the files are malicious.
-
-> [!IMPORTANT]
-> You must [enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule.
The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25 is owned by Microsoft and is not specified by admins. It uses cloud-delivered protection to update its trusted list regularly.
->
->You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.
-
-This rule was introduced in:
-- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
-
-Intune name: Executables that don't meet a prevalence, age, or trusted list criteria.
-
-Configuration Manager name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria
-
-GUID: `01443614-cd74-433a-b99e-2ecdc07bfc25`
-
-### Use advanced protection against ransomware
-
-This rule provides an extra layer of protection against ransomware. It scans executable files entering the system to determine whether they're trustworthy. If the files closely resemble ransomware, this rule blocks them from running, unless they're in a trusted list or an exclusion list.
-
-> [!NOTE]
-> You must [enable cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) to use this rule.
-
-This rule was introduced in:
-- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
-
-Intune name: Advanced ransomware protection
-
-Configuration Manager name: Use advanced protection against ransomware
-
-GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35`
-
-### Block credential stealing from the Windows local security authority subsystem
-
-This rule helps prevent credential stealing, by locking down Local Security Authority Subsystem Service (LSASS).
-
-LSASS authenticates users who log in to a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use hack tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS.
-
-> [!NOTE]
-> In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that simply enumerates LSASS, but has no real impact in functionality, there is NO need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
-
-This rule was introduced in:
-- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
-
-Intune name: Flag credential stealing from the Windows local security authority subsystem
-
-Configuration Manager name: Block credential stealing from the Windows local security authority subsystem
-
-GUID: `9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2`
-
-### Block process creations originating from PSExec and WMI commands
-
-This rule blocks processes created through [PsExec](https://docs.microsoft.com/sysinternals/downloads/psexec) and [WMI](https://docs.microsoft.com/windows/win32/wmisdk/about-wmi) from running. Both PsExec and WMI can remotely execute code, so there is a risk of malware abusing this functionality for command and control purposes, or to spread an infection throughout an organization's network.
-
-> [!WARNING]
-> Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr) because this rule blocks WMI commands the Configuration Manager client uses to function correctly.
-
-This rule was introduced in:
-- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-
-Intune name: Process creation from PSExec and WMI commands
-
-Configuration Manager name: Not applicable
-
-GUID: `d1e49aac-8f56-4280-b9ba-993a6d77406c`
-
-### Block untrusted and unsigned processes that run from USB
-
-With this rule, admins can prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file types include executable files (such as .exe, .dll, or .scr)
-
-This rule was introduced in:
-- [Windows 10, version 1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-- [Configuration Manager CB 1802](https://docs.microsoft.com/configmgr/core/servers/manage/updates)
-
-Intune name: Untrusted and unsigned processes that run from USB
-
-Configuration Manager name: Block untrusted and unsigned processes that run from USB
-
-GUID: `b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4`
-
-### Block Office communication application from creating child processes
-
-This rule prevents Outlook from creating child processes, while still allowing legitimate Outlook functions.
-
-This protects against social engineering attacks and prevents exploit code from abusing vulnerabilities in Outlook. It also protects against [Outlook rules and forms exploits](https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/) that attackers can use when a user's credentials are compromised.
-
-> [!NOTE]
-> This rule applies to Outlook and Outlook.com only.
-
-This rule was introduced in:
-- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809)
-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-
-Intune name: Process creation from Office communication products (beta)
-
-Configuration Manager name: Not yet available
-
-GUID: `26190899-1602-49e8-8b27-eb1d0a1ce869`
-
-### Block Adobe Reader from creating child processes
-
-This rule prevents attacks by blocking Adobe Reader from creating additional processes.
-
-Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. By blocking child processes from being generated by Adobe Reader, malware attempting to use it as a vector are prevented from spreading.
-
-This rule was introduced in:
-- [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809)
-- [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809)
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-
-Intune name: Process creation from Adobe Reader (beta)
-
-Configuration Manager name: Not yet available
-
-GUID: `7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c`
-
-### Block persistence through WMI event subscription
-
-This rule prevents malware from abusing WMI to attain persistence on a device.
-
-> [!IMPORTANT]
-> File and folder exclusions don't apply to this attack surface reduction rule.
-
-Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden.
-
-This rule was introduced in:
-- [Windows 10, version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903)
-- [Windows Server 1903](https://docs.microsoft.com/windows-server/get-started-19/whats-new-in-windows-server-1903-1909)
-
-Intune name: Not yet available
-
-Configuration Manager name: Not yet available
-
-GUID: `e6db77e5-3df2-4cf1-b95a-636979351e5b`
-
-## Related topics
-
-- [Attack surface reduction FAQ](attack-surface-reduction-faq.md)
-
-- [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
-
-- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
-
-- [Compatibility of Microsoft Defender with other antivirus/antimalware](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md b/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md
deleted file mode 100644
index 8a4304b984..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md
+++ /dev/null
@@ -1,56 +0,0 @@
----
-title: Test how Microsoft Defender ATP features work in audit mode
-description: Audit mode lets you use the event log to see how Microsoft Defender ATP would protect your devices if it was enabled.
-keywords: exploit guard, audit, auditing, mode, enabled, disabled, test, demo, evaluate, lab
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-audience: ITPro
-author: levinec
-ms.author: ellevin
-ms.reviewer:
-manager: dansimp
----
-
-# Test how Microsoft Defender ATP features work in audit mode
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-You can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. Audit mode lets you see a record of what *would* have happened if you had enabled the feature.
-
-You may want to enable audit mode when testing how the features will work in your organization. Ensure it doesn't affect your line-of-business apps, and get an idea of how many suspicious file modification attempts generally occur over a certain period of time.
-
-The features won't block or prevent apps, scripts, or files from being modified. However, the Windows Event Log will record events as if the features were fully enabled. With audit mode, you can review the event log to see what impact the feature would have had if it was enabled.
-
-To find the audited entries, go to **Applications and Services** > **Microsoft** > **Windows** > **Windows Defender** > **Operational**.
-
-You can use Microsoft Defender Advanced Threat Protection to get greater details for each event, especially for investigating attack surface reduction rules. Using the Microsoft Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
-
-This article provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer.
-
-You can use Group Policy, PowerShell, and configuration service providers (CSPs) to enable audit mode.
-
->[!TIP]
->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
-
- Audit options | How to enable audit mode | How to view events
--|-|-
-Audit applies to all events | [Enable controlled folder access](enable-controlled-folders.md) | [Controlled folder access events](evaluate-controlled-folder-access.md#review-controlled-folder-access-events-in-windows-event-viewer)
-Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](evaluate-attack-surface-reduction.md#review-attack-surface-reduction-events-in-windows-event-viewer)
-Audit applies to all events | [Enable network protection](enable-network-protection.md) | [Network protection events](evaluate-network-protection.md#review-network-protection-events-in-windows-event-viewer)
-|Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md) | [Exploit protection events](exploit-protection.md#review-exploit-protection-events-in-windows-event-viewer)
-
-## Related topics
-
-* [Protect devices from exploits](exploit-protection.md)
-* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
-* [Protect your network](network-protection.md)
-* [Protect important folders](controlled-folders.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
deleted file mode 100644
index 0a77813dd2..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
+++ /dev/null
@@ -1,171 +0,0 @@
----
-title: View details and results of automated investigations
-description: Use the action center to view details and results following an automated investigation
-keywords: action, center, autoir, automated, investigation, response, remediation
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: article
-ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs
-ms.date: 09/24/2020
----
-
-# View details and results of automated investigations
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-During and after an automated investigation, certain remediation actions can be identified. Depending on the threat and how [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) is configured for your organization, some remediation actions are taken automatically.
-
-If you're part of your organization's security operations team, you can view pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) in the **Action center** ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)). You can also use the **Investigations** page ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) to view details about an investigation.
-
->[!NOTE]
->If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the device or device group will be able to view the entire investigation.
-
-## The Action center
-
-
-
-The action center consists of two main tabs: **Pending actions** and **History**.
-- **Pending actions** Displays a list of ongoing investigations that require attention. Recommended actions are presented that your security operations team can approve or reject. The Pending tab appears only if there are pending actions to be approved (or rejected).
-- **History** Acts as an audit log for all of the following items:
- - Remediation actions that were taken as a result of an automated investigation
- - Remediation actions that were approved by your security operations team (some actions, such as sending a file to quarantine, can be undone)
- - Commands that were run and remediation actions that were applied in Live Response sessions (some actions can be undone)
- - Remediation actions that were applied by Microsoft Defender Antivirus (some actions can be undone)
-
-Use the **Customize columns** menu to select columns that you'd like to show or hide.
-
-You can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages.
-
-## The Investigations page
-
-
-
-On the **Investigations** page, you'll find a list of all automated investigations. Select an item in the list to view additional information about that automated investigation.
-
-By default, the automated investigations list displays investigations initiated in the last week. You can also choose to select other time ranges from the drop-down menu or specify a custom range.
-
-Use the **Customize columns** menu to select columns that you'd like to show or hide.
-
-From this view, you can also download the entire list in CSV format using the **Export** feature, specify the number of items to show per page, and navigate between pages.
-
-### Filters for the list of investigations
-
-On the **Investigations** page, you can view details and use filters to focus on specific information. The following table lists available filters:
-
-|Filter |Description |
-|---------|---------|
-|**Status** |(See [Automated investigation status](#automated-investigation-status)) |
-|**Triggering alert** | The alert that initiated the automated investigation |
-|**Detection source** |The source of the alert that initiated the automated investigation |
-|**Entities** | Entities can include device or devices, and device groups. You can filter the automated investigations list to zone in a specific device to see other investigations related to the device, or to see specific device groups that were created. |
-|**Threat** |The category of threat detected during the automated investigation |
-|**Tags** |Filter using manually added tags that capture the context of an automated investigation|
-|**Comments** |Select between filtering the list between automated investigations that have comments and those that don't|
-
-## Automated investigation status
-
-An automated investigation can have one of the following status values:
-
-|Status |Description |
-|---------|---------|
-| Running | The investigation process has started and is underway. Malicious artifacts that are found are remediated. |
-| Partially investigated | Entities directly related to the alert have been investigated. However, a problem stopped the investigation of collateral entities. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) for specific details. |
-| No threats found | The investigation has finished and no threats were identified.
If you suspect something was missed (such as a false negative), you can use [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview). |
-| Pending action | The investigation has found a threat, and an action to remediate that threat is awaiting approval. The Pending Action state is triggered when any threat with a corresponding action is found. However, the list of pending actions can increase as an investigation runs. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) to see if other items are still pending completion. |
-| Remediated | The investigation finished and all actions were approved (fully remediated). |
-| Partially remediated | The investigation resulted in remediation actions, and some were approved and completed. Other actions are still pending. |
-| Terminated by system | The investigation stopped. An investigation can stop for several reasons:
- The investigation's pending actions expired. Pending actions can time out after awaiting approval for an extended period of time.
- There are too many actions in the list.
Visit the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) to view and approve any pending actions. |
-| Failed | At least one investigation analyzer ran into a problem where it could not complete properly.
If an investigation fails after remediation actions were approved, the remediation actions might still have succeeded. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) for detailed results. |
-| Queued | An investigation is being held in a queue. When other investigations complete, queued investigations begin. |
-| Waiting for device | Investigation paused. The investigation will resume as soon as the device is available. |
-| Terminated by user | A user stopped the investigation before it could complete. |
-
-
-## View details about an automated investigation
-
-
-
-You can view the details of an automated investigation to see information such as the investigation graph, alerts associated with the investigation, the device that was investigated, and other information.
-
-In this view, you'll see the name of the investigation, when it started and ended.
-
-### Investigation graph
-
-The investigation graph provides a graphical representation of an automated investigation. All investigation-related information is simplified and arranged in specific sections. Clicking on any of the icons brings you the relevant section where you can view more information.
-
-A progress ring shows two status indicators:
-- Orange ring - shows the pending portion of the investigation
-- Green ring - shows the running time portion of the investigation
-
-
-
-In the example image, the automated investigation started on 10:26:59 AM and ended on 10:56:26 AM. Therefore, the entire investigation was running for 29 minutes and 27 seconds.
-
-The pending time of 16 minutes and 51 seconds reflects two possible pending states: pending for asset (for example, the device might have disconnected from the network) or pending for approval.
-
-From this view, you can also view and add comments and tags about the investigation.
-
-### Alerts
-
-The **Alerts** tab for an automated investigation shows details such as a short description of the alert that initiated the automated investigation, severity, category, the device associated with the alert, user, time in queue, status, investigation state, and to whom the investigation is assigned.
-
-Additional alerts seen on a device can be added to an automated investigation as long as the investigation is ongoing.
-
-Selecting an alert using the check box brings up the alerts details pane where you have the option of opening the alert page, manage the alert by changing its status, see alert details, automated investigation details, related device, logged-on users, and comments and history.
-
-Clicking on an alert title brings you the alert page.
-
-### Devices
-
-The **Devices** tab Shows details the device name, IP address, group, users, operating system, remediation level, investigation count, and when it was last investigated.
-
-Devices that show the same threat can be added to an ongoing investigation and will be displayed in this tab. If 10 or more devices are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
-
-Selecting a device using the checkbox brings up the device details pane where you can see more information such as device details and logged-on users.
-
-Clicking on a device name brings you the device page.
-
-### Evidence
-
-The **Evidence** tab shows details related to threats associated with this investigation.
-
-### Entities
-
-The **Entities** tab shows details about entities such as files, process, services, drives, and IP addresses. The table details such as the number of entities that were analyzed. You'll gain insight into details such as how many are remediated, suspicious, or had no threats found.
-
-### Log
-
-The **Log** tab gives a chronological detailed view of all the investigation actions taken on the alert. You'll see the action type, action, status, device name, description of the action, comments entered by analysts who may have worked on the investigation, execution start time, duration, pending duration.
-
-As with other sections, you can customize columns, select the number of items to show per page, and filter the log.
-
-Available filters include action type, action, status, device name, and description.
-
-You can also click on an action to bring up the details pane where you'll see information such as the summary of the action and input data.
-
-### Pending actions
-
-If there are pending actions on an automated investigation, you'll see a pop-up similar to the following image.
-
-
-
-When you click on the pending actions link, you'll be taken to the Action center. You can also navigate to the page from the navigation page by going to **automated investigation** > **Action center**.
-
-## Next steps
-
-- [View and approve remediation actions](manage-auto-investigation.md)
-
-- [See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint](https://aka.ms/MDATP-IR-Interactive-Guide)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
deleted file mode 100644
index ef999e9cca..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
+++ /dev/null
@@ -1,104 +0,0 @@
----
-title: Use automated investigations to investigate and remediate threats
-description: Understand the automated investigation flow in Microsoft Defender for Endpoint.
-keywords: automated, investigation, detection, source, threat types, id, tags, devices, duration, filter export, defender atp
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.technology: windows
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.date: 09/30/2020
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs
-ms.custom: AIR
----
-
-# Overview of automated investigations
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bOeh]
-
-Your security operations team receives an alert whenever a malicious or suspicious artifact is detected by Microsoft Defender for Endpoint. Security operations teams face challenges in addressing the multitude of alerts that arise from the seemingly never-ending flow of threats. Microsoft Defender for Endpoint includes automated investigation and remediation capabilities that can help your security operations team address threats more efficiently and effectively.
-
-Automated investigation uses various inspection algorithms and processes used by analysts to examine alerts and take immediate action to resolve breaches. These capabilities significantly reduce alert volume, allowing security operations to focus on more sophisticated threats and other high-value initiatives. The [Action center](auto-investigation-action-center.md) keeps track of all the investigations that were initiated automatically, along with details, such as investigation status, detection source, and any pending or completed actions.
-
-> [!TIP]
-> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink)
-
-## How the automated investigation starts
-
-When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered, and the automated investigation process begins. Microsoft Defender for Endpoint checks to see if the malicious file is present on any other devices in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation.
-
->[!NOTE]
->Currently, automated investigation only supports the following OS versions:
->- Windows Server 2019
->- Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441)) or later
->- Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464/windows-10-update-kb4493464)) or later
->- Later versions of Windows 10
-
-## Details of an automated investigation
-
-During and after an automated investigation, you can view details about the investigation. Select a triggering alert to view the investigation details. From there, you can go to the **Investigation graph**, **Alerts**, **Devices**, **Evidence**, **Entities**, and **Log** tabs.
-
-|Tab |Description |
-|--|--|
-|**Alerts**| The alert(s) that started the investigation.|
-|**Devices** |The device(s) where the threat was seen.|
-|**Evidence** |The entities that were found to be malicious during an investigation.|
-|**Entities** |Details about each analyzed entity, including a determination for each entity type (*Malicious*, *Suspicious*, or *No threats found*). |
-|**Log** |The chronological, detailed view of all the investigation actions taken on the alert.|
-|**Pending actions** |If there are any actions awaiting approval as a result of the investigation, the **Pending actions** tab is displayed. On the **Pending actions** tab, you can approve or reject each action. |
-
-> [!IMPORTANT]
-> Go to the **[Action center](auto-investigation-action-center.md)** to get an aggregated view all pending actions and manage remediation actions. The **Action center** also acts as an audit trail for all automated investigation actions.
-
-## How an automated investigation expands its scope
-
-While an investigation is running, any other alerts generated from the device are added to an ongoing automated investigation until that investigation is completed. In addition, if the same threat is seen on other devices, those devices are added to the investigation.
-
-If an incriminated entity is seen in another device, the automated investigation process expands its scope to include that device, and a general security playbook starts on that device. If 10 or more devices are found during this expansion process from the same entity, then that expansion action requires an approval, and is visible on the **Pending actions** tab.
-
-## How threats are remediated
-
-Depending on how you set up the device groups and their level of automation, each automated investigation either requires user approval (default) or automatically takes action to remediate threats.
-
-> [!NOTE]
-> Microsoft Defender for Endpoint tenants created on or after August 16, 2020 have **Full - remediate threats automatically** selected by default. You can keep the default setting, or change it according to your organizational needs. To change your settings, [adjust your device group settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups).
-
-You can configure the following levels of automation:
-
-|Automation level | Description|
-|---|---|
-|**Full - remediate threats automatically** | All remediation actions are performed automatically. Remediation actions that were taken can be viewed in the [Action Center](auto-investigation-action-center.md), on the **History** tab.
***This option is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.*
*If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Full - remediate threats automatically**.* |
-|**Semi - require approval for core folders remediation** | Approval is required for remediation actions on files or executables that are in core folders. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).
Remediation actions can be taken automatically on files or executables that are in other (non-core) folders. Core folders include operating system directories, such as the **Windows** (`\windows\*`). |
-|**Semi - require approval for non-temp folders remediation** | Approval is required for remediation actions on files or executables that are not in temporary folders. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).
Remediation actions can be taken automatically on files or executables that are in temporary folders. Temporary folders can include the following examples:
- `\users\*\appdata\local\temp\*`
- `\documents and settings\*\local settings\temp\*`
- `\documents and settings\*\local settings\temporary\*`
- `\windows\temp\*`
- `\users\*\downloads\*`
- `\program files\`
- `\program files (x86)\*`
- `\documents and settings\*\users\*` |
-|**Semi - require approval for any remediation** | Approval is required for any remediation action. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).
*This option is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, with no device groups defined.*
*If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.*|
-|**No automated response** | Automated investigation does not run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation.
***This option is not recommended**, because it reduces the security posture of your organization's devices. [Consider setting up or changing your device groups to use **Full** or **Semi** automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups)* |
-
-
-> [!IMPORTANT]
-> If your tenant already has device groups defined, then the automation level settings are not changed for those device groups.
-
-## Next steps
-
-- [Learn about the automated investigations dashboard](manage-auto-investigation.md)
-
-- [See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint](https://aka.ms/MDATP-IR-Interactive-Guide)
-
-## See also
-
-- [Automated investigation and response in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air)
-
-- [Automated investigation and response in Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md
deleted file mode 100644
index 2d1aa8f368..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md
+++ /dev/null
@@ -1,79 +0,0 @@
----
-title: Use basic permissions to access Microsoft Defender Security Center
-description: Learn how to use basic permissions to access the Microsoft Defender Advanced Threat Protection portal.
-keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Use basic permissions to access the portal
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-
-- Azure Active Directory
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-basicaccess-abovefoldlink)
-
-Refer to the instructions below to use basic permissions management.
-
-You can use either of the following:
-- Azure PowerShell
-- Azure Portal
-
-For granular control over permissions, [switch to role-based access control](rbac.md).
-
-## Assign user access using Azure PowerShell
-You can assign users with one of the following levels of permissions:
-- Full access (Read and Write)
-- Read-only access
-
-### Before you begin
-- Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).
-
- > [!NOTE]
- > You need to run the PowerShell cmdlets in an elevated command-line.
-
-- Connect to your Azure Active Directory. For more information see, [Connect-MsolService](https://msdn.microsoft.com/library/dn194123.aspx).
-
-**Full access**
-Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package.
-Assigning full access rights requires adding the users to the "Security Administrator" or "Global Administrator" AAD built-in roles.
-
-**Read only access**
-Users with read only access can log in, view all alerts, and related information.
-They will not be able to change alert states, submit files for deep analysis or perform any state changing operations.
-Assigning read only access rights requires adding the users to the "Security Reader" AAD built-in role.
-
-Use the following steps to assign security roles:
-
-- For **read and write** access, assign users to the security administrator role by using the following command:
- ```text
- Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com"
- ```
-- For **read only** access, assign users to the security reader role by using the following command:
- ```text
- Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress "reader@Contoso.onmicrosoft.com"
- ```
-
-For more information see, [Add or remove group memberships](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups).
-
-## Assign user access using the Azure portal
-For more information, see [Assign administrator and non-administrator roles to uses with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal).
-
-
-## Related topic
-- [Manage portal access using RBAC](rbac.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
deleted file mode 100644
index 8d29204276..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
+++ /dev/null
@@ -1,124 +0,0 @@
----
-title: Behavioral blocking and containment
-description: Learn about behavioral blocking and containment capabilities in Microsoft Defender ATP
-keywords: Microsoft Defender ATP, EDR in block mode, passive mode blocking
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-author: denisebmsft
-ms.author: deniseb
-manager: dansimp
-ms.reviewer: shwetaj
-audience: ITPro
-ms.topic: article
-ms.prod: w10
-ms.localizationpriority: medium
-ms.custom:
-- next-gen
-- edr
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
----
-
-# Behavioral blocking and containment
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-## Overview
-
-Today’s threat landscape is overrun by [fileless malware](https://docs.microsoft.com/windows/security/threat-protection/intelligence/fileless-threats) and that lives off the land, highly polymorphic threats that mutate faster than traditional solutions can keep up with, and human-operated attacks that adapt to what adversaries find on compromised devices. Traditional security solutions are not sufficient to stop such attacks; you need artificial intelligence (AI) and device learning (ML) backed capabilities, such as behavioral blocking and containment, included in [Microsoft Defender ATP](https://docs.microsoft.com/windows/security).
-
-Behavioral blocking and containment capabilities can help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. Next-generation protection, EDR, and Microsoft Defender ATP components and features work together in behavioral blocking and containment capabilities.
-
-:::image type="content" source="images/mdatp-next-gen-EDR-behavblockcontain.png" alt-text="Behavioral blocking and containment":::
-
-Behavioral blocking and containment capabilities work with multiple components and features of Microsoft Defender ATP to stop attacks immediately and prevent attacks from progressing.
-
-- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) (which includes Microsoft Defender Antivirus) can detect threats by analyzing behaviors, and stop threats that have started running.
-
-- [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) receives security signals across your network, devices, and kernel behavior. As threats are detected, alerts are created. Multiple alerts of the same type are aggregated into incidents, which makes it easier for your security operations team to investigate and respond.
-
-- [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) has a wide range of optics across identities, email, data, and apps, in addition to the network, endpoint, and kernel behavior signals received through EDR. A component of [Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection), Microsoft Defender ATP processes and correlates these signals, raises detection alerts, and connects related alerts in incidents.
-
-With these capabilities, more threats can be prevented or blocked, even if they start running. Whenever suspicious behavior is detected, the threat is contained, alerts are created, and threats are stopped in their tracks.
-
-The following image shows an example of an alert that was triggered by behavioral blocking and containment capabilities:
-
-:::image type="content" source="images/blocked-behav-alert.png" alt-text="Example of an alert through behavioral blocking and containment":::
-
-## Components of behavioral blocking and containment
-
-- **On-client, policy-driven [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)** Predefined common attack behaviors are prevented from executing, according to your attack surface reduction rules. When such behaviors attempt to execute, they can be seen in the Microsoft Defender Security Center [https://securitycenter.windows.com](https://securitycenter.windows.com) as informational alerts. (Attack surface reduction rules are not enabled by default; you configure your policies in the Microsoft Defender Security Center.)
-
-- **[Client behavioral blocking](client-behavioral-blocking.md)** Threats on endpoints are detected through machine learning, and then are blocked and remediated automatically. (Client behavioral blocking is enabled by default.)
-
-- **[Feedback-loop blocking](feedback-loop-blocking.md)** (also referred to as rapid protection) Threat detections are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.)
-
-- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)** Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Microsoft Defender Antivirus is not the primary antivirus solution. (EDR in block mode, currently in preview, is not enabled by default; you turn it on in the Microsoft Defender Security Center.)
-
-Expect more to come in the area of behavioral blocking and containment, as Microsoft continues to improve threat protection features and capabilities. To see what's planned and rolling out now, visit the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap).
-
-## Examples of behavioral blocking and containment in action
-
-Behavioral blocking and containment capabilities have blocked attacker techniques such as the following:
-
-- Credential dumping from LSASS
-- Cross-process injection
-- Process hollowing
-- User Account Control bypass
-- Tampering with antivirus (such as disabling it or adding the malware as exclusion)
-- Contacting Command and Control (C&C) to download payloads
-- Coin mining
-- Boot record modification
-- Pass-the-hash attacks
-- Installation of root certificate
-- Exploitation attempt for various vulnerabilities
-
-Below are two real-life examples of behavioral blocking and containment in action.
-
-### Example 1: Credential theft attack against 100 organizations
-
-As described in [In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks](https://www.microsoft.com/security/blog/2019/10/08/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks), a credential theft attack against 100 organizations around the world was stopped by behavioral blocking and containment capabilities. Spear-phishing email messages that contained a lure document were sent to the targeted organizations. If a recipient opened the attachment, a related remote document was able to execute code on the user’s device and load Lokibot malware, which stole credentials, exfiltrated stolen data, and waited for further instructions from a command-and-control server.
-
-Behavior-based device learning models in Microsoft Defender ATP caught and stopped the attacker’s techniques at two points in the attack chain:
-- The first protection layer detected the exploit behavior. Device learning classifiers in the cloud correctly identified the threat as and immediately instructed the client device to block the attack.
-- The second protection layer, which helped stop cases where the attack got past the first layer, detected process hollowing, stopped that process, and removed the corresponding files (such as Lokibot).
-
-While the attack was detected and stopped, alerts, such as an "initial access alert," were triggered and appeared in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)):
-
-:::image type="content" source="images/behavblockcontain-initialaccessalert.png" alt-text="Initial access alert in the Microsoft Defender Security Center":::
-
-This example shows how behavior-based device learning models in the cloud add new layers of protection against attacks, even after they have started running.
-
-### Example 2: NTLM relay - Juicy Potato malware variant
-
-As described in the recent blog post, [Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection), in January 2020, Microsoft Defender ATP detected a privilege escalation activity on a device in an organization. An alert called “Possible privilege escalation using NTLM relay” was triggered.
-
-:::image type="content" source="images/NTLMalertjuicypotato.png" alt-text="NTLM alert for Juicy Potato malware":::
-
-The threat turned out to be malware; it was a new, not-seen-before variant of a notorious hacking tool called Juicy Potato, which is used by attackers to get privilege escalation on a device.
-
-Minutes after the alert was triggered, the file was analyzed, and confirmed to be malicious. Its process was stopped and blocked, as shown in the following image:
-
-:::image type="content" source="images/Artifactblockedjuicypotato.png" alt-text="Artifact blocked":::
-
-A few minutes after the artifact was blocked, multiple instances of the same file were blocked on the same device, preventing additional attackers or other malware from deploying on the device.
-
-This example shows that with behavioral blocking and containment capabilities, threats are detected, contained, and blocked automatically.
-
-## Next steps
-
-- [Learn more about Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response)
-
-- [Configure your attack surface reduction rules](attack-surface-reduction.md)
-
-- [Enable EDR in block mode](edr-in-block-mode.md)
-
-- [See recent global threat activity](https://www.microsoft.com/wdsi/threats)
-
-- [Get an overview of Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md b/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md
deleted file mode 100644
index 9e38e27515..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md
+++ /dev/null
@@ -1,58 +0,0 @@
----
-title: Check the health state of the sensor in Microsoft Defender ATP
-description: Check the sensor health on devices to identify which ones are misconfigured, inactive, or are not reporting sensor data.
-keywords: sensor, sensor health, misconfigured, inactive, no sensor data, sensor data, impaired communications, communication
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 04/24/2018
----
-
-# Check sensor health state in Microsoft Defender ATP
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-checksensor-abovefoldlink)
-
-The **Devices with sensor issues** tile is found on the Security Operations dashboard. This tile provides information on the individual device’s ability to provide sensor data and communicate with the Microsoft Defender ATP service. It reports how many devices require attention and helps you identify problematic devices and take action to correct known issues.
-
-There are two status indicators on the tile that provide information on the number of devices that are not reporting properly to the service:
-- **Misconfigured** - These devices might partially be reporting sensor data to the Microsoft Defender ATP service and might have configuration errors that need to be corrected.
-- **Inactive** - Devices that have stopped reporting to the Microsoft Defender ATP service for more than seven days in the past month.
-
-Clicking any of the groups directs you to **Devices list**, filtered according to your choice.
-
-
-
-On **Devices list**, you can filter the health state list by the following status:
-- **Active** - Devices that are actively reporting to the Microsoft Defender ATP service.
-- **Misconfigured** - These devices might partially be reporting sensor data to the Microsoft Defender ATP service but have configuration errors that need to be corrected. Misconfigured devices can have either one or a combination of the following issues:
- - **No sensor data** - Devices has stopped sending sensor data. Limited alerts can be triggered from the device.
- - **Impaired communications** - Ability to communicate with device is impaired. Sending files for deep analysis, blocking files, isolating device from network and other actions that require communication with the device may not work.
-- **Inactive** - Devices that have stopped reporting to the Microsoft Defender ATP service.
-
-You can also download the entire list in CSV format using the **Export** feature. For more information on filters, see [View and organize the Devices list](machines-view-overview.md).
-
->[!NOTE]
->Export the list in CSV format to display the unfiltered data. The CSV file will include all devices in the organization, regardless of any filtering applied in the view itself and can take a significant amount of time to download, depending on how large your organization is.
-
-
-
-You can view the device details when you click on a misconfigured or inactive device.
-
-## Related topic
-- [Fix unhealthy sensors in Microsoft Defender ATP](fix-unhealthy-sensors.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md b/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md
deleted file mode 100644
index 52e97e1b70..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md
+++ /dev/null
@@ -1,95 +0,0 @@
----
-title: Client behavioral blocking
-description: Client behavioral blocking is part of behavioral blocking and containment capabilities in Microsoft Defender ATP
-keywords: behavioral blocking, rapid protection, client behavior, Microsoft Defender ATP
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-author: denisebmsft
-ms.author: deniseb
-manager: dansimp
-ms.reviewer: shwetaj
-audience: ITPro
-ms.topic: article
-ms.prod: w10
-ms.localizationpriority: medium
-ms.custom:
-- next-gen
-- edr
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
----
-
-# Client behavioral blocking
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-## Overview
-
-Client behavioral blocking is a component of [behavioral blocking and containment capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) in Microsoft Defender ATP. As suspicious behaviors are detected on devices (also referred to as clients or endpoints), artifacts (such as files or applications) are blocked, checked, and remediated automatically.
-
-:::image type="content" source="images/pre-execution-and-post-execution-detection-engines.png" alt-text="Cloud and client protection":::
-
-Antivirus protection works best when paired with cloud protection.
-
-## How client behavioral blocking works
-
-[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) can detect suspicious behavior, malicious code, fileless and in-memory attacks, and more on a device. When suspicious behaviors are detected, Microsoft Defender Antivirus monitors and sends those suspicious behaviors and their process trees to the cloud protection service. Machine learning differentiates between malicious applications and good behaviors within milliseconds, and classifies each artifact. In almost real time, as soon as an artifact is found to be malicious, it's blocked on the device.
-
-Whenever a suspicious behavior is detected, an [alert](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/alerts-queue) is generated, and is visible in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)).
-
-Client behavioral blocking is effective because it not only helps prevent an attack from starting, it can help stop an attack that has begun executing. And, with [feedback-loop blocking](feedback-loop-blocking.md) (another capability of behavioral blocking and containment), attacks are prevented on other devices in your organization.
-
-## Behavior-based detections
-
-Behavior-based detections are named according to the [MITRE ATT&CK Matrix for Enterprise](https://attack.mitre.org/matrices/enterprise). The naming convention helps identify the attack stage where the malicious behavior was observed:
-
-
-|Tactic | Detection threat name |
-|----|----|
-|Initial Access | Behavior:Win32/InitialAccess.*!ml |
-|Execution | Behavior:Win32/Execution.*!ml |
-|Persistence | Behavior:Win32/Persistence.*!ml |
-|Privilege Escalation | Behavior:Win32/PrivilegeEscalation.*!ml |
-|Defense Evasion | Behavior:Win32/DefenseEvasion.*!ml |
-|Credential Access | Behavior:Win32/CredentialAccess.*!ml |
-|Discovery | Behavior:Win32/Discovery.*!ml |
-|Lateral Movement | Behavior:Win32/LateralMovement.*!ml |
-|Collection | Behavior:Win32/Collection.*!ml |
-|Command and Control | Behavior:Win32/CommandAndControl.*!ml |
-|Exfiltration | Behavior:Win32/Exfiltration.*!ml |
-|Impact | Behavior:Win32/Impact.*!ml |
-|Uncategorized | Behavior:Win32/Generic.*!ml |
-
-> [!TIP]
-> To learn more about specific threats, see **[recent global threat activity](https://www.microsoft.com/wdsi/threats)**.
-
-
-## Configuring client behavioral blocking
-
-If your organization is using Microsoft Defender ATP, client behavioral blocking is enabled by default. However, to benefit from all Microsoft Defender ATP capabilities, including [behavioral blocking and containment](behavioral-blocking-containment.md), make sure the following features and capabilities of Microsoft Defender ATP are enabled and configured:
-
-- [Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)
-
-- [Devices onboarded to Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-configure)
-
-- [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode)
-
-- [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
-
-- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features) (antivirus)
-
-## Related articles
-
-- [Behavioral blocking and containment](behavioral-blocking-containment.md)
-
-- [Feedback-loop blocking](feedback-loop-blocking.md)
-
-- [(Blog) Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection/)
-
-- [Helpful Microsoft Defender ATP resources](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/helpful-resources)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md
deleted file mode 100644
index 398305b848..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md
+++ /dev/null
@@ -1,87 +0,0 @@
----
-title: Collect investigation package API
-description: Use this API to create calls related to the collecting an investigation package from a device.
-keywords: apis, graph api, supported apis, collect investigation package
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-
----
-
-# Collect investigation package API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-## API description
-Collect investigation package from a device.
-
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.CollectForensics | 'Collect forensics'
-Delegated (work or school account) | Machine.CollectForensics | 'Collect forensics'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```
-POST https://api.securitycenter.windows.com/api/machines/{id}/collectInvestigationPackage
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | string | application/json. **Required**.
-
-## Request body
-In the request body, supply a JSON object with the following parameters:
-
-Parameter | Type | Description
-:---|:---|:---
-Comment | String | Comment to associate with the action. **Required**.
-
-## Response
-If successful, this method returns 201 - Created response code and [Machine Action](machineaction.md) in the response body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-```
-POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage
-Content-type: application/json
-{
- "Comment": "Collect forensics due to alert 1234"
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md b/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md
deleted file mode 100644
index 3642376253..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md
+++ /dev/null
@@ -1,111 +0,0 @@
----
-title: Microsoft Defender ATP for US Government GCC High customers
-description: Learn about the requirements and the available Microsoft Defender ATP capabilities for US Government CCC High customers
-keywords: government, gcc, high, requirements, capabilities, defender, defender atp, mdatp
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Microsoft Defender ATP for US Government GCC High customers
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for US Government Community Cloud High (GCC High) customers, built in the US Azure Government environment, uses the same underlying technologies as Microsoft Defender ATP in Azure Commercial.
-
-This offering is currently available to US Office 365 GCC High customers and is based on the same prevention, detection, investigation, and remediation as the commercial version. However, there are some key differences in the availability of capabilities for this offering.
-
-
-## Endpoint versions
-The following OS versions are supported:
-
-- Windows 10, version 1903
-- Windows 10, version 1809 (OS Build 17763.404 with [KB4490481](https://support.microsoft.com/en-us/help/4490481))
-- Windows 10, version 1803 (OS Build 17134.799 with [KB4499183](https://support.microsoft.com/help/4499183))
-- Windows 10, version 1709 (OS Build 16299.1182 with [KB4499147](https://support.microsoft.com/help/4499147))
-- Windows Server, 2019 (with [KB4490481](https://support.microsoft.com/en-us/help/4490481))
-
->[!NOTE]
->A patch must be deployed before device onboarding in order to configure Microsoft Defender ATP to the correct environment.
-
-The following OS versions are supported via Azure Security Center:
-- Windows Server 2008 R2 SP1
-- Windows Server 2012 R2
-- Windows Server 2016
-
-The following OS versions are not supported:
-- Windows Server 2008 R2 SP1 (standalone, not via ASC)
-- Windows Server 2012 R2 (standalone, not via ASC)
-- Windows Server 2016 (standalone, not via ASC)
-- Windows Server, version 1803
-- Windows 7 SP1 Enterprise
-- Windows 7 SP1 Pro
-- Windows 8 Pro
-- Windows 8.1 Enterprise
-- macOS
-- Linux
-
-The initial release of Microsoft Defender ATP will not have immediate parity with the commercial offering. While our goal is to deliver all commercial features and functionality to our US Government (GCC High) customers, there are some capabilities not yet available that we'd like to highlight. These are the known gaps as of August 2020:
-
-## Threat Analytics
-Not currently available.
-
-## Threat & Vulnerability Management
-Not currently available.
-
-
-## Automated investigation and remediation
-The following capabilities are not currently available:
-- Response to Office 365 alerts
-- Live response
-
-
-
-## Management and APIs
-The following capabilities are not currently available:
-
-- Threat protection report
-- Device health and compliance report
-- Integration with third-party products
-
-
-## Email notifications
-Not currently available.
-
-
-## Integrations
-Integrations with the following Microsoft products are not currently available:
-- Azure Advanced Threat Protection
-- Azure Information Protection
-- Office 365 Advanced Threat Protection
-- Microsoft Cloud App Security
-- Skype for Business
-- Microsoft Intune (sharing of device information and enhanced policy enforcement)
-
-## Microsoft Threat Experts
-Not currently available.
-
-## Required connectivity settings
-You'll need to ensure that traffic from the following are allowed:
-
-Service location | DNS record
-:---|:---
-Common URLs for all locations (Global location) | ```crl.microsoft.com```
```ctldl.windowsupdate.com```
```notify.windows.com```
```settings-win.data.microsoft.com```
NOTE: ```settings-win.data.microsoft.com``` is only needed on Windows 10 devices running version 1803 or earlier.
-Microsoft Defender ATP GCC High specific | ```us4-v20.events.data.microsoft.com```
```winatp-gw-usgt.microsoft.com```
```winatp-gw-usgv.microsoft.com```
```*.blob.core.usgovcloudapi.net```
-
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/common-errors.md b/windows/security/threat-protection/microsoft-defender-atp/common-errors.md
deleted file mode 100644
index d34460c4bf..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/common-errors.md
+++ /dev/null
@@ -1,86 +0,0 @@
----
-title: Common Microsoft Defender ATP API errors
-description: List of common Microsoft Defender ATP API errors with descriptions.
-keywords: apis, mdatp api, errors, troubleshooting
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Common REST API error codes
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-* The error codes listed in the following table may be returned by an operation on any of Microsoft Defender ATP APIs.
-* Note that in addition to the error code, every error response contains an error message which can help resolving the problem.
-* Note that the message is a free text that can be changed.
-* At the bottom of the page you can find response examples.
-
-Error code |HTTP status code |Message
-:---|:---|:---
-BadRequest | BadRequest (400) | General Bad Request error message.
-ODataError | BadRequest (400) | Invalid OData URI query (the specific error is specified).
-InvalidInput | BadRequest (400) | Invalid input {the invalid input}.
-InvalidRequestBody | BadRequest (400) | Invalid request body.
-InvalidHashValue | BadRequest (400) | Hash value {the invalid hash} is invalid.
-InvalidDomainName | BadRequest (400) | Domain name {the invalid domain} is invalid.
-InvalidIpAddress | BadRequest (400) | IP address {the invalid IP} is invalid.
-InvalidUrl | BadRequest (400) | URL {the invalid URL} is invalid.
-MaximumBatchSizeExceeded | BadRequest (400) | Maximum batch size exceeded. Received: {batch size received}, allowed: {batch size allowed}.
-MissingRequiredParameter | BadRequest (400) | Parameter {the missing parameter} is missing.
-OsPlatformNotSupported | BadRequest (400) | OS Platform {the client OS Platform} is not supported for this action.
-ClientVersionNotSupported | BadRequest (400) | {The requested action} is supported on client version {supported client version} and above.
-Unauthorized | Unauthorized (401) | Unauthorized (usually invalid or expired authorization header).
-Forbidden | Forbidden (403) | Forbidden (valid token but insufficient permission for the action).
-DisabledFeature | Forbidden (403) | Tenant feature is not enabled.
-DisallowedOperation | Forbidden (403) | {the disallowed operation and the reason}.
-NotFound | Not Found (404) | General Not Found error message.
-ResourceNotFound | Not Found (404) | Resource {the requested resource} was not found.
-InternalServerError | Internal Server Error (500) | (No error message, try retry the operation or contact us if it does not resolved)
-
-## Body parameters are case sensitive
-
-The submitted body parameters are currently case sensitive.
-
If you experience an **InvalidRequestBody** or **MissingRequiredParameter** errors, it might be caused from a wrong parameter capital or lower-case letter.
-
It is recommended to go to the requested Api documentation page and check that the submitted parameters match the relevant example.
-
-## Correlation request ID
-
-Each error response contains a unique ID parameter for tracking.
-
The property name of this parameter is "target".
-
When contacting us about an error, attaching this ID will help find the root cause of the problem.
-
-## Examples
-
-```json
-{
- "error": {
- "code": "ResourceNotFound",
- "message": "Machine 123123123 was not found",
- "target": "43f4cb08-8fac-4b65-9db1-745c2ae65f3a"
- }
-}
-```
-
-
-```json
-{
- "error": {
- "code": "InvalidRequestBody",
- "message": "Request body is incorrect",
- "target": "1fa66c0f-18bd-4133-b378-36d76f3a2ba0"
- }
-}
-```
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/community.md b/windows/security/threat-protection/microsoft-defender-atp/community.md
deleted file mode 100644
index 7a83827fc5..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/community.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-title: Access the Microsoft Defender ATP Community Center
-description: Access the Microsoft Defender ATP Community Center to share experiences, engange, and learn about the product.
-keywords: community, community center, tech community, conversation, announcements
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.date: 04/24/2018
----
-
-
-# Access the Microsoft Defender ATP Community Center
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-
-The Microsoft Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product.
-
-There are several spaces you can explore to learn about specific information:
-- Announcements
-- What's new
-- Threat Intelligence
-
-
-There are several ways you can access the Community Center:
-- In the Microsoft Defender Security Center navigation pane, select **Community center**. A new browser tab opens and takes you to the Microsoft Defender ATP Tech Community page.
-- Access the community through the [Microsoft Defender Advanced Threat Protection Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced) page
-
-
-You can instantly view and read conversations that have been posted in the community.
-
-To get the full experience within the community such as being able to comment on posts, you'll need to join the community. For more information on how to get started in the Microsoft Tech Community, see [Microsoft Tech Community: Getting Started](https://techcommunity.microsoft.com/t5/Getting-Started/Microsoft-Tech-Community-Getting-Started-Guide/m-p/77888#M15).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md b/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md
deleted file mode 100644
index edcabf4028..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md
+++ /dev/null
@@ -1,81 +0,0 @@
----
-title: Enable Conditional Access to better protect users, devices, and data
-description: Enable Conditional Access to prevent applications from running if a device is considered at risk and an application is determined to be non-compliant.
-keywords: conditional access, block applications, security level, intune,
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Enable Conditional Access to better protect users, devices, and data
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-conditionalaccess-abovefoldlink)
-
-Conditional Access is a capability that helps you better protect your users and enterprise information by making sure that only secure devices have access to applications.
-
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4byD1]
-
-With Conditional Access, you can control access to enterprise information based on the risk level of a device. This helps keep trusted users on trusted devices using trusted applications.
-
-You can define security conditions under which devices and applications can run and access information from your network by enforcing policies to stop applications from running until a device returns to a compliant state.
-
-The implementation of Conditional Access in Microsoft Defender ATP is based on Microsoft Intune (Intune) device compliance policies and Azure Active Directory (Azure AD) conditional access policies.
-
-The compliance policy is used with Conditional Access to allow only devices that fulfill one or more device compliance policy rules to access applications.
-
-## Understand the Conditional Access flow
-Conditional Access is put in place so that when a threat is seen on a device, access to sensitive content is blocked until the threat is remediated.
-
-The flow begins with devices being seen to have a low, medium, or high risk. These risk determinations are then sent to Intune.
-
-Depending on how you configure policies in Intune, Conditional Access can be set up so that when certain conditions are met, the policy is applied.
-
-For example, you can configure Intune to apply Conditional Access on devices that have a high risk.
-
-In Intune, a device compliance policy is used in conjunction with Azure AD Conditional Access to block access to applications. In parallel, an automated investigation and remediation process is launched.
-
- A user can still use the device while the automated investigation and remediation is taking place, but access to enterprise data is blocked until the threat is fully remediated.
-
-To resolve the risk found on a device, you'll need to return the device to a compliant state. A device returns to a compliant state when there is no risk seen on it.
-
-There are three ways to address a risk:
-1. Use Manual or automated remediation.
-2. Resolve active alerts on the device. This will remove the risk from the device.
-3. You can remove the device from the active policies and consequently, Conditional Access will not be applied on the device.
-
-Manual remediation requires a secops admin to investigate an alert and address the risk seen on the device. The automated remediation is configured through configuration settings provided in the following section, [Configure Conditional Access](configure-conditional-access.md).
-
-When the risk is removed either through manual or automated remediation, the device returns to a compliant state and access to applications is granted.
-
-The following example sequence of events explains Conditional Access in action:
-
-1. A user opens a malicious file and Microsoft Defender ATP flags the device as high risk.
-2. The high risk assessment is passed along to Intune. In parallel, an automated investigation is initiated to remediate the identified threat. A manual remediation can also be done to remediate the identified threat.
-3. Based on the policy created in Intune, the device is marked as not compliant. The assessment is then communicated to Azure AD by the Intune Conditional Access policy. In Azure AD, the corresponding policy is applied to block access to applications.
-4. The manual or automated investigation and remediation is completed and the threat is removed. Microsoft Defender ATP sees that there is no risk on the device and Intune assesses the device to be in a compliant state. Azure AD applies the policy which allows access to applications.
-5. Users can now access applications.
-
-
-## Related topic
-- [Configure Conditional Access in Microsoft Defender ATP](configure-conditional-access.md)
-
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md
deleted file mode 100644
index 2a2e4d3535..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md
+++ /dev/null
@@ -1,210 +0,0 @@
----
-title: Configure Micro Focus ArcSight to pull Microsoft Defender ATP detections
-description: Configure Micro Focus ArcSight to receive and pull detections from Microsoft Defender Security Center
-keywords: configure Micro Focus ArcSight, security information and events management tools, arcsight
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Configure Micro Focus ArcSight to pull Microsoft Defender ATP detections
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configurearcsight-abovefoldlink)
-
-You'll need to install and configure some files and tools to use Micro Focus ArcSight so that it can pull Microsoft Defender ATP detections.
-
->[!Note]
->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
->- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details.
-
-## Before you begin
-
-Configuring the Micro Focus ArcSight Connector tool requires several configuration files for it to pull and parse detections from your Azure Active Directory (AAD) application.
-
-This section guides you in getting the necessary information to set and use the required configuration files correctly.
-
-- Make sure you have enabled the SIEM integration feature from the **Settings** menu. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md).
-
-- Have the file you saved from enabling the SIEM integration feature ready. You'll need to get the following values:
- - OAuth 2.0 Token refresh URL
- - OAuth 2.0 Client ID
- - OAuth 2.0 Client secret
-
-- Have the following configuration files ready:
- - WDATP-connector.properties
- - WDATP-connector.jsonparser.properties
-
- You would have saved a .zip file which contains these two files when you chose Micro Focus ArcSight as the SIEM type you use in your organization.
-
-- Make sure you generate the following tokens and have them ready:
- - Access token
- - Refresh token
-
- You can generate these tokens from the **SIEM integration** setup section of the portal.
-
-## Install and configure Micro Focus ArcSight FlexConnector
-
-The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin).
-
-1. Install the latest 32-bit Windows FlexConnector installer. You can find this in the HPE Software center. The tool is typically installed in the following default location: `C:\Program Files\ArcSightFlexConnectors\current\bin`.You can choose where to save the tool, for example C:\\*folder_location*\current\bin where *folder_location* represents the installation location.
-
-2. Follow the installation wizard through the following tasks:
- - Introduction
- - Choose Install Folder
- - Choose Install Set
- - Choose Shortcut Folder
- - Pre-Installation Summary
- - Installing...
-
- You can keep the default values for each of these tasks or modify the selection to suit your requirements.
-
-3. Open File Explorer and locate the two configuration files you saved when you enabled the SIEM integration feature. Put the two files in the FlexConnector installation location, for example:
-
- - WDATP-connector.jsonparser.properties: C:\\*folder_location*\current\user\agent\flexagent\
-
- - WDATP-connector.properties: C:\\*folder_location*\current\user\agent\flexagent\
-
- > [!NOTE]
- >
- > You must put the configuration files in this location, where *folder_location* represents the location where you installed the tool.
-
-4. After the installation of the core connector completes, the Connector Setup window opens. In the Connector Setup window, select **Add a Connector**.
-
-5. Select Type: **ArcSight FlexConnector REST** and click **Next**.
-
-6. Type the following information in the parameter details form. All other values in the form are optional and can be left blank.
-
-
-
-
-
- Field
- Value
-
-
- Configuration File
- Type in the name of the client property file. The name must match the file provided in the .zip that you downloaded.
- For example, if the configuration file in "flexagent" directory is named "WDATP-Connector.jsonparser.properties", you must type "WDATP-Connector" as the name of the client property file.
- Events URL
- Depending on the location of your datacenter, select either the EU or the US URL: For EU: https://wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
-
- For US: https://wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
For UK: https://wdatp-alertexporter-uk.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
-
- Authentication Type
- OAuth 2
- OAuth 2 Client Properties file
- Browse to the location of the wdatp-connector.properties file. The name must match the file provided in the .zip that you downloaded.
-
-
-
- Refresh Token
- You can obtain a refresh token in two ways: by generating a refresh token from the SIEM settings page or using the restutil tool.
-
For more information on generating a refresh token from the Preferences setup , see Enable SIEM integration in Microsoft Defender ATP. Get your refresh token using the restutil tool: a. Open a command prompt. Navigate to C:\folder_location\current\bin where folder_location represents the location where you installed the tool. b. Type: arcsight restutil token -config from the bin directory.For example: arcsight restutil boxtoken -proxy proxy.location.hp.com:8080 A Web browser window will open. c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials. d. A refresh token is shown in the command prompt. e. Copy and paste it into the Refresh Token field.
-
-
-7. A browser window is opened by the connector. Login with your application credentials. After you log in, you'll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth 2 Client so that the connector configuration can authenticate.
-
- If the redirect_uri is a https URL, you'll be redirected to a URL on the local host. You'll see a page that requests for you to trust the certificate supplied by the connector running on the local host. You'll need to trust this certificate if the redirect_uri is a https.
-
- If however you specify a http URL for the redirect_uri, you do not need to provide consent in trusting the certificate.
-
-8. Continue with the connector setup by returning to the Micro Focus ArcSight Connector Setup window.
-
-9. Select the **ArcSight Manager (encrypted)** as the destination and click **Next**.
-
-10. Type in the destination IP/hostname in **Manager Hostname** and your credentials in the parameters form. All other values in the form should be retained with the default values. Click **Next**.
-
-11. Type in a name for the connector in the connector details form. All other values in the form are optional and can be left blank. Click **Next**.
-
-12. The ESM Manager import certificate window is shown. Select **Import the certificate to connector from destination** and click **Next**. The **Add connector Summary** window is displayed and the certificate is imported.
-
-13. Verify that the details in the **Add connector Summary** window is correct, then click **Next**.
-
-14. Select **Install as a service** and click **Next**.
-
-15. Type a name in the **Service Internal Name** field. All other values in the form can be retained with the default values or left blank . Click **Next**.
-
-16. Type in the service parameters and click **Next**. A window with the **Install Service Summary** is shown. Click **Next**.
-
-17. Finish the installation by selecting **Exit** and **Next**.
-
-## Install and configure the Micro Focus ArcSight console
-
-1. Follow the installation wizard through the following tasks:
- - Introduction
- - License Agreement
- - Special Notice
- - Choose ArcSight installation directory
- - Choose Shortcut Folder
- - Pre-Installation Summary
-
-2. Click **Install**. After the installation completes, the ArcSight Console Configuration Wizard opens.
-
-3. Type localhost in **Manager Host Name** and 8443 in **Manager Port** then click **Next**.
-
-4. Select **Use direct connection**, then click **Next**.
-
-5. Select **Password Based Authentication**, then click **Next**.
-
-6. Select **This is a single user installation. (Recommended)**, then click **Next**.
-
-7. Click **Done** to quit the installer.
-
-8. Login to the Micro Focus ArcSight console.
-
-9. Navigate to **Active channel set** > **New Condition** > **Device** > **Device Product**.
-
-10. Set **Device Product = Microsoft Defender ATP**. When you've verified that events are flowing to the tool, stop the process again and go to Windows Services and start the ArcSight FlexConnector REST.
-
-You can now run queries in the Micro Focus ArcSight console.
-
-Microsoft Defender ATP detections will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name.
-
-
-## Troubleshooting Micro Focus ArcSight connection
-
-**Problem:** Failed to refresh the token. You can find the log located in C:\\*folder_location*\current\logs where *folder_location* represents the location where you installed the tool. Open _agent.log_ and look for `ERROR/FATAL/WARN`.
-
-**Symptom:** You get the following error message:
-
-`Failed to refresh the token. Set reauthenticate to true: com.arcsight.common.al.e: Failed to refresh access token: status=HTTP/1.1 400 Bad Request FATAL EXCEPTION: Could not refresh the access token`
-
-**Solution:**
-
-1. Stop the process by clicking Ctrl + C on the Connector window. Click **Y** when asked "Terminate batch job Y/N?".
-
-2. Navigate to the folder where you stored the WDATP-connector.properties file and edit it to add the following value:
- `reauthenticate=true`.
-
-3. Restart the connector by running the following command: `arcsight.bat connectors`.
-
- A browser window appears. Allow it to run, it should disappear, and the connector should now be running.
-
-> [!NOTE]
-> Verify that the connector is running by stopping the process again. Then start the connector again, and no browser window should appear.
-
-## Related topics
-- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
-- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)
-- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md)
-- [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
deleted file mode 100644
index 736ab0b846..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md
+++ /dev/null
@@ -1,40 +0,0 @@
----
-title: Configure attack surface reduction
-description: Use Microsoft Intune, Microsoft Endpoint Configuration Manager, Powershell cmdlets, and Group Policy to configure attack surface reduction.
-keywords: asr, attack surface reduction, windows defender, microsoft defender, antivirus, av
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Configure attack surface reduction
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-You can configure attack surface reduction with a number of tools, including:
-
-* Microsoft Intune
-* Microsoft Endpoint Configuration Manager
-* Group Policy
-* PowerShell cmdlets
-
-Article | Description
--|-
-[Enable hardware-based isolation for Microsoft Edge](../microsoft-defender-application-guard/install-md-app-guard.md) | How to prepare for and install Application Guard, including hardware and software requirements
-[Enable application control](../windows-defender-application-control/windows-defender-application-control.md)|How to control applications run by users and protect kernel mode processes
-[Exploit protection](./enable-exploit-protection.md)|How to automatically apply exploit mitigation techniques on both operating system processes and on individual apps
-[Network protection](./enable-network-protection.md)|How to prevent users from using any apps to access dangerous domains
-[Controlled folder access](./enable-controlled-folders.md)|How to protect valuable data from malicious apps
-[Attack surface reduction](./enable-attack-surface-reduction.md)|How to prevent actions and apps that are typically used by exploit-seeking malware
-[Network firewall](../windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)|How to protect devices and data across a network
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md
deleted file mode 100644
index 6a3872d1b2..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md
+++ /dev/null
@@ -1,61 +0,0 @@
----
-title: Configure automated investigation and remediation capabilities
-description: Set up your automated investigation and remediation capabilities in Microsoft Defender for Endpoint.
-keywords: configure, setup, automated, investigation, detection, alerts, remediation, response
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.technology: windows
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 09/24/2020
-ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs
----
-
-# Configure automated investigation and remediation capabilities in Microsoft Defender for Endpoint
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to**
-
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-If your organization is using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/) (Microsoft Defender ATP), [automated investigation and remediation capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) can save your security operations team time and effort. As outlined in [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/enhance-your-soc-with-microsoft-defender-atp-automatic/ba-p/848946), these capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats. [Learn more about automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations).
-
-To configure automated investigation and remediation, you [turn on the features](#turn-on-automated-investigation-and-remediation), and then you [set up device groups](#set-up-device-groups).
-
-## Turn on automated investigation and remediation
-
-1. As a global administrator or security administrator, go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
-2. In the navigation pane, choose **Settings**.
-3. In the **General** section, select **Advanced features**.
-4. Turn on both **Automated Investigation** and **Automatically resolve alerts**.
-
-## Set up device groups
-
-1. In the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)), on the **Settings** page, under **Permissions**, select **Device groups**.
-2. Select **+ Add device group**.
-3. Create at least one device group, as follows:
- - Specify a name and description for the device group.
- - In the **Automation level list**, select a level, such as **Full – remediate threats automatically**. The automation level determines whether remediation actions are taken automatically, or only upon approval. To learn more, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated).
- - In the **Members** section, use one or more conditions to identify and include devices.
- - On the **User access** tab, select the [Azure Active Directory groups](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-manage-groups?context=azure/active-directory/users-groups-roles/context/ugr-context) who should have access to the device group you're creating.
-4. Select **Done** when you're finished setting up your device group.
-
-## Next steps
-
-- [Visit the Action Center to view pending and completed remediation actions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center)
-
-- [Review and approve actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation)
-
-- [Manage indicators for files, IP addresses, URLs, or domains](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md
deleted file mode 100644
index 8946b66493..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md
+++ /dev/null
@@ -1,110 +0,0 @@
----
-title: Configure Conditional Access in Microsoft Defender ATP
-description: Learn about steps that you need to do in Intune, Microsoft Defender Security Center, and Azure to implement Conditional access
-keywords: conditional access, conditional, access, device risk, risk level, integration, intune integration
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Configure Conditional Access in Microsoft Defender ATP
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-This section guides you through all the steps you need to take to properly implement Conditional Access.
-
-### Before you begin
->[!WARNING]
->It's important to note that Azure AD registered devices is not supported in this scenario.
->Only Intune enrolled devices are supported.
-
-
-You need to make sure that all your devices are enrolled in Intune. You can use any of the following options to enroll devices in Intune:
-
-
-- IT Admin: For more information on how to enabling auto-enrollment, see [Windows Enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment)
-- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune](https://docs.microsoft.com/intune/quickstart-enroll-windows-device)
-- End-user alternative: For more information on joining an Azure AD domain, see [How to: Plan your Azure AD join implementation](https://docs.microsoft.com/azure/active-directory/devices/azureadjoin-plan).
-
-
-
-There are steps you'll need to take in Microsoft Defender Security Center, the Intune portal, and Azure AD portal.
-
-It's important to note the required roles to access these portals and implement Conditional access:
-- **Microsoft Defender Security Center** - You'll need to sign into the portal with a global administrator role to turn on the integration.
-- **Intune** - You'll need to sign in to the portal with security administrator rights with management permissions.
-- **Azure AD portal** - You'll need to sign in as a global administrator, security administrator, or Conditional Access administrator.
-
-
-> [!NOTE]
-> You'll need a Microsoft Intune environment, with Intune managed and Azure AD joined Windows 10 devices.
-
-Take the following steps to enable Conditional Access:
-- Step 1: Turn on the Microsoft Intune connection from Microsoft Defender Security Center
-- Step 2: Turn on the Microsoft Defender ATP integration in Intune
-- Step 3: Create the compliance policy in Intune
-- Step 4: Assign the policy
-- Step 5: Create an Azure AD Conditional Access policy
-
-
-### Step 1: Turn on the Microsoft Intune connection
-1. In the navigation pane, select **Settings** > **Advanced features** > **Microsoft Intune connection**.
-2. Toggle the Microsoft Intune setting to **On**.
-3. Click **Save preferences**.
-
-
-### Step 2: Turn on the Microsoft Defender ATP integration in Intune
-1. Sign in to the [Azure portal](https://portal.azure.com).
-2. Select **Device compliance** > **Microsoft Defender ATP**.
-3. Set **Connect Windows 10.0.15063+ devices to Microsoft Defender Advanced Threat Protection** to **On**.
-4. Click **Save**.
-
-
-### Step 3: Create the compliance policy in Intune
-1. In the [Azure portal](https://portal.azure.com), select **All services**, filter on **Intune**, and select **Microsoft Intune**.
-2. Select **Device compliance** > **Policies** > **Create policy**.
-3. Enter a **Name** and **Description**.
-4. In **Platform**, select **Windows 10 and later**.
-5. In the **Device Health** settings, set **Require the device to be at or under the Device Threat Level** to your preferred level:
-
- - **Secured**: This level is the most secure. The device cannot have any existing threats and still access company resources. If any threats are found, the device is evaluated as noncompliant.
- - **Low**: The device is compliant if only low-level threats exist. Devices with medium or high threat levels are not compliant.
- - **Medium**: The device is compliant if the threats found on the device are low or medium. If high-level threats are detected, the device is determined as noncompliant.
- - **High**: This level is the least secure, and allows all threat levels. So devices that with high, medium or low threat levels are considered compliant.
-
-6. Select **OK**, and **Create** to save your changes (and create the policy).
-
-### Step 4: Assign the policy
-1. In the [Azure portal](https://portal.azure.com), select **All services**, filter on **Intune**, and select **Microsoft Intune**.
-2. Select **Device compliance** > **Policies**> select your Microsoft Defender ATP compliance policy.
-3. Select **Assignments**.
-4. Include or exclude your Azure AD groups to assign them the policy.
-5. To deploy the policy to the groups, select **Save**. The user devices targeted by the policy are evaluated for compliance.
-
-### Step 5: Create an Azure AD Conditional Access policy
-1. In the [Azure portal](https://portal.azure.com), open **Azure Active Directory** > **Conditional Access** > **New policy**.
-2. Enter a policy **Name**, and select **Users and groups**. Use the Include or Exclude options to add your groups for the policy, and select **Done**.
-3. Select **Cloud apps**, and choose which apps to protect. For example, choose **Select apps**, and select **Office 365 SharePoint Online** and **Office 365 Exchange Online**. Select **Done** to save your changes.
-
-4. Select **Conditions** > **Client apps** to apply the policy to apps and browsers. For example, select **Yes**, and then enable **Browser** and **Mobile apps and desktop clients**. Select **Done** to save your changes.
-
-5. Select **Grant** to apply Conditional Access based on device compliance. For example, select **Grant access** > **Require device to be marked as compliant**. Choose **Select** to save your changes.
-
-6. Select **Enable policy**, and then **Create** to save your changes.
-
-For more information, see [Enable Microsoft Defender ATP with Conditional Access in Intune](https://docs.microsoft.com/intune/advanced-threat-protection).
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-conditionalaccess-belowfoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md
deleted file mode 100644
index 18ba591b16..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md
+++ /dev/null
@@ -1,101 +0,0 @@
----
-title: Configure alert notifications in Microsoft Defender ATP
-description: You can use Microsoft Defender Advanced Threat Protection to configure email notification settings for security alerts, based on severity and other criteria.
-keywords: email notifications, configure alert notifications, microsoft defender atp notifications, microsoft defender atp alerts, windows 10 enterprise, windows 10 education
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Configure alert notifications in Microsoft Defender ATP
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-emailconfig-abovefoldlink)
-
-You can configure Microsoft Defender ATP to send email notifications to specified recipients for new alerts. This feature enables you to identify a group of individuals who will immediately be informed and can act on alerts based on their severity.
-
-> [!NOTE]
-> Only users with 'Manage security settings' permissions can configure email notifications. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications.
-
-You can set the alert severity levels that trigger notifications. You can also add or remove recipients of the email notification. New recipients get notified about alerts encountered after they are added. For more information about alerts, see [View and organize the Alerts queue](alerts-queue.md).
-
-If you're using role-based access control (RBAC), recipients will only receive notifications based on the device groups that were configured in the notification rule.
-Users with the proper permission can only create, edit, or delete notifications that are limited to their device group management scope.
-Only users assigned to the Global administrator role can manage notification rules that are configured for all device groups.
-
-The email notification includes basic information about the alert and a link to the portal where you can do further investigation.
-
-
-## Create rules for alert notifications
-You can create rules that determine the devices and alert severities to send email notifications for and the notification recipients.
-
-
-1. In the navigation pane, select **Settings** > **Alert notifications**.
-
-2. Click **Add notification rule**.
-
-3. Specify the General information:
- - **Rule name** - Specify a name for the notification rule.
- - **Include organization name** - Specify the customer name that appears on the email notification.
- - **Include tenant-specific portal link** - Adds a link with the tenant ID to allow access to a specific tenant.
- - **Include device information** - Includes the device name in the email alert body.
-
- >[!NOTE]
- > This information might be processed by recipient mail servers that ar not in the geographic location you have selected for your Microsoft Defender ATP data.
-
- - **Devices** - Choose whether to notify recipients for alerts on all devices (Global administrator role only) or on selected device groups. For more information, see [Create and manage device groups](machine-groups.md).
- - **Alert severity** - Choose the alert severity level.
-
-4. Click **Next**.
-
-5. Enter the recipient's email address then click **Add recipient**. You can add multiple email addresses.
-
-6. Check that email recipients are able to receive the email notifications by selecting **Send test email**.
-
-7. Click **Save notification rule**.
-
-## Edit a notification rule
-1. Select the notification rule you'd like to edit.
-
-2. Update the General and Recipient tab information.
-
-3. Click **Save notification rule**.
-
-
-## Delete notification rule
-
-1. Select the notification rule you'd like to delete.
-
-2. Click **Delete**.
-
-
-## Troubleshoot email notifications for alerts
-This section lists various issues that you may encounter when using email notifications for alerts.
-
-**Problem:** Intended recipients report they are not getting the notifications.
-
-**Solution:** Make sure that the notifications are not blocked by email filters:
-
-1. Check that the Microsoft Defender ATP email notifications are not sent to the Junk Email folder. Mark them as Not junk.
-2. Check that your email security product is not blocking the email notifications from Microsoft Defender ATP.
-3. Check your email application rules that might be catching and moving your Microsoft Defender ATP email notifications.
-
-## Related topics
-- [Update data retention settings](data-retention-settings.md)
-- [Configure advanced features](advanced-features.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
deleted file mode 100644
index 36703ec3a4..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
+++ /dev/null
@@ -1,230 +0,0 @@
----
-title: Onboard Windows 10 devices to Microsoft Defender ATP via Group Policy
-description: Use Group Policy to deploy the configuration package on Windows 10 devices so that they are onboarded to the service.
-keywords: configure devices using group policy, device management, configure Windows ATP devices, onboard Microsoft Defender Advanced Threat Protection devices, group policy
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 04/24/2018
----
-
-# Onboard Windows 10 devices using Group Policy
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- Group Policy
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsgp-abovefoldlink)
-
-
-> [!NOTE]
-> To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later.
-
-> For Windows Server 2019, you may need to replace NT AUTHORITY\Well-Known-System-Account with NT AUTHORITY\SYSTEM of the XML file that the Group Policy preference creates.
-
-## Onboard devices using Group Policy
-1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
-
- a. In the navigation pane, select **Settings** > **Onboarding**.
-
- b. Select Windows 10 as the operating system.
-
- c. In the **Deployment method** field, select **Group policy**.
-
- d. Click **Download package** and save the .zip file.
-
-2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the device. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*.
-
-3. Open the [Group Policy Management Console](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
-
-4. In the **Group Policy Management Editor**, go to **Computer configuration**, then **Preferences**, and then **Control panel settings**.
-
-5. Right-click **Scheduled tasks**, point to **New**, and then click **Immediate Task (At least Windows 7)**.
-
-6. In the **Task** window that opens, go to the **General** tab. Under **Security options** click **Change User or Group** and type SYSTEM and then click **Check Names** then **OK**. NT AUTHORITY\SYSTEM appears as the user account the task will run as.
-
-7. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check box.
-
-8. Go to the **Actions** tab and click **New...** Ensure that **Start a program** is selected in the **Action** field. Enter the file name and location of the shared *WindowsDefenderATPOnboardingScript.cmd* file.
-
-9. Click **OK** and close any open GPMC windows.
-
->[!TIP]
-> After onboarding the device, you can choose to run a detection test to verify that the device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md).
-
-## Additional Microsoft Defender ATP configuration settings
-For each device, you can state whether samples can be collected from the device when a request is made through Microsoft Defender Security Center to submit a file for deep analysis.
-
-You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature.
-
-### Configure sample collection settings
-1. On your GP management device, copy the following files from the
- configuration package:
-
- a. Copy _AtpConfiguration.admx_ into _C:\\Windows\\PolicyDefinitions_
-
- b. Copy _AtpConfiguration.adml_ into _C:\\Windows\\PolicyDefinitions\\en-US_
-
- If you are using a [Central Store for Group Policy Administrative Templates](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra), copy the following files from the
- configuration package:
-
- a. Copy _AtpConfiguration.admx_ into _\\\\\
-Key type is a D-WORD.
-Possible values are:
-- 0 - doesn't allow sample sharing from this device
-- 1 - allows sharing of all file types from this device
-
-The default value in case the registry key doesn’t exist is 1.
-
-For more information about System Center Configuration Manager Compliance, see [Introduction to compliance settings in System Center 2012 R2 Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/gg682139\(v=technet.10\)).
-
-
-## Other recommended configuration settings
-After onboarding devices to the service, it's important to take advantage of the included threat protection capabilities by enabling them with the following recommended configuration settings.
-
-### Device collection configuration
-If you're using Endpoint Configuration Manager, version 2002 or later, you can choose to broaden the deployment to include servers or down-level clients.
-
-
-### Next generation protection configuration
-The following configuration settings are recommended:
-
-**Scan**
-- Scan removable storage devices such as USB drives: Yes
-
-**Real-time Protection**
-- Enable Behavioral Monitoring: Yes
-- Enable protection against Potentially Unwanted Applications at download and prior to installation: Yes
-
-**Cloud Protection Service**
-- Cloud Protection Service membership type: Advanced membership
-
-**Attack surface reduction**
-Configure all available rules to Audit.
-
->[!NOTE]
-> Blocking these activities may interrupt legitimate business processes. The best approach is setting everything to audit, identifying which ones are safe to turn on, and then enabling those settings on endpoints which do not have false positive detections.
-
-
-**Network protection**
-Prior to enabling network protection in audit or block mode, ensure that you've installed the antimalware platform update, which can be obtained from the [support page](https://support.microsoft.com/en-us/help/4560203/windows-defender-anti-malware-platform-binaries-are-missing).
-
-
-**Controlled folder access**
-Enable the feature in audit mode for at least 30 days. After this period, review detections and create a list of applications that are allowed to write to protected directories.
-
-For more information, see [Evaluate controlled folder access](evaluate-controlled-folder-access.md).
-
-
-## Offboard devices using Configuration Manager
-
-For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package, you will be notified of the packages expiry date and it will also be included in the package name.
-
-> [!NOTE]
-> Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions.
-
-### Offboard devices using Microsoft Endpoint Configuration Manager current branch
-
-If you use Microsoft Endpoint Configuration Manager current branch, see [Create an offboarding configuration file](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#create-an-offboarding-configuration-file).
-
-### Offboard devices using System Center 2012 R2 Configuration Manager
-
-1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
-
- a. In the navigation pane, select **Settings** > **Offboarding**.
-
- b. Select Windows 10 as the operating system.
-
- c. In the **Deployment method** field, select **System Center Configuration Manager 2012/2012 R2/1511/1602**.
-
- d. Select **Download package**, and save the .zip file.
-
-2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
-
-3. Deploy the package by following the steps in the [Packages and Programs in System Center 2012 R2 Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/gg699369\(v=technet.10\)) article.
-
- a. Choose a predefined device collection to deploy the package to.
-
-> [!IMPORTANT]
-> Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to 6 months.
-
-
-## Monitor device configuration
-
-If you're using Microsoft Endpoint Configuration Manager current branch, use the built-in Microsoft Defender ATP dashboard in the Configuration Manager console. For more information, see [Microsoft Defender Advanced Threat Protection - Monitor](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#monitor).
-
-If you're using System Center 2012 R2 Configuration Manager, monitoring consists of two parts:
-
-1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the devices in your network.
-
-2. Checking that the devices are compliant with the Microsoft Defender ATP service (this ensures the device can complete the onboarding process and can continue to report data to the service).
-
-### Confirm the configuration package has been correctly deployed
-
-1. In the Configuration Manager console, click **Monitoring** at the bottom of the navigation pane.
-
-2. Select **Overview** and then **Deployments**.
-
-3. Select on the deployment with the package name.
-
-4. Review the status indicators under **Completion Statistics** and **Content Status**.
-
- If there are failed deployments (devices with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the devices. For more information, see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md).
-
- 
-
-### Check that the devices are compliant with the Microsoft Defender ATP service
-
-You can set a compliance rule for configuration item in System Center 2012 R2 Configuration Manager to monitor your deployment.
-
-This rule should be a *non-remediating* compliance rule configuration item that monitors the value of a registry key on targeted devices.
-
-Monitor the following registry key entry:
-```
-Path: “HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status”
-Name: “OnboardingState”
-Value: “1”
-```
-For more information, see [Introduction to compliance settings in System Center 2012 R2 Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/gg682139\(v=technet.10\)).
-
-## Related topics
-- [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md)
-- [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md)
-- [Onboard Windows 10 devices using a local script](configure-endpoints-script.md)
-- [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md)
-- [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md)
-- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md
deleted file mode 100644
index 70821568d1..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md
+++ /dev/null
@@ -1,148 +0,0 @@
----
-title: Onboard Windows 10 devices using a local script
-description: Use a local script to deploy the configuration package on devices so that they are onboarded to the service.
-keywords: configure devices using a local script, device management, configure Windows ATP devices, configure Microsoft Defender Advanced Threat Protection devices
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Onboard Windows 10 devices using a local script
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink)
-
-You can also manually onboard individual devices to Microsoft Defender ATP. You might want to do this first when testing the service before you commit to onboarding all devices in your network.
-
-> [!IMPORTANT]
-> This script has been optimized for use on up to 10 devices.
->
-> To deploy at scale, use [other deployment options](configure-endpoints.md). For example, you can deploy an onboarding script to more than 10 devices in production with the script available in [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md).
-
-## Onboard devices
-1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
-
- 1. In the navigation pane, select **Settings** > **Onboarding**.
-
- 1. Select Windows 10 as the operating system.
-
- 1. In the **Deployment method** field, select **Local Script**.
-
- 1. Click **Download package** and save the .zip file.
-
-
-2. Extract the contents of the configuration package to a location on the device you want to onboard (for example, the Desktop). You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
-
-3. Open an elevated command-line prompt on the device and run the script:
-
- 1. Go to **Start** and type **cmd**.
-
- 1. Right-click **Command prompt** and select **Run as administrator**.
-
- 
-
-4. Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPOnboardingScript.cmd*
-
-5. Press the **Enter** key or click **OK**.
-
-For information on how you can manually validate that the device is compliant and correctly reports sensor data see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md).
-
-
->[!TIP]
-> After onboarding the device, you can choose to run a detection test to verify that an device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md).
-
-## Configure sample collection settings
-For each device, you can set a configuration value to state whether samples can be collected from the device when a request is made through Microsoft Defender Security Center to submit a file for deep analysis.
-
-You can manually configure the sample sharing setting on the device by using *regedit* or creating and running a *.reg* file.
-
-The configuration is set through the following registry key entry:
-
-```console
-Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection”
-Name: "AllowSampleCollection"
-Value: 0 or 1
-```
-Where:
-Name type is a D-WORD.
-Possible values are:
-- 0 - doesn't allow sample sharing from this device
-- 1 - allows sharing of all file types from this device
-
-The default value in case the registry key doesn’t exist is 1.
-
-
-## Offboard devices using a local script
-For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
-
-> [!NOTE]
-> Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions.
-
-1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
-
- 1. In the navigation pane, select **Settings** > **Offboarding**.
-
- 1. Select Windows 10 as the operating system.
-
- 1. In the **Deployment method** field, select **Local Script**.
-
- 1. Click **Download package** and save the .zip file.
-
-2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the devices. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
-
-3. Open an elevated command-line prompt on the device and run the script:
-
- 1. Go to **Start** and type **cmd**.
-
- 1. Right-click **Command prompt** and select **Run as administrator**.
-
- 
-
-4. Type the location of the script file. If you copied the file to the desktop, type: *%userprofile%\Desktop\WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*
-
-5. Press the **Enter** key or click **OK**.
-
-> [!IMPORTANT]
-> Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to 6 months.
-
-
-## Monitor device configuration
-You can follow the different verification steps in the [Troubleshoot onboarding issues](troubleshoot-onboarding.md) to verify that the script completed successfully and the agent is running.
-
-Monitoring can also be done directly on the portal, or by using the different deployment tools.
-
-### Monitor devices using the portal
-1. Go to Microsoft Defender Security Center.
-
-2. Click **Devices list**.
-
-3. Verify that devices are appearing.
-
-
-## Related topics
-- [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md)
-- [Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
-- [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md)
-- [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md)
-- [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md)
-- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
deleted file mode 100644
index 03c9870858..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
+++ /dev/null
@@ -1,156 +0,0 @@
----
-title: Onboard non-persistent virtual desktop infrastructure (VDI) devices
-description: Deploy the configuration package on virtual desktop infrastructure (VDI) device so that they are onboarded to Microsoft Defender ATP the service.
-keywords: configure virtual desktop infrastructure (VDI) device, vdi, device management, configure Windows ATP endpoints, configure Microsoft Defender Advanced Threat Protection endpoints
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 04/16/2020
----
-
-# Onboard non-persistent virtual desktop infrastructure (VDI) devices
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- Virtual desktop infrastructure (VDI) devices
-
->[!WARNING]
-> Microsoft Defender ATP support for Windows Virtual Desktop multi-user scenarios is currently in Preview and limited up to 25 concurrent sessions per host/VM. However single session scenarios on Windows Virtual Desktop are fully supported.
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configvdi-abovefoldlink)
-
-## Onboard non-persistent virtual desktop infrastructure (VDI) devices
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-Microsoft Defender ATP supports non-persistent VDI session onboarding.
-
->[!Note]
->To onboard non-persistent VDI sessions, VDI devices must be on Windows 10.
->
->While other Windows versions might work, only Windows 10 is supported.
-
-There might be associated challenges when onboarding VDIs. The following are typical challenges for this scenario:
-
-- Instant early onboarding of a short-lived sessions, which must be onboarded to Microsoft Defender ATP prior to the actual provisioning.
-- The device name is typically reused for new sessions.
-
-VDI devices can appear in Microsoft Defender ATP portal as either:
-
-- Single entry for each device.
-Note that in this case, the *same* device name must be configured when the session is created, for example using an unattended answer file.
-- Multiple entries for each device - one for each session.
-
-The following steps will guide you through onboarding VDI devices and will highlight steps for single and multiple entries.
-
->[!WARNING]
-> For environments where there are low resource configurations, the VDI boot procedure might slow the Microsoft Defender ATP sensor onboarding.
-
-1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
-
- 1. In the navigation pane, select **Settings** > **Onboarding**.
-
- 1. Select Windows 10 as the operating system.
-
- 1. In the **Deployment method** field, select **VDI onboarding scripts for non-persistent endpoints**.
-
- 1. Click **Download package** and save the .zip file.
-
-2. Copy the files from the WindowsDefenderATPOnboardingPackage folder extracted from the .zip file into the `golden/master` image under the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`.
-
- 1. If you are not implementing a single entry for each device, copy WindowsDefenderATPOnboardingScript.cmd.
-
- 1. If you are implementing a single entry for each device, copy both Onboard-NonPersistentMachine.ps1 and WindowsDefenderATPOnboardingScript.cmd.
-
- > [!NOTE]
- > If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from File Explorer.
-
-3. Open a Local Group Policy Editor window and navigate to **Computer Configuration** > **Windows Settings** > **Scripts** > **Startup**.
-
- > [!NOTE]
- > Domain Group Policy may also be used for onboarding non-persistent VDI devices.
-
-4. Depending on the method you'd like to implement, follow the appropriate steps:
- **For single entry for each device**:
-
- Select the **PowerShell Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`.
-
- **For multiple entries for each device**:
-
- Select the **Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to the onboarding bash script `WindowsDefenderATPOnboardingScript.cmd`.
-
-5. Test your solution:
-
- 1. Create a pool with one device.
-
- 1. Logon to device.
-
- 1. Logoff from device.
-
- 1. Logon to device with another user.
-
- 1. **For single entry for each device**: Check only one entry in Microsoft Defender Security Center.
- **For multiple entries for each device**: Check multiple entries in Microsoft Defender Security Center.
-
-6. Click **Devices list** on the Navigation pane.
-
-7. Use the search function by entering the device name and select **Device** as search type.
-
-## Updating non-persistent virtual desktop infrastructure (VDI) images
-As a best practice, we recommend using offline servicing tools to patch golden/master images.
-For example, you can use the below commands to install an update while the image remains offline:
-
-```console
-DISM /Mount-image /ImageFile:"D:\Win10-1909.vhdx" /index:1 /MountDir:"C:\Temp\OfflineServicing"
-DISM /Image:"C:\Temp\OfflineServicing" /Add-Package /Packagepath:"C:\temp\patch\windows10.0-kb4541338-x64.msu"
-DISM /Unmount-Image /MountDir:"C:\Temp\OfflineServicing" /commit
-```
-
-For more information on DISM commands and offline servicing, please refer to the articles below:
-- [Modify a Windows image using DISM](https://docs.microsoft.com/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism)
-- [DISM Image Management Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14)
-- [Reduce the Size of the Component Store in an Offline Windows Image](https://docs.microsoft.com/windows-hardware/manufacture/desktop/reduce-the-size-of-the-component-store-in-an-offline-windows-image)
-
-If offline servicing is not a viable option for your non-persistent VDI environment, the following steps should be taken to ensure consistency and sensor health:
-
-1. After booting the master image for online servicing or patching, run an offboarding script to turn off the Microsoft Defender ATP sensor. For more information, see [Offboard devices using a local script](configure-endpoints-script.md#offboard-devices-using-a-local-script).
-
-2. Ensure the sensor is stopped by running the command below in a CMD window:
-
- ```console
- sc query sense
- ```
-
-3. Service the image as needed.
-
-4. Run the below commands using PsExec.exe (which can be downloaded from https://download.sysinternals.com/files/PSTools.zip) to cleanup the cyber folder contents that the sensor may have accumulated since boot:
-
- ```console
- PsExec.exe -s cmd.exe
- cd "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Cyber"
- del *.* /f /s /q
- REG DELETE “HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection" /v senseGuid /f
- exit
- ```
-
-5. Re-seal the golden/master image as you normally would.
-
-## Related topics
-- [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md)
-- [Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
-- [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md)
-- [Onboard Windows 10 devices using a local script](configure-endpoints-script.md)
-- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md
deleted file mode 100644
index b77d79c856..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-title: Onboarding tools and methods for Windows 10 devices
-description: Onboard Windows 10 devices so that they can send sensor data to the Microsoft Defender ATP sensor
-keywords: Onboard Windows 10 devices, group policy, endpoint configuration manager, mobile device management, local script, gp, sccm, mdm, intune
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Onboarding tools and methods for Windows 10 devices
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-- [Microsoft 365 Endpoint data loss prevention (DLP)](/microsoft-365/compliance/endpoint-dlp-learn-about)
-
-Devices in your organization must be configured so that the Microsoft Defender ATP service can get sensor data from them. There are various methods and deployment tools that you can use to configure the devices in your organization.
-
-The following deployment tools and methods are supported:
-
-- Group Policy
-- Microsoft Endpoint Configuration Manager
-- Mobile Device Management (including Microsoft Intune)
-- Local script
-
-## In this section
-Topic | Description
-:---|:---
-[Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md) | Use Group Policy to deploy the configuration package on devices.
-[Onboard Windows devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) | You can use either use Microsoft Endpoint Configuration Manager (current branch) version 1606 or Microsoft Endpoint Configuration Manager (current branch) version 1602 or earlier to deploy the configuration package on devices.
-[Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md) | Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on device.
-[Onboard Windows 10 devices using a local script](configure-endpoints-script.md) | Learn how to use the local script to deploy the configuration package on endpoints.
-[Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) | Learn how to use the configuration package to configure VDI devices.
-
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpoints-belowfoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
deleted file mode 100644
index db418af7ff..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
+++ /dev/null
@@ -1,56 +0,0 @@
----
-title: Optimize ASR rule deployment and detections
-description: Optimize your attack surface reduction (ASR) rules to identify and prevent typical malware exploits.
-keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, attack surface reduction, ASR, security baseline
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Optimize ASR rule deployment and detections
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink).
-
-[Attack surface reduction (ASR) rules](./attack-surface-reduction.md) identify and prevent typical malware exploits. They control when and how potentially malicious code can run. For example, they can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, and block processes that run from USB drives.
-
-
-*Attack surface management card*
-
-The *Attack surface management card* is an entry point to tools in Microsoft 365 security center that you can use to:
-
-* Understand how ASR rules are currently deployed in your organization.
-* Review ASR detections and identify possible incorrect detections.
-* Analyze the impact of exclusions and generate the list of file paths to exclude.
-
-Select **Go to attack surface management** > **Monitoring & reports > Attack surface reduction rules > Add exclusions**. From there, you can navigate to other sections of Microsoft 365 security center.
-
-
-The ***Add exclusions** tab in the Attack surface reduction rules page in Microsoft 365 security center*
-
-> [!NOTE]
-> To access Microsoft 365 security center, you need a Microsoft 365 E3 or E5 license and an account that has certain roles on Azure Active Directory. [Read about required licenses and permissions](https://docs.microsoft.com/office365/securitycompliance/microsoft-security-and-compliance#required-licenses-and-permissions).
-
-For more information about ASR rule deployment in Microsoft 365 security center, see [Monitor and manage ASR rule deployment and detections](https://docs.microsoft.com/office365/securitycompliance/monitor-devices#monitor-and-manage-asr-rule-deployment-and-detections).
-
-**Related topics**
-
-* [Ensure your devices are configured properly](configure-machines.md)
-* [Get devices onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)
-* [Monitor compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md
deleted file mode 100644
index eb72937f89..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md
+++ /dev/null
@@ -1,73 +0,0 @@
----
-title: Get devices onboarded to Microsoft Defender ATP
-description: Track onboarding of Intune-managed devices to Microsoft Defender ATP and increase onboarding rate.
-keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, configuration management
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get devices onboarded to Microsoft Defender ATP
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
-
-Each onboarded device adds an additional endpoint detection and response (EDR) sensor and increases visibility over breach activity in your network. Onboarding also ensures that a device can be checked for vulnerable components as well security configuration issues and can receive critical remediation actions during attacks.
-
-Before you can track and manage onboarding of devices:
-- [Enroll your devices to Intune management](configure-machines.md#enroll-devices-to-intune-management)
-- [Ensure you have the necessary permissions](configure-machines.md#obtain-required-permissions)
-
-## Discover and track unprotected devices
-
-The **Onboarding** card provides a high-level overview of your onboarding rate by comparing the number of Windows 10 devices that have actually onboarded to Microsoft Defender ATP against the total number of Intune-managed Windows 10 devices.
-
-
-*Card showing onboarded devices compared to the total number of Intune-managed Windows 10 device*
-
->[!NOTE]
->If you used Security Center Configuration Manager, the onboarding script, or other onboarding methods that don’t use Intune profiles, you might encounter data discrepancies. To resolve these discrepancies, create a corresponding Intune configuration profile for Microsoft Defender ATP onboarding and assign that profile to your devices.
-
-## Onboard more devices with Intune profiles
-
-Microsoft Defender ATP provides several convenient options for [onboarding Windows 10 devices](onboard-configure.md). For Intune-managed devices, however, you can leverage Intune profiles to conveniently deploy the Microsoft Defender ATP sensor to select devices, effectively onboarding these devices to the service.
-
-From the **Onboarding** card, select **Onboard more devices** to create and assign a profile on Intune. The link takes you to the device compliance page on Intune, which provides a similar overview of your onboarding state.
-
-
- *Microsoft Defender ATP device compliance page on Intune device management*
-
->[!TIP]
->Alternatively, you can navigate to the Microsoft Defender ATP onboarding compliance page in the [Microsoft Azure portal](https://portal.azure.com/) from **All services > Intune > Device compliance > Microsoft Defender ATP**.
-
->[!NOTE]
-> If you want to view the most up-to-date device data, click on **List of devices without ATP sensor**.
-
-From the device compliance page, create a configuration profile specifically for the deployment of the Microsoft Defender ATP sensor and assign that profile to the devices you want to onboard. To do this, you can either:
-
-- Select **Create a device configuration profile to configure ATP sensor** to start with a predefined device configuration profile.
-- Create the device configuration profile from scratch.
-
-For more information, [read about using Intune device configuration profiles to onboard devices to Microsoft Defender ATP](https://docs.microsoft.com/intune/advanced-threat-protection#onboard-devices-by-using-a-configuration-profile).
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
-
-## Related topics
-- [Ensure your devices are configured properly](configure-machines.md)
-- [Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md)
-- [Optimize ASR rule deployment and detections](configure-machines-asr.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
deleted file mode 100644
index d8200f1502..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
+++ /dev/null
@@ -1,106 +0,0 @@
----
-title: Increase compliance to the Microsoft Defender ATP security baseline
-description: The Microsoft Defender ATP security baseline sets Microsoft Defender ATP security controls to provide optimal protection.
-keywords: Intune management, MDATP, WDATP, Microsoft Defender, advanced threat protection ASR, security baseline
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Increase compliance to the Microsoft Defender ATP security baseline
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
-
-Security baselines ensure that security features are configured according to guidance from both security experts and expert Windows system administrators. When deployed, the Microsoft Defender ATP security baseline sets Microsoft Defender ATP security controls to provide optimal protection.
-
-To understand security baselines and how they are assigned on Intune using configuration profiles, [read this FAQ](https://docs.microsoft.com/intune/security-baselines#q--a).
-
-Before you can deploy and track compliance to security baselines:
-- [Enroll your devices to Intune management](configure-machines.md#enroll-devices-to-intune-management)
-- [Ensure you have the necessary permissions](configure-machines.md#obtain-required-permissions)
-
-## Compare the Microsoft Defender ATP and the Windows Intune security baselines
-The Windows Intune security baseline provides a comprehensive set of recommended settings needed to securely configure devices running Windows, including browser settings, PowerShell settings, as well as settings for some security features like Microsoft Defender Antivirus. In contrast, the Microsoft Defender ATP baseline provides settings that optimize all the security controls in the Microsoft Defender ATP stack, including settings for endpoint detection and response (EDR) as well as settings also found in the Windows Intune security baseline. For more information about each baseline, see:
-
-- [Windows security baseline settings for Intune](https://docs.microsoft.com/intune/security-baseline-settings-windows)
-- [Microsoft Defender ATP baseline settings for Intune](https://docs.microsoft.com/intune/security-baseline-settings-defender-atp)
-
-Ideally, devices onboarded to Microsoft Defender ATP are deployed both baselines: the Windows Intune security baseline to initially secure Windows and then the Microsoft Defender ATP security baseline layered on top to optimally configure the Microsoft Defender ATP security controls. To benefit from the latest data on risks and threats and to minimize conflicts as baselines evolve, always apply the latest versions of the baselines across all products as soon as they are released.
-
->[!NOTE]
->The Microsoft Defender ATP security baseline has been optimized for physical devices and is currently not recommended for use on virtual machine (VMs) or VDI endpoints. Certain baseline settings can impact remote interactive sessions on virtualized environments.
-
-## Monitor compliance to the Microsoft Defender ATP security baseline
-
-The **Security baseline** card on [device configuration management](configure-machines.md) provides an overview of compliance across Windows 10 devices that have been assigned the Microsoft Defender ATP security baseline.
-
-
-*Card showing compliance to the Microsoft Defender ATP security baseline*
-
-Each device is given one of the following status types:
-
-- **Matches baseline**—device settings match all the settings in the baseline
-- **Does not match baseline**—at least one device setting doesn't match the baseline
-- **Misconfigured**—at least one baseline setting isn't properly configured on the device and is in a conflict, error, or pending state
-- **Not applicable**—At least one baseline setting isn't applicable on the device
-
-To review specific devices, select **Configure security baseline** on the card. This takes you to Intune device management. From there, select **Device status** for the names and statuses of the devices.
-
->[!NOTE]
->You might experience discrepancies in aggregated data displayed on the device configuration management page and those displayed on overview screens in Intune.
-
-## Review and assign the Microsoft Defender ATP security baseline
-
-Device configuration management monitors baseline compliance only of Windows 10 devices that have been specifically assigned the Microsoft Defender ATP security baseline. You can conveniently review the baseline and assign it to devices on Intune device management.
-
-1. Select **Configure security baseline** on the **Security baseline** card to go to Intune device management. A similar overview of baseline compliance is displayed.
-
- >[!TIP]
- > Alternatively, you can navigate to the Microsoft Defender ATP security baseline in the Microsoft Azure portal from **All services > Intune > Device security > Security baselines > Microsoft Defender ATP baseline**.
-
-
-2. Create a new profile.
-
- 
- *Microsoft Defender ATP security baseline overview on Intune*
-
-3. During profile creation, you can review and adjust specific settings on the baseline.
-
- 
- *Security baseline options during profile creation on Intune*
-
-4. Assign the profile to the appropriate device group.
-
- 
- *Assigning the security baseline profile on Intune*
-
-5. Create the profile to save it and deploy it to the assigned device group.
-
- 
- *Creating the security baseline profile on Intune*
-
->[!TIP]
->Security baselines on Intune provide a convenient way to comprehensively secure and protect your devices. [Learn more about security baselines on Intune](https://docs.microsoft.com/intune/security-baselines).
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
-
-## Related topics
-- [Ensure your devices are configured properly](configure-machines.md)
-- [Get devices onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)
-- [Optimize ASR rule deployment and detections](configure-machines-asr.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md
deleted file mode 100644
index 1b1b0495eb..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md
+++ /dev/null
@@ -1,84 +0,0 @@
----
-title: Ensure your devices are configured properly
-description: Properly configure devices to boost overall resilience against threats and enhance your capability to detect and respond to attacks.
-keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, attack surface reduction, ASR, security baseline
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Ensure your devices are configured properly
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
-
-With properly configured devices, you can boost overall resilience against threats and enhance your capability to detect and respond to attacks. Security configuration management helps ensure that your devices:
-
-- Onboard to Microsoft Defender ATP
-- Meet or exceed the Microsoft Defender ATP security baseline configuration
-- Have strategic attack surface mitigations in place
-
-Click **Configuration management** from the navigation menu to open the Device configuration management page.
-
-
-*Device configuration management page*
-
-You can track configuration status at an organizational level and quickly take action in response to poor onboarding coverage, compliance issues, and poorly optimized attack surface mitigations through direct, deep links to device management pages on Microsoft Intune and Microsoft 365 security center.
-
-In doing so, you benefit from:
-- Comprehensive visibility of the events on your devices
-- Robust threat intelligence and powerful device learning technologies for processing raw events and identifying the breach activity and threat indicators
-- A full stack of security features configured to efficiently stop the installation of malicious implants, hijacking of system files and process, data exfiltration, and other threat activities
-- Optimized attack surface mitigations, maximizing strategic defenses against threat activity while minimizing impact to productivity
-
-## Enroll devices to Intune management
-
-Device configuration management works closely with Intune device management to establish the inventory of the devices in your organization and the baseline security configuration. You will be able to track and manage configuration issues on Intune-managed Windows 10 devices.
-
-Before you can ensure your devices are configured properly, enroll them to Intune management. Intune enrollment is robust and has several enrollment options for Windows 10 devices. For more information about Intune enrollment options, read about [setting up enrollment for Windows devices](https://docs.microsoft.com/intune/windows-enroll).
-
->[!NOTE]
->To enroll Windows devices to Intune, administrators must have already been assigned licenses. [Read about assigning licenses for device enrollment](https://docs.microsoft.com/intune/licenses-assign).
-
->[!TIP]
->To optimize device management through Intune, [connect Intune to Microsoft Defender ATP](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune).
-
-## Obtain required permissions
-By default, only users who have been assigned the Global Administrator or the Intune Service Administrator role on Azure AD can manage and assign the device configuration profiles needed for onboarding devices and deploying the security baseline.
-
-If you have been assigned other roles, ensure you have the necessary permissions:
-
-- Full permissions to device configurations
-- Full permissions to security baselines
-- Read permissions to device compliance policies
-- Read permissions to the organization
-
-
-*Device configuration permissions on Intune*
-
->[!TIP]
->To learn more about assigning permissions on Intune, [read about creating custom roles](https://docs.microsoft.com/intune/create-custom-role#to-create-a-custom-role).
-
-## In this section
-Topic | Description
-:---|:---
-[Get devices onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)| Track onboarding status of Intune-managed devices and onboard more devices through Intune.
-[Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md) | Track baseline compliance and noncompliance. Deploy the security baseline to more Intune-managed devices.
-[Optimize ASR rule deployment and detections](configure-machines-asr.md) | Review rule deployment and tweak detections using impact analysis tools in Microsoft 365 security center.
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md
deleted file mode 100644
index 23f1b28355..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md
+++ /dev/null
@@ -1,150 +0,0 @@
----
-title: Configure and manage Microsoft Threat Experts capabilities
-ms.reviewer:
-description: Register to Microsoft Threats Experts to configure, manage, and use it in your daily security operations and security administration work.
-keywords: Microsoft Threat Experts, managed threat hunting service, MTE, Microsoft managed hunting service
-search.product: Windows 10
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: article
----
-
-# Configure and manage Microsoft Threat Experts capabilities
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-## Before you begin
-> [!NOTE]
-> Discuss the eligibility requirements with your Microsoft Technical Service provider and account team before you apply to the managed threat hunting service.
-
-Ensure that you have Microsoft Defender ATP deployed in your environment with devices enrolled, and not just on a laboratory set-up.
-
-Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service.
-
-If you are not enrolled yet and would like to experience its benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on-Demand subscription.
-
-## Register to Microsoft Threat Experts managed threat hunting service
-If you're already a Microsoft Defender ATP customer, you can apply through the Microsoft Defender ATP portal.
-
-1. From the navigation pane, go to **Settings > General > Advanced features > Microsoft Threat Experts**.
-
-2. Click **Apply**.
-
- 
-
-3. Enter your name and email address so that Microsoft can get back to you on your application.
-
- 
-
-4. Read the [privacy statement](https://privacy.microsoft.com/en-us/privacystatement), then click **Submit** when you're done. You will receive a welcome email once your application is approved.
-
- 
-
-6. From the navigation pane, go to **Settings** > **General** > **Advanced features** to turn the **Threat Experts** toggle on. Click **Save preferences**.
-
-## Receive targeted attack notification from Microsoft Threat Experts
-You can receive targeted attack notification from Microsoft Threat Experts through the following medium:
-- The Microsoft Defender ATP portal's **Alerts** dashboard
-- Your email, if you choose to configure it
-
-To receive targeted attack notifications through email, create an email notification rule.
-
-### Create an email notification rule
-You can create rules to send email notifications for notification recipients. See [Configure alert notifications](configure-email-notifications.md) to create, edit, delete, or troubleshoot email notification, for details.
-
-## View the targeted attack notification
-You'll start receiving targeted attack notification from Microsoft Threat Experts in your email after you have configured your system to receive email notification.
-
-1. Click the link in the email to go to the corresponding alert context in the dashboard tagged with **Threat experts**.
-
-2. From the dashboard, select the same alert topic that you got from the email, to view the details.
-
-
-## Consult a Microsoft threat expert about suspicious cybersecurity activities in your organization
-You can partner with Microsoft Threat Experts who can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised device, or a threat intelligence context that you see on your portal dashboard.
-
-> [!NOTE]
-> - Alert inquiries related to your organization's customized threat intelligence data are currently not supported. Consult your security operations or incident response team for details.
-> - You will need to have the "Manage security settings" permission in the Security Center portal to be able to submit a "Consult a threat expert" inquiry.
-
-1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or device is in view before you send an investigation request.
-
-2. From the upper right-hand menu, click the **?** icon. Then, select **Consult a threat expert**.
-
- 
-
- A flyout screen opens. The following screen shows when you are on a trial subscription.
-
- 
-
- The following screen shows when you are on a full Microsoft Threat Experts - Experts on-Demand subscription.
-
- 
-
- The **Inquiry topic** field is pre-populated with the link to the relevant page for your investigation request. For example, a link to the incident, alert, or device details page that you were at when you made the request.
-
-3. In the next field, provide enough information to give the Microsoft Threat Experts enough context to start the investigation.
-
-4. Enter the email address that you'd like to use to correspond with Microsoft Threat Experts.
-
-> [!NOTE]
-> Customers with Premier Support subscription mapped to their Office 365 license can track the status of their Experts on Demand cases through Microsoft Services Hub.
-
-Watch this video for a quick overview of the Microsoft Services Hub.
-
->[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4pk9f]
-
-
-
-## Sample investigation topics that you can consult with Microsoft Threat Experts
-
-**Alert information**
-- We see a new type of alert for a living-off-the-land binary: [AlertID]. Can you tell us something more about this alert and how we can investigate further?
-- We’ve observed two similar attacks, which try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious PowerShell command line" and the other is "A malicious file was detected based on indication provided by O365". What is the difference?
-- I receive an odd alert today for abnormal number of failed logins from a high profile user’s device. I cannot find any further evidence around these sign-in attempts. How can Microsoft Defender ATP see these attempts? What type of sign-ins are being monitored?
-- Can you give more context or insights about this alert: “Suspicious behavior by a system utility was observed”.
-
-**Possible machine compromise**
-- Can you help answer why we see “Unknown process observed?” This message or alert is seen frequently on many devices. We appreciate any input to clarify whether this message or alert is related to malicious activity.
-- Can you help validate a possible compromise on the following system on [date] with similar behaviors as the previous [malware name] malware detection on the same system in [month]?
-
-**Threat intelligence details**
-- We detected a phishing email that delivered a malicious Word document to a user. The malicious Word document caused a series of suspicious events, which triggered multiple Microsoft Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you send me a link?
-- I recently saw a [social media reference, for example, Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection Microsoft Defender ATP provides against this threat actor?
-
-**Microsoft Threat Experts’ alert communications**
-- Can your incident response team help us address the targeted attack notification that we got?
-- I received this targeted attack notification from Microsoft Threat Experts. We don’t have our own incident response team. What can we do now, and how can we contain the incident?
-- I received a targeted attack notification from Microsoft Threat Experts. What data can you provide to us that we can pass on to our incident response team?
-
- >[!NOTE]
- >Microsoft Threat Experts is a managed cybersecurity hunting service and not an incident response service. However, the experts can seamlessly transition the investigation to Microsoft Cybersecurity Solutions Group (CSG)'s Detection and Response Team (DART) services, when necessary. You can also opt to engage with your own incident response team to address issues that requires an incident response.
-
-## Scenario
-
-### Receive a progress report about your managed hunting inquiry
-Response from Microsoft Threat Experts varies according to your inquiry. They will email a progress report to you about your **Consult a threat expert** inquiry within two days, to communicate the investigation status from the following categories:
-- More information is needed to continue with the investigation
-- A file or several file samples are needed to determine the technical context
-- Investigation requires more time
-- Initial information was enough to conclude the investigation
-
-It is crucial to respond in quickly to keep the investigation moving.
-
-## Related topic
-- [Microsoft Threat Experts overview](microsoft-threat-experts.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md
deleted file mode 100644
index 4455735f4f..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-title: Configure alert notifications that are sent to MSSPs
-description: Configure alert notifications that are sent to MSSPs
-keywords: managed security service provider, mssp, configure, integration
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Configure alert notifications that are sent to MSSPs
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
-
-
->[!NOTE]
->This step can be done by either the MSSP customer or MSSP. MSSPs must be granted the appropriate permissions to configure this on behalf of the MSSP customer.
-
-After access the portal is granted, alert notification rules can to be created so that emails are sent to MSSPs when alerts associated with the tenant are created and set conditions are met.
-
-
-For more information, see [Create rules for alert notifications](configure-email-notifications.md#create-rules-for-alert-notifications).
-
-
-These check boxes must be checked:
-- **Include organization name** - The customer name will be added to email notifications
-- **Include tenant-specific portal link** - Alert link URL will have tenant specific parameter (tid=target_tenant_id) that allows direct access to target tenant portal
-
-
-## Related topics
-- [Grant MSSP access to the portal](grant-mssp-access.md)
-- [Access the MSSP customer portal](access-mssp-portal.md)
-- [Fetch alerts from customer tenant](fetch-alerts-mssp.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md
deleted file mode 100644
index fa877ecd83..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md
+++ /dev/null
@@ -1,79 +0,0 @@
----
-title: Configure managed security service provider support
-description: Take the necessary steps to configure the MSSP integration with Microsoft Defender ATP
-keywords: managed security service provider, mssp, configure, integration
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Configure managed security service provider integration
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
-
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-You'll need to take the following configuration steps to enable the managed security service provider (MSSP) integration.
-
->[!NOTE]
->The following terms are used in this article to distinguish between the service provider and service consumer:
-> - MSSPs: Security organizations that offer to monitor and manage security devices for an organization.
-> - MSSP customers: Organizations that engage the services of MSSPs.
-
-The integration will allow MSSPs to take the following actions:
-
-- Get access to MSSP customer's Microsoft Defender Security Center portal
-- Get email notifications, and
-- Fetch alerts through security information and event management (SIEM) tools
-
-Before MSSPs can take these actions, the MSSP customer will need to grant access to their Microsoft Defender ATP tenant so that the MSSP can access the portal.
-
-
-Typically, MSSP customers take the initial configuration steps to grant MSSPs access to their Windows Defender Security Central tenant. After access is granted, other configuration steps can be done by either the MSSP customer or the MSSP.
-
-
-In general, the following configuration steps need to be taken:
-
-
-- **Grant the MSSP access to Microsoft Defender Security Center**
-This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Microsoft Defender ATP tenant.
-
-
-- **Configure alert notifications sent to MSSPs**
-This action can be taken by either the MSSP customer or MSSP. This lets the MSSPs know what alerts they need to address for the MSSP customer.
-
-- **Fetch alerts from MSSP customer's tenant into SIEM system**
-This action is taken by the MSSP. It allows MSSPs to fetch alerts in SIEM tools.
-
-- **Fetch alerts from MSSP customer's tenant using APIs**
-This action is taken by the MSSP. It allows MSSPs to fetch alerts using APIs.
-
-## Multi-tenant access for MSSPs
-For information on how to implement a multi-tenant delegated access, see [Multi-tenant access for Managed Security Service Providers](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/multi-tenant-access-for-managed-security-service-providers/ba-p/1533440).
-
-
-
-## Related topics
-- [Grant MSSP access to the portal](grant-mssp-access.md)
-- [Access the MSSP customer portal](access-mssp-portal.md)
-- [Configure alert notifications](configure-mssp-notifications.md)
-- [Fetch alerts from customer tenant](fetch-alerts-mssp.md)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
deleted file mode 100644
index 12c3637695..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
+++ /dev/null
@@ -1,217 +0,0 @@
----
-title: Configure device proxy and Internet connection settings
-description: Configure the Microsoft Defender ATP proxy and internet settings to enable communication with the cloud service.
-keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, netsh, winhttp, proxy server
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: article
----
-
-# Configure device proxy and Internet connectivity settings
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink)
-
-The Microsoft Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service.
-
-The embedded Microsoft Defender ATP sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Microsoft Defender ATP cloud service.
-
->[!TIP]
->For organizations that use forward proxies as a gateway to the Internet, you can use network protection to investigate behind a proxy. For more information, see [Investigate connection events that occur behind forward proxies](investigate-behind-proxy.md).
-
-The WinHTTP configuration setting is independent of the Windows Internet (WinINet) Internet browsing proxy settings and can only discover a proxy server by using the following discovery methods:
-
-- Auto-discovery methods:
- - Transparent proxy
- - Web Proxy Auto-discovery Protocol (WPAD)
-
- > [!NOTE]
- > If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Microsoft Defender ATP URL exclusions in the proxy, see [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
-
-- Manual static proxy configuration:
- - Registry based configuration
- - WinHTTP configured using netsh command – Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy)
-
-## Configure the proxy server manually using a registry-based static proxy
-
-Configure a registry-based static proxy to allow only Microsoft Defender ATP sensor to report diagnostic data and communicate with Microsoft Defender ATP services if a computer is not be permitted to connect to the Internet.
-
-The static proxy is configurable through Group Policy (GP). The group policy can be found under:
-
-- Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service
- - Set it to **Enabled** and select **Disable Authenticated Proxy usage**:
- 
-- **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**:
- - Configure the proxy:
- 
-
- The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DataCollection`.
-
- The registry value `TelemetryProxyServer` takes the following string format:
-
- ```text
-
[Spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) | The spreadsheet provides specific DNS records for service locations, geographic locations, and OS.
-
-
-If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed in the above table from HTTPS scanning.
-
-> [!NOTE]
-> settings-win.data.microsoft.com is only needed if you have Windows 10 devices running version 1803 or earlier.
-
-
-> [!NOTE]
-> URLs that include v20 in them are only needed if you have Windows 10 devices running version 1803 or later. For example, ```us-v20.events.data.microsoft.com``` is needed for a Windows 10 device running version 1803 or later and onboarded to US Data Storage region.
-
-
-> [!NOTE]
-> If you are using Microsoft Defender Antivirus in your environment, please refer to the following article for details on allowing connections to the Microsoft Defender Antivirus cloud service: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus
-
-If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs.
-
-### Log analytics agent requirements
-
-The information below list the proxy and firewall configuration information required to communicate with Log Analytics agent (often referred to as Microsoft Monitoring Agent) for the previous versions of Windows such as Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016.
-
-|Agent Resource|Ports |Direction |Bypass HTTPS inspection|
-|------|---------|--------|--------|
-|*.ods.opinsights.azure.com |Port 443 |Outbound|Yes |
-|*.oms.opinsights.azure.com |Port 443 |Outbound|Yes |
-|*.blob.core.windows.net |Port 443 |Outbound|Yes |
-
-## Microsoft Defender ATP service backend IP range
-
-If your network devices don't support the URLs added to an "allow" list in the prior section, you can use the following information.
-
-Microsoft Defender ATP is built on Azure cloud, deployed in the following regions:
-
-- \+\
- The tool checks the connectivity of Microsoft Defender ATP service URLs that Microsoft Defender ATP client is configured to interact with. It then prints the results into the *MDATPClientAnalyzerResult.txt* file for each URL that can potentially be used to communicate with the Microsoft Defender ATP services. For example:
-
- ```text
- Testing URL : https://xxx.microsoft.com/xxx
- 1 - Default proxy: Succeeded (200)
- 2 - Proxy auto discovery (WPAD): Succeeded (200)
- 3 - Proxy disabled: Succeeded (200)
- 4 - Named proxy: Doesn't exist
- 5 - Command line proxy: Doesn't exist
- ```
-
-If at least one of the connectivity options returns a (200) status, then the Microsoft Defender ATP client can communicate with the tested URL properly using this connectivity method.
-
-However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). The URLs you'll use will depend on the region selected during the onboarding procedure.
-
-> [!NOTE]
-> The Connectivity Analyzer tool is not compatible with ASR rule [Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction#attack-surface-reduction-rules). You will need to temporarily disable this rule to run the connectivity tool.
-
-
-> [!NOTE]
-> When the TelemetryProxyServer is set, in Registry or via Group Policy, Microsoft Defender ATP will fall back to direct if it can't access the defined proxy.
-
-## Related topics
-
-- [Onboard Windows 10 devices](configure-endpoints.md)
-- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
deleted file mode 100644
index 38b47a18f9..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
+++ /dev/null
@@ -1,257 +0,0 @@
----
-title: Onboard Windows servers to the Microsoft Defender ATP service
-description: Onboard Windows servers so that they can send sensor data to the Microsoft Defender ATP sensor.
-keywords: onboard server, server, 2012r2, 2016, 2019, server onboarding, device management, configure Windows ATP servers, onboard Microsoft Defender Advanced Threat Protection servers
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: mjcaparas
-ms.author: macapara
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Onboard Windows servers to the Microsoft Defender ATP service
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- Windows Server 2008 R2 SP1
-- Windows Server 2012 R2
-- Windows Server 2016
-- Windows Server (SAC) version 1803 and later
-- Windows Server 2019 and later
-- Windows Server 2019 core edition
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configserver-abovefoldlink)
-
-
-Microsoft Defender ATP extends support to also include the Windows Server operating system. This support provides advanced attack detection and investigation capabilities seamlessly through the Microsoft Defender Security Center console.
-
-The service supports the onboarding of the following Windows servers:
-- Windows Server 2008 R2 SP1
-- Windows Server 2012 R2
-- Windows Server 2016
-- Windows Server (SAC) version 1803 and later
-- Windows Server 2019 and later
-- Windows Server 2019 core edition
-
-For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Microsoft Defender ATP](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128).
-
-For guidance on how to download and use Windows Security Baselines for Windows servers, see [Windows Security Baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines).
-
-
-## Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016
-
-You can onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016 to Microsoft Defender ATP by using any of the following options:
-
-- **Option 1**: [Onboard through Microsoft Defender Security Center](#option-1-onboard-windows-servers-through-microsoft-defender-security-center)
-- **Option 2**: [Onboard through Azure Security Center](#option-2-onboard-windows-servers-through-azure-security-center)
-- **Option 3**: [Onboard through Microsoft Endpoint Configuration Manager version 2002 and later (only for Windows Server 2012 R2 and Windows Server 2016)](#option-3-onboard-windows-servers-through-microsoft-endpoint-configuration-manager-version-2002-and-later)
-
-> [!NOTE]
-> Microsoft defender ATP standalone server license is required, per node, in order to onboard a Windows server through Microsoft Defender Security Center (Option 1), or an Azure Security Center Standard license is required, per node, in order to onboard a Windows server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services).
-
-
-### Option 1: Onboard Windows servers through Microsoft Defender Security Center
-Perform the following steps to onboard Windows servers through Microsoft Defender Security Center:
-
- - For Windows Server 2008 R2 SP1 or Windows Server 2012 R2, ensure that you install the following hotfix:
- - [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
-
- - In addition, for Windows Server 2008 R2 SP1, ensure that you fulfill the following requirements:
- - Install the [February monthly update rollup](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
- - Install either [.NET framework 4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework)
-
- - For Windows Server 2008 R2 SP1 and Windows Server 2012 R2: [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients).
-
- > [!NOTE]
- > This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2008 R2 SP1 and Windows Server 2012 R2.
-
- - [Turn on server monitoring from Microsoft Defender Security Center](#turn-on-server-monitoring-from-the-microsoft-defender-security-center-portal).
-
- - If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support.
-
- Otherwise, [install and configure MMA to report sensor data to Microsoft Defender ATP](#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp). For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent).
-
-> [!TIP]
-> After onboarding the device, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md).
-
-### Configure and update System Center Endpoint Protection clients
-
-Microsoft Defender ATP integrates with System Center Endpoint Protection. The integration provides visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware.
-
-The following steps are required to enable this integration:
-- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie).
-
-- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting.
-
-
-### Turn on Server monitoring from the Microsoft Defender Security Center portal
-
-1. In the navigation pane, select **Settings** > **Device management** > **Onboarding**.
-
-2. Select **Windows Server 2008 R2 SP1, 2012 R2 and 2016** as the operating system.
-
-3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment setup. When the setup completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent.
-
-
-
-### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP
-
-1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603).
-
-2. Using the Workspace ID and Workspace key obtained in the previous procedure, choose any of the following installation methods to install the agent on the Windows server:
- - [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-setup)
- On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**.
- - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script).
-
-3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](configure-proxy-internet.md).
-
-Once completed, you should see onboarded Windows servers in the portal within an hour.
-
-
-
-### Configure Windows server proxy and Internet connectivity settings
-
-- Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the OMS Gateway.
-- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that you [enable access to Microsoft Defender ATP service URLs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
-
-### Option 2: Onboard Windows servers through Azure Security Center
-1. In the Microsoft Defender Security Center navigation pane, select **Settings** > **Device management** > **Onboarding**.
-
-2. Select **Windows Server 2008 R2 SP1, 2012 R2 and 2016** as the operating system.
-
-3. Click **Onboard Servers in Azure Security Center**.
-
-4. Follow the onboarding instructions in [Microsoft Defender Advanced Threat Protection with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp).
-
-### Option 3: Onboard Windows servers through Microsoft Endpoint Configuration Manager version 2002 and later
-You can onboard Windows Server 2012 R2 and Windows Server 2016 by using Microsoft Endpoint Configuration Manager version 2002 and later. For more information, see [Microsoft Defender Advanced Threat Protection in Microsoft Endpoint Configuration Manager current branch](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection).
-
-## Windows Server (SAC) version 1803, Windows Server 2019, and Windows Server 2019 Core edition
-You can onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windows Server 2019 Core edition by using the following deployment methods:
-
-- [Local script](configure-endpoints-script.md)
-- [Group Policy](configure-endpoints-gp.md)
-- [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
-- [System Center Configuration Manager 2012 / 2012 R2 1511 / 1602](configure-endpoints-sccm.md#onboard-devices-using-system-center-configuration-manager)
-- [VDI onboarding scripts for non-persistent devices](configure-endpoints-vdi.md)
-
-> [!NOTE]
-> - The Onboarding package for Windows Server 2019 through Microsoft Endpoint Configuration Manager currently ships a script. For more information on how to deploy scripts in Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/packages-and-programs).
-> - A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune.
-
-Support for Windows Server, provide deeper insight into activities happening on the Windows server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well.
-
-1. Configure Microsoft Defender ATP onboarding settings on the Windows server. For more information, see [Onboard Windows 10 devices](configure-endpoints.md).
-
-2. If you're running a third-party antimalware solution, you'll need to apply the following Microsoft Defender AV passive mode settings. Verify that it was configured correctly:
-
- 1. Set the following registry entry:
- - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
- - Name: ForceDefenderPassiveMode
- - Type: REG_DWORD
- - Value: 1
-
- 1. Run the following PowerShell command to verify that the passive mode was configured:
-
- ```PowerShell
- Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}
- ```
-
- 1. Confirm that a recent event containing the passive mode event is found:
-
- 
-
-3. Run the following command to check if Microsoft Defender AV is installed:
-
- ```sc.exe query Windefend```
-
- If the result is 'The specified service does not exist as an installed service', then you'll need to install Microsoft Defender AV. For more information, see [Microsoft Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10).
-
- For information on how to use Group Policy to configure and manage Microsoft Defender Antivirus on your Windows servers, see [Use Group Policy settings to configure and manage Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus).
-
-## Integration with Azure Security Center
-Microsoft Defender ATP can integrate with Azure Security Center to provide a comprehensive Windows server protection solution. With this integration, Azure Security Center can leverage the power of Microsoft Defender ATP to provide improved threat detection for Windows Servers.
-
-The following capabilities are included in this integration:
-- Automated onboarding - Microsoft Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding).
-
- > [!NOTE]
- > Automated onboarding is only applicable for Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016.
-
-- Windows servers monitored by Azure Security Center will also be available in Microsoft Defender ATP - Azure Security Center seamlessly connects to the Microsoft Defender ATP tenant, providing a single view across clients and servers. In addition, Microsoft Defender ATP alerts will be available in the Azure Security Center console.
-- Server investigation - Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach.
-
-> [!IMPORTANT]
-> - When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created (in the US for US users, in the EU for European and UK users).
-Data collected by Microsoft Defender ATP is stored in the geo-location of the tenant as identified during provisioning.
-> - If you use Microsoft Defender ATP before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time.
-> - Once configured, you cannot change the location where your data is stored. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant.
-Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers.
-
-
-## Offboard Windows servers
-You can offboard Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same method available for Windows 10 client devices.
-
-For other Windows server versions, you have two options to offboard Windows servers from the service:
-- Uninstall the MMA agent
-- Remove the Microsoft Defender ATP workspace configuration
-
-> [!NOTE]
-> Offboarding causes the Windows server to stop sending sensor data to the portal but data from the Windows server, including reference to any alerts it has had will be retained for up to 6 months.
-
-### Uninstall Windows servers by uninstalling the MMA agent
-To offboard the Windows server, you can uninstall the MMA agent from the Windows server or detach it from reporting to your Microsoft Defender ATP workspace. After offboarding the agent, the Windows server will no longer send sensor data to Microsoft Defender ATP.
-For more information, see [To disable an agent](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#to-disable-an-agent).
-
-### Remove the Microsoft Defender ATP workspace configuration
-To offboard the Windows server, you can use either of the following methods:
-
-- Remove the Microsoft Defender ATP workspace configuration from the MMA agent
-- Run a PowerShell command to remove the configuration
-
-#### Remove the Microsoft Defender ATP workspace configuration from the MMA agent
-
-1. In the **Microsoft Monitoring Agent Properties**, select the **Azure Log Analytics (OMS)** tab.
-
-2. Select the Microsoft Defender ATP workspace, and click **Remove**.
-
- 
-
-#### Run a PowerShell command to remove the configuration
-
-1. Get your Workspace ID:
-
- 1. In the navigation pane, select **Settings** > **Onboarding**.
-
- 1. Select **Windows Server 2008 R2 SP1, 2012 R2 and 2016** as the operating system and get your Workspace ID:
-
- 
-
-2. Open an elevated PowerShell and run the following command. Use the Workspace ID you obtained and replacing `WorkspaceID`:
-
- ```powershell
- # Load agent scripting object
- $AgentCfg = New-Object -ComObject AgentConfigManager.MgmtSvcCfg
- # Remove OMS Workspace
- $AgentCfg.RemoveCloudWorkspace($WorkspaceID)
- # Reload the configuration and apply changes
- $AgentCfg.ReloadConfiguration()
- ```
-## Related topics
-- [Onboard Windows 10 devices](configure-endpoints.md)
-- [Onboard non-Windows devices](configure-endpoints-non-windows.md)
-- [Configure proxy and Internet connectivity settings](configure-proxy-internet.md)
-- [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md)
-- [Troubleshooting Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md
deleted file mode 100644
index 2767826ed6..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md
+++ /dev/null
@@ -1,58 +0,0 @@
----
-title: Pull detections to your SIEM tools from Microsoft Defender Advanced Threat Protection
-description: Learn how to use REST API and configure supported security information and events management tools to receive and pull detections.
-keywords: configure siem, security information and events management tools, splunk, arcsight, custom indicators, rest api, alert definitions, indicators of compromise
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Pull detections to your SIEM tools
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
-
-## Pull detections using security information and events management (SIEM) tools
-
->[!NOTE]
->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections.
->- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details.
->-The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
-
-Microsoft Defender ATP supports security information and event management (SIEM) tools to pull detections. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
-
-
-Microsoft Defender ATP currently supports the following specific SIEM solution tools through a dedicated SIEM integration model:
-
-- IBM QRadar
-- Micro Focus ArcSight
-
-Other SIEM solutions (such as Splunk, RSA NetWitness) are supported through a different integration model based on the new Alert API. For more information, view the [Partner application](https://df.securitycenter.microsoft.com/interoperability/partners) page and select the Security Information and Analytics section for full details.
-
-To use either of these supported SIEM tools you'll need to:
-
-- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
-- Configure the supported SIEM tool:
- - [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
- - Configure IBM QRadar to pull Microsoft Defender ATP detections For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1).
-
-For more information on the list of fields exposed in the Detection API see, [Microsoft Defender ATP Detection fields](api-portal-mapping.md).
-
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md b/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md
deleted file mode 100644
index 69775ff5c3..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-title: Connected applications in Microsoft Defender ATP
-ms.reviewer:
-description: View connected partner applications that use standard OAuth 2.0 protocol to authenticate and provide tokens for use with Microsoft Defender ATP APIs.
-keywords: partners, applications, third-party, connections, sentinelone, lookout, bitdefender, corrata, morphisec, paloalto, ziften, better mobile
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Connected applications in Microsoft Defender ATP
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-Connected applications integrates with the Microsoft Defender ATP platform using APIs.
-
-Applications use standard OAuth 2.0 protocol to authenticate and provide tokens for use with Microsoft Defender ATP APIs. In addition, Azure Active Directory (Azure AD) applications allow tenant admins to set explicit control over which APIs can be accessed using the corresponding app.
-
-You'll need to follow [these steps](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/apis-intro) to use the APIs with the connected application.
-
-## Access the connected application page
-From the left navigation menu, select **Partners & APIs** > **Connected AAD applications**.
-
-
-## View connected application details
-The Connected applications page provides information about the Azure AD applications connected to Microsoft Defender ATP in your organization. You can review the usage of the connected applications: last seen, number of requests in the past 24 hours, and request trends in the last 30 days.
-
-
-
-## Edit, reconfigure, or delete a connected application
-The **Open application settings** link opens the corresponding Azure AD application management page in the Azure portal. From the Azure portal, you can manage permissions, reconfigure, or delete the connected applications.
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/contact-support.md b/windows/security/threat-protection/microsoft-defender-atp/contact-support.md
deleted file mode 100644
index 252019ef63..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/contact-support.md
+++ /dev/null
@@ -1,90 +0,0 @@
----
-title: Contact Microsoft Defender ATP support
-description: Learn how to contact Microsoft Defender ATP support
-keywords: support, contact, premier support, solutions, problems, case
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Contact Microsoft Defender ATP support
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
-
-Microsoft Defender ATP has recently upgraded the support process to offer a more modern and advanced support experience.
-
-The new widget allows customers to:
-- Find solutions to common problems
-- Submit a support case to the Microsoft support team
-
-## Prerequisites
-It's important to know the specific roles that have permission to open support cases.
-
-At a minimum, you must have a Service Support Administrator **OR** Helpdesk Administrator role.
-
-
-For more information on which roles have permission see, [Security Administrator permissions](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles#security-administrator-permissions). Roles that include the action `microsoft.office365.supportTickets/allEntities/allTasks` can submit a case.
-
-For general information on admin roles, see [About admin roles](https://docs.microsoft.com/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide).
-
-
-## Access the widget
-Accessing the new support widget can be done in one of two ways:
-
-1. Clicking on the question mark on the top right of the portal and then clicking on "Microsoft support":
-
- 
-
-2. Clicking on the **Need help?** button in the bottom right of the Microsoft Defender Security Center:
-
-
- 
-
-In the widget you will be offered two options:
-
-- Find solutions to common problems
-- Open a service request
-
-## Find solutions to common problems
-This option includes articles that might be related to the question you may ask. Just start typing the question in the search box and articles related to your search will be surfaced.
-
-
-
-In case the suggested articles are not sufficient, you can open a service request.
-
-## Open a service request
-
-Learn how to open support tickets by contacting Microsoft Defender ATP support.
-
-
-
-
-### Contact support
-This option is available by clicking the icon that looks like a headset. You will then get the following page to submit your support case:
-
-
-
-1. Fill in a title and description for the issue you are facing, as well as a phone number and email address where we may reach you.
-
-2. (Optional) Include up to five attachments that are relevant to the issue in order to provide additional context for the support case.
-
-3. Select your time zone and an alternative language, if applicable. The request will be sent to Microsoft Support Team. The team will respond to your service request shortly.
-
-
-## Related topics
-- [Troubleshoot service issues](troubleshoot-mdatp.md)
-- [Check service health](service-status.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
deleted file mode 100644
index e4e8f5ec72..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
+++ /dev/null
@@ -1,114 +0,0 @@
----
-title: Prevent ransomware and threats from encrypting and changing files
-description: Files in default folders can be protected from being changed by malicious apps. Prevent ransomware from encrypting your files.
-keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-audience: ITPro
-ms.date: 08/25/2020
-ms.reviewer: v-maave
-manager: dansimp
-ms.custom: asr
----
-
-# Protect important folders with controlled folder access
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-## What is controlled folder access?
-
-Controlled folder access helps you protect your valuable data from malicious apps and threats, like ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Supported on Windows Server 2019 and Windows 10 clients, controlled folder access can be turned on using the Windows Security App or in Microsoft Endpoint Configuration Manager and Intune (for managed devices).
-
-Controlled folder access works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
-
-## How does controlled folder access work?
-
-Controlled folder access works by only allowing trusted apps to access protected folders. Protected folders are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, and so on, are included in the list of controlled folders.
-
-Controlled folder access works with a list of trusted software. If an app is included in the list of trusted software, the app works as expected. If not, the app is blocked from making any changes to files that are inside protected folders. Apps are added to the trusted list based upon their prevalence and reputation. Apps that are highly prevalent throughout your organization, and that have never displayed any malicious behavior, are deemed trustworthy and automatically added to the list.
-
-Apps can also be manually added to the trusted list via Configuration Manager and Intune. Additional actions, such as [adding a file indicator](../microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) for the app, can be performed from the Security Center Console.
-
-Controlled folder access is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware). In a ransomware attack, your files can get encrypted and held hostage. With controlled folder access in place, a notification appears on the computer where an app attempted to make changes to a file in a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
-
-The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders.
-
-You can use [audit mode](audit-windows-defender.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Test ground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
-
-Controlled folder access is supported on Windows 10, version 1709 and later and Windows Server 2019.
-
-## Requirements
-
-Controlled folder access requires enabling [Microsoft Defender Antivirus real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md).
-
-## Review controlled folder access events in the Microsoft Defender Security Center
-
-Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
-
-You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to see how controlled folder access settings would affect your environment if they were enabled.
-
-Example query:
-
-```PowerShell
-DeviceEvents
-| where ActionType in ('ControlledFolderAccessViolationAudited','ControlledFolderAccessViolationBlocked')
-```
-
-## Review controlled folder access events in Windows Event Viewer
-
-You can review the Windows event log to see events that are created when controlled folder access blocks (or audits) an app:
-
-1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the device.
-
-2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
-
-3. On the left panel, under **Actions**, select **Import custom view...**.
-
-4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views.md).
-
-5. Click **OK**.
-
-After following the procedure, you have created a custom view that shows events related to controlled folder access, as listed in the following table:
-
-|Event ID | Description |
-|---|---|
-|5007 | Event when settings are changed |
-|1124 | Audited controlled folder access event |
-|1123 | Blocked controlled folder access event |
-
-## View or change the list of protected folders
-
-### Windows 10 security app
-
-1. On your Windows 10 device, open the Windows Security app.
-
-2. Select **Virus & threat protection**.
-
-3. Under **Ransomware protection**, select **Manage ransomware protection**.
-
-4. If controlled folder access is turned off, you'll need to turn it on. Select **protected folders**.
-
-5. Do one of the following steps:
-
- - To add a folder, select **+ Add a protected folder**.
-
- - To remove a folder, select it, and then select **Remove**.
-
-## See also
-
-- [Evaluate controlled folder access](evaluate-controlled-folder-access.md). Use a dedicated demo tool to see how controlled folder access works, and what events would typically be created.
-
-- [Enable controlled folder access](enable-controlled-folders.md). Use Group Policy, PowerShell, or mobile device management CSPs to enable and manage controlled folder access in your network
-
-- [Customize controlled folder access](customize-controlled-folders.md). Add additional protected folders, and allow specified apps to access protected folders.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md
deleted file mode 100644
index e02de4aa8b..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md
+++ /dev/null
@@ -1,110 +0,0 @@
----
-title: Create alert from event API
-description: Learn how to use the Create alert API to create a new Alert on top of Event in Microsoft Defender Advanced Threat Protection.
-keywords: apis, graph api, supported apis, get, alert, information, id
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Create alert API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-
-## API description
-Creates new [Alert](alerts.md) on top of **Event**.
-
**Microsoft Defender ATP Event** is required for the alert creation.
-
You will need to supply 3 parameters from the Event in the request: **Event Time**, **Machine ID** and **Report ID**. See example below.
-
You can use an event found in Advanced Hunting API or Portal.
-
If there existing an open alert on the same Device with the same Title, the new created alert will be merged with it.
-
An automatic investigation starts automatically on alerts created via the API.
-
-
-## Limitations
-1. Rate limitations for this API are 15 calls per minute.
-
-
-## Permissions
-
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Alerts.ReadWrite.All | 'Read and write all alerts'
-Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'Alerts investigation' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-
-```
-POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | String | application/json. **Required**.
-
-## Request body
-
-In the request body, supply the following values (all are required):
-
-Property | Type | Description
-:---|:---|:---
-eventTime | DateTime(UTC) | The precise time of the event as string, as obtained from advanced hunting. e.g. ```2018-08-03T16:45:21.7115183Z``` **Required**.
-reportId | String | The reportId of the event, as obtained from advanced hunting. **Required**.
-machineId | String | Id of the device on which the event was identified. **Required**.
-severity | String | Severity of the alert. The property values are: 'Low', 'Medium' and 'High'. **Required**.
-title | String | Title for the alert. **Required**.
-description | String | Description of the alert. **Required**.
-recommendedAction| String | Action that is recommended to be taken by security officer when analyzing the alert. **Required**.
-category| String | Category of the alert. The property values are: "General", "CommandAndControl", "Collection", "CredentialAccess", "DefenseEvasion", "Discovery", "Exfiltration", "Exploit", "Execution", "InitialAccess", "LateralMovement", "Malware", "Persistence", "PrivilegeEscalation", "Ransomware", "SuspiciousActivity" **Required**.
-
-## Response
-
-If successful, this method returns 200 OK, and a new [alert](alerts.md) object in the response body. If event with the specified properties (_reportId_, _eventTime_ and _machineId_) was not found - 404 Not Found.
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-```
-POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference
-```
-```json
-{
- "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
- "severity": "Low",
- "title": "example",
- "description": "example alert",
- "recommendedAction": "nothing",
- "eventTime": "2018-08-03T16:45:21.7115183Z",
- "reportId": "20776",
- "category": "Exploit"
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
deleted file mode 100644
index 79ab34fce9..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
+++ /dev/null
@@ -1,116 +0,0 @@
----
-title: Create custom detection rules in Microsoft Defender ATP
-ms.reviewer:
-description: Learn how to create custom detection rules based on advanced hunting queries
-keywords: custom detections, create, manage, alerts, edit, run on demand, frequency, interval, detection rules, advanced hunting, hunt, query, response actions, mdatp, microsoft defender atp
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Create custom detection rules
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Custom detection rules built from [advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured devices. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
-
-Read this article to learn how to create new custom detection rules. Or [see viewing and managing existing rules](custom-detections-manage.md).
-
-## 1. Check required permissions
-
-To create or manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
-
-## 2. Prepare the query
-
-In Microsoft Defender Security Center, go to **Advanced hunting** and select an existing query or create a new query. When using a new query, run the query to identify errors and understand possible results.
-
->[!IMPORTANT]
->To prevent the service from returning too many alerts, each rule is limited to generating only 100 alerts whenever it runs. Before creating a rule, tweak your query to avoid alerting for normal, day-to-day activity.
-
-
-### Required columns in the query results
-To use a query for a custom detection rule, the query must return the `Timestamp`, `DeviceId`, and `ReportId` columns in the results. Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.
-
-There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each device.
-
-The sample query below counts the number of unique devices (`DeviceId`) with antivirus detections and uses this count to find only the devices with more than five detections. To return the latest `Timestamp` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function.
-
-```kusto
-DeviceEvents
-| where Timestamp > ago(7d)
-| where ActionType == "AntivirusDetection"
-| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId
-| where count_ > 5
-```
-
-## 3. Create new rule and provide alert details
-
-With the query in the query editor, select **Create detection rule** and specify the following alert details:
-
-- **Detection name**—name of the detection rule
-- **Frequency**—interval for running the query and taking action. [See additional guidance below](#rule-frequency)
-- **Alert title**—title displayed with alerts triggered by the rule
-- **Severity**—potential risk of the component or activity identified by the rule. [Read about alert severities](alerts-queue.md#severity)
-- **Category**—type of threat component or activity, if any. [Read about alert categories](alerts-queue.md#understanding-alert-categories)
-- **MITRE ATT&CK techniques**—one or more attack techniques identified by the rule as documented in the MITRE ATT&CK framework. This section is not available with certain alert categories, such as malware, ransomware, suspicious activity, and unwanted software
-- **Description**—more information about the component or activity identified by the rule
-- **Recommended actions**—additional actions that responders might take in response to an alert
-
-For more information about how alert details are displayed, [read about the alert queue](alerts-queue.md).
-
-### Rule frequency
-When saved, a new or edited custom detection rule immediately runs and checks for matches from the past 30 days of data. The rule then runs again at fixed intervals and lookback durations based on the frequency you choose:
-
-- **Every 24 hours**—runs every 24 hours, checking data from the past 30 days
-- **Every 12 hours**—runs every 12 hours, checking data from the past 24 hours
-- **Every 3 hours**—runs every 3 hours, checking data from the past 6 hours
-- **Every hour**—runs hourly, checking data from the past 2 hours
-
-Select the frequency that matches how closely you want to monitor detections, and consider your organization's capacity to respond to the alerts.
-
-## 4. Specify actions on files or devices
-Your custom detection rule can automatically take actions on files or devices that are returned by the query.
-
-### Actions on devices
-These actions are applied to devices in the `DeviceId` column of the query results:
-- **Isolate device**—applies full network isolation, preventing the device from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about device isolation](respond-machine-alerts.md#isolate-devices-from-the-network)
-- **Collect investigation package**—collects device information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices)
-- **Run antivirus scan**—performs a full Microsoft Defender Antivirus scan on the device
-- **Initiate investigation**—starts an [automated investigation](automated-investigations.md) on the device
-
-### Actions on files
-These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1` column of the query results:
-- **Allow/Block**—automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected device groups. This scope is independent of the scope of the rule.
-- **Quarantine file**—deletes the file from its current location and places a copy in quarantine
-
-## 5. Set the rule scope
-Set the scope to specify which devices are covered by the rule:
-
-- All devices
-- Specific device groups
-
-Only data from devices in scope will be queried. Also, actions will be taken only on those devices.
-
-## 6. Review and turn on the rule
-After reviewing the rule, select **Create** to save it. The custom detection rule immediately runs. It runs again based on configured frequency to check for matches, generate alerts, and take response actions.
-
-
-## Related topics
-- [View and manage detection rules](custom-detections-manage.md)
-- [Custom detections overview](overview-custom-detections.md)
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [Learn the advanced hunting query language](advanced-hunting-query-language.md)
-- [View and organize alerts](alerts-queue.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md
deleted file mode 100644
index 855bd65993..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md
+++ /dev/null
@@ -1,70 +0,0 @@
----
-title: View and manage custom detection rules in Microsoft Defender ATP
-ms.reviewer:
-description: Learn how to view and manage custom detection rules
-keywords: custom detections, view, manage, alerts, edit, run on demand, detection rules, advanced hunting, hunt, query, response actions, mdatp, microsoft defender atp
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-
-# View and manage custom detection rules
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Manage your existing [custom detection rules](custom-detection-rules.md) to ensure they are effectively finding threats and taking actions. Explore how to view the list of rules, check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it.
-
-## Required permissions
-
-To create or manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
-
-## View existing rules
-
-To view all existing custom detection rules, navigate to **Settings** > **Custom detections**. The page lists all the rules with the following run information:
-
-- **Last run**—when a rule was last run to check for query matches and generate alerts
-- **Last run status**—whether a rule ran successfully
-- **Next run**—the next scheduled run
-- **Status**—whether a rule has been turned on or off
-
-## View rule details, modify rule, and run rule
-
-To view comprehensive information about a custom detection rule, select the name of rule from the list of rules in **Settings** > **Custom detections**. A page about the selected rule displays the following information:
-
-- General information about the rule, including the details of the alert, run status, and scope
-- List of triggered alerts
-- List of triggered actions
-
-
-*Custom detection rule page*
-
-You can also take the following actions on the rule from this page:
-
-- **Run**—run the rule immediately. This action also resets the interval for the next run.
-- **Edit**—modify the rule without changing the query
-- **Modify query**—edit the query in advanced hunting
-- **Turn on** / **Turn off**—enable the rule or stop it from running
-- **Delete**—turn off the rule and remove it
-
->[!TIP]
->To quickly view information and take action on an item in a table, use the selection column [✓] at the left of the table.
-
-## Related topics
-- [Custom detections overview](overview-custom-detections.md)
-- [Create detection rules](custom-detection-rules.md)
-- [Advanced hunting overview](advanced-hunting-overview.md)
-- [View and organize alerts](alerts-queue.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
deleted file mode 100644
index 2773f28ed5..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md
+++ /dev/null
@@ -1,114 +0,0 @@
----
-title: Customize attack surface reduction rules
-description: Individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from attack surface reduction rules
-keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.localizationpriority: medium
-audience: ITPro
-author: levinec
-ms.author: ellevin
-ms.reviewer:
-manager: dansimp
----
-
-# Customize attack surface reduction rules
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-> [!IMPORTANT]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
-[Attack surface reduction rules](enable-attack-surface-reduction.md) help prevent software behaviors that are often abused to compromise your device or network. For example, an attacker might try to run an unsigned script off of a USB drive, or have a macro in an Office document make calls directly to the Win32 API. Attack surface reduction rules can constrain these kinds of risky behaviors and improve your organization's defensive posture.
-
-Learn how to customize attack surface reduction rules by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer.
-
-You can set attack surface reduction rules for devices running any of the following editions and versions of Windows:
-- Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
-- Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
-- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-You can use Group Policy, PowerShell, and Mobile Device Management (MDM) configuration service providers (CSP) to configure these settings.
-
-## Exclude files and folders
-
-You can choose to exclude files and folders from being evaluated by attack surface reduction rules. Once excluded, the file won't be blocked from running even if an attack surface reduction rule detects that the file contains malicious behavior.
-
-> [!WARNING]
-> This could potentially allow unsafe files to run and infect your devices. Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded.
-
-An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource. However, you cannot limit an exclusion to a specific rule.
-
-An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
-
-Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
-If you are encountering problems with rules detecting files that you believe should not be detected, [use audit mode to test the rule](evaluate-attack-surface-reduction.md).
-
-Rule description | GUID
--|-|-
-Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
-Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
-Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
-Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
-Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
-Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D
-Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
-Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25
-Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35
-Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
-Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
-Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
-Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
-Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
-Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b
-
-See the [attack surface reduction](attack-surface-reduction.md) topic for details on each rule.
-
-### Use Group Policy to exclude files and folders
-
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
-
-2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
-
-3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**.
-
-4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Select **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
-
-> [!WARNING]
-> Do not use quotes as they are not supported for either the **Value name** column or the **Value** column.
-
-### Use PowerShell to exclude files and folders
-
-1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**
-2. Enter the following cmdlet:
-
- ```PowerShell
- Add-MpPreference -AttackSurfaceReductionOnlyExclusions "
-You can choose the data retention policy for your data. This determines how long Window Defender ATP will store your data. There’s a flexibility of choosing in the range of 1 month to six months to meet your company’s regulatory compliance needs.
-
-**At contract termination or expiration**
-Your data will be kept and will be available to you while the license is under grace period or suspended mode. At the end of this period, that data will be erased from Microsoft’s systems to make it unrecoverable, no later than 180 days from contract termination or expiration.
-
-
-## Can Microsoft help us maintain regulatory compliance?
-Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Microsoft Defender ATP services against their own legal and regulatory requirements. Microsoft Defender ATP has achieved a number of certifications including ISO, SOC, FedRAMP High, and PCI and continues to pursue additional national, regional and industry-specific certifications.
-
-By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run.
-
-For more information on the Microsoft Defender ATP certification reports, see [Microsoft Trust Center](https://servicetrust.microsoft.com/).
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-datastorage-belowfoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md b/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md
deleted file mode 100644
index fa43e76e73..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-title: Microsoft Defender Antivirus compatibility with Microsoft Defender ATP
-description: Learn about how Windows Defender works with Microsoft Defender ATP and how it functions when a third-party antimalware client is used.
-keywords: windows defender compatibility, defender, microsoft defender atp
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.date: 04/24/2018
----
-
-# Microsoft Defender Antivirus compatibility with Microsoft Defender ATP
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-
-- Windows Defender
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-defendercompat-abovefoldlink)
-
-The Microsoft Defender Advanced Threat Protection agent depends on Microsoft Defender Antivirus for some capabilities such as file scanning.
-
->[!IMPORTANT]
->Microsoft Defender ATP does not adhere to the Microsoft Defender Antivirus Exclusions settings.
-
-You must configure Security intelligence updates on the Microsoft Defender ATP devices whether Microsoft Defender Antivirus is the active antimalware or not. For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](../microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md).
-
-If an onboarded device is protected by a third-party antimalware client, Microsoft Defender Antivirus on that endpoint will enter into passive mode.
-
-Microsoft Defender Antivirus will continue to receive updates, and the *mspeng.exe* process will be listed as a running a service, but it will not perform scans and will not replace the running third-party antimalware client.
-
-The Microsoft Defender Antivirus interface will be disabled, and users on the device will not be able to use Microsoft Defender Antivirus to perform on-demand scans or configure most options.
-
-For more information, see the [Microsoft Defender Antivirus and Microsoft Defender ATP compatibility topic](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md
deleted file mode 100644
index 1dd2b90d07..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md
+++ /dev/null
@@ -1,76 +0,0 @@
----
-title: Delete Indicator API.
-description: Learn how to use the Delete Indicator API to delete an Indicator entity by ID in Microsoft Defender Advanced Threat Protection.
-keywords: apis, public api, supported apis, delete, ti indicator, entity, id
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Delete Indicator API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-
-## API description
-Deletes an [Indicator](ti-indicator.md) entity by ID.
-
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Ti.ReadWrite | 'Read and write TI Indicators'
-Application | Ti.ReadWrite.All | 'Read and write Indicators'
-
-
-## HTTP request
-```
-Delete https://api.securitycenter.windows.com/api/indicators/{id}
-```
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If Indicator exist and deleted successfully - 204 OK without content.
-If Indicator with the specified id was not found - 404 Not Found.
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-DELETE https://api.securitycenter.windows.com/api/indicators/995
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md b/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md
deleted file mode 100644
index 000dafbddd..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md
+++ /dev/null
@@ -1,70 +0,0 @@
----
-title: Deployment phases
-description: Learn how deploy Microsoft Defender ATP by preparing, setting up, and onboarding endpoints to that service
-keywords: deploy, prepare, setup, onboard, phase, deployment, deploying, adoption, configuring
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- M365-security-compliance
-- m365solution-endpointprotect
-- m365solution-overview
-ms.topic: article
----
-
-# Deployment phases
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-There are three phases in deploying Microsoft Defender ATP:
-
-|Phase | Desription |
-|:-------|:-----|
-| 
[Phase 1: Prepare](prepare-deployment.md)| Learn about what you need to consider when deploying Microsoft Defender ATP:
- Stakeholders and sign-off
- Environment considerations
- Access
- Adoption order
-| 
[Phase 2: Setup](production-deployment.md)| Take the initial steps to access Microsoft Defender Security Center. You'll be guided on:
- Validating the licensing
- Completing the setup wizard within the portal
- Network configuration|
-| 
[Phase 3: Onboard](onboarding.md) | Onboard devices to the service so the Microsoft Defender ATP service can get sensor data from them. You'll be guided on:
- Using Microsoft Endpoint Configuration Manager to onboard devices
- Configure capabilities
-
-
-
- The deployment guide will guide you through the recommended path in deploying Microsoft Defender ATP.
-
-There are several methods you can use to onboard to the service. For information on other ways to onboard, see [Onboard devices to Microsoft Defender ATP](onboard-configure.md).
-
-## In Scope
-
-The following is in scope for this deployment guide:
-
-- Use of Microsoft Endpoint Configuration Manager to onboard endpoints into the service
-
-- Enabling Microsoft Defender ATP endpoint protection platform (EPP)
- capabilities
-
- - Next-generation protection
-
- - Attack surface reduction
-
-- Enabling Microsoft Defender ATP endpoint detection and response (EDR)
- capabilities including automatic investigation and remediation
-
-- Enabling Microsoft Defender ATP threat and vulnerability management (TVM)
-
-
-## Out of scope
-
-The following are out of scope of this deployment guide:
-
-- Configuration of third-party solutions that might integrate with Microsoft
- Defender ATP
-
-- Penetration testing in production environment
diff --git a/windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md b/windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md
deleted file mode 100644
index cd066db719..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-title: Plan your Microsoft Defender ATP deployment strategy
-description: Select the best Microsoft Defender ATP deployment strategy for your environment
-keywords: deploy, plan, deployment strategy, cloud native, management, on prem, evaluation, onboarding, local, group policy, gp, endpoint manager, mem
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Plan your Microsoft Defender ATP deployment strategy
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-secopsdashboard-abovefoldlink)
-
-Depending on the requirements of your environment, we've put together material to help guide you through the various options you can adopt to deploy Microsoft Defender ATP.
-
-
-You can deploy Microsoft Defender ATP using various management tools. In general the following management tools are supported:
-
-- Group policy
-- Microsoft Endpoint Configuration Manager
-- Mobile Device Management tools
-- Local script
-
-
-## Microsoft Defender ATP deployment strategy
-
-Depending on your environment, some tools are better suited for certain architectures.
-
-
-|**Item**|**Description**|
-|:-----|:-----|
-|[](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf)
[PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf) \| [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) | The architectural material helps you plan your deployment for the following architectures:
- Windows 10 (all releases)
- Windows Server 2016 or later |
-|Windows E5 enrollment |Windows E5 is included in the following subscriptions:
- Microsoft 365 E5
- Microsoft 365 E3 together with the Identity & Threat Protection offering
See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide#components) and [features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). |
-|Cloud-delivered protection |Make sure Microsoft Defender Antivirus is configured such that cloud-delivered protection is enabled.
See [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus). |
-|Microsoft Defender Antivirus antimalware client |Make sure your client is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator.
In the **AMProductVersion** line, you should see **4.18.2001.10** or above. |
-|Microsoft Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator.
In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. |
-
-> [!IMPORTANT]
-> To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features, and that your exclusions are defined.
-
-
-## Frequently asked questions
-
-### Will EDR in block mode have any impact on a user's antivirus protection?
-
-No. EDR in block mode does not affect third-party antivirus protection running on users' devices. EDR in block mode kicks in if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Microsoft Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), with the additional steps of blocking and remediating malicious artifacts or behaviors that are detected.
-
-### Why do I need to keep Microsoft Defender Antivirus up to date?
-
-Because Microsoft Defender Antivirus detects and remediates malicious items, it's important to keep it up to date to leverage the latest device learning models, behavioral detections, and heuristics for EDR in block mode to be most effective. The [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities works in an integrated manner, and to get best protection value, you should keep Microsoft Defender Antivirus up to date.
-
-### Why do we need cloud protection on?
-
-Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on our breadth and depth of security intelligence, along with behavioral and device learning models.
-
-## See also
-
-[Tech Community blog: Introducing EDR in block mode: Stopping attacks in their tracks](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/introducing-edr-in-block-mode-stopping-attacks-in-their-tracks/ba-p/1596617)
-
-[Behavioral blocking and containment](behavioral-blocking-containment.md)
-
-[Better together: Microsoft Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-antivirus)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
deleted file mode 100644
index 36216eb833..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
+++ /dev/null
@@ -1,203 +0,0 @@
----
-title: Enable attack surface reduction rules
-description: Enable attack surface reduction (ASR) rules to protect your devices from attacks that use macros, scripts, and common injection techniques.
-keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, enable, turn on
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-audience: ITPro
-author: levinec
-ms.author: ellevin
-ms.reviewer:
-manager: dansimp
----
-
-# Enable attack surface reduction rules
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-[Attack surface reduction rules](attack-surface-reduction.md) (ASR rules) help prevent actions that malware often abuses to compromise devices and networks. You can set ASR rules for devices running any of the following editions and versions of Windows:
-- Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
-- Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
-- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later
-- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
-
-Each ASR rule contains one of three settings:
-
-- Not configured: Disable the ASR rule
-- Block: Enable the ASR rule
-- Audit: Evaluate how the ASR rule would impact your organization if enabled
-
-To use ASR rules, you must have either a Windows 10 Enterprise E3 or E5 license. We recommend E5 licenses so you can take advantage of the advanced monitoring and reporting capabilities that are available in [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP). Advanced monitoring and reporting capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules.
-
-> [!TIP]
-> To learn more about Windows licensing, see [Windows 10 Licensing](https://www.microsoft.com/licensing/product-licensing/windows10?activetab=windows10-pivot:primaryr5) and get the [Volume Licensing guide for Windows 10](https://download.microsoft.com/download/2/D/1/2D14FE17-66C2-4D4C-AF73-E122930B60F6/Windows-10-Volume-Licensing-Guide.pdf).
-
-You can enable attack surface reduction rules by using any of these methods:
-
-- [Microsoft Intune](#intune)
-- [Mobile Device Management (MDM)](#mdm)
-- [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager)
-- [Group Policy](#group-policy)
-- [PowerShell](#powershell)
-
-Enterprise-level management such as Intune or Microsoft Endpoint Configuration Manager is recommended. Enterprise-level management will overwrite any conflicting Group Policy or PowerShell settings on startup.
-
-## Exclude files and folders from ASR rules
-
-You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an ASR rule determines the file or folder contains malicious behavior, it will not block the file from running. This could potentially allow unsafe files to run and infect your devices.
-
-You can also exclude ASR rules from triggering based on certificate and file hashes by allowing specified Microsoft Defender ATP file and certificate indicators. (See [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators).)
-
-> [!IMPORTANT]
-> Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded.
-> If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md).
-
-
-You can specify individual files or folders (using folder paths or fully qualified resource names), but you can't specify which rules the exclusions apply to. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
-
-ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](../microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
-
-The following procedures for enabling ASR rules include instructions for how to exclude files and folders.
-
-## Intune
-
-1. Select **Device configuration** > **Profiles**. Choose an existing endpoint protection profile or create a new one. To create a new one, select **Create profile** and enter information for this profile. For **Profile type**, select **Endpoint protection**. If you've chosen an existing profile, select **Properties** and then select **Settings**.
-
-2. In the **Endpoint protection** pane, select **Windows Defender Exploit Guard**, then select **Attack Surface Reduction**. Select the desired setting for each ASR rule.
-
-3. Under **Attack Surface Reduction exceptions**, enter individual files and folders. You can also select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be formatted as follows:
-
- `C:\folder`, `%ProgramFiles%\folder\file`, `C:\path`
-
-4. Select **OK** on the three configuration panes. Then select **Create** if you're creating a new endpoint protection file or **Save** if you're editing an existing one.
-
-## MDM
-
-Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule.
-
-The following is a sample for reference, using [GUID values for ASR rules](attack-surface-reduction.md#attack-surface-reduction-rules).
-
-`OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules`
-
-`Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1`
-
-The values to enable, disable, or enable in audit mode are:
-
-- Disable = 0
-- Block (enable ASR rule) = 1
-- Audit = 2
-
-Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions.
-
-Example:
-
-`OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions`
-
-`Value: c:\path|e:\path|c:\Whitelisted.exe`
-
-> [!NOTE]
-> Be sure to enter OMA-URI values without spaces.
-
-## Microsoft Endpoint Configuration Manager
-
-1. In Microsoft Endpoint Configuration Manager, go to **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
-
-2. Select **Home** > **Create Exploit Guard Policy**.
-
-3. Enter a name and a description, select **Attack Surface Reduction**, and select **Next**.
-
-4. Choose which rules will block or audit actions and select **Next**.
-
-5. Review the settings and select **Next** to create the policy.
-
-6. After the policy is created, **Close**.
-
-## Group Policy
-
-> [!WARNING]
-> If you manage your computers and devices with Intune, Configuration Manager, or other enterprise-level management platform, the management software will overwrite any conflicting Group Policy settings on startup.
-
-1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
-
-2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
-
-3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**.
-
-4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section.
-
- Select **Show...** and enter the rule ID in the **Value name** column and your chosen state in the **Value** column as follows:
-
- - Disable = 0
- - Block (enable ASR rule) = 1
- - Audit = 2
-
- 
-
-5. To exclude files and folders from ASR rules, select the **Exclude files and paths from Attack surface reduction rules** setting and set the option to **Enabled**. Select **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
-
-> [!WARNING]
-> Do not use quotes as they are not supported for either the **Value name** column or the **Value** column.
-
-## PowerShell
-
-> [!WARNING]
-> If you manage your computers and devices with Intune, Configuration Manager, or another enterprise-level management platform, the management software will overwrite any conflicting PowerShell settings on startup. To allow users to define the value using PowerShell, use the "User Defined" option for the rule in the management platform.
-
-1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**.
-
-2. Enter the following cmdlet:
-
- ```PowerShell
- Set-MpPreference -AttackSurfaceReductionRules_Ids
-
-4. Go to **Configure** > **Windows Defender Exploit Guard** > **Controlled folder access** > **Enable**.
-
-5. Type the path to each application that has access to protected folders and the path to any additional folder that needs protection. Select **Add**.
-
- > [!NOTE]
- > Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted.
-
-6. Select **OK** to save each open blade and **Create**.
-
-7. Select the profile **Assignments**, assign to **All Users & All Devices**, and **Save**.
-
-## Mobile Device Management (MDM)
-
-Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-controlledfolderaccessprotectedfolders) configuration service provider (CSP) to allow apps to make changes to protected folders.
-
-## Microsoft Endpoint Configuration Manager
-
-1. In Microsoft Endpoint Configuration Manager, go to **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
-
-2. Select **Home** > **Create Exploit Guard Policy**.
-
-3. Enter a name and a description, select **Controlled folder access**, and select **Next**.
-
-4. Choose whether block or audit changes, allow other apps, or add other folders, and select **Next**.
- > [!NOTE]
- > Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted.
-
-5. Review the settings and select **Next** to create the policy.
-
-6. After the policy is created, **Close**.
-
-## Group Policy
-
-1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
-
-2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**.
-
-3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access**.
-
-4. Double-click the **Configure Controlled folder access** setting and set the option to **Enabled**. In the options section you must specify one of the following options:
- * **Enable** - Malicious and suspicious apps won't be allowed to make changes to files in protected folders. A notification will be provided in the Windows event log.
- * **Disable (Default)** - The Controlled folder access feature won't work. All apps can make changes to files in protected folders.
- * **Audit Mode** - Changes will be allowed if a malicious or suspicious app attempts to make a change to a file in a protected folder. However, it will be recorded in the Windows event log where you can assess the impact on your organization.
- * **Block disk modification only** - Attempts by untrusted apps to write to disk sectors will be logged in Windows Event log. These logs can be found in **Applications and Services Logs** > Microsoft > Windows > Windows Defender > Operational > ID 1123.
- * **Audit disk modification only** - Only attempts to write to protected disk sectors will be recorded in the Windows event log (under **Applications and Services Logs** > **Microsoft** > **Windows** > **Windows Defender** > **Operational** > **ID 1124**). Attempts to modify or delete files in protected folders won't be recorded.
-
- 
-
-> [!IMPORTANT]
-> To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and select **Block** in the options drop-down menu.
-
-## PowerShell
-
-1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator**.
-
-2. Enter the following cmdlet:
-
- ```PowerShell
- Set-MpPreference -EnableControlledFolderAccess Enabled
- ```
-
-You can enable the feature in audit mode by specifying `AuditMode` instead of `Enabled`.
-
-Use `Disabled` to turn off the feature.
-
-## See also
-
-* [Protect important folders with controlled folder access](controlled-folders.md)
-* [Customize controlled folder access](customize-controlled-folders.md)
-* [Evaluate Microsoft Defender ATP](../microsoft-defender-atp/evaluate-atp.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
deleted file mode 100644
index 5707cf67b8..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md
+++ /dev/null
@@ -1,250 +0,0 @@
----
-title: Turn on exploit protection to help mitigate against attacks
-keywords: exploit, mitigation, attacks, vulnerability
-description: Learn how to enable exploit protection in Windows 10. Exploit protection helps protect your device against malware.
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.localizationpriority: medium
-audience: ITPro
-author: denisebmsft
-ms.author: deniseb
-ms.reviewer:
-manager: dansimp
----
-
-# Enable exploit protection
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[Exploit protection](exploit-protection.md) helps protect against malware that uses exploits to infect devices and spread. Exploit protection consists of a number of mitigations that can be applied to either the operating system or individual apps.
-
-> [!IMPORTANT]
-> .NET 2.0 is not compatible with some exploit protection capabilities, specifically, Export Address Filtering (EAF) and Import Address Filtering (IAF). If you have enabled .NET 2.0, usage of EAF and IAF are not supported.
-
-Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection.
-
-You can enable each mitigation separately by using any of these methods:
-
-* [Windows Security app](#windows-security-app)
-* [Microsoft Intune](#intune)
-* [Mobile Device Management (MDM)](#mdm)
-* [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager)
-* [Group Policy](#group-policy)
-* [PowerShell](#powershell)
-
-Exploit protection is configured by default in Windows 10. You can set each mitigation to on, off, or to its default value. Some mitigations have additional options.
-
-You can [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) and deploy them to other devices.
-
-You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the device.
-
-## Windows Security app
-
-1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-
-2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**.
-
-3. Go to **Program settings** and choose the app you want to apply mitigations to.
- - If the app you want to configure is already listed, click it and then click **Edit**.
- - If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.
- - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
-
-4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You are notified if you need to restart the process or app, or if you need to restart Windows.
-
-5. Repeat steps 3-4 for all the apps and mitigations you want to configure.
-
-6. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here:
- - **On by default**: The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
- - **Off by default**: The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section
- - **Use default**: The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation
-
-7. Repeat step 6 for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
-
-If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work:
-
-Enabled in **Program settings** | Enabled in **System settings** | Behavior
--|-|-
-[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings**
-[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings**
-[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings**
-[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option
-
-### Example 1: Mikael configures Data Execution Prevention in system settings section to be off by default
-
-Mikael adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, Mikael enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section.
-
-The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied.
-
-### Example 2: Josie configures Data Execution Prevention in system settings to be off by default
-
-Josie adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, Josie enables the **Override system settings** option and sets the switch to **On**.
-
-Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. Josie doesn't enable the **Override system settings** option for DEP or any other mitigations for that app.
-
-The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. CFG will be enabled for *miles.exe*.
-
-1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
-
-2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**.
-
-3. Go to **Program settings** and choose the app you want to apply mitigations to.
- - If the app you want to configure is already listed, click it and then click **Edit**.
- - If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app.
- - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location.
- - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want.
-
-4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
-
-5. Repeat steps 3-4 for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
-
-## Intune
-
-1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
-
-2. Click **Device configuration** > **Profiles** > **Create profile**.
-
-3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
- 
-
-4. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**.
-
-5. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:
-
-6. Click **OK** to save each open blade and click **Create**.
-
-7. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
-
-## MDM
-
-Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) configuration service provider (CSP) to enable or disable exploit protection mitigations or to use audit mode.
-
-## Microsoft Endpoint Configuration Manager
-
-1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
-
-2. Click **Home** > **Create Exploit Guard Policy**.
-
-3. Enter a name and a description, click **Exploit protection**, and click **Next**.
-
-4. Browse to the location of the exploit protection XML file and click **Next**.
-
-5. Review the settings and click **Next** to create the policy.
-
-6. After the policy is created, click **Close**.
-
-## Group Policy
-
-1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-
-2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
-
-3. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**.
-
-4. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**.
-
-## PowerShell
-
-You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app:
-
-```PowerShell
-Get-ProcessMitigation -Name processName.exe
-```
-
-> [!IMPORTANT]
-> System-level mitigations that have not been configured will show a status of `NOTSET`.
->
-> For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied.
->
-> For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied.
->
-> The default setting for each system-level mitigation can be seen in the Windows Security.
-
-Use `Set` to configure each mitigation in the following format:
-
-```PowerShell
-Set-ProcessMitigation -
-
-
- 
-
-3. Choose the SIEM type you use in your organization.
-
- > [!NOTE]
- > If you select HP ArcSight, you'll need to save these two configuration files:
- > - WDATP-connector.jsonparser.properties
- > - WDATP-connector.properties
-
- If you want to connect directly to the detections REST API through programmatic access, choose **Generic API**.
-
-4. Copy the individual values or select **Save details to file** to download a file that contains all the values.
-
-5. Select **Generate tokens** to get an access and refresh token.
-
- > [!NOTE]
- > You'll need to generate a new Refresh token every 90 days.
-
-6. Follow the instructions for [creating an Azure AD app registration for Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp) and assign the correct permissions to it to read alerts.
-
-You can now proceed with configuring your SIEM solution or connecting to the detections REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive detections from Microsoft Defender Security Center.
-
-## Integrate Microsoft Defender ATP with IBM QRadar
-You can configure IBM QRadar to collect detections from Microsoft Defender ATP. For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1).
-
-## Related topics
-- [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
-- [Microsoft Defender ATP Detection fields](api-portal-mapping.md)
-- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md)
-- [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md
deleted file mode 100644
index 4d724bc3ca..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md
+++ /dev/null
@@ -1,166 +0,0 @@
----
-title: Enable Microsoft Defender ATP Insider Device
-description: Install and use Microsoft Defender ATP for Mac.
-keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
----
-
-# Enable Microsoft Defender ATP Insider Device
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-Endpoint detection and response capabilities in Microsoft Defender ATP for Mac are now in preview. To get these and other preview features, you must set up your Mac device to be an "Insider" device as described in this article. For scale deployment, we recommend using [Jamf](#enable-the-insider-program-with-jamf) or [Intune](#enable-the-insider-program-with-intune).
-
->[!IMPORTANT]
->Make sure you have enabled [Microsoft Defender ATP for Mac](microsoft-defender-atp-mac.md#how-to-install-microsoft-defender-atp-for-mac), and pay attention to the “earlyPreview” flag. See documentation for [Jamf](mac-install-with-jamf.md), [Intune](mac-install-with-intune.md) and [manual deployment](mac-install-manually.md) instructions.
-
-## Enable the Insider program with Jamf
-
-1. Create configuration profile com.microsoft.wdav.plist with the following content:
-
- ```XML
-
-
-
- > The device will change it’s state to “Executing password reset", then you’ll be presented with your new password in a few minutes.
-
-3. Enter the password that was displayed during the device creation step.
-
- 
-
-4. Run Do-it-yourself attack simulations on the device.
-
-
-### Threat simulator scenarios
-If you chose to install any of the supported threat simulators during the lab setup, you can run the built-in simulations on the evaluation lab devices.
-
-
-Running threat simulations using third-party platforms is a good way to evaluate Microsoft Defender ATP capabilities within the confines of a lab environment.
-
->[!NOTE]
->Before you can run simulations, ensure the following requirements are met:
->- Devices must be added to the evaluation lab
->- Threat simulators must be installed in the evaluation lab
-
-1. From the portal select **Create simulation**.
-
-2. Select a threat simulator.
-
- 
-
-3. Choose a simulation or look through the simulation gallery to browse through the available simulations.
-
- You can get to the simulation gallery from:
- - The main evaluation dashboard in the **Simulations overview** tile or
- - By navigating from the navigation pane **Evaluation and tutorials** > **Simulation & tutorials**, then select **Simulations catalog**.
-
-4. Select the devices where you'd like to run the simulation on.
-
-5. Select **Create simulation**.
-
-6. View the progress of a simulation by selecting the **Simulations** tab. View the simulation state, active alerts, and other details.
-
- 
-
-After running your simulations, we encourage you to walk through the lab progress bar and explore Microsoft Defender ATP features. See if the attack simulations you ran triggered an automated investigation and remediation, check out the evidence collected and analyzed by the feature.
-
-Hunt for attack evidence through advanced hunting by using the rich query language and raw telemetry and check out some world-wide threats documented in Threat analytics.
-
-
-## Simulation gallery
-Microsoft Defender ATP has partnered with various threat simulation platforms to give you convenient access to test the capabilities of the platform right from the within the portal.
-
-View all the available simulations by going to **Simulations and tutorials** > **Simulations catalog** from the menu.
-
-
-A list of supported third-party threat simulation agents are listed, and specific types of simulations along with detailed descriptions are provided on the catalog.
-
-You can conveniently run any available simulation right from the catalog.
-
-
-
-
-Each simulation comes with an in-depth description of the attack scenario and references such as the MITRE attack techniques used and sample Advanced hunting queries you run.
-
-**Examples:**
-
-
-
-
-
-
-## Evaluation report
-The lab reports summarize the results of the simulations conducted on the devices.
-
-
-
-At a glance, you'll quickly be able to see:
-- Incidents that were triggered
-- Generated alerts
-- Assessments on exposure level
-- Threat categories observed
-- Detection sources
-- Automated investigations
-
-
-## Provide feedback
-Your feedback helps us get better in protecting your environment from advanced attacks. Share your experience and impressions from product capabilities and evaluation results.
-
-Let us know what you think, by selecting **Provide feedback**.
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md
deleted file mode 100644
index 54be37811e..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md
+++ /dev/null
@@ -1,353 +0,0 @@
----
-title: Review events and errors using Event Viewer
-description: Get descriptions and further troubleshooting steps (if required) for all events reported by the Microsoft Defender ATP service.
-keywords: troubleshoot, event viewer, log summary, failure code, failed, Microsoft Defender Advanced Threat Protection service, cannot start, broken, can't start
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 05/21/2018
----
-
-
-# Review events and errors using Event Viewer
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- Event Viewer
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-
-You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual devices.
-
-For example, if devices are not appearing in the **Devices list**, you might need to look for event IDs on the devices. You can then use this table to determine further troubleshooting steps.
-
-> [!NOTE]
-> It can take several days for devices to begin reporting to the Microsoft Defender ATP service.
-
-**Open Event Viewer and find the Microsoft Defender ATP service event log:**
-
-1. Click **Start** on the Windows menu, type **Event Viewer**, and press **Enter**.
-
-2. In the log list, under **Log Summary**, scroll until you see **Microsoft-Windows-SENSE/Operational**. Double-click the item to
- open the log.
-
- a. You can also access the log by expanding **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE** and click on **Operational**.
-
- > [!NOTE]
- > SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender ATP.
-
-3. Events recorded by the service will appear in the log. See the following table for a list of events recorded by the service.
-
-
-
-
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-eventerrorcodes-belowfoldlink)
-
-## Related topics
-- [Onboard Windows 10 devices](configure-endpoints.md)
-- [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md)
-- [Troubleshoot Microsoft Defender ATP](troubleshoot-onboarding.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/event-views.md b/windows/security/threat-protection/microsoft-defender-atp/event-views.md
deleted file mode 100644
index 926fa6beef..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/event-views.md
+++ /dev/null
@@ -1,179 +0,0 @@
----
-title: View attack surface reduction events
-description: Import custom views to see attack surface reduction events.
-keywords: event view, exploit guard, audit, review, events
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.localizationpriority: medium
-audience: ITPro
-author: levinec
-ms.author: ellevin
-ms.reviewer:
-manager: dansimp
----
-
-# View attack surface reduction events
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Review attack surface reduction events in Event Viewer to monitor what rules or settings are working. You can also determine if any settings are too "noisy" or impacting your day to day workflow.
-
-Reviewing events is handy when you're evaluating the features. You can enable audit mode for features or settings, and then review what would have happened if they were fully enabled.
-
-This article lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events.
-
-Get detailed reporting into events and blocks as part of Windows Security if you have an E5 subscription and use [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md).
-
-## Use custom views to review attack surface reduction capabilities
-
-Create custom views in the Windows Event Viewer to only see events for specific capabilities and settings. The easiest way is to import a custom view as an XML file. You can copy the XML directly from this page.
-
-You can also manually navigate to the event area that corresponds to the feature.
-
-### Import an existing XML custom view
-
-1. Create an empty .txt file and copy the XML for the custom view you want to use into the .txt file. Do this for each of the custom views you want to use. Rename the files as follows (ensure you change the type from .txt to .xml):
- - Controlled folder access events custom view: *cfa-events.xml*
- - Exploit protection events custom view: *ep-events.xml*
- - Attack surface reduction events custom view: *asr-events.xml*
- - Network/ protection events custom view: *np-events.xml*
-
-2. Type **event viewer** in the Start menu and open **Event Viewer**.
-
-3. Select **Action** > **Import Custom View...**
-
- 
-
-4. Navigate to where you extracted XML file for the custom view you want and select it.
-
-5. Select **Open**.
-
-6. It will create a custom view that filters to only show the events related to that feature.
-
-### Copy the XML directly
-
-1. Type **event viewer** in the Start menu and open the Windows **Event Viewer**.
-
-2. On the left panel, under **Actions**, select **Create Custom View...**
-
- 
-
-3. Go to the XML tab and select **Edit query manually**. You'll see a warning that you can't edit the query using the **Filter** tab if you use the XML option. Select **Yes**.
-
-4. Paste the XML code for the feature you want to filter events from into the XML section.
-
-5. Select **OK**. Specify a name for your filter.
-
-6. It will create a custom view that filters to only show the events related to that feature.
-
-### XML for attack surface reduction rule events
-
-```xml
-
-
-Event ID
-Message
-Description
-Action
-
-
-1
-Microsoft Defender Advanced Threat Protection service started (Version
-variable).Occurs during system start up, shut down, and during onbboarding.
-Normal operating notification; no action required.
-
-
-2
-Microsoft Defender Advanced Threat Protection service shutdown.
-Occurs when the device is shut down or offboarded.
-Normal operating notification; no action required.
-
-
-3
-Microsoft Defender Advanced Threat Protection service failed to start. Failure code:
-variable.Service did not start.
-Review other messages to determine possible cause and troubleshooting steps.
-
-
-4
-Microsoft Defender Advanced Threat Protection service contacted the server at
-variable.Variable = URL of the Microsoft Defender ATP processing servers.
-
-This URL will match that seen in the Firewall or network activity.Normal operating notification; no action required.
-
-
-5
-Microsoft Defender Advanced Threat Protection service failed to connect to the server at
-variable.Variable = URL of the Microsoft Defender ATP processing servers.
-
-The service could not contact the external processing servers at that URL.Check the connection to the URL. See Configure proxy and Internet connectivity.
-
-
-6
-Microsoft Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found.
-The device did not onboard correctly and will not be reporting to the portal.
-Onboarding must be run before starting the service.
-
-Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 devices.
-
-7
-Microsoft Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure:
-variable.Variable = detailed error description. The device did not onboard correctly and will not be reporting to the portal.
-Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-
-See Onboard Windows 10 devices.
-
-8
-Microsoft Defender Advanced Threat Protection service failed to clean its configuration. Failure code:
-variable.During onboarding: The service failed to clean its configuration during the onboarding. The onboarding process continues.
-
During offboarding: The service failed to clean its configuration during the offboarding. The offboarding process finished but the service keeps running.
- Onboarding: No action required.
-
Offboarding: Reboot the system.
-See Onboard Windows 10 devices.
-
-9
-Microsoft Defender Advanced Threat Protection service failed to change its start type. Failure code:
-variable.During onboarding: The device did not onboard correctly and will not be reporting to the portal.
-
During offboarding: Failed to change the service start type. The offboarding process continues. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-
-See Onboard Windows 10 devices.
-
-10
-Microsoft Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code:
-variable.The device did not onboard correctly and will not be reporting to the portal.
-Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-
-See Onboard Windows 10 devices.
-
-11
-Onboarding or re-onboarding of Microsoft Defender Advanced Threat Protection service completed.
-The device onboarded correctly.
-Normal operating notification; no action required.
-
-It may take several hours for the device to appear in the portal.
-
-12
-Microsoft Defender Advanced Threat Protection failed to apply the default configuration.
-Service was unable to apply the default configuration.
-This error should resolve after a short period of time.
-
-
-13
-Microsoft Defender Advanced Threat Protection device ID calculated:
-variable.Normal operating process.
-Normal operating notification; no action required.
-
-
-15
-Microsoft Defender Advanced Threat Protection cannot start command channel with URL:
-variable.Variable = URL of the Microsoft Defender ATP processing servers.
-
-The service could not contact the external processing servers at that URL.Check the connection to the URL. See Configure proxy and Internet connectivity.
-
-
-17
-Microsoft Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code:
-variable.An error occurred with the Windows telemetry service.
-Ensure the diagnostic data service is enabled.
-
-Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 devices.
-
-18
-OOBE (Windows Welcome) is completed.
-Service will only start after any Windows updates have finished installing.
-Normal operating notification; no action required.
-
-
-19
-OOBE (Windows Welcome) has not yet completed.
-Service will only start after any Windows updates have finished installing.
-Normal operating notification; no action required.
-
-If this error persists after a system restart, ensure all Windows updates have full installed.
-
-20
-Cannot wait for OOBE (Windows Welcome) to complete. Failure code:
-variable.Internal error.
-If this error persists after a system restart, ensure all Windows updates have full installed.
-
-
-25
-Microsoft Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code:
-variable.The device did not onboard correctly.
-It will report to the portal, however the service may not appear as registered in SCCM or the registry.
-Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-
-See Onboard Windows 10 devices.
-
-26
-Microsoft Defender Advanced Threat Protection service failed to set the onboarding status in the registry. Failure code:
-variable.The device did not onboard correctly.
-
-It will report to the portal, however the service may not appear as registered in SCCM or the registry.Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-
-See Onboard Windows 10 devices.
-
-27
-Microsoft Defender Advanced Threat Protection service failed to enable SENSE aware mode in Microsoft Defender Antivirus. Onboarding process failed. Failure code:
-variable.Normally, Microsoft Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the device, and the device is reporting to Microsoft Defender ATP.
-Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-
-See Onboard Windows 10 devices.
-Ensure real-time antimalware protection is running properly.
-
-28
-Microsoft Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration failed. Failure code:
-variable.An error occurred with the Windows telemetry service.
-Ensure the diagnostic data service is enabled.
-
-Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 devices.
-
-29
-Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3
-This event occurs when the system can't read the offboarding parameters.
-Ensure the device has Internet access, then run the entire offboarding process again. Ensure the offboarding package has not expired.
-
-
-30
-Microsoft Defender Advanced Threat Protection service failed to disable SENSE aware mode in Microsoft Defender Antivirus. Failure code:
-variable.Normally, Microsoft Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the device, and the device is reporting to Microsoft Defender ATP.
-Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-
-See Onboard Windows 10 devices
-Ensure real-time antimalware protection is running properly.
-
-31
-Microsoft Defender Advanced Threat Protection Connected User Experiences and Telemetry service unregistration failed. Failure code:
-variable.An error occurred with the Windows telemetry service during onboarding. The offboarding process continues.
-Check for errors with the Windows telemetry service.
-
-
-32
-Microsoft Defender Advanced Threat Protection service failed to request to stop itself after offboarding process. Failure code: %1
-An error occurred during offboarding.
-Reboot the device.
-
-
-33
-Microsoft Defender Advanced Threat Protection service failed to persist SENSE GUID. Failure code:
-variable.A unique identifier is used to represent each device that is reporting to the portal.
-
-If the identifier does not persist, the same device might appear twice in the portal.Check registry permissions on the device to ensure the service can update the registry.
-
-
-34
-Microsoft Defender Advanced Threat Protection service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code:
-variable.An error occurred with the Windows telemetry service.
-Ensure the diagnostic data service is enabled.
-
-Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 devices.
-
-35
-Microsoft Defender Advanced Threat Protection service failed to remove itself as a dependency on the Connected User Experiences and Telemetry service. Failure code:
-variable.An error occurred with the Windows telemetry service during offboarding. The offboarding process continues.
-
-Check for errors with the Windows diagnostic data service.
-
-
-36
-Microsoft Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration succeeded. Completion code:
-variable.Registering Microsoft Defender Advanced Threat Protection with the Connected User Experiences and Telemetry service completed successfully.
-Normal operating notification; no action required.
-
-
-37
-Microsoft Defender Advanced Threat Protection A module is about to exceed its quota. Module: %1, Quota: {%2} {%3}, Percentage of quota utilization: %4.
-The device has almost used its allocated quota of the current 24-hour window. It’s about to be throttled.
-Normal operating notification; no action required.
-
-
-38
-Network connection is identified as low. Microsoft Defender Advanced Threat Protection will contact the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4.
-The device is using a metered/paid network and will be contacting the server less frequently.
-Normal operating notification; no action required.
-
-
-39
-Network connection is identified as normal. Microsoft Defender Advanced Threat Protection will contact the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4.
-The device is not using a metered/paid connection and will contact the server as usual.
-Normal operating notification; no action required.
-
-
-40
-Battery state is identified as low. Microsoft Defender Advanced Threat Protection will contact the server every %1 minutes. Battery state: %2.
-The device has low battery level and will contact the server less frequently.
-Normal operating notification; no action required.
-
-
-41
-Battery state is identified as normal. Microsoft Defender Advanced Threat Protection will contact the server every %1 minutes. Battery state: %2.
-The device doesn’t have low battery level and will contact the server as usual.
-Normal operating notification; no action required.
-
-
-42
-Microsoft Defender Advanced Threat Protection WDATP component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception message: %4
-Internal error. The service failed to start.
-If this error persists, contact Support.
-
-
-43
-Microsoft Defender Advanced Threat Protection WDATP component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception Error: %4, Exception message: %5
-Internal error. The service failed to start.
-If this error persists, contact Support.
-
-
-44
-Offboarding of Microsoft Defender Advanced Threat Protection service completed.
-The service was offboarded.
-Normal operating notification; no action required.
-
-
-45
-Failed to register and to start the event trace session [%1]. Error code: %2
-An error occurred on service startup while creating ETW session. This caused service start-up failure.
-If this error persists, contact Support.
-
-
-46
-Failed to register and start the event trace session [%1] due to lack of resources. Error code: %2. This is most likely because there are too many active event trace sessions. The service will retry in 1 minute.
-An error occurred on service startup while creating ETW session due to lack of resources. The service started and is running, but will not report any sensor event until the ETW session is started.
-Normal operating notification; no action required. The service will try to start the session every minute.
-
-
-47
-Successfully registered and started the event trace session - recovered after previous failed attempts.
-This event follows the previous event after successfully starting of the ETW session.
-Normal operating notification; no action required.
-
-
-
-
-48
-Failed to add a provider [%1] to event trace session [%2]. Error code: %3. This means that events from this provider will not be reported.
-Failed to add a provider to ETW session. As a result, the provider events aren’t reported.
-Check the error code. If the error persists contact Support.
-
As "Memory Protection Check" |
-|Block remote images | yes | yes
As "Load Library Check" |
-|Block untrusted fonts | yes | yes |
-|Data Execution Prevention (DEP) | yes | yes |
-|Export address filtering (EAF) | yes | yes |
-|Force randomization for images (Mandatory ASLR) | yes | yes |
-|NullPage Security Mitigation | yes
Included natively in Windows 10
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | yes |
-|Randomize memory allocations (Bottom-Up ASLR) | yes | yes |
-|Simulate execution (SimExec) | yes | yes |
-|Validate API invocation (CallerCheck) | yes | yes |
-|Validate exception chains (SEHOP) | yes | yes |
-|Validate stack integrity (StackPivot) | yes | yes |
-|Certificate trust (configurable certificate pinning) | Windows 10 provides enterprise certificate pinning | yes |
-|Heap spray allocation | Ineffective against newer browser-based exploits; newer mitigations provide better protection
See [Mitigate threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information | yes |
-|Block low integrity images | yes | no |
-|Code integrity guard | yes | no |
-|Disable extension points | yes | no |
-|Disable Win32k system calls | yes | no |
-|Do not allow child processes | yes | no |
-|Import address filtering (IAF) | yes | no |
-|Validate handle usage | yes | no |
-|Validate heap integrity | yes | no |
-|Validate image dependency integrity | yes | no |
-
-> [!NOTE]
-> The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default, as part of enabling the anti-ROP mitigations for a process. See the [Mitigation threats by using Windows 10 security features](../overview-of-threat-mitigations-in-windows-10.md#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) for more information on how Windows 10 employs existing EMET technology.
-
-## See also
-
-- [Protect devices from exploits](exploit-protection.md)
-- [Evaluate exploit protection](evaluate-exploit-protection.md)
-- [Enable exploit protection](enable-exploit-protection.md)
-- [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
-- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
-- [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md
deleted file mode 100644
index 8f4d3dec0e..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md
+++ /dev/null
@@ -1,177 +0,0 @@
----
-title: Use Microsoft Defender Advanced Threat Protection APIs
-ms.reviewer:
-description: Learn how to design a native Windows app to get programmatic access to Microsoft Defender ATP without a user.
-keywords: apis, graph api, supported apis, actor, alerts, device, user, domain, ip, file, advanced hunting, query
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Use Microsoft Defender ATP APIs
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-This page describes how to create an application to get programmatic access to Microsoft Defender ATP on behalf of a user.
-
-If you need programmatic access Microsoft Defender ATP without a user, refer to [Access Microsoft Defender ATP with application context](exposed-apis-create-app-webapp.md).
-
-If you are not sure which access you need, read the [Introduction page](apis-intro.md).
-
-Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate work flows and innovate based on Microsoft Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code).
-
-In general, you’ll need to take the following steps to use the APIs:
-- Create an AAD application
-- Get an access token using this application
-- Use the token to access Microsoft Defender ATP API
-
-This page explains how to create an AAD application, get an access token to Microsoft Defender ATP and validate the token.
-
->[!NOTE]
-> When accessing Microsoft Defender ATP API on behalf of a user, you will need the correct Application permission and user permission.
-> If you are not familiar with user permissions on Microsoft Defender ATP, see [Manage portal access using role-based access control](rbac.md).
-
->[!TIP]
-> If you have the permission to perform an action in the portal, you have the permission to perform the action in the API.
-
-## Create an app
-
-1. Log on to [Azure](https://portal.azure.com) with user that has **Global Administrator** role.
-
-2. Navigate to **Azure Active Directory** > **App registrations** > **New registration**.
-
- 
-
-3. In the registration from, enter the following information then click **Register**.
-
- 
-
- - **Name:** -Your application name-
- - **Application type:** Public client
-
-4. Allow your Application to access Microsoft Defender ATP and assign it 'Read alerts' permission:
-
- - On your application page, click **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**.
-
- - **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
-
- 
-
- - Choose **Delegated permissions** > **Alert.Read** > Click on **Add permissions**
-
- 
-
- - **Important note**: You need to select the relevant permissions. 'Read alerts' is only an example!
-
- For instance,
-
- - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
- - To [isolate a device](isolate-machine.md), select 'Isolate machine' permission
- - To determine which permission you need, please look at the **Permissions** section in the API you are interested to call.
-
- - Click **Grant consent**
-
- **Note**: Every time you add permission you must click on **Grant consent** for the new permission to take effect.
-
- 
-
-6. Write down your application ID and your tenant ID:
-
- - On your application page, go to **Overview** and copy the following:
-
- 
-
-
-## Get an access token
-
-For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds)
-
-### Using C#
-
-- Copy/Paste the below class in your application.
-- Use **AcquireUserTokenAsync** method with the your application ID, tenant ID, user name and password to acquire a token.
-
- ```csharp
- namespace WindowsDefenderATP
- {
- using System.Net.Http;
- using System.Text;
- using System.Threading.Tasks;
- using Newtonsoft.Json.Linq;
-
- public static class WindowsDefenderATPUtils
- {
- private const string Authority = "https://login.windows.net";
-
- private const string WdatpResourceId = "https://api.securitycenter.windows.com";
-
- public static async Task
For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds)
-
-### Using PowerShell
-
-```
-# That code gets the App Context Token and save it to a file named "Latest-token.txt" under the current directory
-# Paste below your Tenant ID, App ID and App Secret (App key).
-
-$tenantId = '' ### Paste your tenant ID here
-$appId = '' ### Paste your Application ID here
-$appSecret = '' ### Paste your Application key here
-
-$resourceAppIdUri = 'https://api.securitycenter.windows.com'
-$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token"
-$authBody = [Ordered] @{
- resource = "$resourceAppIdUri"
- client_id = "$appId"
- client_secret = "$appSecret"
- grant_type = 'client_credentials'
-}
-$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop
-$token = $authResponse.access_token
-Out-File -FilePath "./Latest-token.txt" -InputObject $token
-return $token
-```
-
-### Using C#:
-
->The below code was tested with Nuget Microsoft.IdentityModel.Clients.ActiveDirectory
-
-- Create a new Console Application
-- Install Nuget [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/)
-- Add the below using
-
- ```
- using Microsoft.IdentityModel.Clients.ActiveDirectory;
- ```
-
-- Copy/Paste the below code in your application (do not forget to update the 3 variables: ```tenantId, appId, appSecret```)
-
- ```
- string tenantId = "00000000-0000-0000-0000-000000000000"; // Paste your own tenant ID here
- string appId = "11111111-1111-1111-1111-111111111111"; // Paste your own app ID here
- string appSecret = "22222222-2222-2222-2222-222222222222"; // Paste your own app secret here for a test, and then store it in a safe place!
-
- const string authority = "https://login.windows.net";
- const string wdatpResourceId = "https://api.securitycenter.windows.com";
-
- AuthenticationContext auth = new AuthenticationContext($"{authority}/{tenantId}/");
- ClientCredential clientCredential = new ClientCredential(appId, appSecret);
- AuthenticationResult authenticationResult = auth.AcquireTokenAsync(wdatpResourceId, clientCredential).GetAwaiter().GetResult();
- string token = authenticationResult.AccessToken;
- ```
-
-
-### Using Python
-
-Refer to [Get token using Python](run-advanced-query-sample-python.md#get-token)
-
-### Using Curl
-
-> [!NOTE]
-> The below procedure supposed Curl for Windows is already installed on your computer
-
-- Open a command window
-- Set CLIENT_ID to your Azure application ID
-- Set CLIENT_SECRET to your Azure application secret
-- Set TENANT_ID to the Azure tenant ID of the customer that wants to use your application to access Microsoft Defender ATP application
-- Run the below command:
-
-```
-curl -i -X POST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials" -d "client_id=%CLIENT_ID%" -d "scope=https://securitycenter.onmicrosoft.com/windowsatpservice/.default" -d "client_secret=%CLIENT_SECRET%" "https://login.microsoftonline.com/%TENANT_ID%/oauth2/v2.0/token" -k
-```
-
-You will get an answer of the form:
-
-```
-{"token_type":"Bearer","expires_in":3599,"ext_expires_in":0,"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIn
Supports [OData V4 queries](https://www.odata.org/documentation/).
-
OData supported operators:
-
```$filter``` on: ```alertCreationTime```, ```lastUpdateTime```, ```incidentId```,```InvestigationId```, ```status```, ```severity``` and ```category``` properties.
-
```$top``` with max value of 10,000
-
```$skip```
-
```$expand``` of ```evidence```
-
See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
-
-
-## Limitations
-1. You can get alerts last updated according to your configured retention period.
-2. Maximum page size is 10,000.
-3. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Alert.Read.All | 'Read all alerts'
-Application | Alert.ReadWrite.All | 'Read and write all alerts'
-Delegated (work or school account) | Alert.Read | 'Read alerts'
-Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- The response will include only alerts that are associated with devices that the user can access, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```
-GET /api/alerts
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK, and a list of [alert](alerts.md) objects in the response body.
-
-
-## Example 1 - Default
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.microsoft.com/api/alerts
-```
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-**Response**
-
-Here is an example of the response.
-
->[!NOTE]
->The response list shown here may be truncated for brevity. All alerts will be returned from an actual call.
-
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts",
- "value": [
- {
- "id": "da637308392288907382_-880718168",
- "incidentId": 7587,
- "investigationId": 723156,
- "assignedTo": "secop123@contoso.com",
- "severity": "Low",
- "status": "New",
- "classification": "TruePositive",
- "determination": null,
- "investigationState": "Queued",
- "detectionSource": "WindowsDefenderAv",
- "category": "SuspiciousActivity",
- "threatFamilyName": "Meterpreter",
- "title": "Suspicious 'Meterpreter' behavior was detected",
- "description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nA malware is considered active if it is found running on the machine or it already has persistence mechanisms in place. Active malware detections are assigned higher severity ratings.\n\nBecause this malware was active, take precautionary measures and check for residual signs of infection.",
- "alertCreationTime": "2020-07-20T10:53:48.7657932Z",
- "firstEventTime": "2020-07-20T10:52:17.6654369Z",
- "lastEventTime": "2020-07-20T10:52:18.1362905Z",
- "lastUpdateTime": "2020-07-20T10:53:50.19Z",
- "resolvedTime": null,
- "machineId": "12ee6dd8c833c8a052ea231ec1b19adaf497b625",
- "computerDnsName": "temp123.middleeast.corp.microsoft.com",
- "rbacGroupName": "MiddleEast",
- "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c",
- "relatedUser": {
- "userName": "temp123",
- "domainName": "MIDDLEEAST"
- },
- "comments": [
- {
- "comment": "test comment for docs",
- "createdBy": "secop123@contoso.com",
- "createdTime": "2020-07-21T01:00:37.8404534Z"
- }
- ],
- "evidence": []
- }
- ...
- ]
-}
-```
-
-## Example 2 - Get 10 latest Alerts with related Evidence
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=evidence
-```
-
-
-**Response**
-
-Here is an example of the response.
-
->[!NOTE]
->The response list shown here may be truncated for brevity. All alerts will be returned from an actual call.
-
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts",
- "value": [
- {
- "id": "da637306396589640224_1753239473",
- "incidentId": 875832,
- "investigationId": 478434,
- "assignedTo": null,
- "severity": "Low",
- "status": "New",
- "classification": null,
- "determination": null,
- "investigationState": "PendingApproval",
- "detectionSource": "WindowsDefenderAv",
- "category": "UnwantedSoftware",
- "threatFamilyName": "InstallCore",
- "title": "An active 'InstallCore' unwanted software was detected",
- "description": "Potentially unwanted applications (PUA) often impact productivity and performance and are often unwanted in enterprise environments. This category of applications include torrent downloaders, cryptocurrency miners, browser advertising software, and evasion software.\n\nAn application is considered active if it is found running on the machine or it already has persistence mechanisms in place.\n\nBecause this PUA was active, take precautionary measures and check for residual signs of infection.",
- "alertCreationTime": "2020-07-18T03:27:38.9483995Z",
- "firstEventTime": "2020-07-18T03:25:39.6124549Z",
- "lastEventTime": "2020-07-18T03:26:18.4362304Z",
- "lastUpdateTime": "2020-07-18T03:28:19.76Z",
- "resolvedTime": null,
- "machineId": "97868b864dc8fa09cc8726c37a1fcd8ab582f3aa",
- "computerDnsName": "temp2.redmond.corp.microsoft.com",
- "rbacGroupName": "Ring0",
- "aadTenantId": "12f988bf-1234-1234-91ab-2d7cd011db47",
- "relatedUser": {
- "userName": "temp2",
- "domainName": "REDMOND"
- },
- "comments": [],
- "evidence": [
- {
- "entityType": "File",
- "sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
- "sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
- "fileName": "Your File Is Ready To Download_1911150169.exe",
- "filePath": "C:\\Users\\temp2\\Downloads",
- "processId": null,
- "processCommandLine": null,
- "processCreationTime": null,
- "parentProcessId": null,
- "parentProcessCreationTime": null,
- "ipAddress": null,
- "url": null,
- "accountName": null,
- "domainName": null,
- "userSid": null,
- "aadUserId": null,
- "userPrincipalName": null
- },
- {
- "entityType": "Process",
- "sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c",
- "sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2",
- "fileName": "Your File Is Ready To Download_1911150169.exe",
- "filePath": "C:\\Users\\temp2\\Downloads",
- "processId": 24348,
- "processCommandLine": "\"Your File Is Ready To Download_1911150169.exe\" ",
- "processCreationTime": "2020-07-18T03:25:38.5269993Z",
- "parentProcessId": 16840,
- "parentProcessCreationTime": "2020-07-18T02:12:32.8616797Z",
- "ipAddress": null,
- "url": null,
- "accountName": null,
- "domainName": null,
- "userSid": null,
- "aadUserId": null,
- "userPrincipalName": null
- },
- {
- "entityType": "User",
- "sha1": null,
- "sha256": null,
- "fileName": null,
- "filePath": null,
- "processId": null,
- "processCommandLine": null,
- "processCreationTime": null,
- "parentProcessId": null,
- "parentProcessCreationTime": null,
- "ipAddress": null,
- "url": null,
- "accountName": "temp2",
- "domainName": "REDMOND",
- "userSid": "S-1-5-21-1127532184-1642412920-1887927527-75363",
- "aadUserId": "319dc320-4ce3-4cd7-a0de-c476d146342d",
- "userPrincipalName": "temp2@microsoft.com"
- }
- ]
- },
- ...
- ]
-}
-```
-
-
-## Related topics
-- [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md
deleted file mode 100644
index c49e958dfb..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md
+++ /dev/null
@@ -1,111 +0,0 @@
----
-title: List all recommendations
-description: Retrieves a list of all security recommendations affecting the organization.
-keywords: apis, graph api, supported apis, get, security recommendations, mdatp tvm api, threat and vulnerability management, threat and vulnerability management api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List all recommendations
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a list of all security recommendations affecting the organization.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
-Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
-
-## HTTP request
-```
-GET /api/recommendations
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the list of security recommendations in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/recommendations
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations",
- "value": [
- {
- "id": "va-_-microsoft-_-windows_10",
- "productName": "windows_10",
- "recommendationName": "Update Windows 10",
- "weaknesses": 397,
- "vendor": "microsoft",
- "recommendedVersion": "",
- "recommendationCategory": "Application",
- "subCategory": "",
- "severityScore": 0,
- "publicExploit": true,
- "activeAlert": false,
- "associatedThreats": [
- "3098b8ef-23b1-46b3-aed4-499e1928f9ed",
- "40c189d5-0330-4654-a816-e48c2b7f9c4b",
- "4b0c9702-9b6c-4ca2-9d02-1556869f56f8",
- "e8fc2121-3cf3-4dd2-9ea0-87d7e1d2b29d",
- "94b6e94b-0c1d-4817-ac06-c3b8639be3ab"
- ],
- "remediationType": "Update",
- "status": "Active",
- "configScoreImpact": 0,
- "exposureImpact": 7.674418604651163,
- "totalMachineCount": 37,
- "exposedMachinesCount": 7,
- "nonProductivityImpactedAssets": 0,
- "relatedComponent": "Windows 10"
- }
- ...
- ]
-}
-```
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md
deleted file mode 100644
index f3be9540c4..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md
+++ /dev/null
@@ -1,109 +0,0 @@
----
-title: Get all vulnerabilities by machine and software
-description: Retrieves a list of all the vulnerabilities affecting the organization by Machine and Software
-keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List vulnerabilities by machine and software
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Retrieves a list of all the vulnerabilities affecting the organization per [machine](machine.md) and [software](software.md).
-- If the vulnerability has a fixing KB, it will appear in the response.
-- Supports [OData V4 queries](https://www.odata.org/documentation/).
-- The OData ```$filter``` is supported on all properties.
-
->[!Tip]
->This is great API for [Power BI integration](api-power-bi.md).
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
-Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
-
-## HTTP request
-```
-GET /api/vulnerabilities/machinesVulnerabilities
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the list of vulnerabilities in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/vulnerabilities/machinesVulnerabilities
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.PublicAssetVulnerabilityDto)",
- "value": [
- {
- "id": "5afa3afc92a7c63d4b70129e0a6f33f63a427e21-_-CVE-2020-6494-_-microsoft-_-edge_chromium-based-_-81.0.416.77-_-",
- "cveId": "CVE-2020-6494",
- "machineId": "5afa3afc92a7c63d4b70129e0a6f33f63a427e21",
- "fixingKbId": null,
- "productName": "edge_chromium-based",
- "productVendor": "microsoft",
- "productVersion": "81.0.416.77",
- "severity": "Low"
- },
- {
- "id": "7a704e17d1c2977c0e7b665fb18ae6e1fe7f3283-_-CVE-2016-3348-_-microsoft-_-windows_server_2012_r2-_-6.3.9600.19728-_-3185911",
- "cveId": "CVE-2016-3348",
- "machineId": "7a704e17d1c2977c0e7b665fb18ae6e1fe7f3283",
- "fixingKbId": "3185911",
- "productName": "windows_server_2012_r2",
- "productVendor": "microsoft",
- "productVersion": "6.3.9600.19728",
- "severity": "Low"
- },
- ...
- ]
-
-}
-```
-
-## Related topics
-
-- [Risk-based threat and vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md
deleted file mode 100644
index 262c80a1bf..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md
+++ /dev/null
@@ -1,99 +0,0 @@
----
-title: Get all vulnerabilities
-description: Retrieves a list of all the vulnerabilities affecting the organization
-keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List vulnerabilities
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a list of all the vulnerabilities affecting the organization.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
-Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
-
-## HTTP request
-```
-GET /api/vulnerabilities
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the list of vulnerabilities in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/Vulnerabilities
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Vulnerabilities",
- "value": [
- {
- "id": "CVE-2019-0608",
- "name": "CVE-2019-0608",
- "description": "A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it.In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or instant message, and then convince the user to interact with content on the website.The update addresses the vulnerability by correcting how Microsoft Browsers parses HTTP responses.",
- "severity": "Medium",
- "cvssV3": 4.3,
- "exposedMachines": 4,
- "publishedOn": "2019-10-08T00:00:00Z",
- "updatedOn": "2019-12-16T16:20:00Z",
- "publicExploit": false,
- "exploitVerified": false,
- "exploitInKit": false,
- "exploitTypes": [],
- "exploitUris": []
- }
- ...
- ]
-
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md
deleted file mode 100644
index d4dac32b7b..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md
+++ /dev/null
@@ -1,85 +0,0 @@
----
-title: Get CVE-KB map API
-description: Learn how to use the Get CVE-KB map API to retrieve a map of CVE's to KB's and CVE details in Microsoft Defender Advanced Threat Protection.
-keywords: apis, graph api, supported apis, get, cve, kb
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: leonidzh
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ROBOTS: NOINDEX
----
-
-# Get CVE-KB map API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Retrieves a map of CVE's to KB's and CVE details.
-
-## Permissions
-User needs read permissions.
-
-## HTTP request
-```
-GET /testwdatppreview/cvekbmap
-```
-
-## Request headers
-
-Header | Value
-:---|:---
-Authorization | Bearer {token}. **Required**.
-Content type | application/json
-
-## Request body
-Empty
-
-## Response
-If successful and map exists - 200 OK.
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://graph.microsoft.com/testwdatppreview/CveKbMap
-Content-type: application/json
-```
-
-**Response**
-
-Here is an example of the response.
-
-```
-HTTP/1.1 200 OK
-Content-type: application/json
-{
- "@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#CveKbMap",
- "@odata.count": 4168,
- "value": [
- {
- "cveKbId": "CVE-2015-2482-3097617",
- "cveId": "CVE-2015-2482",
- "kbId":"3097617",
- "title": "Cumulative Security Update for Internet Explorer",
- "severity": "Critical"
- },
- …
-}
-
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md
deleted file mode 100644
index 2c896a9943..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md
+++ /dev/null
@@ -1,86 +0,0 @@
----
-title: Get device secure score
-description: Retrieves the organizational device secure score.
-keywords: apis, graph api, supported apis, get, alerts, recent
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: levinec
-ms.author: ellevin
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get device secure score
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-Retrieves your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md). A higher Microsoft Secure Score for Devices means your endpoints are more resilient from cybersecurity threat attacks.
-
-## Permissions
-
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Score.Read.Alll | 'Read Threat and Vulnerability Management score'
-Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
-
-## HTTP request
-
-```
-GET /api/configurationScore
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-## Request body
-
-Empty
-
-## Response
-
-If successful, this method returns 200 OK, with the device secure score data in the response body.
-
-## Example
-
-### Request
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/configurationScore
-```
-
-### Response
-
-Here is an example of the response.
-
->[!NOTE]
->The response list shown here may be truncated for brevity.
-
-```json
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ConfigurationScore/$entity",
- "time": "2019-12-03T09:15:58.1665846Z",
- "score": 340
-}
-```
-
-## Related topics
-
-- [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md
deleted file mode 100644
index 10ff59d2ea..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md
+++ /dev/null
@@ -1,97 +0,0 @@
----
-title: Get discovered vulnerabilities
-description: Retrieves a collection of discovered vulnerabilities related to a given device ID.
-keywords: apis, graph api, supported apis, get, list, file, information, discovered vulnerabilities, threat & vulnerability management api, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: levinec
-ms.author: ellevin
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get discovered vulnerabilities
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Retrieves a collection of discovered vulnerabilities related to a given device ID.
-
-## Permissions
-
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application |Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
-Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
-
-## HTTP request
-
-```
-GET /api/machines/{machineId}/vulnerabilities
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-## Request body
-
-Empty
-
-## Response
-
-If successful, this method returns 200 OK with the discovered vulnerability information in the body.
-
-## Example
-
-### Request
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/vulnerabilities
-```
-
-### Response
-
-Here is an example of the response.
-
-```
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
- "value": [
- {
- "id": "CVE-2019-1348",
- "name": "CVE-2019-1348",
- "description": "Git could allow a remote attacker to bypass security restrictions, caused by a flaw in the --export-marks option of git fast-import. By persuading a victim to import specially-crafted content, an attacker could exploit this vulnerability to overwrite arbitrary paths.",
- "severity": "Medium",
- "cvssV3": 4.3,
- "exposedMachines": 1,
- "publishedOn": "2019-12-13T00:00:00Z",
- "updatedOn": "2019-12-13T00:00:00Z",
- "publicExploit": false,
- "exploitVerified": false,
- "exploitInKit": false,
- "exploitTypes": [],
- "exploitUris": []
- }
-}
-```
-
-## Related topics
-
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md
deleted file mode 100644
index 59c2587cda..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md
+++ /dev/null
@@ -1,81 +0,0 @@
----
-title: Get domain related alerts API
-description: Learn how to use the Get domain related alerts API to retrieve alerts related to a given domain address in Microsoft Defender Advanced Threat Protection.
-keywords: apis, graph api, supported apis, get, domain, related, alerts
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get domain related alerts API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-
-## API description
-Retrieves a collection of [Alerts](alerts.md) related to a given domain address.
-
-
-## Limitations
-1. You can query on alerts last updated according to your configured retention period.
-2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Alert.Read.All | 'Read all alerts'
-Application | Alert.ReadWrite.All | 'Read and write all alerts'
-Delegated (work or school account) | Alert.Read | 'Read alerts'
-Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- Response will include only alerts, associated with devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```http
-GET /api/domains/{domain}/alerts
-```
-
-## Request headers
-
-| Header | Value |
-|:--------------|:-------|
-| Authorization | String |
-
-## Request body
-Empty
-
-## Response
-If successful and domain exists - 200 OK with list of [alert](alerts.md) entities. If domain does not exist - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-```http
-GET https://api.securitycenter.windows.com/api/domains/client.wns.windows.com/alerts
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md
deleted file mode 100644
index 662f9724e7..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md
+++ /dev/null
@@ -1,83 +0,0 @@
----
-title: Get domain related machines API
-description: Learn how to use the Get domain related machines API to get machines that communicated to or from a domain in Microsoft Defender Advanced Threat Protection.
-keywords: apis, graph api, supported apis, get, domain, related, devices
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get domain related machines API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-
-## API description
-Retrieves a collection of [Machines](machine.md) that have communicated to or from a given domain address.
-
-
-## Limitations
-1. You can query on devices last updated according to your configured retention period.
-2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.Read.All | 'Read all machine profiles'
-Application | Machine.ReadWrite.All | 'Read and write all machine information'
-Delegated (work or school account) | Machine.Read | 'Read machine information'
-Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- Response will include only devices that the user can access, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```http
-GET /api/domains/{domain}/machines
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and domain exists - 200 OK with list of [machine](machine.md) entities. If domain do not exist - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-```http
-GET https://api.securitycenter.windows.com/api/domains/api.securitycenter.windows.com/machines
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md
deleted file mode 100644
index efb793f5cc..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md
+++ /dev/null
@@ -1,95 +0,0 @@
----
-title: Get domain statistics API
-description: Learn how to use the Get domain statistics API to retrieve the statistics on the given domain in Microsoft Defender Advanced Threat Protection.
-keywords: apis, graph api, supported apis, get, domain, domain related devices
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get domain statistics API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-
-## API description
-Retrieves the statistics on the given domain.
-
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | URL.Read.All | 'Read URLs'
-Delegated (work or school account) | URL.Read.All | 'Read URLs'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
-
-## HTTP request
-```
-GET /api/domains/{domain}/stats
-```
-
-## Request headers
-
-Header | Value
-:---|:---
-Authorization | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and domain exists - 200 OK, with statistics object in the response body. If domain does not exist - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-```
-GET https://api.securitycenter.windows.com/api/domains/example.com/stats
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```
-HTTP/1.1 200 OK
-Content-type: application/json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgDomainStats",
- "host": "example.com",
- "orgPrevalence": "4070",
- "orgFirstSeen": "2017-07-30T13:23:48Z",
- "orgLastSeen": "2017-08-29T13:09:05Z"
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md
deleted file mode 100644
index 77c92c030f..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md
+++ /dev/null
@@ -1,90 +0,0 @@
----
-title: Get exposure score
-description: Retrieves the organizational exposure score.
-keywords: apis, graph api, supported apis, get, exposure score, organizational exposure score
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: levinec
-ms.author: ellevin
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get exposure score
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves the organizational exposure score.
-
-## Permissions
-
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Score.Read.All | 'Read Threat and Vulnerability Management score'
-Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
-
-## HTTP request
-
-```
-GET /api/exposureScore
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-## Request body
-
-Empty
-
-## Response
-
-If successful, this method returns 200 OK, with the exposure data in the response body.
-
-## Example
-
-### Request
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/exposureScore
-```
-
-### Response
-
-Here is an example of the response.
-
->[!NOTE]
->The response list shown here may be truncated for brevity.
-
-```json
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ExposureScore/$entity",
- "time": "2019-12-03T07:23:53.280499Z",
- "score": 33.491554051195706
-}
-
-```
-
-## Related topics
-
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability exposure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md
deleted file mode 100644
index db6f1f2f72..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md
+++ /dev/null
@@ -1,107 +0,0 @@
----
-title: Get file information API
-description: Learn how to use the Get file information API to get a file by Sha1, Sha256, or MD5 identifier in Microsoft Defender Advanced Threat Protection.
-keywords: apis, graph api, supported apis, get, file, information, sha1, sha256, md5
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get file information API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-
-## API description
-Retrieves a [File](files.md) by identifier Sha1, or Sha256
-
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | File.Read.All | 'Read all file profiles'
-Delegated (work or school account) | File.Read.All | 'Read all file profiles'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
-
-## HTTP request
-```
-GET /api/files/{id}
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and file exists - 200 OK with the [file](files.md) entity in the body. If file does not exist - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-```
-GET https://api.securitycenter.windows.com/api/files/4388963aaa83afe2042a46a3c017ad50bdcdafb3
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```
-HTTP/1.1 200 OK
-Content-type: application/json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Files/$entity",
- "sha1": "4388963aaa83afe2042a46a3c017ad50bdcdafb3",
- "sha256": "413c58c8267d2c8648d8f6384bacc2ae9c929b2b96578b6860b5087cd1bd6462",
- "globalPrevalence": 180022,
- "globalFirstObserved": "2017-09-19T03:51:27.6785431Z",
- "globalLastObserved": "2020-01-06T03:59:21.3229314Z",
- "size": 22139496,
- "fileType": "APP",
- "isPeFile": true,
- "filePublisher": "CHENGDU YIWO Tech Development Co., Ltd.",
- "fileProductName": "EaseUS MobiSaver for Android",
- "signer": "CHENGDU YIWO Tech Development Co., Ltd.",
- "issuer": "VeriSign Class 3 Code Signing 2010 CA",
- "signerHash": "6c3245d4a9bc0244d99dff27af259cbbae2e2d16",
- "isValidCertificate": false,
- "determinationType": "Pua",
- "determinationValue": "PUA:Win32/FusionCore"
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md
deleted file mode 100644
index 7ccb81730f..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md
+++ /dev/null
@@ -1,81 +0,0 @@
----
-title: Get file related alerts API
-description: Learn how to use the Get file related alerts API to get a collection of alerts related to a given file hash in Microsoft Defender Advanced Threat Protection.
-keywords: apis, graph api, supported apis, get, file, hash
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get file related alerts API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-
-## API description
-Retrieves a collection of alerts related to a given file hash.
-
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Alert.Read.All | 'Read all alerts'
-Application | Alert.ReadWrite.All | 'Read and write all alerts'
-Delegated (work or school account) | Alert.Read | 'Read alerts'
-Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- Response will include only alerts, associated with devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```
-GET /api/files/{id}/alerts
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and file exists - 200 OK with list of [alert](alerts.md) entities in the body. If file do not exist - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-```
-GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/alerts
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md
deleted file mode 100644
index 09aef678f7..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md
+++ /dev/null
@@ -1,81 +0,0 @@
----
-title: Get file related machines API
-description: Learn how to use the Get file related machines API to get a collection of machines related to a file hash in Microsoft Defender Advanced Threat Protection.
-keywords: apis, graph api, supported apis, get, devices, hash
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get file related machines API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-
-## API description
-Retrieves a collection of [Machines](machine.md) related to a given file hash.
-
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.Read.All | 'Read all machine profiles'
-Application | Machine.ReadWrite.All | 'Read and write all machine information'
-Delegated (work or school account) | Machine.Read | 'Read machine information'
-Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- Response will include only devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```
-GET /api/files/{id}/machines
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and file exists - 200 OK with list of [machine](machine.md) entities in the body. If file do not exist - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-```
-GET https://api.securitycenter.windows.com/api/files/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/machines
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md
deleted file mode 100644
index 9f480df6b7..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md
+++ /dev/null
@@ -1,102 +0,0 @@
----
-title: Get file statistics API
-description: Learn how to use the Get file statistics API to retrieve the statistics for the given file in Microsoft Defender Advanced Threat Protection.
-keywords: apis, graph api, supported apis, get, file, statistics
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get file statistics API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-
-## API description
-Retrieves the statistics for the given file.
-
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | File.Read.All | 'Read file profiles'
-Delegated (work or school account) | File.Read.All | 'Read file profiles'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
-
-## HTTP request
-```
-GET /api/files/{id}/stats
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and file exists - 200 OK with statistical data in the body. If file do not exist - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-```
-GET https://api.securitycenter.windows.com/api/files/0991a395da64e1c5fbe8732ed11e6be064081d9f/stats
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```
-HTTP/1.1 200 OK
-Content-type: application/json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats",
- "sha1": "0991a395da64e1c5fbe8732ed11e6be064081d9f",
- "orgPrevalence": "14850",
- "orgFirstSeen": "2019-12-07T13:44:16Z",
- "orgLastSeen": "2020-01-06T13:39:36Z",
- "globalPrevalence": "705012",
- "globalFirstObserved": "2015-03-19T12:20:07.3432441Z",
- "globalLastObserved": "2020-01-06T13:39:36Z",
- "topFileNames": [
- "MREC.exe"
- ]
-}
-
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md
deleted file mode 100644
index 79f263d9b0..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md
+++ /dev/null
@@ -1,92 +0,0 @@
----
-title: Get installed software
-description: Retrieves a collection of installed software related to a given device ID.
-keywords: apis, graph api, supported apis, get, list, file, information, software inventory, installed software per device, threat & vulnerability management api, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get installed software
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a collection of installed software related to a given device ID.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application |Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
-
-## HTTP request
-```
-GET /api/machines/{machineId}/software
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the installed software information in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/software
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```
-{
-"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Software",
-"value": [
- {
-"id": "microsoft-_-internet_explorer",
-"name": "internet_explorer",
-"vendor": "microsoft",
-"weaknesses": 67,
-"publicExploit": true,
-"activeAlert": false,
-"exposedMachines": 42115,
-"impactScore": 46.2037163
- }
- ]
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md
deleted file mode 100644
index 676eba4bd3..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md
+++ /dev/null
@@ -1,113 +0,0 @@
----
-title: List Investigations API
-description: Use this API to create calls related to get Investigations collection
-keywords: apis, graph api, supported apis, Investigations collection
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List Investigations API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-
-## API description
-Retrieves a collection of [Investigations](investigation.md).
-
Supports [OData V4 queries](https://www.odata.org/documentation/).
-
The OData's ```$filter``` query is supported on: ```startTime```, ```state```, ```machineId``` and ```triggeringAlertId``` properties.
-
See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
-
-
-## Limitations
-1. Maximum page size is 10,000.
-2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Alert.Read.All | 'Read all alerts'
-Application | Alert.ReadWrite.All | 'Read and write all alerts'
-Delegated (work or school account) | Alert.Read | 'Read alerts'
-Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
-
-## HTTP request
-```
-GET https://api.securitycenter.windows.com/api/investigations
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200, Ok response code with a collection of [Investigations](investigation.md) entities.
-
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## Example
-
-**Request**
-
-Here is an example of a request to get all investigations:
-
-
-```
-GET https://api.securitycenter.windows.com/api/investigations
-```
-
-**Response**
-
-Here is an example of the response:
-
-
-```
-HTTP/1.1 200 Ok
-Content-type: application/json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Investigations",
- "value": [
- {
- "id": "63017",
- "startTime": "2020-01-06T14:11:34Z",
- "endTime": null,
- "state": "Running",
- "cancelledBy": null,
- "statusDetails": null,
- "machineId": "a69a22debe5f274d8765ea3c368d00762e057b30",
- "computerDnsName": "desktop-gtrcon0",
- "triggeringAlertId": "da637139166940871892_-598649278"
- }
- ...
- ]
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-object.md b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-object.md
deleted file mode 100644
index 99fd6a043d..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-object.md
+++ /dev/null
@@ -1,69 +0,0 @@
----
-title: Get Investigation object API
-description: Use this API to create calls related to get Investigation object
-keywords: apis, graph api, supported apis, Investigation object
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get Investigation API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-
-## API description
-Retrieves specific [Investigation](investigation.md) by its ID.
-
ID can be the investigation ID or the investigation triggering alert ID.
-
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Alert.Read.All | 'Read all alerts'
-Application | Alert.ReadWrite.All | 'Read and write all alerts'
-Delegated (work or school account) | Alert.Read | 'Read alerts'
-Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
-
-## HTTP request
-```
-GET https://api.securitycenter.windows.com/api/investigations/{id}
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200, Ok response code with a [Investigations](investigation.md) entity.
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md
deleted file mode 100644
index c8a2ab1f94..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md
+++ /dev/null
@@ -1,82 +0,0 @@
----
-title: Get IP related alerts API
-description: Retrieve a collection of alerts related to a given IP address using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
-keywords: apis, graph api, supported apis, get, ip, related, alerts
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get IP related alerts API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-
-## API description
-Retrieves a collection of alerts related to a given IP address.
-
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Alert.Read.All | 'Read all alerts'
-Application | Alert.ReadWrite.All | 'Read and write all alerts'
-Delegated (work or school account) | Alert.Read | 'Read alerts'
-Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- Response will include only alerts, associated with devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```
-GET /api/ips/{ip}/alerts
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and IP exists - 200 OK with list of [alert](alerts.md) entities in the body. If IP do not exist - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-```
-GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/alerts
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
deleted file mode 100644
index ffd9485045..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
+++ /dev/null
@@ -1,95 +0,0 @@
----
-title: Get IP statistics API
-description: Get the latest stats for your IP using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
-keywords: apis, graph api, supported apis, get, ip, statistics, prevalence
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get IP statistics API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-
-## API description
-Retrieves the statistics for the given IP.
-
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Ip.Read.All | 'Read IP address profiles'
-Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
-
-## HTTP request
-```
-GET /api/ips/{ip}/stats
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and ip exists - 200 OK with statistical data in the body. IP do not exist - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-```
-GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/stats
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```
-HTTP/1.1 200 OK
-Content-type: application/json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgIPStats",
- "ipAddress": "10.209.67.177",
- "orgPrevalence": "63515",
- "orgFirstSeen": "2017-07-30T13:36:06Z",
- "orgLastSeen": "2017-08-29T13:32:59Z"
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md
deleted file mode 100644
index d41005cb74..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md
+++ /dev/null
@@ -1,84 +0,0 @@
----
-title: Get KB collection API
-description: Retrieve a collection of knowledge bases (KB's) and KB details with Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
-keywords: apis, graph api, supported apis, get, kb
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: leonidzh
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ROBOTS: NOINDEX
----
-
-# Get KB collection API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Retrieves a collection of KB's and KB details.
-
-## Permissions
-User needs read permissions.
-
-## HTTP request
-```
-GET /testwdatppreview/kbinfo
-```
-
-## Request headers
-
-Header | Value
-:---|:---
-Authorization | Bearer {token}. **Required**.
-Content type | application/json
-
-## Request body
-Empty
-
-## Response
-If successful - 200 OK.
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://graph.microsoft.com/testwdatppreview/KbInfo
-Content-type: application/json
-```
-
-**Response**
-
-Here is an example of the response.
-
-```
-HTTP/1.1 200 OK
-Content-type: application/json
-{
- "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#KbInfo",
- "@odata.count": 271,
- "value":[
- {
- "id": "KB3097617 (10240.16549) Amd64",
- "release": "KB3097617 (10240.16549)",
- "publishingDate": "2015-10-16T21:00:00Z",
- "version": "10.0.10240.16549",
- "architecture": "Amd64"
- },
- …
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
deleted file mode 100644
index 3cc89cd33b..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
+++ /dev/null
@@ -1,116 +0,0 @@
----
-title: Get machine by ID API
-description: Learn how to use the Get machine by ID API to retrieve a machine by its device ID or computer name in Microsoft Defender Advanced Threat Protection.
-keywords: apis, graph api, supported apis, get, devices, entity, id
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get machine by ID API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-
-## API description
-Retrieves specific [Machine](machine.md) by its device ID or computer name.
-
-
-## Limitations
-1. You can get devices last seen according to your configured retention policy.
-2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.Read.All | 'Read all machine profiles'
-Application | Machine.ReadWrite.All | 'Read and write all machine information'
-Delegated (work or school account) | Machine.Read | 'Read machine information'
-Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- User needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-
-## HTTP request
-```http
-GET /api/machines/{id}
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and device exists - 200 OK with the [machine](machine.md) entity in the body.
-If machine with the specified ID was not found - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-```http
-GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```http
-HTTP/1.1 200 OK
-Content-type: application/json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machine",
- "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
- "computerDnsName": "mymachine1.contoso.com",
- "firstSeen": "2018-08-02T14:55:03.7791856Z",
- "lastSeen": "2018-08-02T14:55:03.7791856Z",
- "osPlatform": "Windows10",
- "version": "1709",
- "osProcessor": "x64",
- "lastIpAddress": "172.17.230.209",
- "lastExternalIpAddress": "167.220.196.71",
- "osBuild": 18209,
- "healthStatus": "Active",
- "rbacGroupId": 140,
- "rbacGroupName": "The-A-Team",
- "riskScore": "Low",
- "exposureLevel": "Medium",
- "isAadJoined": true,
- "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
- "machineTags": [ "test tag 1", "test tag 2" ]
-}
-
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md
deleted file mode 100644
index 92b5fae137..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md
+++ /dev/null
@@ -1,98 +0,0 @@
----
-title: List exposure score by device group
-description: Retrieves a list of exposure scores by device group.
-keywords: apis, graph api, supported apis, get, exposure score, device group, device group exposure score
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: levinec
-ms.author: ellevin
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List exposure score by device group
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a collection of alerts related to a given domain address.
-
-## Permissions
-
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Score.Read.All | 'Read Threat and Vulnerability Management score'
-Delegated (work or school account) | Score.Read | 'Read Threat and Vulnerability Management score'
-
-## HTTP request
-
-```
-GET /api/exposureScore/ByMachineGroups
-```
-
-## Request headers
-
-| Name | Type | Description
-|:--------------|:-------|:--------------|
-| Authorization | String | Bearer {token}.**Required**.
-
-## Request body
-
-Empty
-
-## Response
-
-If successful, this method returns 200 OK, with a list of exposure score per device group data in the response body.
-
-## Example
-
-### Request
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/exposureScore/ByMachineGroups
-```
-
-### Response
-
-Here is an example of the response.
-
-```json
-
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#ExposureScore",
- "value": [
- {
- "time": "2019-12-03T09:51:28.214338Z",
- "score": 41.38041766305988,
- "rbacGroupName": "GroupOne"
- },
- {
- "time": "2019-12-03T09:51:28.2143399Z",
- "score": 37.403726933165366,
- "rbacGroupName": "GroupTwo"
- }
- ...
- ]
-}
-```
-
-## Related topics
-
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability exposure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
deleted file mode 100644
index e673d96cf0..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
+++ /dev/null
@@ -1,110 +0,0 @@
----
-title: Get machine log on users API
-description: Learn how to use the Get machine log on users API to retrieve a collection of logged on users on a device in Microsoft Defender Advanced Threat Protection.
-keywords: apis, graph api, supported apis, get, device, log on, users
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get machine log on users API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-
-## API description
-Retrieves a collection of logged on users on a specific device.
-
-
-## Limitations
-1. You can query on alerts last updated according to your configured retention period.
-2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | User.Read.All | 'Read user profiles'
-Delegated (work or school account) | User.Read.All | 'Read user profiles'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- Response will include users only if the device is visible to the user, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```http
-GET /api/machines/{id}/logonusers
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and device exist - 200 OK with list of [user](user.md) entities in the body. If device was not found - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-```http
-GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/logonusers
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```http
-HTTP/1.1 200 OK
-Content-type: application/json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users",
- "value": [
- {
- "id": "contoso\\user1",
- "accountName": "user1",
- "accountDomain": "contoso",
- "accountSid": "S-1-5-21-72051607-1745760036-109187956-93922",
- "firstSeen": "2019-12-18T08:02:54Z",
- "lastSeen": "2020-01-06T08:01:48Z",
- "mostPrevalentMachineId": "111153d0c675eaa415b8e5f383c6388bff446c62",
- "leastPrevalentMachineId": "111153d0c675eaa415b8e5f383c6388bff446c62",
- "logonTypes": "Interactive",
- "logOnMachinesCount": 8,
- "isDomainAdmin": true,
- "isOnlyNetworkUser": false
- },
- ...
- ]
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md
deleted file mode 100644
index f47cdd76d2..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md
+++ /dev/null
@@ -1,66 +0,0 @@
----
-title: Get machine related alerts API
-description: Learn how to use the Get machine related alerts API to retrieve all alerts related to a specific device in Microsoft Defender Advanced Threat Protection.
-keywords: apis, graph api, supported apis, get, devices, related, alerts
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get machine related alerts API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-
-## API description
-Retrieves all [Alerts](alerts.md) related to a specific device.
-
-
-## Limitations
-1. You can query on devices last updated according to your configured retention period.
-2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Alert.Read.All | 'Read all alerts'
-Application | Alert.ReadWrite.All | 'Read and write all alerts'
-Delegated (work or school account) | Alert.Read | 'Read alerts'
-Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- User needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```http
-GET /api/machines/{id}/alerts
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and device exists - 200 OK with list of [alert](alerts.md) entities in the body. If device was not found - 404 Not Found.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md
deleted file mode 100644
index b7a20c7b89..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md
+++ /dev/null
@@ -1,105 +0,0 @@
----
-title: Get MachineAction object API
-description: Learn how to use the Get MachineAction API to retrieve a specific Machine Action by its ID in Microsoft Defender Advanced Threat Protection.
-keywords: apis, graph api, supported apis, machineaction object
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get machineAction API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-
-## API description
-Retrieves specific [Machine Action](machineaction.md) by its ID.
-
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.Read.All | 'Read all machine profiles'
-Application | Machine.ReadWrite.All | 'Read and write all machine information'
-Delegated (work or school account) | Machine.Read | 'Read machine information'
-Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
-
-## HTTP request
-```
-GET https://api.securitycenter.windows.com/api/machineactions/{id}
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200, Ok response code with a [Machine Action](machineaction.md) entity. If machine action entity with the specified id was not found - 404 Not Found.
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-```
-GET https://api.securitycenter.windows.com/api/machineactions/2e9da30d-27f6-4208-81f2-9cd3d67893ba
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```
-HTTP/1.1 200 Ok
-Content-type: application/json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
- "id": "5382f7ea-7557-4ab7-9782-d50480024a4e",
- "type": "Isolate",
- "scope": "Selective",
- "requestor": "Analyst@TestPrd.onmicrosoft.com",
- "requestorComment": "test for docs",
- "status": "Succeeded",
- "machineId": "7b1f4967d9728e5aa3c06a9e617a22a4a5a17378",
- "computerDnsName": "desktop-test",
- "creationDateTimeUtc": "2019-01-02T14:39:38.2262283Z",
- "lastUpdateDateTimeUtc": "2019-01-02T14:40:44.6596267Z",
- "relatedFileInfo": null
-}
-
-
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md
deleted file mode 100644
index 5569002ec3..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md
+++ /dev/null
@@ -1,196 +0,0 @@
----
-title: List machineActions API
-description: Learn how to use the List MachineActions API to retrieve a collection of Machine Actions in Microsoft Defender Advanced Threat Protection.
-keywords: apis, graph api, supported apis, machineaction collection
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List MachineActions API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-
-## API description
-Retrieves a collection of [Machine Actions](machineaction.md).
-
Supports [OData V4 queries](https://www.odata.org/documentation/).
-
The OData's ```$filter``` query is supported on: ```status```, ```machineId```, ```type```, ```requestor``` and ```creationDateTimeUtc``` properties.
-
See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
-
-
-## Limitations
-1. Maximum page size is 10,000.
-2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.Read.All | 'Read all machine profiles'
-Application | Machine.ReadWrite.All | 'Read and write all machine information'
-Delegated (work or school account) | Machine.Read | 'Read machine information'
-Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
-
-## HTTP request
-```
-GET https://api.securitycenter.windows.com/api/machineactions
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200, Ok response code with a collection of [machineAction](machineaction.md) entities.
-
-
-## Example 1
-
-**Request**
-
-Here is an example of the request on an organization that has three MachineActions.
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-```
-GET https://api.securitycenter.windows.com/api/machineactions
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```
-HTTP/1.1 200 Ok
-Content-type: application/json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions",
- "value": [
- {
- "id": "69dc3630-1ccc-4342-acf3-35286eec741d",
- "type": "CollectInvestigationPackage",
- "scope": null,
- "requestor": "Analyst@contoso.com",
- "requestorComment": "test",
- "status": "Succeeded",
- "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
- "computerDnsName": "desktop-39g9tgl",
- "creationDateTimeUtc": "2018-12-04T12:43:57.2011911Z",
- "lastUpdateTimeUtc": "2018-12-04T12:45:25.4049122Z",
- "relatedFileInfo": null
- },
- {
- "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
- "type": "RunAntiVirusScan",
- "scope": "Full",
- "requestor": "Analyst@contoso.com",
- "requestorComment": "Check machine for viruses due to alert 3212",
- "status": "Succeeded",
- "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
- "computerDnsName": "desktop-39g9tgl",
- "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
- "lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
- "relatedFileInfo": null
- },
- {
- "id": "44cffc15-0e3d-4cbf-96aa-bf76f9b27f5e",
- "type": "StopAndQuarantineFile",
- "scope": null,
- "requestor": "Analyst@contoso.com",
- "requestorComment": "test",
- "status": "Succeeded",
- "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
- "computerDnsName": "desktop-39g9tgl",
- "creationDateTimeUtc": "2018-12-04T12:15:40.6052029Z",
- "lastUpdateTimeUtc": "2018-12-04T12:16:14.2899973Z",
- "relatedFileInfo": {
- "fileIdentifier": "a0c659857ccbe457fdaf5fe21d54efdcbf6f6508",
- "fileIdentifierType": "Sha1"
- }
- }
- ]
-}
-```
-
-## Example 2
-
-**Request**
-
-Here is an example of a request that filters the MachineActions by machine ID and shows the latest two MachineActions.
-
-```
-GET https://api.securitycenter.windows.com/api/machineactions?$filter=machineId eq 'f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f'&$top=2
-```
-
-**Response**
-
-Here is an example of the response.
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-```
-HTTP/1.1 200 Ok
-Content-type: application/json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions",
- "value": [
- {
- "id": "69dc3630-1ccc-4342-acf3-35286eec741d",
- "type": "CollectInvestigationPackage",
- "scope": null,
- "requestor": "Analyst@contoso.com",
- "requestorComment": "test",
- "status": "Succeeded",
- "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
- "computerDnsName": "desktop-39g9tgl",
- "creationDateTimeUtc": "2018-12-04T12:43:57.2011911Z",
- "lastUpdateTimeUtc": "2018-12-04T12:45:25.4049122Z",
- "relatedFileInfo": null
- },
- {
- "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba",
- "type": "RunAntiVirusScan",
- "scope": "Full",
- "requestor": "Analyst@contoso.com",
- "requestorComment": "Check machine for viruses due to alert 3212",
- "status": "Succeeded",
- "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f",
- "computerDnsName": "desktop-39g9tgl",
- "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z",
- "lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z",
- "relatedFileInfo": null
- }
- ]
-}
-```
-
-## Related topics
-- [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md
deleted file mode 100644
index ff88b78222..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md
+++ /dev/null
@@ -1,84 +0,0 @@
----
-title: Get RBAC machine groups collection API
-description: Learn how to use the Get KB collection API to retrieve a collection of RBAC device groups in Microsoft Defender Advanced Threat Protection.
-keywords: apis, graph api, supported apis, get, RBAC, group
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: leonidzh
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 10/07/2018
----
-
-# Get KB collection API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Retrieves a collection of RBAC device groups.
-
-## Permissions
-User needs read permissions.
-
-## HTTP request
-```
-GET /testwdatppreview/machinegroups
-```
-
-## Request headers
-
-Header | Value
-:---|:---
-Authorization | Bearer {token}. **Required**.
-Content type | application/json
-
-## Request body
-Empty
-
-## Response
-If successful - 200 OK.
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://graph.microsoft.com/testwdatppreview/machinegroups
-Content-type: application/json
-```
-
-**Response**
-
-Here is an example of the response.
-Field id contains device group **id** and equal to field **rbacGroupId** in devices info.
-Field **ungrouped** is true only for one group for all devices that have not been assigned to any group. This group as usual has name "UnassignedGroup".
-
-```
-HTTP/1.1 200 OK
-Content-type: application/json
-{
- "@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#MachineGroups",
- "@odata.count":7,
- "value":[
- {
- "id":86,
- "name":"UnassignedGroup",
- "description":"",
- "ungrouped":true},
- …
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md
deleted file mode 100644
index d3c3f50dca..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md
+++ /dev/null
@@ -1,96 +0,0 @@
----
-title: List devices by software
-description: Retrieve a list of devices that has this software installed.
-keywords: apis, graph api, supported apis, get, list devices, devices list, list devices by software, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List devices by software
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieve a list of device references that has this software installed.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
-
-## HTTP request
-```
-GET /api/Software/{Id}/machineReferences
-```
-
-## Request headers
-
-| Name | Type | Description
-|:--------------|:-------|:--------------|
-| Authorization | String | Bearer {token}.**Required**.
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK and a list of devices with the software installed in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/machineReferences
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#MachineReferences",
- "value": [
- {
- "id": "7c7e1896fa39efb0a32a2cf421d837af1b9bf762",
- "computerDnsName": "dave_desktop",
- "osPlatform": "Windows10",
- "rbacGroupName": "GroupTwo"
- },
- {
- "id": "7d5cc2e7c305e4a0a290392abf6707f9888fda0d",
- "computerDnsName": "jane_PC",
- "osPlatform": "Windows10",
- "rbacGroupName": "GroupTwo"
- }
- ...
- ]
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md
deleted file mode 100644
index 02ea057f59..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md
+++ /dev/null
@@ -1,95 +0,0 @@
----
-title: List devices by vulnerability
-description: Retrieves a list of devices affected by a vulnerability.
-keywords: apis, graph api, supported apis, get, devices list, vulnerable devices, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List devices by vulnerability
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a list of devices affected by a vulnerability.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application |Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
-Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
-
-## HTTP request
-```
-GET /api/vulnerabilities/{cveId}/machineReferences
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the vulnerability information in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/vulnerabilities/CVE-2019-0608/machineReferences
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineReferences",
- "value": [
- {
- "id": "235a2e6278c63fcf85bab9c370396972c58843de",
- "computerDnsName": "h1mkn_PC",
- "osPlatform": "Windows10",
- "rbacGroupName": "GroupTwo"
- },
- {
- "id": "afb3f807d1a185ac66668f493af028385bfca184",
- "computerDnsName": "chat_Desk ",
- "osPlatform": "Windows10",
- "rbacGroupName": "GroupTwo"
- }
- ...
- ]
- }
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
deleted file mode 100644
index 6f6c6177e9..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
+++ /dev/null
@@ -1,125 +0,0 @@
----
-title: List machines API
-description: Learn how to use the List machines API to retrieve a collection of machines that have communicated with Microsoft Defender ATP cloud.
-keywords: apis, graph api, supported apis, get, devices
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List machines API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-
-## API description
-Retrieves a collection of [Machines](machine.md) that have communicated with Microsoft Defender ATP cloud.
-
Supports [OData V4 queries](https://www.odata.org/documentation/).
-
The OData's `$filter` query is supported on: `computerDnsName`, `lastSeen`, `healthStatus`, `osPlatform`, `riskScore` and `rbacGroupId`.
-
See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
-
-
-## Limitations
-1. You can get devices last seen according to your configured retention period.
-2. Maximum page size is 10,000.
-3. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.Read.All | 'Read all machine profiles'
-Application | Machine.ReadWrite.All | 'Read and write all machine information'
-Delegated (work or school account) | Machine.Read | 'Read machine information'
-Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- Response will include only devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-
-```http
-GET https://api.securitycenter.windows.com/api/machines
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and machines exists - 200 OK with list of [machine](machine.md) entities in the body. If no recent machines - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-```http
-GET https://api.securitycenter.windows.com/api/machines
-```
-
-**Response**
-
-Here is an example of the response.
-
-```http
-HTTP/1.1 200 OK
-Content-type: application/json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
- "value": [
- {
- "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
- "computerDnsName": "mymachine1.contoso.com",
- "firstSeen": "2018-08-02T14:55:03.7791856Z",
- "lastSeen": "2018-08-02T14:55:03.7791856Z",
- "osPlatform": "Windows10",
- "version": "1709",
- "osProcessor": "x64",
- "lastIpAddress": "172.17.230.209",
- "lastExternalIpAddress": "167.220.196.71",
- "osBuild": 18209,
- "healthStatus": "Active",
- "rbacGroupId": 140,
- "rbacGroupName": "The-A-Team",
- "riskScore": "Low",
- "exposureLevel": "Medium",
- "isAadJoined": true,
- "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
- "machineTags": [ "test tag 1", "test tag 2" ]
- }
- ...
- ]
-}
-```
-
-## Related topics
-- [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md
deleted file mode 100644
index 0da42db679..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md
+++ /dev/null
@@ -1,90 +0,0 @@
----
-title: Get machines security states collection API
-description: Retrieve a collection of device security states using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
-keywords: apis, graph api, supported apis, get, device, security, state
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: leonidzh
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get Machines security states collection API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Retrieves a collection of devices security states.
-
-## Permissions
-User needs read permissions.
-
-## HTTP request
-```
-GET /testwdatppreview/machinesecuritystates
-```
-
-## Request headers
-
-Header | Value
-:---|:---
-Authorization | Bearer {token}. **Required**.
-Content type | application/json
-
-## Request body
-Empty
-
-## Response
-If successful - 200 OK.
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://graph.microsoft.com/testwdatppreview/machinesecuritystates
-Content-type: application/json
-```
-
-**Response**
-
-Here is an example of the response.
-Field *id* contains device id and equal to the field *id** in devices info.
-
-```
-HTTP/1.1 200 OK
-Content-type: application/json
-{
- "@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#MachineSecurityStates",
- "@odata.count":444,
- "@odata.nextLink":"https://graph.microsoft.com/testwdatppreview/machinesecuritystates?$skiptoken=[continuation token]",
- "value":[
- {
- "id":"000050e1b4afeee3742489ede9ad7a3e16bbd9c4",
- "build":14393,
- "revision":2485,
- "architecture":"Amd64",
- "osVersion":"10.0.14393.2485.amd64fre.rs1_release.180827-1809",
- "propertiesRequireAttention":[
- "AntivirusNotReporting",
- "EdrImpairedCommunications"
- ]
- },
- …
- ]
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md
deleted file mode 100644
index 510c7516c2..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md
+++ /dev/null
@@ -1,89 +0,0 @@
----
-title: Get missing KBs by device ID
-description: Retrieves missing security updates by device ID
-keywords: apis, graph api, supported apis, get, list, file, information, device id, threat & vulnerability management api, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get missing KBs by device ID
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-Retrieves missing KBs (security updates) by device ID
-
-## HTTP request
-
-```
-GET /api/machines/{machineId}/getmissingkbs
-```
-
-## Request header
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-## Request body
-
-Empty
-
-## Response
-
-If successful, this method returns 200 OK, with the specified device missing kb data in the body.
-
-## Example
-
-### Request
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/machines/2339ad14a01bd0299afb93dfa2550136057bff96/getmissingkbs
-```
-
-### Response
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.PublicProductFixDto)",
- "value": [
- {
- "id": "4540673",
- "name": "March 2020 Security Updates",
- "productsNames": [
- "windows_10",
- "edge",
- "internet_explorer"
- ],
- "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4540673",
- "machineMissedOn": 1,
- "cveAddressed": 97
- },
- ...
- ]
-}
-```
-
-## Related topics
-
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md
deleted file mode 100644
index 6b6bf2db5f..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md
+++ /dev/null
@@ -1,96 +0,0 @@
----
-title: Get missing KBs by software ID
-description: Retrieves missing security updates by software ID
-keywords: apis, graph api, supported apis, get, list, file, information, software id, threat & vulnerability management api, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get missing KBs by software ID
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-Retrieves missing KBs (security updates) by software ID
-
-## Permissions
-
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application |Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
-
-## HTTP request
-
-```
-GET /api/Software/{Id}/getmissingkbs
-```
-
-## Request header
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-## Request body
-
-Empty
-
-## Response
-
-If successful, this method returns 200 OK, with the specified software missing kb data in the body.
-
-## Example
-
-### Request
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/getmissingkbs
-```
-
-### Response
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(microsoft.windowsDefenderATP.api.PublicProductFixDto)",
- "value": [
- {
- "id": "4540673",
- "name": "March 2020 Security Updates",
- "productsNames": [
- "edge"
- ],
- "url": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4540673",
- "machineMissedOn": 240,
- "cveAddressed": 14
- },
- ...
- ]
-}
-```
-
-## Related topics
-
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md
deleted file mode 100644
index a43102c733..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md
+++ /dev/null
@@ -1,93 +0,0 @@
----
-title: Get package SAS URI API
-description: Use this API to get a URI that allows downloading an investigation package.
-keywords: apis, graph api, supported apis, get package, sas, uri
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get package SAS URI API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-
-## API description
-Get a URI that allows downloading of an [Investigation package](collect-investigation-package.md).
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.CollectForensics | 'Collect forensics'
-Delegated (work or school account) | Machine.CollectForensics | 'Collect forensics'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```
-GET https://api.securitycenter.windows.com/api/machineactions/{machine action id}/getPackageUri
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200, Ok response code with object that holds the link to the package in the “value” parameter. This link is valid for a very short time and should be used immediately for downloading the package to a local storage.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri
-
-```
-
-**Response**
-
-Here is an example of the response.
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-```
-HTTP/1.1 200 Ok
-Content-type: application/json
-
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Edm.String",
- "value": "\"https://userrequests-us.securitycenter.windows.com:443/safedownload/WDATP_Investigation_Package.zip?token=gbDyj7y%2fbWGAZjn2sFiZXlliBTXOCVG7yiJ6mXNaQ9pLByC2Wxeno9mENsPFP3xMk5l%2bZiJXjLvqAyNEzUNROxoM2I1er9dxzfVeBsxSmclJjPsAx%2btiNyxSz1Ax%2b5jaT5cL5bZg%2b8wgbwY9urXbTpGjAKh6FB1e%2b0ypcWkPm8UkfOwsmtC%2biZJ2%2bPqnkkeQk7SKMNoAvmh9%2fcqDIPKXGIBjMa0D9auzypOqd8bQXp7p2BnLSH136BxST8n9IHR4PILvRjAYW9kvtHkBpBitfydAsUW4g2oDZSPN3kCLBOoo1C4w4Lkc9Bc3GNU2IW6dfB7SHcp7G9p4BDkeJl3VuDs6esCaeBorpn9FKJ%2fXo7o9pdcI0hUPZ6Ds9hiPpwPUtz5J29CBE3QAopCK%2fsWlf6OW2WyXsrNRSnF1tVE5H3wXpREzuhD7S4AIA3OIEZKzC4jIPLeMu%2bazZU9xGwuc3gICOaokbwMJiZTqcUuK%2fV9YdBdjdg8wJ16NDU96Pl6%2fgew2KYuk6Wo7ZuHotgHI1abcsvdlpe4AvixDbqcRJthsg2PpLRaFLm5av44UGkeK6TJpFvxUn%2f9fg6Zk5yM1KUTHb8XGmutoCM8U9er6AzXZlY0gGc3D3bQOg41EJZkEZLyUEbk1hXJB36ku2%2bW01cG71t7MxMBYz7%2bdXobxpdo%3d%3bRWS%2bCeoDfTyDcfH5pkCg6hYDmCOPr%2fHYQuaUWUBNVnXURYkdyOzVHqp%2fe%2f1BNyPdVoVkpQHpz1pPS3b5g9h7IMmNKCk5gFq5m2nPx6kk9EYtzx8Ndoa2m9Yj%2bSaf8zIFke86YnfQL4AYewsnQNJJh4wc%2bXxGlBq7axDcoiOdX91rKzVicH3GSBkFoLFAKoegWWsF%2fEDZcVpF%2fXUA1K8HvB6dwyfy4y0sAqnNPxYTQ97mG7yHhxPt4Pe9YF2UPPAJVuEf8LNlQ%2bWHC9%2f7msF6UUI4%2fca%2ftpjFs%2fSNeRE8%2fyQj21TI8YTF1SowvaJuDc1ivEoeopNNGG%2bGI%2fX0SckaVxU9Hdkh0zbydSlT5SZwbSwescs0IpzECitBbaLUz4aT8KTs8T0lvx8D7Te3wVsKAJ1r3iFMQZrlk%2bS1WW8rvac7oHRx2HKURn1v7fDIQWgJr9aNsNlFz4fLJ50T2qSHuuepkLVbe93Va072aMGhvr09WVKoTpAf1j2bcFZZU6Za5PxI32mr0k90FgiYFJ1F%2f1vRDrGwvWVWUkR3Z33m4g0gHa52W1FMxQY0TJIwbovD6FaSNDx7xhKZSd5IJ7r6P91Gez49PaZRcAZPjd%2bfbul3JNm1VqQPTLohT7wa0ymRiXpSST74xtFzuEBzNSNATdbngj3%2fwV4JesTjZjIj5Dc%3d%3blumqauVlFuuO8MQffZgs0tLJ4Fq6fpeozPTdDf8Ll6XLegi079%2b4mSPFjTK0y6eohstxdoOdom2wAHiZwk0u4KLKmRkfYOdT1wHY79qKoBQ3ZDHFTys9V%2fcwKGl%2bl8IenWDutHygn5IcA1y7GTZj4g%3d%3d\""
-}
-
-
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md
deleted file mode 100644
index b7bc3ab58f..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md
+++ /dev/null
@@ -1,99 +0,0 @@
----
-title: Get recommendation by Id
-description: Retrieves a security recommendation by its ID.
-keywords: apis, graph api, supported apis, get, security recommendation, security recommendation by ID, threat and vulnerability management, threat and vulnerability management api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get recommendation by ID
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a security recommendation by its ID.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
-Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
-
-## HTTP request
-```
-GET /api/recommendations/{id}
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the security recommendations in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations/$entity",
- "id": "va-_-google-_-chrome",
- "productName": "chrome",
- "recommendationName": "Update Chrome",
- "weaknesses": 38,
- "vendor": "google",
- "recommendedVersion": "",
- "recommendationCategory": "Application",
- "subCategory": "",
- "severityScore": 0,
- "publicExploit": false,
- "activeAlert": false,
- "associatedThreats": [],
- "remediationType": "Update",
- "status": "Active",
- "configScoreImpact": 0,
- "exposureImpact": 3.9441860465116285,
- "totalMachineCount": 6,
- "exposedMachinesCount": 5,
- "nonProductivityImpactedAssets": 0,
- "relatedComponent": "Chrome"
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md
deleted file mode 100644
index 2bdfb4a6e4..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md
+++ /dev/null
@@ -1,88 +0,0 @@
----
-title: List devices by recommendation
-description: Retrieves a list of devices associated with the security recommendation.
-keywords: apis, graph api, supported apis, get, security recommendation for vulnerable devices, threat and vulnerability management, threat and vulnerability management api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List devices by recommendation
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a list of devices associated with the security recommendation.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
-Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
-
-## HTTP request
-```
-GET /api/recommendations/{id}/machineReferences
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the list of devices associated with the security recommendation.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/machineReferences
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineReferences",
- "value": [
- {
- "id": "e058770379bc199a9c179ce52a23e16fd44fd2ee",
- "computerDnsName": "niw_pc",
- "osPlatform": "Windows10",
- "rbacGroupName": "GroupTwo"
- }
- ...
- ]
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md
deleted file mode 100644
index 449bb2bd1d..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md
+++ /dev/null
@@ -1,87 +0,0 @@
----
-title: Get recommendation by software
-description: Retrieves a security recommendation related to a specific software.
-keywords: apis, graph api, supported apis, get, security recommendation, security recommendation for software, threat and vulnerability management, threat and vulnerability management api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get recommendation by software
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a security recommendation related to a specific software.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
-Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
-
-## HTTP request
-```
-GET /api/recommendations/{id}/software
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the software associated with the security recommendations in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/software
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Analytics.Contracts.PublicAPI.PublicProductDto",
- "id": "google-_-chrome",
- "name": "chrome",
- "vendor": "google",
- "weaknesses": 38,
- "publicExploit": false,
- "activeAlert": false,
- "exposedMachines": 5,
- "impactScore": 3.94418621
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md
deleted file mode 100644
index 156cef803c..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md
+++ /dev/null
@@ -1,97 +0,0 @@
----
-title: List vulnerabilities by recommendation
-description: Retrieves a list of vulnerabilities associated with the security recommendation.
-keywords: apis, graph api, supported apis, get, list of vulnerabilities, security recommendation, security recommendation for vulnerabilities, threat and vulnerability management, threat and vulnerability management api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List vulnerabilities by recommendation
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a list of vulnerabilities associated with the security recommendation.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
-Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
-
-## HTTP request
-```
-GET /api/recommendations/{id}/vulnerabilities
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK, with the list of vulnerabilities associated with the security recommendation.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/recommendations/va-_-google-_-chrome/vulnerabilities
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
- "value": [
- {
- "id": "CVE-2019-13748",
- "name": "CVE-2019-13748",
- "description": "Insufficient policy enforcement in developer tools in Google Chrome prior to 79.0.3945.79 allowed a local attacker to obtain potentially sensitive information from process memory via a crafted HTML page.",
- "severity": "Medium",
- "cvssV3": 6.5,
- "exposedMachines": 0,
- "publishedOn": "2019-12-10T00:00:00Z",
- "updatedOn": "2019-12-16T12:15:00Z",
- "publicExploit": false,
- "exploitVerified": false,
- "exploitInKit": false,
- "exploitTypes": [],
- "exploitUris": []
- }
- ...
- ]
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md
deleted file mode 100644
index dffd2a0613..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md
+++ /dev/null
@@ -1,104 +0,0 @@
----
-title: Get security recommendations
-description: Retrieves a collection of security recommendations related to a given device ID.
-keywords: apis, graph api, supported apis, get, list, file, information, security recommendation per device, threat & vulnerability management api, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get security recommendations
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a collection of security recommendations related to a given device ID.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | SecurityRecommendation.Read.All | 'Read Threat and Vulnerability Management security recommendation information'
-Delegated (work or school account) | SecurityRecommendation.Read | 'Read Threat and Vulnerability Management security recommendation information'
-
-## HTTP request
-```
-GET /api/machines/{machineId}/recommendations
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the security recommendations in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/recommendations
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Recommendations",
- "value": [
- {
- "id": "va-_-git-scm-_-git",
- "productName": "git",
- "recommendationName": "Update Git to version 2.24.1.2",
- "weaknesses": 3,
- "vendor": "git-scm",
- "recommendedVersion": "2.24.1.2",
- "recommendationCategory": "Application",
- "subCategory": "",
- "severityScore": 0,
- "publicExploit": false,
- "activeAlert": false,
- "associatedThreats": [],
- "remediationType": "Update",
- "status": "Active",
- "configScoreImpact": 0,
- "exposureImpact": 0,
- "totalMachineCount": 0,
- "exposedMachinesCount": 1,
- "nonProductivityImpactedAssets": 0,
- "relatedComponent": "Git"
- },
-…
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md
deleted file mode 100644
index 0074439db0..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md
+++ /dev/null
@@ -1,89 +0,0 @@
----
-title: Get software by Id
-description: Retrieves a list of exposure scores by device group.
-keywords: apis, graph api, supported apis, get, software, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get software by Id
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves software details by ID.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
-
-## HTTP request
-```
-GET /api/Software/{Id}
-```
-
-## Request headers
-
-| Name | Type | Description
-|:--------------|:-------|:--------------|
-| Authorization | String | Bearer {token}.**Required**.
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the specified software data in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Software/$entity",
- "id": "microsoft-_-edge",
- "name": "edge",
- "vendor": "microsoft",
- "weaknesses": 467,
- "publicExploit": true,
- "activeAlert": false,
- "exposedMachines": 172,
- "impactScore": 2.39947438
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md
deleted file mode 100644
index e9b64f2ad1..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md
+++ /dev/null
@@ -1,94 +0,0 @@
----
-title: List software version distribution
-description: Retrieves a list of your organization's software version distribution
-keywords: apis, graph api, supported apis, get, software version distribution, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List software version distribution
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves a list of your organization's software version distribution.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
-
-## HTTP request
-```
-GET /api/Software/{Id}/distributions
-```
-
-## Request headers
-
-| Name | Type | Description
-|:--------------|:-------|:--------------|
-| Authorization | String | Bearer {token}.**Required**.
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with a list of software distributions data in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/distributions
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Distributions",
- "value": [
- {
- "version": "11.0.17134.1039",
- "installations": 1,
- "vulnerabilities": 11
- },
- {
- "version": "11.0.18363.535",
- "installations": 750,
- "vulnerabilities": 0
- }
- ...
- ]
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-software.md
deleted file mode 100644
index e205e5f5b7..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-software.md
+++ /dev/null
@@ -1,93 +0,0 @@
----
-title: List software
-description: Retrieves a list of software inventory
-keywords: apis, graph api, supported apis, get, list, file, information, software inventory, threat & vulnerability management api, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List software inventory API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-Retrieves the organization software inventory.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application |Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
-
-## HTTP request
-```
-GET /api/Software
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the software inventory in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/Software
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```json
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Software",
- "value": [
- {
- "id": "microsoft-_-edge",
- "name": "edge",
- "vendor": "microsoft",
- "weaknesses": 467,
- "publicExploit": true,
- "activeAlert": false,
- "exposedMachines": 172,
- "impactScore": 2.39947438
- }
- ...
- ]
-}
-```
-
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md b/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md
deleted file mode 100644
index 0b87266339..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md
+++ /dev/null
@@ -1,65 +0,0 @@
----
-title: Become a Microsoft Defender ATP partner
-ms.reviewer:
-description: Learn the steps and requirements so that you can integrate your solution with Microsoft Defender ATP and be a partner
-keywords: partner, integration, solution validation, certification, requirements, member, misa, application portal
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Become a Microsoft Defender ATP partner
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-To become a Microsoft Defender ATP solution partner, you'll need to follow and complete the following steps.
-
-## Step 1: Subscribe to a Microsoft Defender ATP Developer license
-Subscribing to the [Microsoft Defender ATP Developer license](https://winatpregistration-prd.trafficmanager.net/Developer/UserAgreement?Length=9) allows you to use a Microsoft Defender ATP tenant with up to 10 devices for developing solutions to integrate with Microsoft Defender ATP.
-
-## Step 2: Fulfill the solution validation and certification requirements
-The best way for technology partners to certify that their integration works is to have a joint customer approve the suggested integration design (the customer can use the **Recommend a partner** option in the [Partner Application page](https://securitycenter.microsoft.com/interoperability/partners) in the Microsoft Defender Security Center) and have it tested and demoed to the Microsoft Defender ATP team.
-
-Once the Microsoft Defender ATP team has reviewed and approves the integration, we will direct you to be included as a partner at the Microsoft Intelligent Security Association.
-
-## Step 3: Become a Microsoft Intelligent Security Association member
-[Microsoft Intelligent Security Association](https://www.microsoft.com/security/partnerships/intelligent-security-association) is a program specifically for Microsoft security partners to help enrich your security products and improve customer discoverability of your integrations to Microsoft security products.
-
-## Step 4: Get listed in the Microsoft Defender ATP partner application portal
-Microsoft Defender ATP supports third-party applications discovery and integration using the in-product [partner page](partner-applications.md) that is embedded within the Microsoft Defender ATP management portal.
-
-To have your company listed as a partner in the in-product partner page, you will need to provide the following:
-
-1. A square logo (SVG).
-2. Name of the product to be presented.
-3. Provide a 15-word product description.
-4. Link to the landing page for the customer to complete the integration or blog post that will include sufficient information for customers. Please note that any press release including the Microsoft Defender ATP product name should be reviewed by the marketing and engineering teams. You should allow at least 10 days for review process to be performed.
-5. If you use a multi-tenant Azure AD approach, we will need the AAD application name to track usage of the application.
-6. We'd like to request that you include the User-Agent field in each API call made to Microsoft Defender ATP public set of APIs or Graph Security APIs. This will be used for statistical purposes, troubleshooting, and partner recognition. In addition, this step is a requirement for membership in Microsoft Intelligent Security Association (MISA).
- Follow these steps:
- 1. Identify a name adhering to the following nomenclature that includes your company name and the Microsoft Defender ATP integrated product with the version of the product that includes this integration.
- - ISV Nomenclature: `MdatpPartner-{CompanyName}-{ProductName}/{Version}`
- - Security partner Nomenclature: `MdatpPartner-{CompanyName}-{ProductName}/{TenantID}`
-
- 2. Set the User-Agent field in each HTTP request header to the name based on the above nomenclature.
- For more information, see [RFC 2616 section-14.43](https://tools.ietf.org/html/rfc2616#section-14.43). For example, User-Agent: `MdatpPartner-Contoso-ContosoCognito/1.0.0`
-
-
-Partnership with Microsoft Defender ATP help our mutual customers to further streamline, integrate, and orchestrate defenses. We are happy that you chose to become a Microsoft Defender ATP partner and to achieve our common goal of effectively protecting customers and their assets by preventing and responding to modern threats together.
-
-## Related topics
-- [Technical partner opportunities](partner-integration.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md
deleted file mode 100644
index 41c5a0ebdd..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md
+++ /dev/null
@@ -1,177 +0,0 @@
----
-title: List Indicators API
-description: Learn how to use the List Indicators API to retrieve a collection of all active Indicators in Microsoft Defender Advanced Threat Protection.
-keywords: apis, public api, supported apis, Indicators collection
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List Indicators API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-
-## API description
-Retrieves a collection of all active [Indicators](ti-indicator.md).
-
Supports [OData V4 queries](https://www.odata.org/documentation/).
-
The OData's ```$filter``` query is supported on: ```indicatorValue```, ```indicatorType```, ```creationTimeDateTimeUtc```, ```createdBy```, ```action``` and ```severity``` properties.
-
See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md)
-
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Ti.ReadWrite | 'Read and write Indicators'
-Application | Ti.ReadWrite.All | 'Read and write All Indicators'
-Delegated (work or school account) | Ti.ReadWrite | 'Read and write Indicators'
-
-## HTTP request
-```
-GET https://api.securitycenter.windows.com/api/indicators
-```
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200, Ok response code with a collection of [Indicator](ti-indicator.md) entities.
-
->[!Note]
-> If the Application has 'Ti.ReadWrite.All' permission, it will be exposed to all Indicators. Otherwise, it will be exposed only to the Indicators it created.
-
-## Example 1:
-
-**Request**
-
-Here is an example of a request that gets all Indicators
-
-```
-GET https://api.securitycenter.windows.com/api/indicators
-```
-
-**Response**
-
-Here is an example of the response.
-
-```
-HTTP/1.1 200 Ok
-Content-type: application/json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Indicators",
- "value": [
- {
- "id": "995",
- "indicatorValue": "12.13.14.15",
- "indicatorType": "IpAddress",
- "action": "Alert",
- "application": "demo-test",
- "source": "TestPrdApp",
- "sourceType": "AadApp",
- "title": "test",
- "creationTimeDateTimeUtc": "2018-10-24T11:15:35.3688259Z",
- "createdBy": "45097602-1234-5678-1234-9f453233e62c",
- "expirationTime": "2020-12-12T00:00:00Z",
- "lastUpdateTime": "2019-10-24T10:54:23.2009016Z",
- "lastUpdatedBy": TestPrdApp,
- "severity": "Informational",
- "description": "test",
- "recommendedActions": "test",
- "rbacGroupNames": []
- },
- {
- "id": "996",
- "indicatorValue": "220e7d15b0b3d7fac48f2bd61114db1022197f7f",
- "indicatorType": "FileSha1",
- "action": "AlertAndBlock",
- "application": null,
- "source": "TestPrdApp",
- "sourceType": "AadApp",
- "title": "test",
- "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
- "createdBy": "45097602-1234-5678-1234-9f453233e62c",
- "expirationTime": "2020-12-12T00:00:00Z",
- "lastUpdateTime": "2019-10-24T10:54:23.2009016Z",
- "lastUpdatedBy": TestPrdApp,
- "severity": "Informational",
- "description": "test",
- "recommendedActions": "TEST",
- "rbacGroupNames": [ "Group1", "Group2" ]
- }
- ...
- ]
-}
-```
-
-## Example 2:
-
-**Request**
-
-Here is an example of a request that gets all Indicators with 'AlertAndBlock' action
-
-```
-GET https://api.securitycenter.windows.com/api/indicators?$filter=action+eq+'AlertAndBlock'
-```
-
-**Response**
-
-Here is an example of the response.
-
-```
-HTTP/1.1 200 Ok
-Content-type: application/json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Indicators",
- "value": [
- {
- "id": "997",
- "indicatorValue": "111e7d15b0b3d7fac48f2bd61114db1022197f7f",
- "indicatorType": "FileSha1",
- "action": "AlertAndBlock",
- "application": null,
- "source": "TestPrdApp",
- "sourceType": "AadApp",
- "title": "test",
- "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z",
- "createdBy": "45097602-1234-5678-1234-9f453233e62c",
- "expirationTime": "2020-12-12T00:00:00Z",
- "lastUpdateTime": "2019-10-24T10:54:23.2009016Z",
- "lastUpdatedBy": TestPrdApp,
- "severity": "Informational",
- "description": "test",
- "recommendedActions": "TEST",
- "rbacGroupNames": [ "Group1", "Group2" ]
- }
- ...
- ]
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md
deleted file mode 100644
index 80617258d3..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md
+++ /dev/null
@@ -1,88 +0,0 @@
----
-title: Get user information API
-description: Learn how to use the Get user information API to retrieve a User entity by key, or user name, in Microsoft Defender Advanced Threat Protection.
-keywords: apis, graph api, supported apis, get, user, user information
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get user information API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-Retrieve a User entity by key (user name).
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | User.Read.All | 'Read all user profiles'
-
-## HTTP request
-```
-GET /api/users/{id}/
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and user exists - 200 OK with [user](user.md) entity in the body. If user does not exist - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-```
-GET https://api.securitycenter.windows.com/api/users/user1
-Content-type: application/json
-```
-
-**Response**
-
-Here is an example of the response.
-
-
-```
-HTTP/1.1 200 OK
-Content-type: application/json
-{
- "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users/$entity",
- "id": "user1",
- "firstSeen": "2018-08-02T00:00:00Z",
- "lastSeen": "2018-08-04T00:00:00Z",
- "mostPrevalentMachineId": null,
- "leastPrevalentMachineId": null,
- "logonTypes": "Network",
- "logOnMachinesCount": 3,
- "isDomainAdmin": false,
- "isOnlyNetworkUser": null
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md
deleted file mode 100644
index 3d00668c3b..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md
+++ /dev/null
@@ -1,83 +0,0 @@
----
-title: Get user related alerts API
-description: Retrieve a collection of alerts related to a given user ID using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
-keywords: apis, graph api, supported apis, get, user, related, alerts
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get user related alerts API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-
-## API description
-Retrieves a collection of alerts related to a given user ID.
-
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Alert.Read.All | 'Read all alerts'
-Application | Alert.ReadWrite.All | 'Read and write all alerts'
-Delegated (work or school account) | Alert.Read | 'Read alerts'
-Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- Response will include only alerts, associated with devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```
-GET /api/users/{id}/alerts
-```
-
-**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve alerts for user1@contoso.com use /api/users/user1/alerts)**
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and user exist - 200 OK. If the user do not exist - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-```
-GET https://api.securitycenter.windows.com/api/users/user1/alerts
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md
deleted file mode 100644
index 28c129e51c..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md
+++ /dev/null
@@ -1,84 +0,0 @@
----
-title: Get user related machines API
-description: Learn how to use the Get user related machines API to retrieve a collection of devices related to a user ID in Microsoft Defender Advanced Threat Protection.
-keywords: apis, graph api, supported apis, get, user, user related alerts
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get user related machines API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-
-## API description
-Retrieves a collection of devices related to a given user ID.
-
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.Read.All | 'Read all machine profiles'
-Application | Machine.ReadWrite.All | 'Read and write all machine information'
-Delegated (work or school account) | Machine.Read | 'Read machine information'
-Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
->- Response will include only devices that the user can access, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```
-GET /api/users/{id}/machines
-```
-
-**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve machines for user1@contoso.com use /api/users/user1/machines)**
-
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful and user exists - 200 OK with list of [machine](machine.md) entities in the body. If user does not exist - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-```
-GET https://api.securitycenter.windows.com/api/users/user1/machines
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md
deleted file mode 100644
index 4a5514ff10..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md
+++ /dev/null
@@ -1,96 +0,0 @@
----
-title: List vulnerabilities by software
-description: Retrieve a list of vulnerabilities in the installed software.
-keywords: apis, graph api, supported apis, get, vulnerabilities list, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# List vulnerabilities by software
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieve a list of vulnerabilities in the installed software.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Software.Read.All | 'Read Threat and Vulnerability Management Software information'
-Delegated (work or school account) | Software.Read | 'Read Threat and Vulnerability Management Software information'
-
-## HTTP request
-```
-GET /api/Software/{Id}/vulnerabilities
-```
-
-## Request headers
-
-| Name | Type | Description
-|:--------------|:-------|:--------------|
-| Authorization | String | Bearer {token}.**Required**.
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with a a list of vulnerabilities exposed by the specified software.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/Software/microsoft-_-edge/vulnerabilities
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
- "value": [
- {
- "id": "CVE-2017-0140",
- "name": "CVE-2017-0140",
- "description": "A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins. The vulnerability allows Microsoft Edge to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored. An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted.In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.The security update addresses the vulnerability by modifying how affected Microsoft Edge handles different-origin requests.",
- "severity": "Medium",
- "cvssV3": 4.2,
- "exposedMachines": 1,
- "publishedOn": "2017-03-14T00:00:00Z",
- "updatedOn": "2019-10-03T00:03:00Z",
- "publicExploit": false,
- "exploitVerified": false,
- "exploitInKit": false,
- "exploitTypes": [],
- "exploitUris": []
- }
- ...
- ]
-}
-```
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md
deleted file mode 100644
index 27b633e634..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md
+++ /dev/null
@@ -1,91 +0,0 @@
----
-title: Get vulnerability by Id
-description: Retrieves vulnerability information by its ID.
-keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Get vulnerability by ID
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Retrieves vulnerability information by its ID.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Vulnerability.Read.All | 'Read Threat and Vulnerability Management vulnerability information'
-Delegated (work or school account) | Vulnerability.Read | 'Read Threat and Vulnerability Management vulnerability information'
-
-## HTTP request
-```
-GET /api/vulnerabilities/{cveId}
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-
-
-## Request body
-Empty
-
-## Response
-If successful, this method returns 200 OK with the vulnerability information in the body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-GET https://api.securitycenter.windows.com/api/Vulnerabilities/CVE-2019-0608
-```
-
-**Response**
-
-Here is an example of the response.
-
-```json
-{
- "@odata.context": "https://api-us.securitycenter.windows.com/api/$metadata#Vulnerabilities/$entity",
- "id": "CVE-2019-0608",
- "name": "CVE-2019-0608",
- "description": "A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it.In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or instant message, and then convince the user to interact with content on the website.The update addresses the vulnerability by correcting how Microsoft Browsers parses HTTP responses.",
- "severity": "Medium",
- "cvssV3": 4.3,
- "exposedMachines": 4,
- "publishedOn": "2019-10-08T00:00:00Z",
- "updatedOn": "2019-12-16T16:20:00Z",
- "publicExploit": false,
- "exploitVerified": false,
- "exploitInKit": false,
- "exploitTypes": [],
- "exploitUris": []
-}
-```
-## Related topics
-- [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-- [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access.md b/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access.md
deleted file mode 100644
index 1feba6fc45..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access.md
+++ /dev/null
@@ -1,139 +0,0 @@
----
-title: Grant access to managed security service provider (MSSP)
-description: Take the necessary steps to configure the MSSP integration with Microsoft Defender ATP
-keywords: managed security service provider, mssp, configure, integration
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Grant managed security service provider (MSSP) access (preview)
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
-
->[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-
-To implement a multi-tenant delegated access solution, take the following steps:
-
-1. Enable [role-based access control](rbac.md) in Microsoft Defender ATP and connect with Active Directory (AD) groups.
-
-2. Configure [Governance Access Packages](https://docs.microsoft.com/azure/active-directory/governance/identity-governance-overview) for access request and provisioning.
-
-3. Manage access requests and audits in [Microsoft Myaccess](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-request-approve).
-
-## Enable role-based access controls in Microsoft Defender ATP
-
-1. **Create access groups for MSSP resources in Customer AAD: Groups**
-
- These groups will be linked to the Roles you create in Microsoft Defender ATP. To do so, in the customer AD tenant, create three groups. In our example approach, we create the following groups:
-
- - Tier 1 Analyst
- - Tier 2 Analyst
- - MSSP Analyst Approvers
-
-
-2. Create Microsoft Defender ATP roles for appropriate access levels in Customer Microsoft Defender ATP.
-
- To enable RBAC in the customer Microsoft Defender Security Center, access **Settings > Permissions > Roles** and "Turn on roles", from a user account with Global Administrator or Security Administrator rights.
-
- 
-
- Then, create RBAC roles to meet MSSP SOC Tier needs. Link these roles to the created user groups via Assigned user groups.
-
- Two possible roles:
-
- - **Tier 1 Analysts**
- Perform all actions except for live response and manage security settings.
-
- - **Tier 2 Analysts**
- Tier 1 capabilities with the addition to [live response](live-response.md)
-
- For more information, see [Use role-based access control](rbac.md).
-
-
-
-## Configure Governance Access Packages
-
-1. **Add MSSP as Connected Organization in Customer AAD: Identity Governance**
-
- Adding the MSSP as a connected organization will allow the MSSP to request and have accesses provisioned.
-
- To do so, in the customer AD tenant, access Identity Governance: Connected organization. Add a new organization and search for your MSSP Analyst tenant via Tenant ID or Domain. We suggest creating a separate AD tenant for your MSSP Analysts.
-
-2. **Create a resource catalog in Customer AAD: Identity Governance**
-
- Resource catalogs are a logical collection of access packages, created in the customer AD tenant.
-
- To do so, in the customer AD tenant, access Identity Governance: Catalogs, and add **New Catalog**. In our example, we will call it **MSSP Accesses**.
-
- 
-
- Further more information, see [Create a catalog of resources](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-catalog-create).
-
-
-3. **Create access packages for MSSP resources Customer AAD: Identity Governance**
-
- Access packages are the collection of rights and accesses that a requestor will be granted upon approval.
-
- To do so, in the customer AD tenant, access Identity Governance: Access Packages, and add **New Access Package**. Create an access package for the MSSP approvers and each analyst tier. For example, the following Tier 1 Analyst configuration creates an access package that:
-
- - Requires a member of the AD group **MSSP Analyst Approvers** to authorize new requests
- - Has annual access reviews, where the SOC analysts can request an access extension
- - Can only be requested by users in the MSSP SOC Tenant
- - Access auto expires after 365 days
-
- 
-
- For more information, see [Create a new access package](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-access-package-create).
-
-
-4. **Provide access request link to MSSP resources from Customer AAD: Identity Governance**
-
- The My Access portal link is used by MSSP SOC analysts to request access via the access packages created. The link is durable, meaning the same link may be used over time for new analysts. The analyst request goes into a queue for approval by the **MSSP Analyst Approvers**.
-
-
- 
-
- The link is located on the overview page of each access package.
-
-## Manage access
-
-1. Review and authorize access requests in Customer and/or MSSP myaccess.
-
- Access requests are managed in the customer My Access, by members of the MSSP Analyst Approvers group.
-
- To do so, access the customers myaccess using:
- `https://myaccess.microsoft.com/@
-> NOTE:
->- IP is supported for all three protocols
->- Only single IP addresses are supported (no CIDR blocks or IP ranges)
->- Encrypted URLs (full path) can only be blocked on first party browsers
->- Encrypted URLS (FQDN only) can be blocked outside of first party browsers
->- Full URL path blocks can be applied on the domain level and all unencrypted URLs
-
->[!NOTE]
->There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
-
-### Create an indicator for IPs, URLs, or domains from the settings page
-
-1. In the navigation pane, select **Settings** > **Indicators**.
-
-2. Select the **IP addresses or URLs/Domains** tab.
-
-3. Select **Add item**.
-
-4. Specify the following details:
- - Indicator - Specify the entity details and define the expiration of the indicator.
- - Action - Specify the action to be taken and provide a description.
- - Scope - Define the scope of the machine group.
-
-5. Review the details in the Summary tab, then click **Save**.
-
-## Related topics
-- [Create indicators](manage-indicators.md)
-- [Create indicators for files](indicator-file.md)
-- [Create indicators based on certificates](indicator-certificates.md)
-- [Manage indicators](indicator-manage.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-manage.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-manage.md
deleted file mode 100644
index 54d2c70de6..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/indicator-manage.md
+++ /dev/null
@@ -1,73 +0,0 @@
----
-title: Manage indicators
-ms.reviewer:
-description: Manage indicators for a file hash, IP address, URLs, or domains that define the detection, prevention, and exclusion of entities.
-keywords: import, indicator, list, ioc, csv, manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Manage indicators
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
-
-
-1. In the navigation pane, select **Settings** > **Indicators**.
-
-2. Select the tab of the entity type you'd like to manage.
-
-3. Update the details of the indicator and click **Save** or click the **Delete** button if you'd like to remove the entity from the list.
-
-## Import a list of IoCs
-
-You can also choose to upload a CSV file that defines the attributes of indicators, the action to be taken, and other details.
-
-Download the sample CSV to know the supported column attributes.
-
-1. In the navigation pane, select **Settings** > **Indicators**.
-
-2. Select the tab of the entity type you'd like to import indicators for.
-
-3. Select **Import** > **Choose file**.
-
-4. Select **Import**. Do this for all the files you'd like to import.
-
-5. Select **Done**.
-
-The following table shows the supported parameters.
-
-Parameter | Type | Description
-:---|:---|:---
-indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". **Required**
-indicatorValue | String | Identity of the [Indicator](ti-indicator.md) entity. **Required**
-action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". **Required**
-title | String | Indicator alert title. **Required**
-description | String | Description of the indicator. **Required**
-expirationTime | DateTimeOffset | The expiration time of the indicator in the following format YYYY-MM-DDTHH:MM:SS.0Z. **Optional**
-severity | Enum | The severity of the indicator. Possible values are: "Informational", "Low", "Medium" and "High". **Optional**
-recommendedActions | String | TI indicator alert recommended actions. **Optional**
-rbacGroupNames | String | Comma-separated list of RBAC group names the indicator would be applied to. **Optional**
-
-## Related topics
-- [Create indicators](manage-indicators.md)
-- [Create indicators for files](indicator-file.md)
-- [Create indicators for IPs and URLs/domains](indicator-ip-domain.md)
-- [Create indicators based on certificates](indicator-certificates.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md
deleted file mode 100644
index 17b7c51fcd..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md
+++ /dev/null
@@ -1,101 +0,0 @@
----
-title: Information protection in Windows overview
-ms.reviewer:
-description: Learn about how information protection works in Windows to identify and protect sensitive information
-keywords: information, protection, dlp, data, loss, prevention, protect
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Information protection in Windows overview
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace.
-
-
->[!TIP]
-> Read our blog post about how [Microsoft Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices](https://cloudblogs.microsoft.com/microsoftsecure/2019/01/17/windows-defender-atp-integrates-with-microsoft-information-protection-to-discover-protect-and-monitor-sensitive-data-on-windows-devices/).
-
-Microsoft Defender ATP applies the following methods to discover, classify, and protect data:
-
-- **Data discovery** - Identify sensitive data on Windows devices at risk
-- **Data classification** - Automatically classify data based on common Microsoft Information Protection (MIP) policies managed in Office 365 Security & Compliance Center. Auto-classification allows you to protect sensitive data even if the end user hasn’t manually classified it.
-
-
-## Data discovery and data classification
-
-Microsoft Defender ATP automatically discovers files with sensitivity labels and files that contain sensitive information types.
-
-Sensitivity labels classify and help protect sensitive content.
-
-Sensitive information types in the Office 365 data loss prevention (DLP) implementation fall under two categories:
-
-- Default
-- Custom
-
-Default sensitive information types include information such as bank account numbers, social security numbers, or national IDs. For more information, see [What the sensitive information type look for](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for).
-
-Custom types are ones that you define and is designed to protect a different type of sensitive information (for example, employee IDs or project numbers). For more information see, [Create a custom sensitive information type](https://docs.microsoft.com/office365/securitycompliance/create-a-custom-sensitive-information-type).
-
-When a file is created or edited on a Windows device, Microsoft Defender ATP scans the content to evaluate if it contains sensitive information.
-
-Turn on the Azure Information Protection integration so that when a file that contains sensitive information is discovered by Microsoft Defender ATP though labels or information types, it is automatically forwarded to Azure Information Protection from the device.
-
-
-
-The reported signals can be viewed on the Azure Information Protection – Data discovery dashboard.
-
-## Azure Information Protection - Data discovery dashboard
-
-This dashboard presents a summarized discovery information of data discovered by both Microsoft Defender ATP and Azure Information Protection. Data from Microsoft Defender ATP is marked with Location Type - Endpoint.
-
-
-
-Notice the Device Risk column on the right, this device risk is derived directly from Microsoft Defender ATP, indicating the risk level of the security device where the file was discovered, based on the active security threats detected by Microsoft Defender ATP.
-
-Click on a device to view a list of files observed on this device, with their sensitivity labels and information types.
-
->[!NOTE]
->Please allow approximately 15-20 minutes for the Azure Information Protection Dashboard Discovery to reflect discovered files.
-
-## Log Analytics
-
-Data discovery based on Microsoft Defender ATP is also available in [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-overview), where you can perform complex queries over the raw data.
-
-For more information on Azure Information Protection analytics, see [Central reporting for Azure Information Protection](https://docs.microsoft.com/azure/information-protection/reports-aip).
-
-Open Azure Log Analytics in Azure Portal and open a query builder (standard or classic).
-
-To view Microsoft Defender ATP data, perform a query that contains:
-
-```
-InformationProtectionLogs_CL
-| where Workload_s == "Windows Defender"
-```
-
-**Prerequisites:**
-
-- Customers must have a subscription for Azure Information Protection.
-- Enable Azure Information Protection integration in Microsoft Defender Security Center:
- - Go to **Settings** in Microsoft Defender Security Center, click on **Advanced Settings** under **General**.
-
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md
deleted file mode 100644
index 4c595bdec5..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md
+++ /dev/null
@@ -1,65 +0,0 @@
----
-title: Use sensitivity labels to prioritize incident response
-description: Learn how to use sensitivity labels to prioritize and investigate incidents
-keywords: information, protection, data, loss, prevention,labels, dlp, incident, investigate, investigation
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Use sensitivity labels to prioritize incident response
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-A typical advanced persistent threat lifecycle involves data exfiltration. In a security incident, it's important to have the ability to prioritize investigations where sensitive files may be jeopardy so that corporate data and information are protected.
-
-Microsoft Defender ATP helps to make the prioritization of security incidents much simpler with the use of sensitivity labels. Sensitivity labels quickly identify incidents that may involve devices with sensitive information such as confidential information.
-
-## Investigate incidents that involve sensitive data
-Learn how to use data sensitivity labels to prioritize incident investigation.
-
->[!NOTE]
->Labels are detected for Windows 10, version 1809 or later.
-
-1. In Microsoft Defender Security Center, select **Incidents**.
-
-2. Scroll to the right to see the **Data sensitivity** column. This column reflects sensitivity labels that have been observed on devices related to the incidents providing an indication of whether sensitive files may be impacted by the incident.
-
- 
-
- You can also filter based on **Data sensitivity**
-
- 
-
-3. Open the incident page to further investigate.
-
- 
-
-4. Select the **Devices** tab to identify devices storing files with sensitivity labels.
-
- 
-
-
-5. Select the devices that store sensitive data and search through the timeline to identify which files may be impacted then take appropriate action to ensure that data is protected.
-
- You can narrow down the events shown on the device timeline by searching for data sensitivity labels. Doing this will show only events associated with files that have said label name.
-
- 
-
-
->[!TIP]
->These data points are also exposed through the ‘DeviceFileEvents’ in advanced hunting, allowing advanced queries and schedule detection to take into account sensitivity labels and file protection status.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md
deleted file mode 100644
index f464c54bde..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md
+++ /dev/null
@@ -1,89 +0,0 @@
----
-title: Start Investigation API
-description: Use this API to start investigation on a device.
-keywords: apis, graph api, supported apis, investigation
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Start Investigation API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-
-## API description
-Start automated investigation on a device.
-
See [Overview of automated investigations](automated-investigations.md) for more information.
-
-
-## Limitations
-1. Rate limitations for this API are 50 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Alert.ReadWrite.All | 'Read and write all alerts'
-Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-
-## HTTP request
-```
-POST https://api.securitycenter.microsoft.com/api/machines/{id}/startInvestigation
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | string | application/json. **Required**.
-
-## Request body
-In the request body, supply a JSON object with the following parameters:
-
-Parameter | Type | Description
-:---|:---|:---
-Comment | String | Comment to associate with the action. **Required**.
-
-
-## Response
-If successful, this method returns 201 - Created response code and [Investigation](investigation.md) in the response body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-```
-POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/startInvestigation
-Content-type: application/json
-{
- "Comment": "Test investigation",
-}
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md
deleted file mode 100644
index 1b20360ecd..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md
+++ /dev/null
@@ -1,112 +0,0 @@
----
-title: Investigate Microsoft Defender Advanced Threat Protection alerts
-description: Use the investigation options to get details on alerts are affecting your network, what they mean, and how to resolve them.
-keywords: investigate, investigation, devices, device, alerts queue, dashboard, IP address, file, submit, submissions, deep analysis, timeline, search, domain, URL, IP
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: article
-ms.date: 04/24/2018
----
-
-# Investigate Microsoft Defender Advanced Threat Protection alerts
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatealerts-abovefoldlink)
-
-Investigate alerts that are affecting your network, understand what they mean, and how to resolve them.
-
-Click an alert to see the alert details view and the various tiles that provide information about the alert.
-
-From the alert details view, you can manage an alert and see alert data such as severity, category, technique, along with other information that can help you make better decisions on how to approach them.
-
-The techniques reflected in the card are based on [MITRE enterprise techniques](https://attack.mitre.org/techniques/enterprise/).
-
-You'll also see a status of the automated investigation on the upper right corner. Clicking on the link will take you to the Automated investigations view. For more information, see [Automated investigations](automated-investigations.md).
-
-
-
-The alert context tile shows the where, who, and when context of the alert. As with other pages, you can click on the icon beside the name or user account to bring up the device or user details pane. The alert details view also has a status tile that shows the status of the alert in the queue. You'll also see a description and a set of recommended actions which you can expand.
-
-For more information about managing alerts, see [Manage alerts](manage-alerts.md).
-
-The alert details page also shows the alert process tree, an incident graph, and an artifact timeline.
-
-You can click on the device link from the alert view to navigate to the device. The alert will be highlighted automatically, and the timeline will display the appearance of the alert and its evidence in the **Device timeline**. If the alert appeared more than once on the device, the latest occurrence will be displayed in the **Device timeline**.
-
-Alerts attributed to an adversary or actor display a colored tile with the actor's name.
-
-
-
-Click on the actor's name to see the threat intelligence profile of the actor, including a brief overview of the actor, their interests or targets, their tools, tactics, and processes (TTPs), and areas where they've been observed worldwide. You will also see a set of recommended actions to take.
-
-Some actor profiles include a link to download a more comprehensive threat intelligence report.
-
-
-
-The detailed alert profile helps you understand who the attackers are, who they target, what techniques, tools, and procedures (TTPs) they use, which geolocations they are active in, and finally, what recommended actions you may take. In many cases, you can download a more detailed Threat Intelligence report about this attacker or campaign for offline reading.
-
-## Alert process tree
-The **Alert process tree** takes alert triage and investigation to the next level, displaying the aggregated alert and surrounding evidence that occurred within the same execution context and time period. This rich triage and investigation context is available on the alert page.
-
-
-
-The **Alert process tree** expands to display the execution path of the alert and related evidence that occurred around the same period. Items marked with a thunderbolt icon should be given priority during investigation.
-
->[!NOTE]
->The alert process tree might not show for some alerts, including alerts not triggered directly by process activity.
-
-Clicking in the circle immediately to the left of the indicator displays its details.
-
-
-
-The alert details pane helps you take a deeper look at the details about the alert. It displays rich information about the execution details, file details, detections, observed worldwide, observed in organization, and other details taken from the entity's page – while remaining on the alert page, so you never leave the current context of your investigation.
-
-
-## Incident graph
-The **Incident Graph** provides a visual representation of the organizational footprint of the alert and its evidence: where the evidence that triggered the alert was observed on other devices. It provides a graphical mapping from the original device and evidence expanding to show other devices in the organization where the triggering evidence was also observed.
-
-
-
-The **Incident Graph** supports expansion by File, Process, command line, or Destination IP Address, as appropriate.
-
-The **Incident Graph** expansion by destination IP Address, shows the organizational footprint of communications with this IP Address without having to change context by navigating to the IP Address page.
-
-You can click the full circles on the incident graph to expand the nodes and view the expansion to other devices where the matching criteria were observed.
-
-## Artifact timeline
-The **Artifact timeline** feature provides an additional view of the evidence that triggered the alert on the device, and shows the date and time the evidence triggering the alert was observed, as well as the first time it was observed on the device. This can help in understanding if the evidence was first observed at the time of the alert, or whether it was observed on the device earlier - without triggering an alert.
-
-
-
-Selecting an alert detail brings up the **Details pane** where you'll be able to see more information about the alert such as file details, detections, instances of it observed worldwide, and in the organization.
-
-## Related topics
-- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md)
-- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md)
-- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md)
-- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md)
-- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md)
-- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md)
-- [Investigate a user account in Microsoft Defender ATP](investigate-user.md)
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
deleted file mode 100644
index 37ca52cd85..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md
+++ /dev/null
@@ -1,93 +0,0 @@
----
-title: Investigate connection events that occur behind forward proxies
-description: Learn how to use advanced HTTP level monitoring through network protection in Microsoft Defender ATP, which surfaces a real target, instead of a proxy.
-keywords: proxy, network protection, forward proxy, network events, audit, block, domain names, domain
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: article
----
-
-# Investigate connection events that occur behind forward proxies
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink)
-
-Microsoft Defender ATP supports network connection monitoring from different levels of the network stack. A challenging case is when the network uses a forward proxy as a gateway to the Internet.
-
-The proxy acts as if it was the target endpoint. In these cases, simple network connection monitors will audit the connections with the proxy which is correct but has lower investigation value.
-
-Microsoft Defender ATP supports advanced HTTP level monitoring through network protection. When turned on, a new type of event is surfaced which exposes the real target domain names.
-
-## Use network protection to monitor network connection behind a firewall
-Monitoring network connection behind a forward proxy is possible due to additional network events that originate from network protection. To see them on a device timeline, turn network protection on (at the minimum in audit mode).
-
-Network protection can be controlled using the following modes:
-
-- **Block**
Users or apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Microsoft Defender Security Center.
-- **Audit**
Users or apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Microsoft Defender Security Center.
-
-
-If you turn network protection off, users or apps will not be blocked from connecting to dangerous domains. You will not see any network activity in Microsoft Defender Security Center.
-
-If you do not configure it, network blocking will be turned off by default.
-
-For more information, see [Enable network protection](enable-network-protection.md).
-
-## Investigation impact
-When network protection is turned on, you'll see that on a device's timeline the IP address will keep representing the proxy, while the real target address shows up.
-
-
-
-Additional events triggered by the network protection layer are now available to surface the real domain names even behind a proxy.
-
-Event's information:
-
-
-
-
-
-## Hunt for connection events using advanced hunting
-All new connection events are available for you to hunt on through advanced hunting as well. Since these events are connection events, you can find them under the DeviceNetworkEvents table under the `ConnecionSuccess` action type.
-
-Using this simple query will show you all the relevant events:
-
-```
-DeviceNetworkEvents
-| where ActionType == "ConnectionSuccess"
-| take 10
-```
-
-
-
-You can also filter out events that are related to connection to the proxy itself.
-
-Use the following query to filter out the connections to the proxy:
-
-```
-DeviceNetworkEvents
-| where ActionType == "ConnectionSuccess" and RemoteIP != "ProxyIP"
-| take 10
-```
-
-
-
-## Related topics
-- [Applying network protection with GP - policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md
deleted file mode 100644
index 7bd899fd9b..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md
+++ /dev/null
@@ -1,88 +0,0 @@
----
-title: Investigate Microsoft Defender Advanced Threat Protection domains
-description: Use the investigation options to see if devices and servers have been communicating with malicious domains.
-keywords: investigate domain, domain, malicious domain, microsoft defender atp, alert, URL
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: article
-ms.date: 04/24/2018
----
-# Investigate a domain associated with a Microsoft Defender ATP alert
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatedomain-abovefoldlink)
-
-Investigate a domain to see if devices and servers in your enterprise network have been communicating with a known malicious domain.
-
-You can investigate a domain by using the search feature or by clicking on a domain link from the **Device timeline**.
-
-You can see information from the following sections in the URL view:
-
-- URL details, Contacts, Nameservers
-- Alerts related to this URL
-- URL in organization
-- Most recent observed devices with URL
-
-## URL worldwide
-
-The **URL Worldwide** section lists the URL, a link to further details at Whois, the number of related open incidents, and the number of active alerts.
-
-## Incident
-
-The **Incident** card displays a bar chart of all active alerts in incidents over the past 180 days.
-
-## Prevalence
-
-The **Prevalence** card provides details on the prevalence of the URL within the organization, over a specified period of time.
-
-Although the default time period is the past 30 days, you can customize the range by selecting the downward-pointing arrow in the corner of the card. The shortest range available is for prevalence over the past day, while the longest range is over the past 6 months.
-
-## Alerts
-
-The **Alerts** tab provides a list of alerts that are associated with the URL. The table shown here is a filtered version of the alerts visible on the Alert queue screen, showing only alerts associated with the domain, their severity, status, the associated incident, classification, investigation state, and more.
-
-The Alerts tab can be adjusted to show more or less information, by selecting **Customize columns** from the action menu above the column headers. The number of items displayed can also be adjusted, by selecting **items per page** on the same menu.
-
-## Observed in organization
-
-The **Observed in organization** tab provides a chronological view on the events and associated alerts that were observed on the URL. This tab includes a timeline and a customizable table listing event details, such as the time, device, and a brief description of what happened.
-
-You can view events from different periods of time by entering the dates into the text fields above the table headers. You can also customize the time range by selecting different areas of the timeline.
-
-**Investigate a domain:**
-
-1. Select **URL** from the **Search bar** drop-down menu.
-2. Enter the URL in the **Search** field.
-3. Click the search icon or press **Enter**. Details about the URL are displayed. Note: search results will only be returned for URLs observed in communications from devices in the organization.
-4. Use the search filters to define the search criteria. You can also use the timeline search box to filter the displayed results of all devices in the organization observed communicating with the URL, the file associated with the communication and the last date observed.
-5. Clicking any of the device names will take you to that device's view, where you can continue investigate reported alerts, behaviors, and events.
-
-## Related topics
-- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md)
-- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md)
-- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md)
-- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md)
-- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md)
-- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md)
-- [Investigate a user account in Microsoft Defender ATP](investigate-user.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md
deleted file mode 100644
index f5c2fcb4ce..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md
+++ /dev/null
@@ -1,111 +0,0 @@
----
-title: Investigate Microsoft Defender Advanced Threat Protection files
-description: Use the investigation options to get details on files associated with alerts, behaviours, or events.
-keywords: investigate, investigation, file, malicious activity, attack motivation, deep analysis, deep analysis report
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: article
-ms.date: 04/24/2018
----
-
-# Investigate a file associated with a Microsoft Defender ATP alert
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatefiles-abovefoldlink)
-
-Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
-
-There are many ways to access the detailed profile page of a specific file. For example, you can use the search feature, click on a link from the **Alert process tree**, **Incident graph**, **Artifact timeline**, or select an event listed in the **Device timeline**.
-
-Once on the detailed profile page, you can switch between the new and old page layouts by toggling **new File page**. The rest of this article describes the newer page layout.
-
-You can get information from the following sections in the file view:
-
-- File details, Malware detection, File prevalence
-- Deep analysis
-- Alerts
-- Observed in organization
-- Deep analysis
-- File names
-
-You can also take action on a file from this page.
-
-## File actions
-
-Along the top of the profile page, above the file information cards. Actions you can perform here include:
-
-- Stop and quarantine
-- Add/edit indicator
-- Download file
-- Consult a threat expert
-- Action center
-
-For more information on these actions, see [Take response action on a file](respond-file-alerts.md).
-
-## File details, Malware detection, and File prevalence
-
-The file details, incident, malware detection, and file prevalence cards display various attributes about the file.
-
-You'll see details such as the file’s MD5, the Virus Total detection ratio, and Microsoft Defender AV detection if available, and the file’s prevalence, both worldwide and within your organizations.
-
-
-
-## Alerts
-
-The **Alerts** tab provides a list of alerts that are associated with the file. This list covers much of the same information as the Alerts queue, except for the device group, if any, the affected device belongs to. You can choose what kind of information is shown by selecting **Customize columns** from the toolbar above the column headers.
-
-
-
-## Observed in organization
-
-The **Observed in organization** tab allows you to specify a date range to see which devices have been observed with the file.
-
->[!NOTE]
->This tab will show a maximum number of 100 devices. To see _all_ devices with the file, export the tab to a CSV file, by selecting **Export** from the action menu above the tab's column headers.
-
-
-
-Use the slider or the range selector to quickly specify a time period that you want to check for events involving the file. You can specify a time window as small as a single day. This will allow you to see only files that communicated with that IP Address at that time, drastically reducing unnecessary scrolling and searching.
-
-## Deep analysis
-
-The **Deep analysis** tab allows you to [submit the file for deep analysis](respond-file-alerts.md#deep-analysis), to uncover more details about the file's behavior, as well as the effect it is having within your organizations. After you submit the file, the deep analysis report will appear in this tab once results are available. If deep analysis did not find anything, the report will be empty and the results space will remain blank.
-
-
-
-## File names
-
-The **File names** tab lists all names the file has been observed to use, within your organizations.
-
-
-
-## Related topics
-
-- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md)
-- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md)
-- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md)
-- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md)
-- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md)
-- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md)
-- [Investigate a user account in Microsoft Defender ATP](investigate-user.md)
-- [Take response actions on a file](respond-file-alerts.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md
deleted file mode 100644
index 419b64c153..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md
+++ /dev/null
@@ -1,91 +0,0 @@
----
-title: Investigate incidents in Microsoft Defender ATP
-description: See associated alerts, manage the incident, and see alert metadata to help you investigate an incident
-keywords: investigate, incident, alerts, metadata, risk, detection source, affected devices, patterns, correlation
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: article
----
-
-# Investigate incidents in Microsoft Defender ATP
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-Investigate incidents that affect your network, understand what they mean, and collate evidence to resolve them.
-
-When you investigate an incident, you'll see:
-- Incident details
-- Incident comments and actions
-- Tabs (alerts, devices, investigations, evidence, graph)
-
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qLUV]
-
-
-## Analyze incident details
-Click an incident to see the **Incident pane**. Select **Open incident page** to see the incident details and related information (alerts, devices, investigations, evidence, graph).
-
-
-
-### Alerts
-You can investigate the alerts and see how they were linked together in an incident.
-Alerts are grouped into incidents based on the following reasons:
-- Automated investigation - The automated investigation triggered the linked alert while investigating the original alert
-- File characteristics - The files associated with the alert have similar characteristics
-- Manual association - A user manually linked the alerts
-- Proximate time - The alerts were triggered on the same device within a certain timeframe
-- Same file - The files associated with the alert are exactly the same
-- Same URL - The URL that triggered the alert is exactly the same
-
-
-
-You can also manage an alert and see alert metadata along with other information. For more information, see [Investigate alerts](investigate-alerts.md).
-
-### Devices
-You can also investigate the devices that are part of, or related to, a given incident. For more information, see [Investigate devices](investigate-machines.md).
-
-
-
-### Investigations
-Select **Investigations** to see all the automatic investigations launched by the system in response to the incident alerts.
-
-
-
-## Going through the evidence
-Microsoft Defender Advanced Threat Protection automatically investigates all the incidents' supported events and suspicious entities in the alerts, providing you with auto-response and information about the important files, processes, services, and more. This helps quickly detect and block potential threats in the incident.
-Each of the analyzed entities will be marked as infected, remediated, or suspicious.
-
-
-
-## Visualizing associated cybersecurity threats
-Microsoft Defender Advanced Threat Protection aggregates the threat information into an incident so you can see the patterns and correlations coming in from various data points. You can view such correlation through the incident graph.
-
-### Incident graph
-The **Graph** tells the story of the cybersecurity attack. For example, it shows you what was the entry point, which indicator of compromise or activity was observed on which device. etc.
-
-
-
-You can click the circles on the incident graph to view the details of the malicious files, associated file detections, how many instances has there been worldwide, whether it’s been observed in your organization, if so, how many instances.
-
-
-
-## Related topics
-- [Incidents queue](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue)
-- [Investigate incidents in Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents)
-- [Manage Microsoft Defender ATP incidents](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-incidents)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md
deleted file mode 100644
index fb1109d764..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md
+++ /dev/null
@@ -1,89 +0,0 @@
----
-title: Investigate an IP address associated with an alert
-description: Use the investigation options to examine possible communication between devices and external IP addresses.
-keywords: investigate, investigation, IP address, alert, microsoft defender atp, external IP
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: article
-ms.date: 04/24/2018
----
-
-# Investigate an IP address associated with a Microsoft Defender ATP alert
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink)
-
-Examine possible communication between your devices and external internet protocol (IP) addresses.
-
-Identifying all devices in the organization that communicated with a suspected or known malicious IP address, such as Command and Control (C2) servers, helps determine the potential scope of breach, associated files, and infected devices.
-
-You can find information from the following sections in the IP address view:
-
-- IP worldwide
-- Reverse DNS names
-- Alerts related to this IP
-- IP in organization
-- Prevalence
-
-## IP Worldwide and Reverse DNS names
-
-The IP address details section shows attributes of the IP address such as its ASN and its Reverse DNS names.
-
-## Alerts related to this IP
-
-The **Alerts related to this IP** section provides a list of alerts that are associated with the IP.
-
-## IP in organization
-
-The **IP in organization** section provides details on the prevalence of the IP address in the organization.
-
-## Prevalence
-
-The **Prevalence** section displays how many devices have connected to this IP address, and when the IP was first and last seen. You can filter the results of this section by time period; the default period is 30 days.
-
-## Most recent observed devices with IP
-
-The **Most recent observed devices** with IP section provides a chronological view on the events and associated alerts that were observed on the IP address.
-
-**Investigate an external IP:**
-
-1. Select **IP** from the **Search bar** drop-down menu.
-2. Enter the IP address in the **Search** field.
-3. Click the search icon or press **Enter**.
-
-Details about the IP address are displayed, including: registration details (if available), reverse IPs (for example, domains), prevalence of devices in the organization that communicated with this IP Address (during selectable time period), and the devices in the organization that were observed communicating with this IP address.
-
-> [!NOTE]
-> Search results will only be returned for IP addresses observed in communication with devices in the organization.
-
-Use the search filters to define the search criteria. You can also use the timeline search box to filter the displayed results of all devices in the organization observed communicating with the IP address, the file associated with the communication and the last date observed.
-
-Clicking any of the device names will take you to that device's view, where you can continue investigate reported alerts, behaviors, and events.
-
-## Related topics
-
-- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md)
-- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md)
-- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md)
-- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md)
-- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md)
-- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md)
-- [Investigate a user account in Microsoft Defender ATP](investigate-user.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
deleted file mode 100644
index 5419c76996..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md
+++ /dev/null
@@ -1,200 +0,0 @@
----
-title: Investigate devices in the Microsoft Defender ATP Devices list
-description: Investigate affected devices by reviewing alerts, network connection information, adding device tags and groups, and checking the service health.
-keywords: devices, tags, groups, endpoint, alerts queue, alerts, device name, domain, last seen, internal IP, active alerts, threat category, filter, sort, review alerts, network, connection, type, password stealer, ransomware, exploit, threat, low severity, service health
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: article
----
-
-# Investigate devices in the Microsoft Defender ATP Devices list
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink)
-
-Investigate the details of an alert raised on a specific device to identify other behaviors or events that might be related to the alert or the potential scope of the breach.
-
-> [!NOTE]
-> As part of the investigation or response process, you can collect an investigation package from a device. Here's how: [Collect investigation package from devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#collect-investigation-package-from-devices).
-
-You can click on affected devices whenever you see them in the portal to open a detailed report about that device. Affected devices are identified in the following areas:
-
-- [Devices list](investigate-machines.md)
-- [Alerts queue](alerts-queue.md)
-- [Security operations dashboard](security-operations-dashboard.md)
-- Any individual alert
-- Any individual file details view
-- Any IP address or domain details view
-
-When you investigate a specific device, you'll see:
-
-- Device details
-- Response actions
-- Tabs (overview, alerts, timeline, security recommendations, software inventory, discovered vulnerabilities, missing KBs)
-- Cards (active alerts, logged on users, security assessment)
-
-
-
-## Device details
-
-The device details section provides information such as the domain, OS, and health state of the device. If there's an investigation package available on the device, you'll see a link that allows you to download the package.
-
-## Response actions
-
-Response actions run along the top of a specific device page and include:
-
-- Manage tags
-- Isolate device
-- Restrict app execution
-- Run antivirus scan
-- Collect investigation package
-- Initiate Live Response Session
-- Initiate automated investigation
-- Consult a threat expert
-- Action center
-
-You can take response actions in the Action center, in a specific device page, or in a specific file page.
-
-For more information on how to take action on a device, see [Take response action on a device](respond-machine-alerts.md).
-
-For more information, see [Investigate user entities](investigate-user.md).
-
-## Tabs
-
-The tabs provide relevant security and threat prevention information related to the device. In each tab, you can customize the columns that are shown by selecting **Customize columns** from the bar above the column headers.
-
-### Overview
-The **Overview** tab displays the [cards](#cards) for active alerts, logged on users, and security assessment.
-
-
-
-### Alerts
-
-The **Alerts** tab provides a list of alerts that are associated with the device. This list is a filtered version of the [Alerts queue](alerts-queue.md), and shows a short description of the alert, severity (high, medium, low, informational), status in the queue (new, in progress, resolved), classification (not set, false alert, true alert), investigation state, category of alert, who is addressing the alert, and last activity. You can also filter the alerts.
-
-
-
-When the circle icon to the left of an alert is selected, a fly-out appears. From this panel you can manage the alert and view more details such as incident number and related devices. Multiple alerts can be selected at a time.
-
-To see a full page view of an alert including incident graph and process tree, select the title of the alert.
-
-### Timeline
-
-The **Timeline** tab provides a chronological view of the events and associated alerts that have been observed on the device. This can help you correlate any events, files, and IP addresses in relation to the device.
-
-The timeline also enables you to selectively drill down into events that occurred within a given time period. You can view the temporal sequence of events that occurred on a device over a selected time period. To further control your view, you can filter by event groups or customize the columns.
-
->[!NOTE]
-> For firewall events to be displayed, you'll need to enable the audit policy, see [Audit Filtering Platform connection](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-filtering-platform-connection).
->Firewall covers the following events
->
->- [5025](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5025) - firewall service stopped
->- [5031](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5031) - application blocked from accepting incoming connections on the network
->- [5157](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5157) - blocked connection
-
-
-
-Some of the functionality includes:
-
-- Search for specific events
- - Use the search bar to look for specific timeline events.
-- Filter events from a specific date
- - Select the calendar icon in the upper left of the table to display events in the past day, week, 30 days, or custom range. By default, the device timeline is set to display the events from the past 30 days.
- - Use the timeline to jump to a specific moment in time by highlighting the section. The arrows on the timeline pinpoint automated investigations
-- Export detailed device timeline events
- - Export the device timeline for the current date or a specified date range up to seven days.
-
-More details about certain events are provided in the **Additional information** section. These details vary depending on the type of event, for example:
-
-- Contained by Application Guard - the web browser event was restricted by an isolated container
-- Active threat detected - the threat detection occurred while the threat was running
-- Remediation unsuccessful - an attempt to remediate the detected threat was invoked but failed
-- Remediation successful - the detected threat was stopped and cleaned
-- Warning bypassed by user - the Windows Defender SmartScreen warning was dismissed and overridden by a user
-- Suspicious script detected - a potentially malicious script was found running
-- The alert category - if the event led to the generation of an alert, the alert category ("Lateral Movement", for example) is provided
-
-You can also use the [Artifact timeline](investigate-alerts.md#artifact-timeline) feature to see the correlation between alerts and events on a specific device.
-
-#### Event details
-Select an event to view relevant details about that event. A panel displays to show general event information. When applicable and data is available, a graph showing related entities and their relationships are also shown.
-
-To further inspect the event and related events, you can quickly run an [advanced hunting](advanced-hunting-overview.md) query by selecting **Hunt for related events**. The query will return the selected event and the list of other events that occurred around the same time on the same endpoint.
-
-
-
-### Security recommendations
-
-**Security recommendations** are generated from Microsoft Defender ATP's [Threat & Vulnerability Management](tvm-dashboard-insights.md) capability. Selecting a recommendation will show a panel where you can view relevant details such as description of the recommendation and the potential risks associated with not enacting it. See [Security recommendation](tvm-security-recommendation.md) for details.
-
-
-
-### Software inventory
-
-The **Software inventory** tab lets you view software on the device, along with any weaknesses or threats. Selecting the name of the software will take you to the software details page where you can view security recommendations, discovered vulnerabilities, installed devices, and version distribution. See [Software inventory](tvm-software-inventory.md) for details
-
-
-
-### Discovered vulnerabilities
-
-The **Discovered vulnerabilities** tab shows the name, severity, and threat insights of discovered vulnerabilities on the device. Selecting specific vulnerabilities will show a description and details.
-
-
-
-### Missing KBs
-The **Missing KBs** tab lists the missing security updates for the device.
-
-
-
-## Cards
-
-### Active alerts
-
-The **Azure Advanced Threat Protection** card will display a high-level overview of alerts related to the device and their risk level, if you have enabled the Azure ATP feature, and there are any active alerts. More information is available in the "Alerts" drill down.
-
-
-
->[!NOTE]
->You'll need to enable the integration on both Azure ATP and Microsoft Defender ATP to use this feature. In Microsoft Defender ATP, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features.md).
-
-### Logged on users
-
-The **Logged on users** card shows how many users have logged on in the past 30 days, along with the most and least frequent users. Selecting the "See all users" link opens the details pane, which displays information such as user type, log on type, and when the user was first and last seen. For more information, see [Investigate user entities](investigate-user.md).
-
-
-
-### Security assessments
-
-The **Security assessments** card shows the overall exposure level, security recommendations, installed software, and discovered vulnerabilities. A device's exposure level is determined by the cumulative impact of its pending security recommendations.
-
-
-
-## Related topics
-
-- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md)
-- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md)
-- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md)
-- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md)
-- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md)
-- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md)
-- [Investigate a user account in Microsoft Defender ATP](investigate-user.md)
-- [Security recommendation](tvm-security-recommendation.md)
-- [Software inventory](tvm-software-inventory.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md
deleted file mode 100644
index 7593f22e63..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md
+++ /dev/null
@@ -1,101 +0,0 @@
----
-title: Investigate a user account in Microsoft Defender ATP
-description: Investigate a user account for potential compromised credentials or pivot on the associated user account during an investigation.
-keywords: investigate, account, user, user entity, alert, microsoft defender atp
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: article
-ms.date: 04/24/2018
----
-# Investigate a user account in Microsoft Defender ATP
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatgeuser-abovefoldlink)
-
-## Investigate user account entities
-
-Identify user accounts with the most active alerts (displayed on dashboard as "Users at risk") and investigate cases of potential compromised credentials, or pivot on the associated user account when investigating an alert or device to identify possible lateral movement between devices with that user account.
-
-You can find user account information in the following views:
-
-- Dashboard
-- Alert queue
-- Device details page
-
-A clickable user account link is available in these views, that will take you to the user account details page where more details about the user account are shown.
-
-When you investigate a user account entity, you'll see:
-
-- User account details, Azure Advanced Threat Protection (Azure ATP) alerts, and logged on devices, role, logon type, and other details
-- Overview of the incidents and user's devices
-- Alerts related to this user
-- Observed in organization (devices logged on to)
-
-
-
-### User details
-
-The **User details** pane on left provides information about the user, such as related open incidents, active alerts, SAM name, SID, Azure ATP alerts, number of devices the user is logged on to, when the user was first and last seen, role, and logon types. Depending on the integration features you've enabled, you'll see other details. For example, if you enable the Skype for business integration, you'll be able to contact the user from the portal. The **Azure ATP alerts** section contains a link that will take you to the Azure ATP page, if you have enabled the Azure ATP feature, and there are alerts related to the user. The Azure ATP page will provide more information about the alerts.
-
->[!NOTE]
->You'll need to enable the integration on both Azure ATP and Microsoft Defender ATP to use this feature. In Microsoft Defender ATP, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features.md).
-
-The Overview, Alerts, and Observed in organization are different tabs that display various attributes about the user account.
-
-### Overview
-
-The **Overview** tab shows the incidents details and a list of the devices that the user has logged on to. You can expand these to see details of the log-on events for each device.
-
-### Alerts
-
-The **Alerts** tab provides a list of alerts that are associated with the user account. This list is a filtered view of the [Alert queue](alerts-queue.md), and shows alerts where the user context is the selected user account, the date when the last activity was detected, a short description of the alert, the device associated with the alert, the alert's severity, the alert's status in the queue, and who is assigned the alert.
-
-### Observed in organization
-
-The **Observed in organization** tab allows you to specify a date range to see a list of devices where this user was observed logged on to, the most frequent and least frequent logged on user account for each of these devices, and total observed users on each device.
-
-Selecting an item on the Observed in organization table will expand the item, revealing more details about the device. Directly selecting a link within an item will send you to the corresponding page.
-
-## Search for specific user accounts
-
-1. Select **User** from the **Search bar** drop-down menu.
-2. Enter the user account in the **Search** field.
-3. Click the search icon or press **Enter**.
-
-A list of users matching the query text is displayed. You'll see the user account's domain and name, when the user account was last seen, and the total number of devices it was observed logged on to in the last 30 days.
-
-You can filter the results by the following time periods:
-
-- 1 day
-- 3 days
-- 7 days
-- 30 days
-- 6 months
-
-## Related topics
-
-- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md)
-- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md)
-- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md)
-- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md)
-- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md)
-- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md)
-- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigation.md b/windows/security/threat-protection/microsoft-defender-atp/investigation.md
deleted file mode 100644
index 87bac34185..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/investigation.md
+++ /dev/null
@@ -1,69 +0,0 @@
----
-title: Investigation resource type
-description: Microsoft Defender ATP Investigation entity.
-keywords: apis, graph api, supported apis, get, alerts, investigations
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: article
----
-
-# Investigation resource type
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-Represent an Automated Investigation entity in Microsoft Defender ATP.
-
See [Overview of automated investigations](automated-investigations.md) for more information.
-
-## Methods
-Method|Return Type |Description
-:---|:---|:---
-[List Investigations](get-investigation-collection.md) | Investigation collection | Get collection of Investigation
-[Get single Investigation](get-investigation-collection.md) | Investigation entity | Gets single Investigation entity.
-[Start Investigation](initiate-autoir-investigation.md) | Investigation entity | Starts Investigation on a device.
-
-
-## Properties
-Property | Type | Description
-:---|:---|:---
-id | String | Identity of the investigation entity.
-startTime | DateTime Nullable | The date and time when the investigation was created.
-endTime | DateTime Nullable | The date and time when the investigation was completed.
-cancelledBy | String | The ID of the user/application that cancelled that investigation.
-investigationState | Enum | The current state of the investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign', 'Failed', 'PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert'.
-statusDetails | String | Additional information about the state of the investigation.
-machineId | String | The ID of the device on which the investigation is executed.
-computerDnsName | String | The name of the device on which the investigation is executed.
-triggeringAlertId | String | The ID of the alert that triggered the investigation.
-
-
-## Json representation
-
-```json
-{
- "id": "63004",
- "startTime": "2020-01-06T13:05:15Z",
- "endTime": null,
- "state": "Running",
- "cancelledBy": null,
- "statusDetails": null,
- "machineId": "e828a0624ed33f919db541065190d2f75e50a071",
- "computerDnsName": "desktop-test123",
- "triggeringAlertId": "da637139127150012465_1011995739"
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md
deleted file mode 100644
index abb45e662b..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-title: Configure Microsoft Defender ATP for iOS features
-ms.reviewer:
-description: Describes how to deploy Microsoft Defender ATP for iOS features
-keywords: microsoft, defender, atp, ios, configure, features, ios
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
----
-
-# Configure Microsoft Defender ATP for iOS features
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-> [!IMPORTANT]
-> **PUBLIC PREVIEW EDITION**
->
-> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability.
->
-> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
-
-
-## Configure custom indicators
-Microsoft Defender ATP for iOS enables admins to configure custom indicators on
-iOS devices as well. Refer to [Manage
-indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators)
-on how to configure custom indicators
-
-## Web Protection
-By default, Microsoft Defender ATP for iOS includes and enables the web
-protection feature. [Web
-protection](web-protection-overview.md) helps
-to secure devices against web threats and protect users from phishing attacks.
-
->[!NOTE]
->Microsoft Defender ATP for iOS would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-install.md b/windows/security/threat-protection/microsoft-defender-atp/ios-install.md
deleted file mode 100644
index be3fe61fbf..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/ios-install.md
+++ /dev/null
@@ -1,82 +0,0 @@
----
-title: App-based deployment for Microsoft Defender ATP for iOS
-ms.reviewer:
-description: Describes how to deploy Microsoft Defender ATP for iOS using an app
-keywords: microsoft, defender, atp, ios, app, installation, deploy, uninstallation, intune
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
----
-
-# App-based deployment for Microsoft Defender ATP for iOS
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-> [!IMPORTANT]
-> **PUBLIC PREVIEW EDITION**
->
-> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability.
->
-> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
-
-Microsoft Defender ATP for iOS is currently available as a preview app on TestFlight, Apple's beta testing platform. In GA, it will be available on the Apple App store.
-
-Deployment devices need to be enrolled on Intune Company portal. Refer to
-[Enroll your
-device](https://docs.microsoft.com/mem/intune/enrollment/ios-enroll) to
-learn more about Intune device enrollment
-
-## Before you begin
-
-- Ensure you have access to [Microsoft Endpoint manager admin
- center](https://go.microsoft.com/fwlink/?linkid=2109431).
-
-- Ensure iOS enrollment is done for your users. Users need to have Microsoft Defender ATP
- license assigned in order to use Microsoft Defender ATP for iOS. Refer [Assign licenses to
- users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign)
- for instructions on how to assign licenses.
-
-
-## Deployment steps
-
-To install Microsoft Defender ATP for iOS, end-users can visit
-
`/var/log/*.log`
`/var/log/install.?.log`
-Folder | All files under the specified folder (recursively) | `/var/log/`
`/var/*/`
-Process | A specific process (specified either by the full path or file name) and all files opened by it | `/bin/cat`
`cat`
`c?t`
-
-> [!IMPORTANT]
-> The paths above must be hard links, not symbolic links, in order to be successfully excluded. You can check if a path is a symbolic link by running `file
`file2.log` | `file123.log`
-
-## How to configure the list of exclusions
-
-### From the management console
-
-For more information on how to configure exclusions from Puppet, Ansible, or another management console, see [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md).
-
-### From the command line
-
-Run the following command to see the available switches for managing exclusions:
-
-```bash
-mdatp exclusion
-```
-
-> [!TIP]
-> When configuring exclusions with wildcards, enclose the parameter in double-quotes to prevent globbing.
-
-Examples:
-
-- Add an exclusion for a file extension:
-
- ```bash
- mdatp exclusion extension add --name .txt
- ```
- ```Output
- Extension exclusion configured successfully
- ```
-
-- Add an exclusion for a file:
-
- ```bash
- mdatp exclusion file add --path /var/log/dummy.log
- ```
- ```Output
- File exclusion configured successfully
- ```
-
-- Add an exclusion for a folder:
-
- ```bash
- mdatp exclusion folder add --path /var/log/
- ```
- ```Output
- Folder exclusion configured successfully
- ```
-
-- Add an exclusion for a folder with a wildcard in it:
-
- ```bash
- mdatp exclusion folder add --path "/var/*/"
- ```
-
- > [!NOTE]
- > This will only exclude paths one level below */var/*, but not folders which are more deeply nested; for example, */var/this-subfolder/but-not-this-subfolder*.
-
- ```bash
- mdatp exclusion folder add --path "/var/"
- ```
- > [!NOTE]
- > This will exclude all paths whose parent is */var/*; for example, */var/this-subfolder/and-this-subfolder-as-well*.
-
- ```Output
- Folder exclusion configured successfully
- ```
-
-- Add an exclusion for a process:
-
- ```bash
- mdatp exclusion process add --name cat
- ```
- ```Output
- Process exclusion configured successfully
- ```
-
-## Validate exclusions lists with the EICAR test file
-
-You can validate that your exclusion lists are working by using `curl` to download a test file.
-
-In the following Bash snippet, replace `test.txt` with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure that you run the command within that path.
-
-```bash
-curl -o test.txt https://www.eicar.org/download/eicar.com.txt
-```
-
-If Microsoft Defender ATP for Linux reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html).
-
-If you do not have Internet access, you can create your own EICAR test file. Write the EICAR string to a new text file with the following Bash command:
-
-```bash
-echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > test.txt
-```
-
-You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude.
-
-## Allow threats
-
-In addition to excluding certain content from being scanned, you can also configure the product not to detect some classes of threats (identified by the threat name). You should exercise caution when using this functionality, as it can leave your device unprotected.
-
-To add a threat name to the allowed list, execute the following command:
-
-```bash
-mdatp threat allowed add --name [threat-name]
-```
-
-The threat name associated with a detection on your device can be obtained using the following command:
-
-```bash
-mdatp threat list
-```
-
-For example, to add `EICAR-Test-File (not a virus)` (the threat name associated with the EICAR detection) to the allowed list, execute the following command:
-
-```bash
-mdatp threat allowed add --name "EICAR-Test-File (not a virus)"
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
deleted file mode 100644
index 3012e87c2c..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
+++ /dev/null
@@ -1,336 +0,0 @@
----
-title: Deploy Microsoft Defender ATP for Linux manually
-ms.reviewer:
-description: Describes how to deploy Microsoft Defender ATP for Linux manually from the command line.
-keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
----
-
-# Deploy Microsoft Defender ATP for Linux manually
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
-
-This article describes how to deploy Microsoft Defender ATP for Linux manually. A successful deployment requires the completion of all of the following tasks:
-
-- [Configure the Linux software repository](#configure-the-linux-software-repository)
-- [Application installation](#application-installation)
-- [Download the onboarding package](#download-the-onboarding-package)
-- [Client configuration](#client-configuration)
-
-## Prerequisites and system requirements
-
-Before you get started, see [Microsoft Defender ATP for Linux](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version.
-
-## Configure the Linux software repository
-
-Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository. Instructions for configuring your device to use one of these repositories are provided below.
-
-The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insiders-fast* are the first ones to receive updates and new features, followed later by *insiders-slow* and lastly by *prod*.
-
-In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*.
-
-> [!WARNING]
-> Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location.
-
-### RHEL and variants (CentOS and Oracle Linux)
-
-- Install `yum-utils` if it isn't installed yet:
-
- ```bash
- sudo yum install yum-utils
- ```
-
-- Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config/`.
-
- In the below commands, replace *[distro]* and *[version]* with the information you've identified:
-
- > [!NOTE]
- > In case of Oracle Linux, replace *[distro]* with “rhel”.
-
- ```bash
- sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
- ```
-
- For example, if you are running CentOS 7 and wish to deploy MDATP for Linux from the *insiders-fast* channel:
-
- ```bash
- sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/centos/7/insiders-fast.repo
- ```
-
-- Install the Microsoft GPG public key:
-
- ```bash
- sudo rpm --import http://packages.microsoft.com/keys/microsoft.asc
- ```
-
-- Download and make usable all the metadata for the currently enabled yum repositories:
-
- ```bash
- yum makecache
- ```
-
-### SLES and variants
-
-- Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config/`.
-
- In the following commands, replace *[distro]* and *[version]* with the information you've identified:
-
- ```bash
- sudo zypper addrepo -c -f -n microsoft-[channel] https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
- ```
-
- For example, if you are running SLES 12 and wish to deploy MDATP for Linux from the *insiders-fast* channel:
-
- ```bash
- sudo zypper addrepo -c -f -n microsoft-insiders-fast https://packages.microsoft.com/config/sles/12/insiders-fast.repo
- ```
-
-- Install the Microsoft GPG public key:
-
- ```bash
- sudo rpm --import http://packages.microsoft.com/keys/microsoft.asc
- ```
-
-### Ubuntu and Debian systems
-
-- Install `curl` if it isn't installed yet:
-
- ```bash
- sudo apt-get install curl
- ```
-
-- Install `libplist-utils` if it isn't installed yet:
-
- ```bash
- sudo apt-get install libplist-utils
- ```
-
-- Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config`.
-
- In the below command, replace *[distro]* and *[version]* with the information you've identified:
-
- ```bash
- curl -o microsoft.list https://packages.microsoft.com/config/[distro]/[version]/[channel].list
- ```
-
- For example, if you are running Ubuntu 18.04 and wish to deploy MDATP for Linux from the *insiders-fast* channel:
-
- ```bash
- curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/18.04/insiders-fast.list
- ```
-
-- Install the repository configuration:
-
- ```bash
- sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-[channel].list
- ```
-
-- Install the `gpg` package if not already installed:
-
- ```bash
- sudo apt-get install gpg
- ```
-
- If `gpg` is not available, then install `gnupg`.
-
-- Install the Microsoft GPG public key:
-
- ```bash
- curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
- ```
-
-- Install the https driver if it's not already present:
-
- ```bash
- sudo apt-get install apt-transport-https
- ```
-
-- Update the repository metadata:
-
- ```bash
- sudo apt-get update
- ```
-
-## Application installation
-
-- RHEL and variants (CentOS and Oracle Linux):
-
- ```bash
- sudo yum install mdatp
- ```
-
- If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device. Depending on the distribution and the version of your server, the repository alias might be different than the one in the following example.
-
- ```bash
- # list all repositories
- yum repolist
- ```
- ```Output
- ...
- packages-microsoft-com-prod packages-microsoft-com-prod 316
- packages-microsoft-com-prod-insiders-fast packages-microsoft-com-prod-ins 2
- ...
- ```
- ```bash
- # install the package from the production repository
- sudo yum --enablerepo=packages-microsoft-com-prod install mdatp
- ```
-
-- SLES and variants:
-
- ```bash
- sudo zypper install mdatp
- ```
-
- If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device.
-
- ```bash
- zypper repos
- ```
-
- ```Output
- ...
- # | Alias | Name | ...
- XX | packages-microsoft-com-insiders-fast | microsoft-insiders-fast | ...
- XX | packages-microsoft-com-prod | microsoft-prod | ...
- ...
- ```
- ```bash
- sudo zypper install packages-microsoft-com-prod:mdatp
- ```
-
-- Ubuntu and Debian system:
-
- ```bash
- sudo apt-get install mdatp
- ```
-
- If you have multiple Microsoft repositories configured on your device, you can be specific about which repository to install the package from. The following example shows how to install the package from the `production` channel if you also have the `insiders-fast` repository channel configured on this device. This situation can happen if you are using multiple Microsoft products on your device.
-
- ```bash
- cat /etc/apt/sources.list.d/*
- ```
- ```Output
- deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/ubuntu/18.04/prod insiders-fast main
- deb [arch=amd64] https://packages.microsoft.com/ubuntu/18.04/prod bionic main
- ```
- ```bash
- sudo apt -t bionic install mdatp
- ```
-
-## Download the onboarding package
-
-Download the onboarding package from Microsoft Defender Security Center:
-
-1. In Microsoft Defender Security Center, go to **Settings > Device Management > Onboarding**.
-2. In the first drop-down menu, select **Linux Server** as the operating system. In the second drop-down menu, select **Local Script (for up to 10 devices)** as the deployment method.
-3. Select **Download onboarding package**. Save the file as WindowsDefenderATPOnboardingPackage.zip.
-
- 
-
-4. From a command prompt, verify that you have the file.
- Extract the contents of the archive:
-
- ```bash
- ls -l
- ```
-
- ```Output
- total 8
- -rw-r--r-- 1 test staff 5752 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip
- ```
-
- ```bash
- unzip WindowsDefenderATPOnboardingPackage.zip
- ```
- ```Output
- Archive: WindowsDefenderATPOnboardingPackage.zip
- inflating: MicrosoftDefenderATPOnboardingLinuxServer.py
- ```
-
-
-## Client configuration
-
-1. Copy MicrosoftDefenderATPOnboardingLinuxServer.py to the target device.
-
- Initially the client device is not associated with an organization. Note that the *orgId* attribute is blank:
-
- ```bash
- mdatp health --field org_id
- ```
-
-2. Run MicrosoftDefenderATPOnboardingLinuxServer.py, and note that, in order to run this command, you must have `python` installed on the device:
-
- ```bash
- python MicrosoftDefenderATPOnboardingLinuxServer.py
- ```
-
-3. Verify that the device is now associated with your organization and reports a valid organization identifier:
-
- ```bash
- mdatp health --field org_id
- ```
-
-4. A few minutes after you complete the installation, you can see the status by running the following command. A return value of `1` denotes that the product is functioning as expected:
-
- ```bash
- mdatp health --field healthy
- ```
-
- > [!IMPORTANT]
- > When the product starts for the first time, it downloads the latest antimalware definitions. Depending on your Internet connection, this can take up to a few minutes. During this time the above command returns a value of `false`. You can check the status of the definition update using the following command:
- > ```bash
- > mdatp health --field definitions_status
- > ```
- > Please note that you may also need to configure a proxy after completing the initial installation. See [Configure Microsoft Defender ATP for Linux for static proxy discovery: Post-installation configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration#post-installation-configuration).
-
-5. Run a detection test to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device:
-
- - Ensure that real-time protection is enabled (denoted by a result of `1` from running the following command):
-
- ```bash
- mdatp health --field real_time_protection_enabled
- ```
-
- - Open a Terminal window. Copy and execute the following command:
-
- ``` bash
- curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt
- ```
-
- - The file should have been quarantined by Microsoft Defender ATP for Linux. Use the following command to list all the detected threats:
-
- ```bash
- mdatp threat list
- ```
-
-## Log installation issues
-
-See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs.
-
-## Operating system upgrades
-
-When upgrading your operating system to a new major version, you must first uninstall Microsoft Defender ATP for Linux, install the upgrade, and finally reconfigure Microsoft Defender ATP for Linux on your device.
-
-## Uninstallation
-
-See [Uninstall](linux-resources.md#uninstall) for details on how to remove Microsoft Defender ATP for Linux from client devices.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
deleted file mode 100644
index 2cc5610a4c..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
+++ /dev/null
@@ -1,267 +0,0 @@
----
-title: Deploy Microsoft Defender ATP for Linux with Ansible
-ms.reviewer:
-description: Describes how to deploy Microsoft Defender ATP for Linux using Ansible.
-keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
----
-
-# Deploy Microsoft Defender ATP for Linux with Ansible
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
-
-This article describes how to deploy Microsoft Defender ATP for Linux using Ansible. A successful deployment requires the completion of all of the following tasks:
-
-- [Download the onboarding package](#download-the-onboarding-package)
-- [Create Ansible YAML files](#create-ansible-yaml-files)
-- [Deployment](#deployment)
-- [References](#references)
-
-## Prerequisites and system requirements
-
-Before you get started, see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version.
-
-In addition, for Ansible deployment, you need to be familiar with Ansible administration tasks, have Ansible configured, and know how to deploy playbooks and tasks. Ansible has many ways to complete the same task. These instructions assume availability of supported Ansible modules, such as *apt* and *unarchive* to help deploy the package. Your organization might use a different workflow. Refer to the [Ansible documentation](https://docs.ansible.com/) for details.
-
-- Ansible needs to be installed on at least one computer (we will call it the primary computer).
-- SSH must be configured for an administrator account between the primary computer and all clients, and it is recommended be configured with public key authentication.
-- The following software must be installed on all clients:
- - curl
- - python-apt
-
-- All hosts must be listed in the following format in the `/etc/ansible/hosts` or relevant file:
-
- ```bash
- [servers]
- host1 ansible_ssh_host=10.171.134.39
- host2 ansible_ssh_host=51.143.50.51
- ```
-
-- Ping test:
-
- ```bash
- ansible -m ping all
- ```
-
-## Download the onboarding package
-
-Download the onboarding package from Microsoft Defender Security Center:
-
-1. In Microsoft Defender Security Center, go to **Settings > Device Management > Onboarding**.
-2. In the first drop-down menu, select **Linux Server** as the operating system. In the second drop-down menu, select **Your preferred Linux configuration management tool** as the deployment method.
-3. Select **Download onboarding package**. Save the file as WindowsDefenderATPOnboardingPackage.zip.
-
- 
-
-4. From a command prompt, verify that you have the file. Extract the contents of the archive:
-
- ```bash
- ls -l
- ```
- ```Output
- total 8
- -rw-r--r-- 1 test staff 4984 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip
- ```
- ```bash
- unzip WindowsDefenderATPOnboardingPackage.zip
- ```
- ```Output
- Archive: WindowsDefenderATPOnboardingPackage.zip
- inflating: mdatp_onboard.json
- ```
-
-## Create Ansible YAML files
-
-Create a subtask or role files that contribute to an playbook or task.
-
-- Create the onboarding task, `onboarding_setup.yml`:
-
- ```bash
- - name: Create MDATP directories
- file:
- path: /etc/opt/microsoft/mdatp/
- recurse: true
- state: directory
- mode: 0755
- owner: root
- group: root
-
- - name: Register mdatp_onboard.json
- stat:
- path: /etc/opt/microsoft/mdatp/mdatp_onboard.json
- register: mdatp_onboard
-
- - name: Extract WindowsDefenderATPOnboardingPackage.zip into /etc/opt/microsoft/mdatp
- unarchive:
- src: WindowsDefenderATPOnboardingPackage.zip
- dest: /etc/opt/microsoft/mdatp
- mode: 0600
- owner: root
- group: root
- when: not mdatp_onboard.stat.exists
- ```
-
-- Add the Microsoft Defender ATP repository and key.
-
- Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository.
-
- The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insiders-fast* are the first ones to receive updates and new features, followed later by *insiders-slow* and lastly by *prod*.
-
- In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*.
-
- > [!WARNING]
- > Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location.
-
- Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/`.
-
- In the following commands, replace *[distro]* and *[version]* with the information you've identified.
-
- > [!NOTE]
- > In case of Oracle Linux, replace *[distro]* with “rhel”.
-
- ```bash
- - name: Add Microsoft APT key
- apt_key:
- keyserver: https://packages.microsoft.com/
- id: BC528686B50D79E339D3721CEB3E94ADBE1229CF
- when: ansible_os_family == "Debian"
-
- - name: Add Microsoft apt repository for MDATP
- apt_repository:
- repo: deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/[distro]/[version]/prod [channel] main
- update_cache: yes
- state: present
- filename: microsoft-[channel].list
- when: ansible_os_family == "Debian"
-
- - name: Add Microsoft yum repository for MDATP
- yum_repository:
- name: packages-microsoft-com-prod-[channel]
- description: Microsoft Defender ATP
- file: microsoft-[channel]
- baseurl: https://packages.microsoft.com/[distro]/[version]/[channel]/
- gpgcheck: yes
- enabled: Yes
- when: ansible_os_family == "RedHat"
- ```
-
-- Create the Ansible install and uninstall YAML files.
-
- - For apt-based distributions use the following YAML file:
-
- ```bash
- cat install_mdatp.yml
- ```
- ```Output
- - hosts: servers
- tasks:
- - include: ../roles/onboarding_setup.yml
- - include: ../roles/add_apt_repo.yml
- - apt:
- name: mdatp
- state: latest
- update_cache: yes
- ```
-
- ```bash
- cat uninstall_mdatp.yml
- ```
- ```Output
- - hosts: servers
- tasks:
- - apt:
- name: mdatp
- state: absent
- ```
-
- - For yum-based distributions use the following YAML file:
-
- ```bash
- cat install_mdatp_yum.yml
- ```
- ```Output
- - hosts: servers
- tasks:
- - include: ../roles/onboarding_setup.yml
- - include: ../roles/add_yum_repo.yml
- - yum:
- name: mdatp
- state: latest
- enablerepo: packages-microsoft-com-prod-[channel]
- ```
-
- ```bash
- cat uninstall_mdatp_yum.yml
- ```
- ```Output
- - hosts: servers
- tasks:
- - yum:
- name: mdatp
- state: absent
- ```
-
-## Deployment
-
-Now run the tasks files under `/etc/ansible/playbooks/` or relevant directory.
-
-- Installation:
-
- ```bash
- ansible-playbook /etc/ansible/playbooks/install_mdatp.yml -i /etc/ansible/hosts
- ```
-
-> [!IMPORTANT]
-> When the product starts for the first time, it downloads the latest antimalware definitions. Depending on your Internet connection, this can take up to a few minutes.
-
-- Validation/configuration:
-
- ```bash
- ansible -m shell -a 'mdatp connectivity test' all
- ```
- ```bash
- ansible -m shell -a 'mdatp health' all
- ```
-
-- Uninstallation:
-
- ```bash
- ansible-playbook /etc/ansible/playbooks/uninstall_mdatp.yml -i /etc/ansible/hosts
- ```
-
-## Log installation issues
-
-See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs.
-
-## Operating system upgrades
-
-When upgrading your operating system to a new major version, you must first uninstall Microsoft Defender ATP for Linux, install the upgrade, and finally reconfigure Microsoft Defender ATP for Linux on your device.
-
-## References
-
-- [Add or remove YUM repositories](https://docs.ansible.com/ansible/2.3/yum_repository_module.html)
-
-- [Manage packages with the yum package manager](https://docs.ansible.com/ansible/latest/modules/yum_module.html)
-
-- [Add and remove APT repositories](https://docs.ansible.com/ansible/latest/modules/apt_repository_module.html)
-
-- [Manage apt-packages](https://docs.ansible.com/ansible/latest/modules/apt_module.html)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md
deleted file mode 100644
index 68fe2b6926..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md
+++ /dev/null
@@ -1,246 +0,0 @@
----
-title: Deploy Microsoft Defender ATP for Linux with Puppet
-ms.reviewer:
-description: Describes how to deploy Microsoft Defender ATP for Linux using Puppet.
-keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
----
-
-# Deploy Microsoft Defender ATP for Linux with Puppet
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
-
-This article describes how to deploy Microsoft Defender ATP for Linux using Puppet. A successful deployment requires the completion of all of the following tasks:
-
-- [Download the onboarding package](#download-the-onboarding-package)
-- [Create Puppet manifest](#create-a-puppet-manifest)
-- [Deployment](#deployment)
-- [Check onboarding status](#check-onboarding-status)
-
-## Prerequisites and system requirements
-
- For a description of prerequisites and system requirements for the current software version, see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md).
-
-In addition, for Puppet deployment, you need to be familiar with Puppet administration tasks, have Puppet configured, and know how to deploy packages. Puppet has many ways to complete the same task. These instructions assume availability of supported Puppet modules, such as *apt* to help deploy the package. Your organization might use a different workflow. Refer to the [Puppet documentation](https://puppet.com/docs) for details.
-
-## Download the onboarding package
-
-Download the onboarding package from Microsoft Defender Security Center:
-
-1. In Microsoft Defender Security Center, go to **Settings > Device Management > Onboarding**.
-2. In the first drop-down menu, select **Linux Server** as the operating system. In the second drop-down menu, select **Your preferred Linux configuration management tool** as the deployment method.
-3. Select **Download onboarding package**. Save the file as WindowsDefenderATPOnboardingPackage.zip.
-
- 
-
-4. From a command prompt, verify that you have the file.
-
- ```bash
- ls -l
- ```
- ```Output
- total 8
- -rw-r--r-- 1 test staff 4984 Feb 18 11:22 WindowsDefenderATPOnboardingPackage.zip
- ```
-5. Extract the contents of the archive.
- ```bash
- unzip WindowsDefenderATPOnboardingPackage.zip
- ```
- ```Output
- Archive: WindowsDefenderATPOnboardingPackage.zip
- inflating: mdatp_onboard.json
- ```
-
-## Create a Puppet manifest
-
-You need to create a Puppet manifest for deploying Microsoft Defender ATP for Linux to devices managed by a Puppet server. This example makes use of the *apt* and *yumrepo* modules available from puppetlabs, and assumes that the modules have been installed on your Puppet server.
-
-Create the folders *install_mdatp/files* and *install_mdatp/manifests* under the modules folder of your Puppet installation. This folder is typically located in */etc/puppetlabs/code/environments/production/modules* on your Puppet server. Copy the mdatp_onboard.json file created above to the *install_mdatp/files* folder. Create an *init.pp* file that contains the deployment instructions:
-
-```bash
-pwd
-```
-```Output
-/etc/puppetlabs/code/environments/production/modules
-```
-
-```bash
-tree install_mdatp
-```
-```Output
-install_mdatp
-├── files
-│ └── mdatp_onboard.json
-└── manifests
- └── init.pp
-```
-
-### Contents of `install_mdatp/manifests/init.pp`
-
-Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository.
-
-The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insiders-fast* are the first ones to receive updates and new features, followed later by *insiders-slow* and lastly by *prod*.
-
-In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either *insiders-fast* or *insiders-slow*.
-
-> [!WARNING]
-> Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location.
-
-Note your distribution and version and identify the closest entry for it under `https://packages.microsoft.com/config/`.
-
-In the below commands, replace *[distro]* and *[version]* with the information you've identified:
-
-> [!NOTE]
-> In case of RedHat, Oracle EL, and CentOS 8, replace *[distro]* with 'rhel'.
-
-```puppet
-# Puppet manifest to install Microsoft Defender ATP.
-# @param channel The release channel based on your environment, insider-fast or prod.
-# @param distro The Linux distribution in lowercase. In case of RedHat, Oracle EL, and CentOS 8, the distro variable should be 'rhel'.
-# @param version The Linux distribution release number, e.g. 7.4.
-
-class install_mdatp (
-$channel = 'insiders-fast',
-$distro = undef,
-$version = undef
-){
- case $::osfamily {
- 'Debian' : {
- apt::source { 'microsoftpackages' :
- location => "https://packages.microsoft.com/${distro}/${version}/prod",
- release => $channel,
- repos => 'main',
- key => {
- 'id' => 'BC528686B50D79E339D3721CEB3E94ADBE1229CF',
- 'server' => 'keyserver.ubuntu.com',
- },
- }
- }
- 'RedHat' : {
- yumrepo { 'microsoftpackages' :
- baseurl => "https://packages.microsoft.com/${distro}/${version}/${channel}",
- descr => "packages-microsoft-com-prod-${channel}",
- enabled => 1,
- gpgcheck => 1,
- gpgkey => 'https://packages.microsoft.com/keys/microsoft.asc'
- }
- }
- default : { fail("${::osfamily} is currently not supported.") }
- }
-
- case $::osfamily {
- /(Debian|RedHat)/: {
- file { ['/etc/opt', '/etc/opt/microsoft', '/etc/opt/microsoft/mdatp']:
- ensure => directory,
- owner => root,
- group => root,
- mode => '0755'
- }
-
- file { '/etc/opt/microsoft/mdatp/mdatp_onboard.json':
- source => 'puppet:///modules/mdatp/mdatp_onboard.json',
- owner => root,
- group => root,
- mode => '0600',
- require => File['/etc/opt/microsoft/mdatp']
- }
-
- package { 'mdatp':
- ensure => 'installed',
- require => File['/etc/opt/microsoft/mdatp/mdatp_onboard.json']
- }
- }
- default : { fail("${::osfamily} is currently not supported.") }
- }
-}
-```
-
-## Deployment
-
-Include the above manifest in your site.pp file:
-
-```bash
-cat /etc/puppetlabs/code/environments/production/manifests/site.pp
-```
-```Output
-node "default" {
- include install_mdatp
-}
-```
-
-Enrolled agent devices periodically poll the Puppet Server and install new configuration profiles and policies as soon as they are detected.
-
-## Monitor Puppet deployment
-
-On the agent device, you can also check the onboarding status by running:
-
-```bash
-mdatp health
-```
-```Output
-...
-licensed : true
-org_id : "[your organization identifier]"
-...
-```
-
-- **licensed**: This confirms that the device is tied to your organization.
-
-- **orgId**: This is your Microsoft Defender ATP organization identifier.
-
-## Check onboarding status
-
-You can check that devices have been correctly onboarded by creating a script. For example, the following script checks enrolled devices for onboarding status:
-
-```bash
-mdatp health --field healthy
-```
-
-The above command prints `1` if the product is onboarded and functioning as expected.
-
-> [!IMPORTANT]
-> When the product starts for the first time, it downloads the latest antimalware definitions. Depending on your Internet connection, this can take up to a few minutes. During this time the above command returns a value of `0`.
-
-If the product is not healthy, the exit code (which can be checked through `echo $?`) indicates the problem:
-
-- 1 if the device isn't onboarded yet.
-- 3 if the connection to the daemon cannot be established.
-
-## Log installation issues
-
- For more information on how to find the automatically generated log that is created by the installer when an error occurs, see [Log installation issues](linux-resources.md#log-installation-issues).
-
-## Operating system upgrades
-
-When upgrading your operating system to a new major version, you must first uninstall Microsoft Defender ATP for Linux, install the upgrade, and finally reconfigure Microsoft Defender ATP for Linux on your device.
-
-## Uninstallation
-
-Create a module *remove_mdatp* similar to *install_mdatp* with the following contents in *init.pp* file:
-
-```bash
-class remove_mdatp {
- package { 'mdatp':
- ensure => 'purged',
- }
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md
deleted file mode 100644
index e2944beb87..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md
+++ /dev/null
@@ -1,410 +0,0 @@
----
-title: Set preferences for Microsoft Defender ATP for Linux
-ms.reviewer:
-description: Describes how to configure Microsoft Defender ATP for Linux in enterprises.
-keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
----
-
-# Set preferences for Microsoft Defender ATP for Linux
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
-
->[!IMPORTANT]
->This topic contains instructions for how to set preferences for Microsoft Defender ATP for Linux in enterprise environments. If you are interested in configuring the product on a device from the command-line, see [Resources](linux-resources.md#configure-from-the-command-line).
-
-In enterprise environments, Microsoft Defender ATP for Linux can be managed through a configuration profile. This profile is deployed from the management tool of your choice. Preferences managed by the enterprise take precedence over the ones set locally on the device. In other words, users in your enterprise are not able to change preferences that are set through this configuration profile.
-
-This article describes the structure of this profile (including a recommended profile that you can use to get started) and instructions on how to deploy the profile.
-
-## Configuration profile structure
-
-The configuration profile is a .json file that consists of entries identified by a key (which denotes the name of the preference), followed by a value, which depends on the nature of the preference. Values can be simple, such as a numerical value, or complex, such as a nested list of preferences.
-
-Typically, you would use a configuration management tool to push a file with the name ```mdatp_managed.json``` at the location ```/etc/opt/microsoft/mdatp/managed/```.
-
-The top level of the configuration profile includes product-wide preferences and entries for subareas of the product, which are explained in more detail in the next sections.
-
-### Antivirus engine preferences
-
-The *antivirusEngine* section of the configuration profile is used to manage the preferences of the antivirus component of the product.
-
-|||
-|:---|:---|
-| **Key** | antivirusEngine |
-| **Data type** | Dictionary (nested preference) |
-| **Comments** | See the following sections for a description of the dictionary contents. |
-
-#### Enable / disable real-time protection
-
-Determines whether real-time protection (scan files as they are accessed) is enabled or not.
-
-|||
-|:---|:---|
-| **Key** | enableRealTimeProtection |
-| **Data type** | Boolean |
-| **Possible values** | true (default)
false |
-
-#### Enable / disable passive mode
-
-Determines whether the antivirus engine runs in passive mode or not. In passive mode:
-- Real-time protection is turned off.
-- On-demand scanning is turned on.
-- Automatic threat remediation is turned off.
-- Security intelligence updates are turned on.
-- Status menu icon is hidden.
-
-|||
-|:---|:---|
-| **Key** | passiveMode |
-| **Data type** | Boolean |
-| **Possible values** | false (default)
true |
-| **Comments** | Available in Microsoft Defender ATP version 100.67.60 or higher. |
-
-#### Exclusion merge policy
-
-Specifies the merge policy for exclusions. It can be a combination of administrator-defined and user-defined exclusions (`merge`) or only administrator-defined exclusions (`admin_only`). This setting can be used to restrict local users from defining their own exclusions.
-
-|||
-|:---|:---|
-| **Key** | exclusionsMergePolicy |
-| **Data type** | String |
-| **Possible values** | merge (default)
admin_only |
-| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. |
-
-#### Scan exclusions
-
-Entities that have been excluded from the scan. Exclusions can be specified by full paths, extensions, or file names.
-
-|||
-|:---|:---|
-| **Key** | exclusions |
-| **Data type** | Dictionary (nested preference) |
-| **Comments** | See the following sections for a description of the dictionary contents. |
-
-**Type of exclusion**
-
-Specifies the type of content excluded from the scan.
-
-|||
-|:---|:---|
-| **Key** | $type |
-| **Data type** | String |
-| **Possible values** | excludedPath
excludedFileExtension
excludedFileName |
-
-**Path to excluded content**
-
-Used to exclude content from the scan by full file path.
-
-|||
-|:---|:---|
-| **Key** | path |
-| **Data type** | String |
-| **Possible values** | valid paths |
-| **Comments** | Applicable only if *$type* is *excludedPath* |
-
-**Path type (file / directory)**
-
-Indicates if the *path* property refers to a file or directory.
-
-|||
-|:---|:---|
-| **Key** | isDirectory |
-| **Data type** | Boolean |
-| **Possible values** | false (default)
true |
-| **Comments** | Applicable only if *$type* is *excludedPath* |
-
-**File extension excluded from the scan**
-
-Used to exclude content from the scan by file extension.
-
-|||
-|:---|:---|
-| **Key** | extension |
-| **Data type** | String |
-| **Possible values** | valid file extensions |
-| **Comments** | Applicable only if *$type* is *excludedFileExtension* |
-
-**Process excluded from the scan**
-
-Specifies a process for which all file activity is excluded from scanning. The process can be specified either by its name (for example, `cat`) or full path (for example, `/bin/cat`).
-
-|||
-|:---|:---|
-| **Key** | name |
-| **Data type** | String |
-| **Possible values** | any string |
-| **Comments** | Applicable only if *$type* is *excludedFileName* |
-
-#### Allowed threats
-
-List of threats (identified by their name) that are not blocked by the product and are instead allowed to run.
-
-|||
-|:---|:---|
-| **Key** | allowedThreats |
-| **Data type** | Array of strings |
-
-#### Disallowed threat actions
-
-Restricts the actions that the local user of a device can take when threats are detected. The actions included in this list are not displayed in the user interface.
-
-|||
-|:---|:---|
-| **Key** | disallowedThreatActions |
-| **Data type** | Array of strings |
-| **Possible values** | allow (restricts users from allowing threats)
restore (restricts users from restoring threats from the quarantine) |
-| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. |
-
-#### Threat type settings
-
-The *threatTypeSettings* preference in the antivirus engine is used to control how certain threat types are handled by the product.
-
-|||
-|:---|:---|
-| **Key** | threatTypeSettings |
-| **Data type** | Dictionary (nested preference) |
-| **Comments** | See the following sections for a description of the dictionary contents. |
-
-**Threat type**
-
-Type of threat for which the behavior is configured.
-
-|||
-|:---|:---|
-| **Key** | key |
-| **Data type** | String |
-| **Possible values** | potentially_unwanted_application
archive_bomb |
-
-**Action to take**
-
-Action to take when coming across a threat of the type specified in the preceding section. Can be:
-
-- **Audit**: The device is not protected against this type of threat, but an entry about the threat is logged.
-- **Block**: The device is protected against this type of threat and you are notified in the user interface and the security console.
-- **Off**: The device is not protected against this type of threat and nothing is logged.
-
-|||
-|:---|:---|
-| **Key** | value |
-| **Data type** | String |
-| **Possible values** | audit (default)
block
off |
-
-#### Threat type settings merge policy
-
-Specifies the merge policy for threat type settings. This can be a combination of administrator-defined and user-defined settings (`merge`) or only administrator-defined settings (`admin_only`). This setting can be used to restrict local users from defining their own settings for different threat types.
-
-|||
-|:---|:---|
-| **Key** | threatTypeSettingsMergePolicy |
-| **Data type** | String |
-| **Possible values** | merge (default)
admin_only |
-| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. |
-
-#### Antivirus scan history retention (in days)
-
-Specify the number of days that results are retained in the scan history on the device. Old scan results are removed from the history. Old quarantined files that are also removed from the disk.
-
-|||
-|:---|:---|
-| **Key** | scanResultsRetentionDays |
-| **Data type** | String |
-| **Possible values** | 90 (default). Allowed values are from 1 day to 180 days. |
-| **Comments** | Available in Microsoft Defender ATP version 101.04.76 or higher. |
-
-#### Maximum number of items in the antivirus scan history
-
-Specify the maximum number of entries to keep in the scan history. Entries include all on-demand scans performed in the past and all antivirus detections.
-
-|||
-|:---|:---|
-| **Key** | scanHistoryMaximumItems |
-| **Data type** | String |
-| **Possible values** | 10000 (default). Allowed values are from 5000 items to 15000 items. |
-| **Comments** | Available in Microsoft Defender ATP version 101.04.76 or higher. |
-
-### Cloud-delivered protection preferences
-
-The *cloudService* entry in the configuration profile is used to configure the cloud-driven protection feature of the product.
-
-|||
-|:---|:---|
-| **Key** | cloudService |
-| **Data type** | Dictionary (nested preference) |
-| **Comments** | See the following sections for a description of the dictionary contents. |
-
-#### Enable / disable cloud delivered protection
-
-Determines whether cloud-delivered protection is enabled on the device or not. To improve the security of your services, we recommend keeping this feature turned on.
-
-|||
-|:---|:---|
-| **Key** | enabled |
-| **Data type** | Boolean |
-| **Possible values** | true (default)
false |
-
-#### Diagnostic collection level
-
-Diagnostic data is used to keep Microsoft Defender ATP secure and up-to-date, detect, diagnose and fix problems, and also make product improvements. This setting determines the level of diagnostics sent by the product to Microsoft.
-
-|||
-|:---|:---|
-| **Key** | diagnosticLevel |
-| **Data type** | String |
-| **Possible values** | optional (default)
required |
-
-#### Enable / disable automatic sample submissions
-
-Determines whether suspicious samples (that are likely to contain threats) are sent to Microsoft. There are three levels for controlling sample submission:
-
-- **None**: no suspicious samples are submitted to Microsoft.
-- **Safe**: only suspicious samples that do not contain personally identifiable information (PII) are submitted automatically. This is the default value for this setting.
-- **All**: all suspicious samples are submitted to Microsoft.
-
-|||
-|:---|:---|
-| **Key** | automaticSampleSubmissionConsent |
-| **Data type** | String |
-| **Possible values** | none
safe (default)
all |
-
-#### Enable / disable automatic security intelligence updates
-
-Determines whether security intelligence updates are installed automatically:
-
-|||
-|:---|:---|
-| **Key** | automaticDefinitionUpdateEnabled |
-| **Data type** | Boolean |
-| **Possible values** | true (default)
false |
-
-## Recommended configuration profile
-
-To get started, we recommend the following configuration profile for your enterprise to take advantage of all protection features that Microsoft Defender ATP provides.
-
-The following configuration profile will:
-
-- Enable real-time protection (RTP)
-- Specify how the following threat types are handled:
- - **Potentially unwanted applications (PUA)** are blocked
- - **Archive bombs** (file with a high compression rate) are audited to the product logs
-- Enable automatic security intelligence updates
-- Enable cloud-delivered protection
-- Enable automatic sample submission at `safe` level
-
-### Sample profile
-
-```JSON
-{
- "antivirusEngine":{
- "enableRealTimeProtection":true,
- "threatTypeSettings":[
- {
- "key":"potentially_unwanted_application",
- "value":"block"
- },
- {
- "key":"archive_bomb",
- "value":"audit"
- }
- ]
- },
- "cloudService":{
- "automaticDefinitionUpdateEnabled":true,
- "automaticSampleSubmissionConsent":"safe",
- "enabled":true
- }
-}
-```
-
-## Full configuration profile example
-
-The following configuration profile contains entries for all settings described in this document and can be used for more advanced scenarios where you want more control over the product.
-
-### Full profile
-
-```JSON
-{
- "antivirusEngine":{
- "enableRealTimeProtection":true,
- "passiveMode":false,
- "exclusionsMergePolicy":"merge",
- "exclusions":[
- {
- "$type":"excludedPath",
- "isDirectory":false,
- "path":"/var/log/system.log"
- },
- {
- "$type":"excludedPath",
- "isDirectory":true,
- "path":"/home"
- },
- {
- "$type":"excludedFileExtension",
- "extension":"pdf"
- },
- {
- "$type":"excludedFileName",
- "name":"cat"
- }
- ],
- "allowedThreats":[
- "EICAR-Test-File (not a virus)"
- ],
- "disallowedThreatActions":[
- "allow",
- "restore"
- ],
- "threatTypeSettingsMergePolicy":"merge",
- "threatTypeSettings":[
- {
- "key":"potentially_unwanted_application",
- "value":"block"
- },
- {
- "key":"archive_bomb",
- "value":"audit"
- }
- ]
- },
- "cloudService":{
- "enabled":true,
- "diagnosticLevel":"optional",
- "automaticSampleSubmissionConsent":"safe",
- "automaticDefinitionUpdateEnabled":true
- }
-}
-```
-
-## Configuration profile validation
-
-The configuration profile must be a valid JSON-formatted file. There are a number of tools that can be used to verify this. For example, if you have `python` installed on your device:
-
-```bash
-python -m json.tool mdatp_managed.json
-```
-
-If the JSON is well-formed, the above command outputs it back to the Terminal and returns an exit code of `0`. Otherwise, an error that describes the issue is displayed and the command returns an exit code of `1`.
-
-## Configuration profile deployment
-
-Once you've built the configuration profile for your enterprise, you can deploy it through the management tool that your enterprise is using. Microsoft Defender ATP for Linux reads the managed configuration from the */etc/opt/microsoft/mdatp/managed/mdatp_managed.json* file.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md
deleted file mode 100644
index e5d120eb83..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md
+++ /dev/null
@@ -1,303 +0,0 @@
----
-title: Privacy for Microsoft Defender ATP for Linux
-description: Privacy controls, how to configure policy settings that impact privacy and information about the diagnostic data collected in Microsoft Defender ATP for Linux.
-keywords: microsoft, defender, atp, linux, privacy, diagnostic
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Privacy for Microsoft Defender ATP for Linux
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
-
-Microsoft is committed to providing you with the information and controls you need to make choices about how your data is collected and used when you’re using Microsoft Defender ATP for Linux.
-
-This topic describes the privacy controls available within the product, how to manage these controls with policy settings and more details on the data events that are collected.
-
-## Overview of privacy controls in Microsoft Defender ATP for Linux
-
-This section describes the privacy controls for the different types of data collected by Microsoft Defender ATP for Linux.
-
-### Diagnostic data
-
-Diagnostic data is used to keep Microsoft Defender ATP secure and up-to-date, detect, diagnose and fix problems, and also make product improvements.
-
-Some diagnostic data is required, while some diagnostic data is optional. We give you the ability to choose whether to send us required or optional diagnostic data through the use of privacy controls, such as policy settings for organizations.
-
-There are two levels of diagnostic data for Microsoft Defender ATP client software that you can choose from:
-
-* **Required**: The minimum data necessary to help keep Microsoft Defender ATP secure, up-to-date, and performing as expected on the device it’s installed on.
-
-* **Optional**: Additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and remediate issues.
-
-By default, only required diagnostic data is sent to Microsoft.
-
-### Cloud delivered protection data
-
-Cloud delivered protection is used to provide increased and faster protection with access to the latest protection data in the cloud.
-
-Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides important protection against malware on your endpoints and across your network.
-
-### Sample data
-
-Sample data is used to improve the protection capabilities of the product, by sending Microsoft suspicious samples so they can be analyzed. Enabling automatic sample submission is optional.
-
-There are three levels for controlling sample submission:
-
-- **None**: no suspicious samples are submitted to Microsoft.
-- **Safe**: only suspicious samples that do not contain personally identifiable information (PII) are submitted automatically. This is the default value for this setting.
-- **All**: all suspicious samples are submitted to Microsoft.
-
-## Manage privacy controls with policy settings
-
-If you're an IT administrator, you might want to configure these controls at the enterprise level.
-
-The privacy controls for the various types of data described in the preceding section are described in detail in [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md).
-
-As with any new policy settings, you should carefully test them out in a limited, controlled environment to ensure the settings that you configure have the desired effect before you implement the policy settings more widely in your organization.
-
-## Diagnostic data events
-
-This section describes what is considered required diagnostic data and what is considered optional diagnostic data, along with a description of the events and fields that are collected.
-
-### Data fields that are common for all events
-There is some information about events that is common to all events, regardless of category or data subtype.
-
-The following fields are considered common for all events:
-
-| Field | Description |
-| ----------------------- | ----------- |
-| platform | The broad classification of the platform on which the app is running. Allows Microsoft to identify on which platforms an issue may be occurring so that it can correctly be prioritized. |
-| machine_guid | Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
-| sense_guid | Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
-| org_id | Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted. |
-| hostname | Local device name (without DNS suffix). Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. |
-| product_guid | Unique identifier of the product. Allows Microsoft to differentiate issues impacting different flavors of the product. |
-| app_version | Version of the Microsoft Defender ATP for Linux application. Allows Microsoft to identify which versions of the product are showing an issue so that it can correctly be prioritized.|
-| sig_version | Version of security intelligence database. Allows Microsoft to identify which versions of the security intelligence are showing an issue so that it can correctly be prioritized. |
-| supported_compressions | List of compression algorithms supported by the application, for example `['gzip']`. Allows Microsoft to understand what types of compressions can be used when it communicates with the application. |
-| release_ring | Ring that the device is associated with (for example Insider Fast, Insider Slow, Production). Allows Microsoft to identify on which release ring an issue may be occurring so that it can correctly be prioritized. |
-
-### Required diagnostic data
-
-**Required diagnostic data** is the minimum data necessary to help keep Microsoft Defender ATP secure, up-to-date, and perform as expected on the device it’s installed on.
-
-Required diagnostic data helps to identify problems with Microsoft Defender ATP that may be related to a device or software configuration. For example, it can help determine if a Microsoft Defender ATP feature crashes more frequently on a particular operating system version, with newly introduced features, or when certain Microsoft Defender ATP features are disabled. Required diagnostic data helps Microsoft detect, diagnose, and fix these problems more quickly so the impact to users or organizations is reduced.
-
-#### Software setup and inventory data events
-
-**Microsoft Defender ATP installation / uninstallation**
-
-The following fields are collected:
-
-| Field | Description |
-| ---------------- | ----------- |
-| correlation_id | Unique identifier associated with the installation. |
-| version | Version of the package. |
-| severity | Severity of the message (for example Informational). |
-| code | Code that describes the operation. |
-| text | Additional information associated with the product installation. |
-
-**Microsoft Defender ATP configuration**
-
-The following fields are collected:
-
-| Field | Description |
-| --------------------------------------------------- | ----------- |
-| antivirus_engine.enable_real_time_protection | Whether real-time protection is enabled on the device or not. |
-| antivirus_engine.passive_mode | Whether passive mode is enabled on the device or not. |
-| cloud_service.enabled | Whether cloud delivered protection is enabled on the device or not. |
-| cloud_service.timeout | Time out when the application communicates with the Microsoft Defender ATP cloud. |
-| cloud_service.heartbeat_interval | Interval between consecutive heartbeats sent by the product to the cloud. |
-| cloud_service.service_uri | URI used to communicate with the cloud. |
-| cloud_service.diagnostic_level | Diagnostic level of the device (required, optional). |
-| cloud_service.automatic_sample_submission | Automatic sample submission level of the device (none, safe, all). |
-| edr.early_preview | Whether the device should run EDR early preview features. |
-| edr.group_id | Group identifier used by the detection and response component. |
-| edr.tags | User-defined tags. |
-| features.\[optional feature name\] | List of preview features, along with whether they are enabled or not. |
-
-#### Product and service usage data events
-
-**Security intelligence update report**
-
-The following fields are collected:
-
-| Field | Description |
-| ---------------- | ----------- |
-| from_version | Original security intelligence version. |
-| to_version | New security intelligence version. |
-| status | Status of the update indicating success or failure. |
-| using_proxy | Whether the update was done over a proxy. |
-| error | Error code if the update failed. |
-| reason | Error message if the update failed. |
-
-#### Product and service performance data events
-
-**Kernel extension statistics**
-
-The following fields are collected:
-
-| Field | Description |
-| ---------------- | ----------- |
-| version | Version of Microsoft Defender ATP for Linux. |
-| instance_id | Unique identifier generated on kernel extension startup. |
-| trace_level | Trace level of the kernel extension. |
-| subsystem | The underlying subsystem used for real-time protection. |
-| ipc.connects | Number of connection requests received by the kernel extension. |
-| ipc.rejects | Number of connection requests rejected by the kernel extension. |
-| ipc.connected | Whether there is any active connection to the kernel extension. |
-
-#### Support data
-
-**Diagnostic logs**
-
-Diagnostic logs are collected only with the consent of the user as part of the feedback submission feature. The following files are collected as part of the support logs:
-
-- All files under */var/log/microsoft/mdatp*
-- Subset of files under */etc/opt/microsoft/mdatp* that are created and used by Microsoft Defender ATP for Linux
-- Product installation and uninstallation logs under */var/log/microsoft_mdatp_\*.log*
-
-### Optional diagnostic data
-
-**Optional diagnostic data** is additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and fix issues.
-
-If you choose to send us optional diagnostic data, required diagnostic data is also included.
-
-Examples of optional diagnostic data include data Microsoft collects about product configuration (for example number of exclusions set on the device) and product performance (aggregate measures about the performance of components of the product).
-
-#### Software setup and inventory data events
-
-**Microsoft Defender ATP configuration**
-
-The following fields are collected:
-
-| Field | Description |
-| -------------------------------------------------- | ----------- |
-| connection_retry_timeout | Connection retry time-out when communication with the cloud. |
-| file_hash_cache_maximum | Size of the product cache. |
-| crash_upload_daily_limit | Limit of crash logs uploaded daily. |
-| antivirus_engine.exclusions[].is_directory | Whether the exclusion from scanning is a directory or not. |
-| antivirus_engine.exclusions[].path | Path that was excluded from scanning. |
-| antivirus_engine.exclusions[].extension | Extension excluded from scanning. |
-| antivirus_engine.exclusions[].name | Name of the file excluded from scanning. |
-| antivirus_engine.scan_cache_maximum | Size of the product cache. |
-| antivirus_engine.maximum_scan_threads | Maximum number of threads used for scanning. |
-| antivirus_engine.threat_restoration_exclusion_time | Time out before a file restored from the quarantine can be detected again. |
-| filesystem_scanner.full_scan_directory | Full scan directory. |
-| filesystem_scanner.quick_scan_directories | List of directories used in quick scan. |
-| edr.latency_mode | Latency mode used by the detection and response component. |
-| edr.proxy_address | Proxy address used by the detection and response component. |
-
-**Microsoft Auto-Update configuration**
-
-The following fields are collected:
-
-| Field | Description |
-| --------------------------- | ----------- |
-| how_to_check | Determines how product updates are checked (for example automatic or manual). |
-| channel_name | Update channel associated with the device. |
-| manifest_server | Server used for downloading updates. |
-| update_cache | Location of the cache used to store updates. |
-
-### Product and service usage
-
-#### Diagnostic log upload started report
-
-The following fields are collected:
-
-| Field | Description |
-| ---------------- | ----------- |
-| sha256 | SHA256 identifier of the support log. |
-| size | Size of the support log. |
-| original_path | Path to the support log (always under */var/opt/microsoft/mdatp/wdavdiag/*). |
-| format | Format of the support log. |
-
-#### Diagnostic log upload completed report
-
-The following fields are collected:
-
-| Field | Description |
-| ---------------- | ----------- |
-| request_id | Correlation ID for the support log upload request. |
-| sha256 | SHA256 identifier of the support log. |
-| blob_sas_uri | URI used by the application to upload the support log. |
-
-#### Product and service performance data events
-
-**Unexpected application exit (crash)**
-
-Unexpected application exits and the state of the application when that happens.
-
-**Kernel extension statistics**
-
-The following fields are collected:
-
-| Field | Description |
-| ------------------------------ | ----------- |
-| pkt_ack_timeout | The following properties are aggregated numerical values, representing count of events that happened since kernel extension startup. |
-| pkt_ack_conn_timeout | |
-| ipc.ack_pkts | |
-| ipc.nack_pkts | |
-| ipc.send.ack_no_conn | |
-| ipc.send.nack_no_conn | |
-| ipc.send.ack_no_qsq | |
-| ipc.send.nack_no_qsq | |
-| ipc.ack.no_space | |
-| ipc.ack.timeout | |
-| ipc.ack.ackd_fast | |
-| ipc.ack.ackd | |
-| ipc.recv.bad_pkt_len | |
-| ipc.recv.bad_reply_len | |
-| ipc.recv.no_waiter | |
-| ipc.recv.copy_failed | |
-| ipc.kauth.vnode.mask | |
-| ipc.kauth.vnode.read | |
-| ipc.kauth.vnode.write | |
-| ipc.kauth.vnode.exec | |
-| ipc.kauth.vnode.del | |
-| ipc.kauth.vnode.read_attr | |
-| ipc.kauth.vnode.write_attr | |
-| ipc.kauth.vnode.read_ex_attr | |
-| ipc.kauth.vnode.write_ex_attr | |
-| ipc.kauth.vnode.read_sec | |
-| ipc.kauth.vnode.write_sec | |
-| ipc.kauth.vnode.take_own | |
-| ipc.kauth.vnode.link | |
-| ipc.kauth.vnode.create | |
-| ipc.kauth.vnode.move | |
-| ipc.kauth.vnode.mount | |
-| ipc.kauth.vnode.denied | |
-| ipc.kauth.vnode.ackd_before_deadline | |
-| ipc.kauth.vnode.missed_deadline | |
-| ipc.kauth.file_op.mask | |
-| ipc.kauth_file_op.open | |
-| ipc.kauth.file_op.close | |
-| ipc.kauth.file_op.close_modified | |
-| ipc.kauth.file_op.move | |
-| ipc.kauth.file_op.link | |
-| ipc.kauth.file_op.exec | |
-| ipc.kauth.file_op.remove | |
-| ipc.kauth.file_op.unmount | |
-| ipc.kauth.file_op.fork | |
-| ipc.kauth.file_op.create | |
-
-## Resources
-
-- [Privacy at Microsoft](https://privacy.microsoft.com/)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md b/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md
deleted file mode 100644
index 58b9c14323..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md
+++ /dev/null
@@ -1,70 +0,0 @@
----
-title: Detect and block potentially unwanted applications with Microsoft Defender ATP for Linux
-description: Detect and block Potentially Unwanted Applications (PUA) using Microsoft Defender ATP for Linux.
-keywords: microsoft, defender, atp, linux, pua, pus
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
----
-
-# Detect and block potentially unwanted applications with Microsoft Defender ATP for Linux
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
-
-The potentially unwanted application (PUA) protection feature in Microsoft Defender ATP for Linux can detect and block PUA files on endpoints in your network.
-
-These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to have poor reputation.
-
-These applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify, and can waste IT resources in cleaning up the applications.
-
-## How it works
-
-Microsoft Defender ATP for Linux can detect and report PUA files. When configured in blocking mode, PUA files are moved to the quarantine.
-
-When a PUA is detected on an endpoint, Microsoft Defender ATP for Linux keeps a record of the infection in the threat history. The history can be visualized from the Microsoft Defender Security Center portal or through the `mdatp` command-line tool. The threat name will contain the word "Application".
-
-## Configure PUA protection
-
-PUA protection in Microsoft Defender ATP for Linux can be configured in one of the following ways:
-
-- **Off**: PUA protection is disabled.
-- **Audit**: PUA files are reported in the product logs, but not in Microsoft Defender Security Center. No record of the infection is stored in the threat history and no action is taken by the product.
-- **Block**: PUA files are reported in the product logs and in Microsoft Defender Security Center. A record of the infection is stored in the threat history and action is taken by the product.
-
->[!WARNING]
->By default, PUA protection is configured in **Audit** mode.
-
-You can configure how PUA files are handled from the command line or from the management console.
-
-### Use the command-line tool to configure PUA protection:
-
-In Terminal, execute the following command to configure PUA protection:
-
-```bash
-mdatp threat policy set --type potentially_unwanted_application --action [off|audit|block]
-```
-
-### Use the management console to configure PUA protection:
-
-In your enterprise, you can configure PUA protection from a management console, such as Puppet or Ansible, similarly to how other product settings are configured. For more information, see the [Threat type settings](linux-preferences.md#threat-type-settings) section of the [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md) article.
-
-## Related articles
-
-- [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
deleted file mode 100644
index 7c779b7d9d..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
+++ /dev/null
@@ -1,157 +0,0 @@
----
-title: Microsoft Defender ATP for Linux resources
-ms.reviewer:
-description: Describes resources for Microsoft Defender ATP for Linux, including how to uninstall it, how to collect diagnostic logs, CLI commands, and known issues with the product.
-keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
----
-
-# Resources
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
-
-## Collect diagnostic information
-
-If you can reproduce a problem, first increase the logging level, run the system for some time, and then restore the logging level to the default.
-
-1. Increase logging level:
-
- ```bash
- mdatp log level set --level verbose
- ```
- ```Output
- Log level configured successfully
- ```
-
-2. Reproduce the problem.
-
-3. Run the following command to back up Microsoft Defender ATP's logs. The files will be stored inside of a .zip archive.
-
- ```bash
- sudo mdatp diagnostic create
- ```
- This command will also print out the file path to the backup after the operation succeeds:
- ```Output
- Diagnostic file created:
`mdatp exclusion process [add|remove] --name [process-name]` |
-|Configuration |List all antivirus exclusions |`mdatp exclusion list` |
-|Configuration |Add a threat name to the allowed list |`mdatp threat allowed add --name [threat-name]` |
-|Configuration |Remove a threat name from the allowed list |`mdatp threat allowed remove --name [threat-name]` |
-|Configuration |List all allowed threat names |`mdatp threat allowed list` |
-|Configuration |Turn on PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action block` |
-|Configuration |Turn off PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action off` |
-|Configuration |Turn on audit mode for PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action audit` |
-|Diagnostics |Change the log level |`mdatp log level set --level verbose [error|warning|info|verbose]` |
-|Diagnostics |Generate diagnostic logs |`mdatp diagnostic create` |
-|Health |Check the product's health |`mdatp health` |
-|Protection |Scan a path |`mdatp scan custom --path [path]` |
-|Protection |Do a quick scan |`mdatp scan quick` |
-|Protection |Do a full scan |`mdatp scan full` |
-|Protection |Cancel an ongoing on-demand scan |`mdatp scan cancel` |
-|Protection |Request a security intelligence update |`mdatp definitions update` |
-|Protection history |Print the full protection history |`mdatp threat list` |
-|Protection history |Get threat details |`mdatp threat get --id [threat-id]` |
-|Quarantine management |List all quarantined files |`mdatp threat quarantine list` |
-|Quarantine management |Remove all files from the quarantine |`mdatp threat quarantine remove-all` |
-|Quarantine management |Add a file detected as a threat to the quarantine |`mdatp threat quarantine add --id [threat-id]` |
-|Quarantine management |Remove a file detected as a threat from the quarantine |`mdatp threat quarantine remove --id [threat-id]` |
-|Quarantine management |Restore a file from the quarantine |`mdatp threat quarantine restore --id [threat-id]` |
-
-## Microsoft Defender ATP portal information
-
-In the Microsoft Defender ATP portal, you'll see two categories of information:
-
-- Antivirus alerts, including:
- - Severity
- - Scan type
- - Device information (hostname, device identifier, tenant identifier, app version, and OS type)
- - File information (name, path, size, and hash)
- - Threat information (name, type, and state)
-- Device information, including:
- - Device identifier
- - Tenant identifier
- - App version
- - Hostname
- - OS type
- - OS version
- - Computer model
- - Processor architecture
- - Whether the device is a virtual machine
-
-### Known issues
-
-- You might see "No sensor data, impaired communications" in the machine information page of the Microsoft Defender Security Center portal, even though the product is working as expected. We are working on addressing this issue.
-- Logged on users do not appear in the Microsoft Defender Security Center portal.
-- In SUSE distributions, if the installation of *libatomic1* fails, you should validate that your OS is registered:
-
- ```bash
- sudo SUSEConnect --status-text
- ```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md b/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md
deleted file mode 100644
index d3b7796378..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md
+++ /dev/null
@@ -1,82 +0,0 @@
----
-title: Microsoft Defender ATP for Linux static proxy discovery
-ms.reviewer:
-description: Describes how to configure Microsoft Defender ATP for static proxy discovery.
-keywords: microsoft, defender, atp, linux, installation, proxy
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
----
-
-# Configure Microsoft Defender ATP for Linux for static proxy discovery
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
-
-Microsoft Defender ATP can discover a proxy server using the ```HTTPS_PROXY``` environment variable. This setting must be configured **both** at installation time and after the product has been installed.
-
-## Installation time configuration
-
-During installation, the ```HTTPS_PROXY``` environment variable must be passed to the package manager. The package manager can read this variable in any of the following ways:
-
-- The ```HTTPS_PROXY``` variable is defined in ```/etc/environment``` with the following line:
-
- ```bash
- HTTPS_PROXY="http://proxy.server:port/"
- ```
-
-- The `HTTPS_PROXY` variable is defined in the package manager global configuration. For example, in Ubuntu 18.04, you can add the following line to `/etc/apt/apt.conf.d/proxy.conf`:
-
- ```bash
- Acquire::https::Proxy "http://proxy.server:port/";
- ```
-
- > [!CAUTION]
- > Note that above two methods could define the proxy to use for other applications on your system. Use this method with caution, or only if this is meant to be a generally global configuration.
-
-- The `HTTPS_PROXY` variable is prepended to the installation or uninstallation commands. For example, with the APT package manager, prepend the variable as follows when installing Microsoft Defender ATP:
-
- ```bash
- HTTPS_PROXY="http://proxy.server:port/" apt install mdatp
- ```
-
- > [!NOTE]
- > Do not add sudo between the environment variable definition and apt, otherwise the variable will not be propagated.
-
-The `HTTPS_PROXY` environment variable may similarly be defined during uninstallation.
-
-Note that installation and uninstallation will not necessarily fail if a proxy is required but not configured. However, telemetry will not be submitted, and the operation could take much longer due to network timeouts.
-
-## Post installation configuration
-
-After installation, the `HTTPS_PROXY` environment variable must be defined in the Microsoft Defender ATP service file. To do this, open `/lib/systemd/system/mdatp.service` in a text editor while running as the root user. You can then propagate the variable to the service in one of two ways:
-
-- Uncomment the line `#Environment="HTTPS_PROXY=http://address:port"` and specify your static proxy address.
-
-- Add a line `EnvironmentFile=/path/to/env/file`. This path can point to `/etc/environment` or a custom file, either of which needs to add the following line:
-
- ```bash
- HTTPS_PROXY="http://proxy.server:port/"
- ```
-
-After modifying the `mdatp.service` file, save and close it. Restart the service so the changes can be applied. In Ubuntu, this involves two commands:
-
-```bash
-systemctl daemon-reload; systemctl restart mdatp
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md
deleted file mode 100644
index 3406767afa..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md
+++ /dev/null
@@ -1,99 +0,0 @@
----
-title: Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux
-ms.reviewer:
-description: Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux
-keywords: microsoft, defender, atp, linux, cloud, connectivity, communication
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
----
-
-# Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
-
-## Run the connectivity test
-
-To test if Microsoft Defender ATP for Linux can communicate to the cloud with the current network settings, run a connectivity test from the command line:
-
-```bash
-mdatp connectivity test
-```
-
-If the connectivity test fails, check if the device has Internet access and if [any of the endpoints required by the product](microsoft-defender-atp-linux.md#network-connections) are blocked by a proxy or firewall.
-
-## Troubleshooting steps for environments without proxy or with transparent proxy
-
-To test that a connection is not blocked in an environment without a proxy or with a transparent proxy, run the following command in the terminal:
-
-```bash
-curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
-```
-
-The output from this command should be similar to:
-
-```Output
-OK https://x.cp.wd.microsoft.com/api/report
-OK https://cdn.x.cp.wd.microsoft.com/ping
-```
-
-## Troubleshooting steps for environments with static proxy
-
-> [!WARNING]
-> PAC, WPAD, and authenticated proxies are not supported. Ensure that only a static proxy or transparent proxy is being used.
->
-> SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender ATP for Linux to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception.
-
-If a static proxy is required, add a proxy parameter to the above command, where `proxy_address:port` correspond to the proxy address and port:
-
-```bash
-curl -x http://proxy_address:port -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
-```
-
-Ensure that you use the same proxy address and port as configured in the `/lib/system/system/mdatp.service` file. Check your proxy configuration if there are errors from the above commands.
-
-> [!WARNING]
-> The static proxy cannot be configured through a system-wide `HTTPS_PROXY` environment variable. Instead, ensure that `HTTPS_PROXY` is properly set in the `/lib/system/system/mdatp.service` file.
-
-To use a static proxy, the `mdatp.service` file must be modified. Ensure the leading `#` is removed to uncomment the following line from `/lib/systemd/system/mdatp.service`:
-
-```bash
-#Environment="HTTPS_PROXY=http://address:port"
-```
-
-Also ensure that the correct static proxy address is filled in to replace `address:port`.
-
-If this file is correct, try running the following command in the terminal to reload Microsoft Defender ATP for Linux and propagate the setting:
-
-```bash
-sudo systemctl daemon-reload; sudo systemctl restart mdatp
-```
-
-Upon success, attempt another connectivity test from the command line:
-
-```bash
-mdatp connectivity test
-```
-
-If the problem persists, contact customer support.
-
-## Resources
-
-- For more information about how to configure the product to use a static proxy, see [Configure Microsoft Defender ATP for static proxy discovery](linux-static-proxy-configuration.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md
deleted file mode 100644
index 15d0e69c78..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md
+++ /dev/null
@@ -1,138 +0,0 @@
----
-title: Troubleshoot installation issues for Microsoft Defender ATP for Linux
-ms.reviewer:
-description: Troubleshoot installation issues for Microsoft Defender ATP for Linux
-keywords: microsoft, defender, atp, linux, installation
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
----
-
-# Troubleshoot installation issues for Microsoft Defender ATP for Linux
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
-
-## Verify if installation succeeded
-
-An error in installation may or may not result in a meaningful error message by the package manager. To verify if the installation succeeded, obtain and check the installation logs using:
-
- ```bash
- sudo journalctl | grep 'microsoft-mdatp' > installation.log
-```
-```bash
- grep 'postinstall end' installation.log
-```
-```Output
- microsoft-mdatp-installer[102243]: postinstall end [2020-03-26 07:04:43OURCE +0000] 102216
- ```
-
-An output from the previous command with correct date and time of installation indicates success.
-
-Also check the [Client configuration](linux-install-manually.md#client-configuration) to verify the health of the product and detect the EICAR text file.
-
-## Installation failed
-
-Check if the mdatp service is running:
-
-```bash
-systemctl status mdatp
-```
-```Output
- ● mdatp.service - Microsoft Defender ATP
- Loaded: loaded (/lib/systemd/system/mdatp.service; enabled; vendor preset: enabled)
- Active: active (running) since Thu 2020-03-26 10:37:30 IST; 23h ago
- Main PID: 1966 (wdavdaemon)
- Tasks: 105 (limit: 4915)
- CGroup: /system.slice/mdatp.service
- ├─1966 /opt/microsoft/mdatp/sbin/wdavdaemon
- ├─1967 /opt/microsoft/mdatp/sbin/wdavdaemon
- └─1968 /opt/microsoft/mdatp/sbin/wdavdaemon
- ```
-
-## Steps to troubleshoot if mdatp service isn't running
-
-1. Check if "mdatp" user exists:
- ```bash
- id "mdatp"
- ```
- If there’s no output, run
- ```bash
- sudo useradd --system --no-create-home --user-group --shell /usr/sbin/nologin mdatp
- ```
-
-2. Try enabling and restarting the service using:
- ```bash
- sudo systemctl enable mdatp
- ```
- ```bash
- sudo systemctl restart mdatp
- ```
-
-3. If mdatp.service isn't found upon running the previous command, run:
- ```bash
- sudo cp /opt/microsoft/mdatp/conf/mdatp.service
-
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4qLUW]
-
-With live response, analysts can do all of the following tasks:
-- Run basic and advanced commands to do investigative work on a device.
-- Download files such as malware samples and outcomes of PowerShell scripts.
-- Download files in the background (new!).
-- Upload a PowerShell script or executable to the library and run it on a device from a tenant level.
-- Take or undo remediation actions.
-
-## Before you begin
-
-Before you can initiate a session on a device, make sure you fulfill the following requirements:
-
-- **Verify that you're running a supported version of Windows 10**.
-Devices must be running one of the following versions of Windows 10:
- - [1909](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1909) or later
- - [1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903)
- - [1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809)
- - [1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803)
- - [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709)
-
-- **Make sure to install appropriate security updates**.
- - 1903: [KB4515384](https://support.microsoft.com/help/4515384/windows-10-update-kb4515384)
- - 1809 (RS5): [KB4537818](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818)
- - 1803 (RS4): [KB4537795](https://support.microsoft.com/help/4537795/windows-10-update-kb4537795)
- - 1709 (RS3): [KB4537816](https://support.microsoft.com/help/4537816/windows-10-update-kb4537816)
-
-- **Enable live response from the settings page**.
-You'll need to enable the live response capability in the [Advanced features settings](advanced-features.md) page.
-
- >[!NOTE]
- >Only users with manage security or global admin roles can edit these settings.
-
-- **Ensure that the device has an Automation Remediation level assigned to it**.
-You'll need to enable, at least, the minimum Remediation Level for a given Device Group. Otherwise you won't be able to establish a Live Response session to a member of that group.
-
- You'll receive the following error:
-
- 
-
-- **Enable live response unsigned script execution** (optional).
-
- >[!WARNING]
- >Allowing the use of unsigned scripts may increase your exposure to threats.
-
- Running unsigned scripts is not recommended as it can increase your exposure to threats. If you must use them however, you'll need to enable the setting in the [Advanced features settings](advanced-features.md) page.
-
-- **Ensure that you have the appropriate permissions**.
- Only users who have been provisioned with the appropriate permissions can initiate a session. For more information on role assignments, see [Create and manage roles](user-roles.md).
-
- > [!IMPORTANT]
- > The option to upload a file to the library is only available to those with the appropriate RBAC permissions. The button is greyed out for users with only delegated permissions.
-
- Depending on the role that's been granted to you, you can run basic or advanced live response commands. Users permissions are controlled by RBAC custom role.
-
-## Live response dashboard overview
-When you initiate a live response session on a device, a dashboard opens. The dashboard provides information about the session such as the following:
-
-- Who created the session
-- When the session started
-- The duration of the session
-
-The dashboard also gives you access to:
-- Disconnect session
-- Upload files to the library
-- Command console
-- Command log
-
-
-## Initiate a live response session on a device
-
-1. Sign in to Microsoft Defender Security Center.
-
-2. Navigate to the devices list page and select a device to investigate. The devices page opens.
-
-3. Launch the live response session by selecting **Initiate live response session**. A command console is displayed. Wait while the session connects to the device.
-
-4. Use the built-in commands to do investigative work. For more information, see [Live response commands](#live-response-commands).
-
-5. After completing your investigation, select **Disconnect session**, then select **Confirm**.
-
-## Live response commands
-
-Depending on the role that's been granted to you, you can run basic or advanced live response commands. User permissions are controlled by RBAC custom roles. For more information on role assignments, see [Create and manage roles](user-roles.md).
-
-
->[!NOTE]
->Live response is a cloud-based interactive shell, as such, specific command experience may vary in response time depending on network quality and system load between the end user and the target device.
-
-### Basic commands
-
-The following commands are available for user roles that are granted the ability to run **basic** live response commands. For more information on role assignments, see [Create and manage roles](user-roles.md).
-
-| Command | Description |
-|---|---|--- |
-|`cd` | Changes the current directory. |
-|`cls` | Clears the console screen. |
-|`connect` | Initiates a live response session to the device. |
-|`connections` | Shows all the active connections. |
-|`dir` | Shows a list of files and subdirectories in a directory. |
-|`download
NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `getfile` to automatically run the prerequisite command. |
-| `run` | Runs a PowerShell script from the library on the device. |
-| `library` | Lists files that were uploaded to the live response library. |
-| `putfile` | Puts a file from the library to the device. Files are saved in a working folder and are deleted when the device restarts by default. |
-| `remediate` | Remediates an entity on the device. The remediation action will vary depending on the entity type:
- File: delete
- Process: stop, delete image file
- Service: stop, delete image file
- Registry entry: delete
- Scheduled task: remove
- Startup folder item: delete file
NOTE: This command has a prerequisite command. You can use the `-auto` command in conjunction with `remediate` to automatically run the prerequisite command.
-|`undo` | Restores an entity that was remediated. |
-
-
-## Use live response commands
-
-The commands that you can use in the console follow similar principles as [Windows Commands](https://docs.microsoft.com/windows-server/administration/windows-commands/windows-commands#BKMK_c).
-
-The advanced commands offer a more robust set of actions that allow you to take more powerful actions such as download and upload a file, run scripts on the device, and take remediation actions on an entity.
-
-### Get a file from the device
-
-For scenarios when you'd like get a file from a device you're investigating, you can use the `getfile` command. This allows you to save the file from the device for further investigation.
-
->[!NOTE]
->The following file size limits apply:
->- `getfile` limit: 3 GB
->- `fileinfo` limit: 10 GB
->- `library` limit: 250 MB
-
-### Download a file in the background
-
-To enable your security operations team to continue investigating an impacted device, files can now be downloaded in the background.
-
-- To download a file in the background, in the live response command console, type `download
`/var/log/*.log`
`/var/log/install.?.log`
-Folder | All files under the specified folder (recursively) | `/var/log/`
`/var/*/`
-Process | A specific process (specified either by the full path or file name) and all files opened by it | `/bin/cat`
`cat`
`c?t`
-
-File, folder, and process exclusions support the following wildcards:
-
-Wildcard | Description | Example | Matches | Does not match
----|---|---|---|---
-\* | Matches any number of any characters including none (note that when this wildcard is used inside a path it will substitute only one folder) | `/var/*/*.log` | `/var/log/system.log` | `/var/log/nested/system.log`
-? | Matches any single character | `file?.log` | `file1.log`
`file2.log` | `file123.log`
-
-## How to configure the list of exclusions
-
-### From the management console
-
-For more information on how to configure exclusions from JAMF, Intune, or another management console, see [Set preferences for Microsoft Defender ATP for Mac](mac-preferences.md).
-
-### From the user interface
-
-Open the Microsoft Defender ATP application and navigate to **Manage settings** > **Add or Remove Exclusion...**, as shown in the following screenshot:
-
-
-
-Select the type of exclusion that you wish to add and follow the prompts.
-
-## Validate exclusions lists with the EICAR test file
-
-You can validate that your exclusion lists are working by using `curl` to download a test file.
-
-In the following Bash snippet, replace `test.txt` with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure that you run the command within that path.
-
-```bash
-curl -o test.txt https://www.eicar.org/download/eicar.com.txt
-```
-
-If Microsoft Defender ATP for Mac reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html).
-
-If you do not have Internet access, you can create your own EICAR test file. Write the EICAR string to a new text file with the following Bash command:
-
-```bash
-echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > test.txt
-```
-
-You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude.
-
-## Allow threats
-
-In addition to excluding certain content from being scanned, you can also configure the product not to detect some classes of threats (identified by the threat name). You should exercise caution when using this functionality, as it can leave your device unprotected.
-
-To add a threat name to the allowed list, execute the following command:
-
-```bash
-mdatp threat allowed add --name [threat-name]
-```
-
-The threat name associated with a detection on your device can be obtained using the following command:
-
-```bash
-mdatp threat list
-```
-
-For example, to add `EICAR-Test-File (not a virus)` (the threat name associated with the EICAR detection) to the allowed list, execute the following command:
-
-```bash
-mdatp threat allowed add --name "EICAR-Test-File (not a virus)"
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-jamfpro-login.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-jamfpro-login.md
deleted file mode 100644
index 59d65172e9..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-jamfpro-login.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-title: Log in to Jamf Pro
-description: Log in to Jamf Pro
-keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
----
-
-# Log in to Jamf Pro
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
-
-1. Enter your credentials.
-
- 
-
-2. Select **Computers**.
-
- 
-
-3. You will see the settings that are available.
-
- 
-
-
-## Next step
-[Setup the device groups in Jamf Pro](mac-jamfpro-device-groups.md)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
deleted file mode 100644
index 3f720e90e8..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md
+++ /dev/null
@@ -1,151 +0,0 @@
----
-title: Manual deployment for Microsoft Defender ATP for macOS
-description: Install Microsoft Defender ATP for macOS manually, from the command line.
-keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
----
-
-# Manual deployment for Microsoft Defender ATP for macOS
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for macOS](microsoft-defender-atp-mac.md)
-
-This topic describes how to deploy Microsoft Defender ATP for macOS manually. A successful deployment requires the completion of all of the following steps:
-- [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
-- [Application installation (macOS 10.15 and older versions)](#application-installation-macos-1015-and-older-versions)
-- [Application installation (macOS 11 and newer versions)](#application-installation-macos-11-and-newer-versions)
-- [Client configuration](#client-configuration)
-
-## Prerequisites and system requirements
-
-Before you get started, see [the main Microsoft Defender ATP for macOS page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
-
-## Download installation and onboarding packages
-
-Download the installation and onboarding packages from Microsoft Defender Security Center:
-
-1. In Microsoft Defender Security Center, go to **Settings > Device Management > Onboarding**.
-2. In Section 1 of the page, set operating system to **macOS** and Deployment method to **Local script**.
-3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory.
-4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
-
- 
-
-5. From a command prompt, verify that you have the two files.
-
-## Application installation (macOS 10.15 and older versions)
-
-To complete this process, you must have admin privileges on the device.
-
-1. Navigate to the downloaded wdav.pkg in Finder and open it.
-
- 
-
-2. Select **Continue**, agree with the License terms, and enter the password when prompted.
-
- 
-
- > [!IMPORTANT]
- > You will be prompted to allow a driver from Microsoft to be installed (either "System Extension Blocked" or "Installation is on hold" or both. The driver must be allowed to be installed.
-
- 
-
-3. Select **Open Security Preferences** or **Open System Preferences > Security & Privacy**. Select **Allow**:
-
- 
-
- The installation proceeds.
-
- > [!CAUTION]
- > If you don't select **Allow**, the installation will proceed after 5 minutes. Defender ATP will be loaded, but some features, such as real-time protection, will be disabled. See [Troubleshoot kernel extension issues](mac-support-kext.md) for information on how to resolve this.
-
-> [!NOTE]
-> macOS may request to reboot the device upon the first installation of Microsoft Defender. Real-time protection will not be available until the device is rebooted.
-
-## Application installation (macOS 11 and newer versions)
-
-To complete this process, you must have admin privileges on the device.
-
-1. Navigate to the downloaded wdav.pkg in Finder and open it.
-
- 
-
-2. Select **Continue**, agree with the License terms, and enter the password when prompted.
-
-3. At the end of the installation process, you will be promoted to approve the system extensions used by the product. Select **Open Security Preferences**.
-
- 
-
-4. From the **Security & Privacy** window, select **Allow**.
-
- 
-
-5. Repeat steps 3 & 4 for all system extensions distributed with Microsoft Defender ATP for Mac.
-
-6. As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. When prompted to grant Microsoft Defender ATP permissions to filter network traffic, select **Allow**.
-
- 
-
-7. Open **System Preferences** > **Security & Privacy** and navigate to the **Privacy** tab. Grant **Full Disk Access** permission to **Microsoft Defender ATP** and **Microsoft Defender ATP Endpoint Security Extension**.
-
- 
-
-## Client configuration
-
-1. Copy wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.py to the device where you deploy Microsoft Defender ATP for macOS.
-
- The client device is not associated with orgId. Note that the *orgId* attribute is blank.
-
- ```bash
- mdatp --health orgId
- ```
-
-2. Run the Python script to install the configuration file:
-
- ```bash
- /usr/bin/python MicrosoftDefenderATPOnboardingMacOs.py
- ```
-
-3. Verify that the device is now associated with your organization and reports a valid *orgId*:
-
- ```bash
- mdatp --health orgId
- ```
-
-After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner.
-
- 
-
-
-## How to Allow Full Disk Access
-
-> [!CAUTION]
-> macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device.
-
-To grant consent, open System Preferences -> Security & Privacy -> Privacy -> Full Disk Access. Click the lock icon to make changes (bottom of the dialog box). Select Microsoft Defender ATP.
-
-## Logging installation issues
-
-See [Logging installation issues](mac-resources.md#logging-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs.
-
-## Uninstallation
-
-See [Uninstalling](mac-resources.md#uninstalling) for details on how to remove Microsoft Defender ATP for macOS from client devices.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
deleted file mode 100644
index 91a5ea6044..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md
+++ /dev/null
@@ -1,280 +0,0 @@
----
-title: Intune-based deployment for Microsoft Defender ATP for Mac
-description: Install Microsoft Defender ATP for Mac, using Microsoft Intune.
-keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
----
-
-# Intune-based deployment for Microsoft Defender ATP for Mac
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-> [!NOTE]
-> This documentation explains the legacy method for deploying and configuring Microsoft Defender ATP on macOS devices. The native experience is now available in the MEM console. The release of the native UI in the MEM console provide admins with a much simpler way to configure and deploy the application and send it down to macOS devices.
->The blog post [MEM simplifies deployment of Microsoft Defender ATP for macOS](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/microsoft-endpoint-manager-simplifies-deployment-of-microsoft/ba-p/1322995) explains the new features. To configure the app, go to [Settings for Microsoft Defender ATP for Mac in Microsoft InTune](https://docs.microsoft.com/mem/intune/protect/antivirus-microsoft-defender-settings-macos). To deploy the app, go to [Add Microsoft Defender ATP to macOS devices using Microsoft Intune](https://docs.microsoft.com/mem/intune/apps/apps-advanced-threat-protection-macos).
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
-
-This topic describes how to deploy Microsoft Defender ATP for Mac through Intune. A successful deployment requires the completion of all of the following steps:
-
-1. [Download installation and onboarding packages](#download-installation-and-onboarding-packages)
-1. [Client device setup](#client-device-setup)
-1. [Approve system extensions](#approve-system-extensions)
-1. [Create System Configuration profiles](#create-system-configuration-profiles)
-1. [Publish application](#publish-application)
-
-## Prerequisites and system requirements
-
-Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
-
-## Overview
-
-The following table summarizes the steps you would need to take to deploy and manage Microsoft Defender ATP for Macs, via Intune. More detailed steps are available below.
-
-| Step | Sample file names | BundleIdentifier |
-|-|-|-|
-| [Download installation and onboarding packages](#download-installation-and-onboarding-packages) | WindowsDefenderATPOnboarding__MDATP_wdav.atp.xml | com.microsoft.wdav.atp |
-| [Approve System Extension for Microsoft Defender ATP](#approve-system-extensions) | MDATP_SysExt.xml | N/A |
-| [Approve Kernel Extension for Microsoft Defender ATP](#download-installation-and-onboarding-packages) | MDATP_KExt.xml | N/A |
-| [Grant full disk access to Microsoft Defender ATP](#create-system-configuration-profiles-step-8) | MDATP_tcc_Catalina_or_newer.xml | com.microsoft.wdav.tcc |
-| [Network Extension policy](#create-system-configuration-profiles-step-9) | MDATP_NetExt.xml | N/A |
-| [Configure Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-updates#intune) | MDATP_Microsoft_AutoUpdate.xml | com.microsoft.autoupdate2 |
-| [Microsoft Defender ATP configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#intune-profile-1)
**Note:** If you are planning to run a third party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.xml | com.microsoft.wdav |
-| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#create-system-configuration-profiles-step-10) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdav.tray |
-
-## Download installation and onboarding packages
-
-Download the installation and onboarding packages from Microsoft Defender Security Center:
-
-1. In Microsoft Defender Security Center, go to **Settings** > **Device Management** > **Onboarding**.
-
-2. Set the operating system to **macOS** and the deployment method to **Mobile Device Management / Microsoft Intune**.
-
- 
-
-3. Select **Download installation package**. Save it as _wdav.pkg_ to a local directory.
-
-4. Select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
-
-5. Download **IntuneAppUtil** from [https://docs.microsoft.com/intune/lob-apps-macos](https://docs.microsoft.com/intune/lob-apps-macos).
-
-6. From a command prompt, verify that you have the three files.
-
-
- ```bash
- ls -l
- ```
-
- ```Output
- total 721688
- -rw-r--r-- 1 test staff 269280 Mar 15 11:25 IntuneAppUtil
- -rw-r--r-- 1 test staff 11821 Mar 15 09:23 WindowsDefenderATPOnboardingPackage.zip
- -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg
- ```
-7. Extract the contents of the .zip files:
-
- ```bash
- unzip WindowsDefenderATPOnboardingPackage.zip
- ```
- ```Output
- Archive: WindowsDefenderATPOnboardingPackage.zip
- warning: WindowsDefenderATPOnboardingPackage.zip appears to use backslashes as path separators
- inflating: intune/kext.xml
- inflating: intune/WindowsDefenderATPOnboarding.xml
- inflating: jamf/WindowsDefenderATPOnboarding.plist
- ```
-
-8. Make IntuneAppUtil an executable:
-
- ```bash
- chmod +x IntuneAppUtil
- ```
-
-9. Create the wdav.pkg.intunemac package from wdav.pkg:
-
- ```bash
- ./IntuneAppUtil -c wdav.pkg -o . -i "com.microsoft.wdav" -n "1.0.0"
- ```
- ```Output
- Microsoft Intune Application Utility for Mac OS X
- Version: 1.0.0.0
- Copyright 2018 Microsoft Corporation
-
- Creating intunemac file for /Users/test/Downloads/wdav.pkg
- Composing the intunemac file output
- Output written to ./wdav.pkg.intunemac.
-
- IntuneAppUtil successfully processed "wdav.pkg",
- to deploy refer to the product documentation.
- ```
-
-## Client device setup
-
-You do not need any special provisioning for a Mac device beyond a standard [Company Portal installation](https://docs.microsoft.com/intune-user-help/enroll-your-device-in-intune-macos-cp).
-
-1. Confirm device management.
-
- 
-
- Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**:
-
- 
-
-2. Select **Continue** and complete the enrollment.
-
- You may now enroll more devices. You can also enroll them later, after you have finished provisioning system configuration and application packages.
-
-3. In Intune, open **Manage** > **Devices** > **All devices**. Here you can see your device among those listed:
-
- > [!div class="mx-imgBorder"]
- > 
-
-## Approve System Extensions
-
-To approve the system extensions:
-
-1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**.
-
-2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Extensions**. Select **Create**.
-
-3. In the `Basics` tab, give a name to this new profile.
-
-4. In the `Configuration settings` tab, add the following entries in the `Allowed system extensions` section:
-
- Bundle identifier | Team identifier
- --------------------------|----------------
- com.microsoft.wdav.epsext | UBF8T346G9
- com.microsoft.wdav.netext | UBF8T346G9
-
- > [!div class="mx-imgBorder"]
- > 
-
-5. In the `Assignments` tab, assign this profile to **All Users & All devices**.
-
-6. Review and create this configuration profile.
-
-## Create System Configuration profiles
-
-1. In Intune, open **Manage** > **Device configuration**. Select **Manage** > **Profiles** > **Create Profile**.
-
-2. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select **Configure**.
-
-3. Open the configuration profile and upload intune/kext.xml. This file was created in one of the preceding sections.
-
-4. Select **OK**.
-
- 
-
-5. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
-
-6. Repeat steps 1 through 5 for more profiles.
-
-7. Create another profile, give it a name, and upload the intune/WindowsDefenderATPOnboarding.xml file.
-
-8. Download `fulldisk.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/fulldisk.mobileconfig) and save it as `tcc.xml`. Create another profile, give it any name and upload this file to it.
-
- > [!CAUTION]
- > macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device.
- >
- > This configuration profile grants Full Disk Access to Microsoft Defender ATP. If you previously configured Microsoft Defender ATP through Intune, we recommend you update the deployment with this configuration profile.
-
-9. As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality. Download `netfilter.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/netfilter.mobileconfig), save it as netext.xml and deploy it using the same steps as in the previous sections.
-
-10. To allow Defender and Auto Update to display notifications in UI on macOS 10.15 (Catalina), download `notif.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/notif.mobileconfig) and import it as a custom payload.
-
-11. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
-
-Once the Intune changes are propagated to the enrolled devices, you can see them listed under **Monitor** > **Device status**:
-
-> [!div class="mx-imgBorder"]
-> 
-
-## Publish application
-
-1. In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**.
-
-2. Select **App type=Other/Line-of-business app**.
-
-3. Select **file=wdav.pkg.intunemac**. Select **OK** to upload.
-
-4. Select **Configure** and add the required information.
-
-5. Use **macOS High Sierra 10.13** as the minimum OS.
-
-6. Set *Ignore app version* to **Yes**. Other settings can be any arbitrary value.
-
- > [!CAUTION]
- > Setting *Ignore app version* to **No** impacts the ability of the application to receive updates through Microsoft AutoUpdate. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated.
- >
- > If the version uploaded by Intune is lower than the version on the device, then the lower version will be installed, effectively downgrading Defender. This could result in a non-functioning application. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated. If you deployed Defender with *Ignore app version* set to **No**, please change it to **Yes**. If Defender still cannot be installed on a client device, then uninstall Defender and push the updated policy.
-
- > [!div class="mx-imgBorder"]
- > 
-
-7. Select **OK** and **Add**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-8. It may take a few moments to upload the package. After it's done, select the package from the list and go to **Assignments** and **Add group**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-9. Change **Assignment type** to **Required**.
-
-10. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.
-
- > [!div class="mx-imgBorder"]
- > 
-
-11. After some time the application will be published to all enrolled devices. You can see it listed in **Monitor** > **Device**, under **Device install status**:
-
- > [!div class="mx-imgBorder"]
- > 
-
-## Verify client device state
-
-1. After the configuration profiles are deployed to your devices, open **System Preferences** > **Profiles** on your Mac device.
-
- 
- 
-
-2. Verify that the following configuration profiles are present and installed. The **Management Profile** should be the Intune system profile. _Wdav-config_ and _wdav-kext_ are system configuration profiles that were added in Intune:
- 
-
-3. You should also see the Microsoft Defender icon in the top-right corner:
-
- > [!div class="mx-imgBorder"]
- > 
-
-## Troubleshooting
-
-Issue: No license found
-
-Solution: Follow the steps above to create a device profile using WindowsDefenderATPOnboarding.xml
-
-## Logging installation issues
-
-For more information on how to find the automatically generated log that is created by the installer when an error occurs, see [Logging installation issues](mac-resources.md#logging-installation-issues).
-
-## Uninstallation
-
-See [Uninstalling](mac-resources.md#uninstalling) for details on how to remove Microsoft Defender ATP for Mac from client devices.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
deleted file mode 100644
index b02fdd72d5..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
+++ /dev/null
@@ -1,43 +0,0 @@
----
-title: Deploying Microsoft Defender ATP for macOS with Jamf Pro
-description: Deploying Microsoft Defender ATP for macOS with Jamf Pro
-keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
----
-
-# Deploying Microsoft Defender ATP for macOS with Jamf Pro
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
-
-Learn how to deploy Microsoft Defender ATP for macOS with Jamf Pro.
-
-This is a multi step process. You'll need to complete all of the following steps:
-
-- [Login to the Jamf Portal](mac-install-jamfpro-login.md)
-- [Setup the Microsoft Defender ATP for macOS device groups in Jamf Pro](mac-jamfpro-device-groups.md)
-- [Setup the Microsoft Defender ATP for macOS policies in Jamf Pro](mac-jamfpro-policies.md)
-- [Enroll the Microsoft Defender ATP for macOS devices into Jamf Pro](mac-jamfpro-enroll-devices.md)
-
-
-
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md
deleted file mode 100644
index 1e43a13d07..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md
+++ /dev/null
@@ -1,115 +0,0 @@
----
-title: Deployment with a different Mobile Device Management (MDM) system for Microsoft Defender ATP for Mac
-description: Install Microsoft Defender ATP for Mac on other management solutions.
-keywords: microsoft, defender, atp, mac, installation, deploy, macos, catalina, mojave, high sierra
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: mavel
-author: maximvelichko
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
----
-
-# Deployment with a different Mobile Device Management (MDM) system for Microsoft Defender ATP for Mac
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
-
-## Prerequisites and system requirements
-
-Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version.
-
-## Approach
-
-> [!CAUTION]
-> Currently, Microsoft oficially supports only Intune and JAMF for the deployment and management of Microsoft Defender ATP for Mac. Microsoft makes no warranties, express or implied, with respect to the information provided below.
-
-If your organization uses a Mobile Device Management (MDM) solution that is not officially supported, this does not mean you are unable to deploy or run Microsoft Defender ATP for Mac.
-
-Microsoft Defender ATP for Mac does not depend on any vendor-specific features. It can be used with any MDM solution that supports the following features:
-
-- Deploy a macOS .pkg to managed devices.
-- Deploy macOS system configuration profiles to managed devices.
-- Run an arbitrary admin-configured tool/script on managed devices.
-
-Most modern MDM solutions include these features, however, they may call them differently.
-
-You can deploy Defender without the last requirement from the preceding list, however:
-
-- You will not be able to collect status in a centralized way
-- If you decide to uninstall Defender, you will need to log on to the client device locally as an administrator
-
-## Deployment
-
-Most MDM solutions use the same model for managing macOS devices, with similar terminology. Use [JAMF-based deployment](mac-install-with-jamf.md) as a template.
-
-### Package
-
-Configure deployment of a [required application package](mac-install-with-jamf.md),
-with the installation package (wdav.pkg) downloaded from [Microsoft Defender Security Center](mac-install-with-jamf.md).
-
-In order to deploy the package to your enterprise, use the instructions associated with your MDM solution.
-
-### License settings
-
-Set up [a system configuration profile](mac-install-with-jamf.md).
-Your MDM solution may call it something like "Custom Settings Profile", as Microsoft Defender ATP for Mac is not part of macOS.
-
-Use the property list, jamf/WindowsDefenderATPOnboarding.plist, which can be extracted from an onboarding package downloaded from [Microsoft Defender Security Center](mac-install-with-jamf.md).
-Your system may support an arbitrary property list in XML format. You can upload the jamf/WindowsDefenderATPOnboarding.plist file as-is in that case.
-Alternatively, it may require you to convert the property list to a different format first.
-
-Typically, your custom profile has an ID, name, or domain attribute. You must use exactly "com.microsoft.wdav.atp" for this value.
-MDM uses it to deploy the settings file to **/Library/Managed Preferences/com.microsoft.wdav.atp.plist** on a client device, and Defender uses this file for loading the onboarding information.
-
-### Kernel extension policy
-
-Set up a KEXT or kernel extension policy. Use team identifier **UBF8T346G9** to allow kernel extensions provided by Microsoft.
-
-### System extension policy
-
-Set up a system extension policy. Use team identifier **UBF8T346G9** and approve the following bundle identifiers:
-
-- com.microsoft.wdav.epsext
-- com.microsoft.wdav.netext
-
-### Full disk access policy
-
-Grant Full Disk Access to the following components:
-
-- Microsoft Defender ATP
- - Identifier: `com.microsoft.wdav`
- - Identifier Type: Bundle ID
- - Code Requirement: identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /\* exists \*/ and certificate leaf[field.1.2.840.113635.100.6.1.13] /\* exists \*/ and certificate leaf[subject.OU] = UBF8T346G9
-
-- Microsoft Defender ATP Endpoint Security Extension
- - Identifier: `com.microsoft.wdav.epsext`
- - Identifier Type: Bundle ID
- - Code Requirement: identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
-
-### Network extension policy
-
-As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality.
-
-- Filter type: Plugin
-- Plugin bundle identifier: `com.microsoft.wdav`
-- Filter data provider bundle identifier: `com.microsoft.wdav.netext`
-- Filter data provider designated requirement: identifier "com.microsoft.wdav.netext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9
-- Filter sockets: `true`
-
-## Check installation status
-
-Run [mdatp](mac-install-with-jamf.md) on a client device to check the onboarding status.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md
deleted file mode 100644
index 04cb07cd04..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-title: Set up device groups in Jamf Pro
-description: Learn how to set up device groups in Jamf Pro for Microsoft Defender ATP for macOS
-keywords: device, group, microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
----
-
-# Set up Microsoft Defender ATP for macOS device groups in Jamf Pro
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
-
-Set up the device groups similar to Group policy organizational unite (OUs), Microsoft Endpoint Configuration Manager's device collection, and Intune's device groups.
-
-1. Navigate to **Static Computer Groups**.
-
-2. Select **New**.
-
- 
-
-3. Provide a display name and select **Save**.
-
- 
-
-4. Now you will see the **Contoso's Machine Group** under **Static Computer Groups**.
-
- 
-
-## Next step
-- [Set up Microsoft Defender ATP for macOS policies in Jamf Pro](mac-jamfpro-policies.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-enroll-devices.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-enroll-devices.md
deleted file mode 100644
index ffd3980a4a..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-enroll-devices.md
+++ /dev/null
@@ -1,105 +0,0 @@
----
-title: Enroll Microsoft Defender ATP for macOS devices into Jamf Pro
-description: Enroll Microsoft Defender ATP for macOS devices into Jamf Pro
-keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
----
-
-# Enroll Microsoft Defender ATP for macOS devices into Jamf Pro
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
-
-## Enroll macOS devices
-
-There are multiple methods of getting enrolled to JamF.
-
-This article will guide you on two methods:
-
-- [Method 1: Enrollment Invitations](#enrollment-method-1-enrollment-invitations)
-- [Method 2: Prestage Enrollments](#enrollment-method-2-prestage-enrollments)
-
-For a complete list, see [About Computer Enrollment](https://docs.jamf.com/9.9/casper-suite/administrator-guide/About_Computer_Enrollment.html).
-
-
-## Enrollment Method 1: Enrollment Invitations
-
-1. In the Jamf Pro dashboard, navigate to **Enrollment invitations**.
-
- 
-
-2. Select **+ New**.
-
- 
-
-3. In **Specify Recipients for the Invitation** > under **Email Addresses** enter the e-mail address(es) of the recipients.
-
- 
-
- 
-
- For example: janedoe@contoso.com
-
- 
-
-4. Configure the message for the invitation.
-
- 
-
- 
-
- 
-
- 
-
-## Enrollment Method 2: Prestage Enrollments
-
-1. In the Jamf Pro dashboard, navigate to **Prestage enrollments**.
-
- 
-
-2. Follow the instructions in [Computer PreStage Enrollments](https://docs.jamf.com/9.9/casper-suite/administrator-guide/Computer_PreStage_Enrollments.html).
-
-## Enroll macOS device
-
-1. Select **Continue** and install the CA certificate from a **System Preferences** window.
-
- 
-
-2. Once CA certificate is installed, return to the browser window and select **Continue** and install the MDM profile.
-
- 
-
-3. Select **Allow** to downloads from JAMF.
-
- 
-
-4. Select **Continue** to proceed with the MDM Profile installation.
-
- 
-
-5. Select **Continue** to install the MDM Profile.
-
- 
-
-6. Select **Continue** to complete the configuration.
-
- 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md
deleted file mode 100644
index a56afd0ef7..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md
+++ /dev/null
@@ -1,858 +0,0 @@
----
-title: Set up the Microsoft Defender ATP for macOS policies in Jamf Pro
-description: Learn how to set up the Microsoft Defender ATP for macOS policies in Jamf Pro
-keywords: policies, microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
----
-
-# Set up the Microsoft Defender ATP for macOS policies in Jamf Pro
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
-
-This page will guide you through the steps you need to take to set up macOS policies in Jamf Pro.
-
-You'll need to take the following steps:
-
-1. [Get the Microsoft Defender ATP onboarding package](#step-1-get-the-microsoft-defender-atp-onboarding-package)
-
-2. [Create a configuration profile in Jamf Pro using the onboarding package](#step-2-create-a-configuration-profile-in-jamf-pro-using-the-onboarding-package)
-
-3. [Configure Microsoft Defender ATP settings](#step-3-configure-microsoft-defender-atp-settings)
-
-4. [Configure Microsoft Defender ATP notification settings](#step-4-configure-notifications-settings)
-
-5. [Configure Microsoft AutoUpdate (MAU)](#step-5-configure-microsoft-autoupdate-mau)
-
-6. [Grant full disk access to Microsoft Defender ATP](#step-6-grant-full-disk-access-to-microsoft-defender-atp)
-
-7. [Approve Kernel extension for Microsoft Defender ATP](#step-7-approve-kernel-extension-for-microsoft-defender-atp)
-
-8. [Approve System extensions for Microsoft Defender ATP](#step-8-approve-system-extensions-for-microsoft-defender-atp)
-
-9. [Configure Network Extension](#step-9-configure-network-extension)
-
-10. [Schedule scans with Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp)
-
-11. [Deploy Microsoft Defender ATP for macOS](#step-11-deploy-microsoft-defender-atp-for-macos)
-
-
-## Step 1: Get the Microsoft Defender ATP onboarding package
-
-1. In [Microsoft Defender Security Center](https://securitycenter.microsoft.com ), navigate to **Settings > Onboarding**.
-
-2. Select macOS as the operating system and Mobile Device Management / Microsoft Intune as the deployment method.
-
- 
-
-3. Select **Download onboarding package** (WindowsDefenderATPOnboardingPackage.zip).
-
-4. Extract `WindowsDefenderATPOnboardingPackage.zip`.
-
-5. Copy the file to your preferred location. For example, `C:\Users\JaneDoe_or_JohnDoe.contoso\Downloads\WindowsDefenderATPOnboardingPackage_macOS_MDM_contoso\jamf\WindowsDefenderATPOnboarding.plist`.
-
-
-## Step 2: Create a configuration profile in Jamf Pro using the onboarding package
-
-1. Locate the file `WindowsDefenderATPOnboarding.plist` from the previous section.
-
- 
-
-
-2. In the Jamf Pro dashboard, select **New**.
-
- 
-
-3. Enter the following details:
-
- **General**
- - Name: MDATP onboarding for macOS
- - Description: MDATP EDR onboarding for macOS
- - Category: None
- - Distribution Method: Install Automatically
- - Level: Computer Level
-
-4. In **Application & Custom Settings** select **Configure**.
-
- 
-
-5. Select **Upload File (PLIST file)** then in **Preference Domain** enter: `com.microsoft.wdav.atp`.
-
- 
-
- 
-
-7. Select **Open** and select the onboarding file.
-
- 
-
-8. Select **Upload**.
-
- 
-
-
-9. Select the **Scope** tab.
-
- 
-
-10. Select the target computers.
-
- 
-
- 
-
-11. Select **Save**.
-
- 
-
- 
-
-12. Select **Done**.
-
- 
-
- 
-
-## Step 3: Configure Microsoft Defender ATP settings
-
-1. Use the following Microsoft Defender ATP configuration settings:
-
- - enableRealTimeProtection
- - passiveMode
-
- >[!NOTE]
- >Not turned on by default, if you are planning to run a third-party AV for macOS, set it to `true`.
-
- - exclusions
- - excludedPath
- - excludedFileExtension
- - excludedFileName
- - exclusionsMergePolicy
- - allowedThreats
-
- >[!NOTE]
- >EICAR is on the sample, if you are going through a proof-of-concept, remove it especially if you are testing EICAR.
-
- - disallowedThreatActions
- - potentially_unwanted_application
- - archive_bomb
- - cloudService
- - automaticSampleSubmission
- - tags
- - hideStatusMenuIcon
-
- For information, see [Property list for Jamf configuration profile](mac-preferences.md#property-list-for-jamf-configuration-profile).
-
- ```XML
-
-
-
- >
-
-
-11. Select **Save**.
-
- 
-
-12. The file is uploaded.
-
- 
-
- 
-
-13. Select the **Scope** tab.
-
- 
-
-14. Select **Contoso's Machine Group**.
-
-15. Select **Add**, then select **Save**.
-
- 
-
- 
-
-16. Select **Done**. You'll see the new **Configuration profile**.
-
- 
-
-
-## Step 4: Configure notifications settings
-
-These steps are applicable of macOS 10.15 (Catalina) or newer.
-
-1. Download `notif.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/notif.mobileconfig)
-
-2. Save it as `MDATP_MDAV_notification_settings.plist`.
-
-3. In the Jamf Pro dashboard, select **General**.
-
-4. Enter the following details:
-
- **General**
-
- - Name: MDATP MDAV Notification settings
- - Description: macOS 10.15 (Catalina) or newer
- - Category: None (default)
- - Distribution Method: Install Automatically(default)
- - Level: Computer Level(default)
-
- 
-
-
-5. Select **Upload File (PLIST file)**.
-
- 
-
-
-6. Select **Choose File** > **MDATP_MDAV_Notification_Settings.plist**.
-
-
- 
-
-
- 
-
-7. Select **Open** > **Upload**.
-
- 
-
-
- 
-
-8. Select the **Scope** tab, then select **Add**.
-
- 
-
-
-9. Select **Contoso's Machine Group**.
-
-10. Select **Add**, then select **Save**.
-
- 
-
-
- 
-
-11. Select **Done**. You'll see the new **Configuration profile**.
- 
-
-## Step 5: Configure Microsoft AutoUpdate (MAU)
-
-1. Use the following Microsoft Defender ATP configuration settings:
-
- ```XML
-
-
-
Keep default values.
-
- **Limitations tab**
Keep default values.
-
- 
-
-9. Select **Save**. The package is uploaded to Jamf Pro.
-
- 
-
- It can take a few minutes for the package to be available for deployment.
-
- 
-
-10. Navigate to the **Policies** page.
-
- 
-
-11. Select **+ New** to create a new policy.
-
- 
-
-
-12. In **General** Enter the following details:
-
- - Display name: MDATP Onboarding Contoso 200329 v100.86.92 or later
-
- 
-
-13. Select **Recurring Check-in**.
-
- 
-
-
-14. Select **Save**.
-
-15. Select **Packages > Configure**.
-
- 
-
-16. Select the **Add** button next to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**.
-
- 
-
-17. Select **Save**.
-
- 
-
-18. Select the **Scope** tab.
-
- 
-
-19. Select the target computers.
-
- 
-
- **Scope**
-
- Select **Add**.
-
- 
-
- 
-
- **Self-Service**
-
- 
-
-20. Select **Done**.
-
- 
-
- 
-
-
-
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
deleted file mode 100644
index ec94cef29a..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md
+++ /dev/null
@@ -1,819 +0,0 @@
----
-title: Set preferences for Microsoft Defender ATP for Mac
-description: Configure Microsoft Defender ATP for Mac in enterprise organizations.
-keywords: microsoft, defender, atp, mac, management, preferences, enterprise, intune, jamf, macos, catalina, mojave, high sierra
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
----
-
-# Set preferences for Microsoft Defender ATP for Mac
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
-
->[!IMPORTANT]
->This article contains instructions for how to set preferences for Microsoft Defender ATP for Mac in enterprise organizations. To configure Microsoft Defender ATP for Mac using the command-line interface, see [Resources](mac-resources.md#configuring-from-the-command-line).
-
-## Summary
-
-In enterprise organizations, Microsoft Defender ATP for Mac can be managed through a configuration profile that is deployed by using one of several management tools. Preferences that are managed by your security operations team take precedence over preferences that are set locally on the device. Changing the preferences that are set through the configuration profile requires escalated privileges and is not available for users without administrative permissions.
-
-This article describes the structure of the configuration profile, includes a recommended profile that you can use to get started, and provides instructions on how to deploy the profile.
-
-## Configuration profile structure
-
-The configuration profile is a *.plist* file that consists of entries identified by a key (which denotes the name of the preference), followed by a value, which depends on the nature of the preference. Values can either be simple (such as a numerical value) or complex, such as a nested list of preferences.
-
->[!CAUTION]
->The layout of the configuration profile depends on the management console that you are using. The following sections contain examples of configuration profiles for JAMF and Intune.
-
-The top level of the configuration profile includes product-wide preferences and entries for subareas of Microsoft Defender ATP, which are explained in more detail in the next sections.
-
-### Antivirus engine preferences
-
-The *antivirusEngine* section of the configuration profile is used to manage the preferences of the antivirus component of Microsoft Defender ATP.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | antivirusEngine |
-| **Data type** | Dictionary (nested preference) |
-| **Comments** | See the following sections for a description of the dictionary contents. |
-
-#### Enable / disable real-time protection
-
-Specify whether to enable real-time protection, which scans files as they are accessed.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | enableRealTimeProtection |
-| **Data type** | Boolean |
-| **Possible values** | true (default)
false |
-
-#### Enable / disable passive mode
-
-Specify whether the antivirus engine runs in passive mode. Passive mode has the following implications:
-- Real-time protection is turned off
-- On-demand scanning is turned on
-- Automatic threat remediation is turned off
-- Security intelligence updates are turned on
-- Status menu icon is hidden
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | passiveMode |
-| **Data type** | Boolean |
-| **Possible values** | false (default)
true |
-| **Comments** | Available in Microsoft Defender ATP version 100.67.60 or higher. |
-
-#### Exclusion merge policy
-
-Specify the merge policy for exclusions. This can be a combination of administrator-defined and user-defined exclusions (`merge`) or only administrator-defined exclusions (`admin_only`). This setting can be used to restrict local users from defining their own exclusions.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | exclusionsMergePolicy |
-| **Data type** | String |
-| **Possible values** | merge (default)
admin_only |
-| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. |
-
-#### Scan exclusions
-
-Specify entities excluded from being scanned. Exclusions can be specified by full paths, extensions, or file names.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | exclusions |
-| **Data type** | Dictionary (nested preference) |
-| **Comments** | See the following sections for a description of the dictionary contents. |
-
-##### Type of exclusion
-
-Specify content excluded from being scanned by type.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | $type |
-| **Data type** | String |
-| **Possible values** | excludedPath
excludedFileExtension
excludedFileName |
-
-##### Path to excluded content
-
-Specify content excluded from being scanned by full file path.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | path |
-| **Data type** | String |
-| **Possible values** | valid paths |
-| **Comments** | Applicable only if *$type* is *excludedPath* |
-
-##### Path type (file / directory)
-
-Indicate if the *path* property refers to a file or directory.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | isDirectory |
-| **Data type** | Boolean |
-| **Possible values** | false (default)
true |
-| **Comments** | Applicable only if *$type* is *excludedPath* |
-
-##### File extension excluded from the scan
-
-Specify content excluded from being scanned by file extension.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | extension |
-| **Data type** | String |
-| **Possible values** | valid file extensions |
-| **Comments** | Applicable only if *$type* is *excludedFileExtension* |
-
-##### Process excluded from the scan
-
-Specify a process for which all file activity is excluded from scanning. The process can be specified either by its name (e.g. `cat`) or full path (e.g. `/bin/cat`).
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | name |
-| **Data type** | String |
-| **Possible values** | any string |
-| **Comments** | Applicable only if *$type* is *excludedFileName* |
-
-#### Allowed threats
-
-Specify threats by name that are not blocked by Microsoft Defender ATP for Mac. These threats will be allowed to run.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | allowedThreats |
-| **Data type** | Array of strings |
-
-#### Disallowed threat actions
-
-Restricts the actions that the local user of a device can take when threats are detected. The actions included in this list are not displayed in the user interface.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | disallowedThreatActions |
-| **Data type** | Array of strings |
-| **Possible values** | allow (restricts users from allowing threats)
restore (restricts users from restoring threats from the quarantine) |
-| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. |
-
-#### Threat type settings
-
-Specify how certain threat types are handled by Microsoft Defender ATP for Mac.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | threatTypeSettings |
-| **Data type** | Dictionary (nested preference) |
-| **Comments** | See the following sections for a description of the dictionary contents. |
-
-##### Threat type
-
-Specify threat types.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | key |
-| **Data type** | String |
-| **Possible values** | potentially_unwanted_application
archive_bomb |
-
-##### Action to take
-
-Specify what action to take when a threat of the type specified in the preceding section is detected. Choose from the following options:
-
-- **Audit**: your device is not protected against this type of threat, but an entry about the threat is logged.
-- **Block**: your device is protected against this type of threat and you are notified in the user interface and the security console.
-- **Off**: your device is not protected against this type of threat and nothing is logged.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | value |
-| **Data type** | String |
-| **Possible values** | audit (default)
block
off |
-
-#### Threat type settings merge policy
-
-Specify the merge policy for threat type settings. This can be a combination of administrator-defined and user-defined settings (`merge`) or only administrator-defined settings (`admin_only`). This setting can be used to restrict local users from defining their own settings for different threat types.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | threatTypeSettingsMergePolicy |
-| **Data type** | String |
-| **Possible values** | merge (default)
admin_only |
-| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. |
-
-#### Antivirus scan history retention (in days)
-
-Specify the number of days that results are retained in the scan history on the device. Old scan results are removed from the history. Old quarantined files that are also removed from the disk.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | scanResultsRetentionDays |
-| **Data type** | String |
-| **Possible values** | 90 (default). Allowed values are from 1 day to 180 days. |
-| **Comments** | Available in Microsoft Defender ATP version 101.07.23 or higher. |
-
-#### Maximum number of items in the antivirus scan history
-
-Specify the maximum number of entries to keep in the scan history. Entries include all on-demand scans performed in the past and all antivirus detections.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | scanHistoryMaximumItems |
-| **Data type** | String |
-| **Possible values** | 10000 (default). Allowed values are from 5000 items to 15000 items. |
-| **Comments** | Available in Microsoft Defender ATP version 101.07.23 or higher. |
-
-### Cloud-delivered protection preferences
-
-Configure the cloud-driven protection features of Microsoft Defender ATP for Mac.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | cloudService |
-| **Data type** | Dictionary (nested preference) |
-| **Comments** | See the following sections for a description of the dictionary contents. |
-
-#### Enable / disable cloud-delivered protection
-
-Specify whether to enable cloud-delivered protection the device or not. To improve the security of your services, we recommend keeping this feature turned on.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | enabled |
-| **Data type** | Boolean |
-| **Possible values** | true (default)
false |
-
-#### Diagnostic collection level
-
-Diagnostic data is used to keep Microsoft Defender ATP secure and up-to-date, detect, diagnose and fix problems, and also make product improvements. This setting determines the level of diagnostics sent by Microsoft Defender ATP to Microsoft.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | diagnosticLevel |
-| **Data type** | String |
-| **Possible values** | optional (default)
required |
-
-#### Enable / disable automatic sample submissions
-
-Determines whether suspicious samples (that are likely to contain threats) are sent to Microsoft. You are prompted if the submitted file is likely to contain personal information.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | automaticSampleSubmission |
-| **Data type** | Boolean |
-| **Possible values** | true (default)
false |
-
-#### Enable / disable automatic security intelligence updates
-
-Determines whether security intelligence updates are installed automatically:
-
-|||
-|:---|:---|
-| **Key** | automaticDefinitionUpdateEnabled |
-| **Data type** | Boolean |
-| **Possible values** | true (default)
false |
-
-### User interface preferences
-
-Manage the preferences for the user interface of Microsoft Defender ATP for Mac.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | userInterface |
-| **Data type** | Dictionary (nested preference) |
-| **Comments** | See the following sections for a description of the dictionary contents. |
-
-#### Show / hide status menu icon
-
-Specify whether to show or hide the status menu icon in the top-right corner of the screen.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | hideStatusMenuIcon |
-| **Data type** | Boolean |
-| **Possible values** | false (default)
true |
-
-### Endpoint detection and response preferences
-
-Manage the preferences of the endpoint detection and response (EDR) component of Microsoft Defender ATP for Mac.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | edr |
-| **Data type** | Dictionary (nested preference) |
-| **Comments** | See the following sections for a description of the dictionary contents. |
-
-#### Device tags
-
-Specify a tag name and its value.
-
-- The GROUP tag, tags the device with the specified value. The tag is reflected in the portal under the device page and can be used for filtering and grouping devices.
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | tags |
-| **Data type** | Dictionary (nested preference) |
-| **Comments** | See the following sections for a description of the dictionary contents. |
-
-##### Type of tag
-
-Specifies the type of tag
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | key |
-| **Data type** | String |
-| **Possible values** | `GROUP` |
-
-##### Value of tag
-
-Specifies the value of tag
-
-|||
-|:---|:---|
-| **Domain** | `com.microsoft.wdav` |
-| **Key** | value |
-| **Data type** | String |
-| **Possible values** | any string |
-
-> [!IMPORTANT]
-> - Only one value per tag type can be set.
-> - Type of tags are unique, and should not be repeated in the same configuration profile.
-
-## Recommended configuration profile
-
-To get started, we recommend the following configuration for your enterprise to take advantage of all protection features that Microsoft Defender ATP provides.
-
-The following configuration profile (or, in case of JAMF, a property list that could be uploaded into the custom settings configuration profile) will:
-- Enable real-time protection (RTP)
-- Specify how the following threat types are handled:
- - **Potentially unwanted applications (PUA)** are blocked
- - **Archive bombs** (file with a high compression rate) are audited to Microsoft Defender ATP logs
-- Enable automatic security intelligence updates
-- Enable cloud-delivered protection
-- Enable automatic sample submission
-
-### Property list for JAMF configuration profile
-
-```XML
-
-
-
External
Production |
-
->[!WARNING]
->This setting changes the channel for all applications that are updated through Microsoft AutoUpdate. To change the channel only for Microsoft Defender ATP for Mac, execute the following command after replacing `[channel-name]` with the desired channel:
-> ```bash
-> defaults write com.microsoft.autoupdate2 Applications -dict-add "/Applications/Microsoft Defender ATP.app" " { 'Application ID' = 'WDAV00' ; 'App Domain' = 'com.microsoft.wdav' ; LCID = 1033 ; ChannelName = '[channel-name]' ; }"
-> ```
-
-### Set update check frequency
-
-Change how often MAU searches for updates.
-
-|||
-|:---|:---|
-| **Domain** | com.microsoft.autoupdate2 |
-| **Key** | UpdateCheckFrequency |
-| **Data type** | Integer |
-| **Default value** | 720 (minutes) |
-| **Comment** | This value is set in minutes. |
-
-### Change how MAU interacts with updates
-
-Change how MAU searches for updates.
-
-|||
-|:---|:---|
-| **Domain** | com.microsoft.autoupdate2 |
-| **Key** | HowToCheck |
-| **Data type** | String |
-| **Possible values** | Manual
AutomaticCheck
AutomaticDownload |
-| **Comment** | Note that AutomaticDownload will do a download and install silently if possible. |
-
-### Change whether the "Check for Updates" button is enabled
-
-Change whether local users will be able to click the "Check for Updates" option in the Microsoft AutoUpdate user interface.
-
-|||
-|:---|:---|
-| **Domain** | com.microsoft.autoupdate2 |
-| **Key** | EnableCheckForUpdatesButton |
-| **Data type** | Boolean |
-| **Possible values** | True (default)
False |
-
-### Disable Insider checkbox
-
-Set to true to make the "Join the Office Insider Program..." checkbox unavailable / greyed out to users.
-
-|||
-|:---|:---|
-| **Domain** | com.microsoft.autoupdate2 |
-| **Key** | DisableInsiderCheckbox |
-| **Data type** | Boolean |
-| **Possible values** | False (default)
True |
-
-### Limit the telemetry that is sent from MAU
-
-Set to false to send minimal heartbeat data, no application usage, and no environment details.
-
-|||
-|:---|:---|
-| **Domain** | com.microsoft.autoupdate2 |
-| **Key** | SendAllTelemetryEnabled |
-| **Data type** | Boolean |
-| **Possible values** | True (default)
False |
-
-## Example configuration profile
-
-The following configuration profile is used to:
-- Place the device in the Insider Fast channel
-- Automatically download and install updates
-- Enable the "Check for updates" button in the user interface
-- Allow users on the device to enroll into the Insider channels
-
-### JAMF
-
-```XML
-
-
-
-> Even though Microsoft Defender ATP for Mac new implementation based on system extensions is only applicable to devices running macOS version 10.15.4 or later, deploying configuration proactively across the entire macOS fleet will ensure that even down-level devices are prepared for the day when Apple releases macOS 11 Big Sur and will ensure that Microsoft Defender ATP for Mac continues protecting all macOS devices regardless OS version they were running prior to the Big Sur upgrade.
->
-> 2. Refer to this documentation for detailed configuration information and instructions: [New configuration profiles for macOS Catalina and newer versions of macOS](mac-sysext-policies.md).
-> 3. Monitor this page for an announcement of the actual release of MDATP for Mac agent update.
-
-## 101.09.49
-
-- User interface improvements to differentiate exclusions that are managed by the IT administrator versus exclusions defined by the local user
-- Improved CPU utilization during on-demand scans
-- Performance improvements & bug fixes
-
-## 101.07.23
-
-- Added new fields to the output of `mdatp --health` for checking the status of passive mode and the EDR group ID
-
- > [!NOTE]
- > `mdatp --health` will be replaced with `mdatp health` in a future product update.
-
-- Fixed a bug where automatic sample submission was not marked as managed in the user interface
-- Added new settings for controlling the retention of items in the antivirus scan history. You can now [specify the number of days to retain items in the scan history](mac-preferences.md#antivirus-scan-history-retention-in-days) and [specify the maximum number of items in the scan history](mac-preferences.md#maximum-number-of-items-in-the-antivirus-scan-history)
-- Bug fixes
-
-## 101.06.63
-
-- Addressed a performance regression introduced in version `101.05.17`. The regression was introduced with the fix to eliminate the kernel panics some customers have observed when accessing SMB shares. We have reverted this code change and are investigating alternative ways to eliminate the kernel panics.
-
-## 101.05.17
-
-> [!IMPORTANT]
-> We are working on a new and enhanced syntax for the `mdatp` command-line tool. The new syntax is currently the default in the Insider Fast and Insider Slow update channels. We encourage you to famliliarize yourself with this new syntax.
->
-> We will continue supporting the old syntax in parallel with the new syntax and will provide more communication around the deprecation plan for the old syntax in the upcoming months.
-
-- Addressed a kernel panic that occurred sometimes when accessing SMB file shares
-- Performance improvements & bug fixes
-
-## 101.05.16
-
-- Improvements to quick scan logic to significantly reduce the number of scanned files
-- Added [autocompletion support](mac-resources.md#how-to-enable-autocompletion) for the command-line tool
-- Bug fixes
-
-## 101.03.12
-
-- Performance improvements & bug fixes
-
-## 101.01.54
-
-- Improvements around compatibility with Time Machine
-- Accessibility improvements
-- Performance improvements & bug fixes
-
-## 101.00.31
-
-- Improved [product onboarding experience for Intune users](https://docs.microsoft.com/mem/intune/apps/apps-advanced-threat-protection-macos)
-- Antivirus [exclusions now support wildcards](mac-exclusions.md#supported-exclusion-types)
-- Added the ability to trigger antivirus scans from the macOS contextual menu. You can now right-click a file or a folder in Finder and select **Scan with Microsoft Defender ATP**
-- In-place product downgrades are now explicitly disallowed by the installer. If you need to downgrade, first uninstall the existing version and reconfigure your device
-- Other performance improvements & bug fixes
-
-## 100.90.27
-
-- You can now [set an update channel](mac-updates.md#set-the-channel-name) for Microsoft Defender ATP for Mac that is different from the system-wide update channel
-- New product icon
-- Other user experience improvements
-- Bug fixes
-
-## 100.86.92
-
-- Improvements around compatibility with Time Machine
-- Addressed an issue where the product was sometimes not cleaning all files under `/Library/Application Support/Microsoft/Defender` during uninstallation
-- Reduced the CPU utilization of the product when Microsoft products are updated through Microsoft AutoUpdate
-- Other performance improvements & bug fixes
-
-## 100.86.91
-
-> [!CAUTION]
-> To ensure the most complete protection for your macOS devices and in alignment with Apple stopping delivery of macOS native security updates to OS versions older than [current – 2], MDATP for Mac deployment and updates will no longer be supported on macOS Sierra [10.12]. MDATP for Mac updates and enhancements will be delivered to devices running versions Catalina [10.15], Mojave [10.14], and High Sierra [10.13].
->
-> If you already have MDATP for Mac deployed to your Sierra [10.12] devices, please upgrade to the latest macOS version to eliminate risks of losing protection.
-
-- Performance improvements & bug fixes
-
-## 100.83.73
-
-- Added more controls for IT administrators around [management of exclusions](mac-preferences.md#exclusion-merge-policy), [management of threat type settings](mac-preferences.md#threat-type-settings-merge-policy), and [disallowed threat actions](mac-preferences.md#disallowed-threat-actions)
-- When Full Disk Access is not enabled on the device, a warning is now displayed in the status menu
-- Performance improvements & bug fixes
-
-## 100.82.60
-
-- Addressed an issue where the product fails to start following a definition update.
-
-## 100.80.42
-
-- Bug fixes
-
-## 100.79.42
-
-- Fixed an issue where Microsoft Defender ATP for Mac was sometimes interfering with Time Machine
-- Added a new switch to the command-line utility for testing the connectivity with the backend service
- ```bash
- mdatp --connectivity-test
- ```
-- Added ability to view the full threat history in the user interface (can be accessed from the **Protection history** view)
-- Performance improvements & bug fixes
-
-## 100.72.15
-
-- Bug fixes
-
-## 100.70.99
-
-- Addressed an issue that impacts the ability of some users to upgrade to macOS Catalina when real-time protection is enabled. This sporadic issue was caused by Microsoft Defender ATP locking files within Catalina upgrade package while scanning them for threats, which led to failures in the upgrade sequence.
-
-## 100.68.99
-
-- Added the ability to configure the antivirus functionality to run in [passive mode](mac-preferences.md#enable--disable-passive-mode)
-- Performance improvements & bug fixes
-
-## 100.65.28
-
-- Added support for macOS Catalina
-
- > [!CAUTION]
- > macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device.
- >
- > The mechanism for granting this consent depends on how you deployed Microsoft Defender ATP:
- >
- > - For manual deployments, see the updated instructions in the [Manual deployment](mac-install-manually.md#how-to-allow-full-disk-access) topic.
- > - For managed deployments, see the updated instructions in the [JAMF-based deployment](mac-install-with-jamf.md) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) topics.
-
-- Performance improvements & bug fixes
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md b/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md
deleted file mode 100644
index 678340162e..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md
+++ /dev/null
@@ -1,91 +0,0 @@
----
-title: Create and manage device groups in Microsoft Defender ATP
-description: Create device groups and set automated remediation levels on them by confiring the rules that apply on the group
-keywords: device groups, groups, remediation, level, rules, aad group, role, assign, rank
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Create and manage device groups
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- Azure Active Directory
-- Office 365
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-In an enterprise scenario, security operation teams are typically assigned a set of devices. These devices are grouped together based on a set of attributes such as their domains, computer names, or designated tags.
-
-In Microsoft Defender ATP, you can create device groups and use them to:
-- Limit access to related alerts and data to specific Azure AD user groups with [assigned RBAC roles](rbac.md)
-- Configure different auto-remediation settings for different sets of devices
-- Assign specific remediation levels to apply during automated investigations
-- In an investigation, filter the **Devices list** to just specific device groups by using the **Group** filter.
-
-You can create device groups in the context of role-based access (RBAC) to control who can take specific action or see information by assigning the device group(s) to a user group. For more information, see [Manage portal access using role-based access control](rbac.md).
-
->[!TIP]
-> For a comprehensive look into RBAC application, read: [Is your SOC running flat with RBAC](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Is-your-SOC-running-flat-with-limited-RBAC/ba-p/320015).
-
-As part of the process of creating a device group, you'll:
-- Set the automated remediation level for that group. For more information on remediation levels, see [Use Automated investigation to investigate and remediate threats](automated-investigations.md).
-- Specify the matching rule that determines which device group belongs to the group based on the device name, domain, tags, and OS platform. If a device is also matched to other groups, it is added only to the highest ranked device group.
-- Select the Azure AD user group that should have access to the device group.
-- Rank the device group relative to other groups after it is created.
-
->[!NOTE]
->A device group is accessible to all users if you don’t assign any Azure AD groups to it.
-
-## Create a device group
-
-1. In the navigation pane, select **Settings** > **Device groups**.
-
-2. Click **Add device group**.
-
-3. Enter the group name and automation settings and specify the matching rule that determines which devices belong to the group. See [How the automated investigation starts](automated-investigations.md#how-the-automated-investigation-starts).
-
- >[!TIP]
- >If you want to group devices by organizational unit, you can configure the registry key for the group affiliation. For more information on device tagging, see [Create and manage device tags](machine-tags.md).
-
-4. Preview several devices that will be matched by this rule. If you are satisfied with the rule, click the **User access** tab.
-
-5. Assign the user groups that can access the device group you created.
-
- >[!NOTE]
- >You can only grant access to Azure AD user groups that have been assigned to RBAC roles.
-
-6. Click **Close**. The configuration changes are applied.
-
-## Manage device groups
-
-You can promote or demote the rank of a device group so that it is given higher or lower priority during matching. When a device is matched to more than one group, it is added only to the highest ranked group. You can also edit and delete groups.
-
->[!WARNING]
->Deleting a device group may affect email notification rules. If a device group is configured under an email notification rule, it will be removed from that rule. If the device group is the only group configured for an email notification, that email notification rule will be deleted along with the device group.
-
-By default, device groups are accessible to all users with portal access. You can change the default behavior by assigning Azure AD user groups to the device group.
-
-Devices that are not matched to any groups are added to Ungrouped devices (default) group. You cannot change the rank of this group or delete it. However, you can change the remediation level of this group, and define the Azure AD user groups that can access this group.
-
->[!NOTE]
-> Applying changes to device group configuration may take up to several minutes.
-
-## Related topics
-
-- [Manage portal access using role-based based access control](rbac.md)
-- [Create and manage device tags](machine-tags.md)
-- [Get list of tenant device groups using Graph API](get-machinegroups-collection.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md b/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md
deleted file mode 100644
index 3349058516..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md
+++ /dev/null
@@ -1,92 +0,0 @@
----
-title: Device health and compliance report in Microsoft Defender ATP
-description: Track device health state detections, antivirus status, OS platform, and Windows 10 versions using the device health and compliance report
-keywords: health state, antivirus, os platform, windows 10 version, version, health, compliance, state
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Device health and compliance report in Microsoft Defender ATP
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-The devices status report provides high-level information about the devices in your organization. The report includes trending information showing the sensor health state, antivirus status, OS platforms, and Windows 10 versions.
-
-The dashboard is structured into two sections:
- 
-
-Section | Description
-:---|:---
-1 | Device trends
-2 | Device summary (current day)
-
-
-## Device trends
-By default, the device trends displays device information from the 30-day period ending in the latest full day. To gain better perspective on trends occurring in your organization, you can fine-tune the reporting period by adjusting the time period shown. To adjust the time period, select a time range from the drop-down options:
-
-- 30 days
-- 3 months
-- 6 months
-- Custom
-
->[!NOTE]
->These filters are only applied on the device trends section. It doesn't affect the device summary section.
-
-## Device summary
-While the devices trends shows trending device information, the device summary shows device information scoped to the current day.
-
->[!NOTE]
->The data reflected in the summary section is scoped to 180 days prior to the current date. For example if today's date is March 27, 2019, the data on the summary section will reflect numbers starting from September 28, 2018 to March 27, 2019.
-> The filter applied on the trends section is not applied on the summary section.
-
-The device trends section allows you to drill down to the devices list with the corresponding filter applied to it. For example, clicking on the Inactive bar in the Sensor health state card will bring you the devices list with results showing only devices whose sensor status is inactive.
-
-
-
-## Device attributes
-The report is made up of cards that display the following device attributes:
-
-- **Health state**: shows information about the sensor state on devices, providing an aggregated view of devices that are active, experiencing impaired communications, inactive, or where no sensor data is seen.
-
-- **Antivirus status for active Windows 10 devices**: shows the number of devices and status of Microsoft Defender Antivirus.
-
-- **OS platforms**: shows the distribution of OS platforms that exists within your organization.
-
-- **Windows 10 versions**: shows the distribution of Windows 10 devices and their versions in your organization.
-
-
-
-## Filter data
-
-Use the provided filters to include or exclude devices with certain attributes.
-
-You can select multiple filters to apply from the device attributes.
-
->[!NOTE]
->These filters apply to **all** the cards in the report.
-
-For example, to show data about Windows 10 devices with Active sensor health state:
-
-1. Under **Filters > Sensor health state > Active**.
-2. Then select **OS platforms > Windows 10**.
-3. Select **Apply**.
-
-
-## Related topic
-- [Threat protection report](threat-protection-reports.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md
deleted file mode 100644
index 73940895f1..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md
+++ /dev/null
@@ -1,91 +0,0 @@
----
-title: Create and manage device tags
-description: Use device tags to group devices to capture context and enable dynamic list creation as part of an incident
-keywords: tags, device tags, device groups, groups, remediation, level, rules, aad group, role, assign, rank
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Create and manage device tags
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-Add tags on devices to create a logical group affiliation. Device tags support proper mapping of the network, enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident. Tags can be used as a filter in **Devices list** view, or to group devices. For more information on device grouping, see [Create and manage device groups](machine-groups.md).
-
-You can add tags on devices using the following ways:
-
-- Using the portal
-- Setting a registry key value
-
-> [!NOTE]
-> There may be some latency between the time a tag is added to a device and its availability in the devices list and device page.
-
-To add device tags using API, see [Add or remove device tags API](add-or-remove-machine-tags.md).
-
-## Add and manage device tags using the portal
-
-1. Select the device that you want to manage tags on. You can select or search for a device from any of the following views:
-
- - **Security operations dashboard** - Select the device name from the Top devices with active alerts section.
- - **Alerts queue** - Select the device name beside the device icon from the alerts queue.
- - **Devices list** - Select the device name from the list of devices.
- - **Search box** - Select Device from the drop-down menu and enter the device name.
-
- You can also get to the alert page through the file and IP views.
-
-2. Select **Manage Tags** from the row of Response actions.
-
- 
-
-3. Type to find or create tags
-
- 
-
-Tags are added to the device view and will also be reflected on the **Devices list** view. You can then use the **Tags** filter to see the relevant list of devices.
-
->[!NOTE]
-> Filtering might not work on tag names that contain parenthesis.
-
-You can also delete tags from this view.
-
-
-
-## Add device tags by setting a registry key value
-
->[!NOTE]
-> Applicable only on the following devices:
->- Windows 10, version 1709 or later
->- Windows Server, version 1803 or later
->- Windows Server 2016
->- Windows Server 2012 R2
->- Windows Server 2008 R2 SP1
->- Windows 8.1
->- Windows 7 SP1
-
-> [!NOTE]
-> The maximum number of characters that can be set in a tag is 200.
-
-Devices with similar tags can be handy when you need to apply contextual action on a specific list of devices.
-
-Use the following registry key entry to add a tag on a device:
-
-- Registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\`
-- Registry key value (REG_SZ): `Group`
-- Registry key data: `Name of the tag you want to set`
-
->[!NOTE]
->The device tag is part of the device information report that's generated once a day. As an alternative, you may choose to restart the endpoint that would transfer a new device information report.
->
-> If you need to remove a tag that was added using the above Registry key, clear the contents of the Registry key data instead of removing the 'Group' key.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md
deleted file mode 100644
index e2bb55c2a6..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/machine.md
+++ /dev/null
@@ -1,68 +0,0 @@
----
-title: Machine resource type
-description: Learn about the methods and properties of the Machine resource type in Microsoft Defender Advanced Threat Protection.
-keywords: apis, supported apis, get, machines
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Machine resource type
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-## Methods
-
-Method|Return Type |Description
-:---|:---|:---
-[List machines](get-machines.md) | [machine](machine.md) collection | List set of [machine](machine.md) entities in the org.
-[Get machine](get-machine-by-id.md) | [machine](machine.md) | Get a [machine](machine.md) by its identity.
-[Get logged on users](get-machine-log-on-users.md) | [user](user.md) collection | Get the set of [User](user.md) that logged on to the [machine](machine.md).
-[Get related alerts](get-machine-related-alerts.md) | [alert](alerts.md) collection | Get the set of [alert](alerts.md) entities that were raised on the [machine](machine.md).
-[Get installed software](get-installed-software.md) | [software](software.md) collection | Retrieves a collection of installed software related to a given machine ID.
-[Get discovered vulnerabilities](get-discovered-vulnerabilities.md) | [vulnerability](vulnerability.md) collection | Retrieves a collection of discovered vulnerabilities related to a given machine ID.
-[Get security recommendations](get-security-recommendations.md) | [recommendation](recommendation.md) collection | Retrieves a collection of security recommendations related to a given machine ID.
-[Add or Remove machine tags](add-or-remove-machine-tags.md) | [machine](machine.md) | Add or Remove tag to a specific machine.
-[Find machines by IP](find-machines-by-ip.md) | [machine](machine.md) collection | Find machines seen with IP.
-[Get missing KBs](get-missing-kbs-machine.md) | KB collection | Get a list of missing KBs associated with the machine ID
-[Set device value](set-device-value.md)| [machine](machine.md) collection | Set the value of a device, See [threat and vulnerability management scenarios](threat-and-vuln-mgt-scenarios.md).
-
-## Properties
-
-Property | Type | Description
-:---|:---|:---
-id | String | [machine](machine.md) identity.
-computerDnsName | String | [machine](machine.md) fully qualified name.
-firstSeen | DateTimeOffset | First date and time where the [machine](machine.md) was observed by Microsoft Defender ATP.
-lastSeen | DateTimeOffset | Last date and time where the [machine](machine.md) was observed by Microsoft Defender ATP.
-osPlatform | String | Operating system platform.
-version | String | Operating system Version.
-osBuild | Nullable long | Operating system build number.
-lastIpAddress | String | Last IP on local NIC on the [machine](machine.md).
-lastExternalIpAddress | String | Last IP through which the [machine](machine.md) accessed the internet.
-healthStatus | Enum | [machine](machine.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData" and "NoSensorDataImpairedCommunication"
-rbacGroupName | String | Machine group Name.
-rbacGroupId | Int | Machine group unique ID.
-riskScore | Nullable Enum | Risk score as evaluated by Microsoft Defender ATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.
-exposureScore | Nullable Enum | [Exposure score](tvm-exposure-score.md) as evaluated by Microsoft Defender ATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.
-aadDeviceId | Nullable representation Guid | AAD Device ID (when [machine](machine.md) is Aad Joined).
-machineTags | String collection | Set of [machine](machine.md) tags.
-exposureLevel | Nullable Enum | Exposure level as evaluated by Microsoft Defender ATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.
-deviceValue | Nullable Enum | The value of the device, See [threat and vulnerability management scenarios](threat-and-vuln-mgt-scenarios.md). Possible values are: 'Normal', 'Low' and 'High'.
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machineaction.md b/windows/security/threat-protection/microsoft-defender-atp/machineaction.md
deleted file mode 100644
index 683d807480..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/machineaction.md
+++ /dev/null
@@ -1,79 +0,0 @@
----
-title: machineAction resource type
-description: Learn about the methods and properties of the MachineAction resource type in Microsoft Defender Advanced Threat Protection.
-keywords: apis, supported apis, get, machineaction, recent
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# MachineAction resource type
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-- See [Response Actions](respond-machine-alerts.md) for more information
-
-| Method | Return Type | Description |
-|:------------------------------------------------------------------|:-----------------------------------|:------------------------------------------------------------|
-| [List MachineActions](get-machineactions-collection.md) | [Machine Action](machineaction.md) | List [Machine Action](machineaction.md) entities. |
-| [Get MachineAction](get-machineaction-object.md) | [Machine Action](machineaction.md) | Get a single [Machine Action](machineaction.md) entity. |
-| [Collect investigation package](collect-investigation-package.md) | [Machine Action](machineaction.md) | Collect investigation package from a [machine](machine.md). |
-| [Get investigation package SAS URI](get-package-sas-uri.md) | [Machine Action](machineaction.md) | Get URI for downloading the investigation package. |
-| [Isolate machine](isolate-machine.md) | [Machine Action](machineaction.md) | Isolate [machine](machine.md) from network. |
-| [Release machine from isolation](unisolate-machine.md) | [Machine Action](machineaction.md) | Release [machine](machine.md) from Isolation. |
-| [Restrict app execution](restrict-code-execution.md) | [Machine Action](machineaction.md) | Restrict application execution. |
-| [Remove app restriction](unrestrict-code-execution.md) | [Machine Action](machineaction.md) | Remove application execution restriction. |
-| [Run antivirus scan](run-av-scan.md) | [Machine Action](machineaction.md) | Run an AV scan using Windows Defender (when applicable). |
-| [Offboard machine](offboard-machine-api.md) | [Machine Action](machineaction.md) | Offboard [machine](machine.md) from Microsoft Defender ATP. |
-| [Stop and quarantine file](stop-and-quarantine-file.md) | [Machine Action](machineaction.md) | Stop execution of a file on a machine and delete it. |
-
-
-
-## Properties
-
-| Property | Type | Description |
-|:--------------------|:---------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| id | Guid | Identity of the [Machine Action](machineaction.md) entity. |
-| type | Enum | Type of the action. Possible values are: "RunAntiVirusScan", "Offboard", "CollectInvestigationPackage", "Isolate", "Unisolate", "StopAndQuarantineFile", "RestrictCodeExecution" and "UnrestrictCodeExecution" |
-| scope | string | Scope of the action. "Full" or "Selective" in case of Isolation, "Quick" or "Full" in case of Anti-Virus scan. |
-| requestor | String | Identity of the person that executed the action. |
-| requestorComment | String | Comment that was written when issuing the action. |
-| status | Enum | Current status of the command. Possible values are: "Pending", "InProgress", "Succeeded", "Failed", "TimeOut" and "Cancelled". |
-| machineId | String | Id of the [machine](machine.md) on which the action was executed. |
-| machineId | String | Name of the [machine](machine.md) on which the action was executed. |
-| creationDateTimeUtc | DateTimeOffset | The date and time when the action was created. |
-| lastUpdateTimeUtc | DateTimeOffset | The last date and time when the action status was updated. |
-| relatedFileInfo | Class | Contains two Properties. string ```fileIdentifier```, Enum ```fileIdentifierType``` with the possible values: "Sha1" ,"Sha256" and "Md5". |
-
-
-## Json representation
-
-```json
-{
- "id": "5382f7ea-7557-4ab7-9782-d50480024a4e",
- "type": "Isolate",
- "scope": "Selective",
- "requestor": "Analyst@TestPrd.onmicrosoft.com",
- "requestorComment": "test for docs",
- "status": "Succeeded",
- "machineId": "7b1f4967d9728e5aa3c06a9e617a22a4a5a17378",
- "computerDnsName": "desktop-test",
- "creationDateTimeUtc": "2019-01-02T14:39:38.2262283Z",
- "lastUpdateDateTimeUtc": "2019-01-02T14:40:44.6596267Z",
- "relatedFileInfo": null
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md
deleted file mode 100644
index ff9c54a53f..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md
+++ /dev/null
@@ -1,109 +0,0 @@
----
-title: View and organize the Microsoft Defender ATP devices list
-description: Learn about the available features that you can use from the Devices list such as sorting, filtering, and exporting the list to enhance investigations.
-keywords: sort, filter, export, csv, device name, domain, last seen, internal IP, health state, active alerts, active malware detections, threat category, review alerts, network, connection, malware, type, password stealer, ransomware, exploit, threat, general malware, unwanted software
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# View and organize the Microsoft Defender ATP Devices list
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-machinesview-abovefoldlink)
-
-The **Devices list** shows a list of the devices in your network where alerts were generated. By default, the queue displays devices with alerts seen in the last 30 days.
-
-At a glance you'll see information such as domain, risk level, OS platform, and other details for easy identification of devices most at risk.
-
-There are several options you can choose from to customize the devices list view. On the top navigation you can:
-
-- Add or remove columns
-- Export the entire list in CSV format
-- Select the number of items to show per page
-- Apply filters
-
-During the onboarding process, the **Devices list** is gradually populated with devices as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online, or download the complete endpoint list as a CSV file for offline analysis.
-
->[!NOTE]
-> If you export the device list, it will contain every device in your organization. It might take a significant amount of time to download, depending on how large your organization is. Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all devices in the organization, regardless of any filtering applied in the view itself.
-
-
-
-## Sort and filter the device list
-
-You can apply the following filters to limit the list of alerts and get a more focused view.
-
-### Risk level
-
-The risk level reflects the overall risk assessment of the device based on a combination of factors, including the types and severity of active alerts on the device. Resolving active alerts, approving remediation activities, and suppressing subsequent alerts can lower the risk level.
-
-### Exposure level
-
-The exposure level reflects the current exposure of the device based on the cumulative impact of its pending security recommendations. The possible levels are low, medium, and high. Low exposure means your devices are less vulnerable from exploitation.
-
-If the exposure level says "No data available," there are a few reasons why this may be the case:
-
-- Device stopped reporting for more than 30 days – in that case it is considered inactive, and the exposure isn't computed
-- Device OS not supported - see [minimum requirements for Microsoft Defender ATP](minimum-requirements.md)
-- Device with stale agent (very unlikely)
-
-### OS Platform
-
-Select only the OS platforms you're interested in investigating.
-
-### Health state
-
-Filter by the following device health states:
-
-- **Active** – Devices that are actively reporting sensor data to the service.
-- **Inactive** – Devices that have completely stopped sending signals for more than 7 days.
-- **Misconfigured** – Devices that have impaired communications with service or are unable to send sensor data. Misconfigured devices can further be classified to:
- - No sensor data
- - Impaired communications
-
- For more information on how to address issues on misconfigured devices see, [Fix unhealthy sensors](fix-unhealthy-sensors.md).
-
-### Antivirus status
-
-Filter devices by antivirus status. Applies to active Windows 10 devices only.
-
-- **Disabled** - Virus & threat protection is turned off.
-- **Not reporting** - Virus & threat protection is not reporting.
-- **Not updated** - Virus & threat protection is not up to date.
-
-For more information, see [View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md).
-
-### Threat mitigation status
-
-To view devices that may be affected by a certain threat, select the threat from the dropdown menu, and then select what vulnerability aspect needs to be mitigated.
-
-To learn more about certain threats, see [Threat analytics](threat-analytics.md). For mitigation information, see [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md).
-
-### Windows 10 version
-
-Select only the Windows 10 versions you're interested in investigating.
-
-### Tags & Groups
-
-Filter the list based on the grouping and tagging that you've added to individual devices. See [Create and manage device tags](machine-tags.md) and [Create and manage device groups](machine-groups.md).
-
-## Related topics
-
-- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md
deleted file mode 100644
index c4d934024e..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md
+++ /dev/null
@@ -1,129 +0,0 @@
----
-title: Manage Microsoft Defender Advanced Threat Protection alerts
-description: Change the status of alerts, create suppression rules to hide alerts, submit comments, and review change history for individual alerts with the Manage Alert menu.
-keywords: manage alerts, manage, alerts, status, new, in progress, resolved, resolve alerts, suppress, supression, rules, context, history, comments, changes
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Manage Microsoft Defender Advanced Threat Protection alerts
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-managealerts-abovefoldlink)
-
-Microsoft Defender ATP notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed in the **Security operations dashboard**, and you can access all alerts in the **Alerts queue**.
-
-You can manage alerts by selecting an alert in the **Alerts queue**, or the **Alerts** tab of the Device page for an individual device.
-
-Selecting an alert in either of those places brings up the **Alert management pane**.
-
-
-
-## Link to another incident
-You can create a new incident from the alert or link to an existing incident.
-
-## Assign alerts
-If an alert is not yet assigned, you can select **Assign to me** to assign the alert to yourself.
-
-
-## Suppress alerts
-There might be scenarios where you need to suppress alerts from appearing in Microsoft Defender Security Center. Microsoft Defender ATP lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization.
-
-Suppression rules can be created from an existing alert. They can be disabled and reenabled if needed.
-
-When a suppression rule is created, it will take effect from the point when the rule is created. The rule will not affect existing alerts already in the queue, prior to the rule creation. The rule will only be applied on alerts that satisfy the conditions set after the rule is created.
-
-There are two contexts for a suppression rule that you can choose from:
-
-- **Suppress alert on this device**
-- **Suppress alert in my organization**
-
-The context of the rule lets you tailor what gets surfaced into the portal and ensure that only real security alerts are surfaced into the portal.
-
-You can use the examples in the following table to help you choose the context for a suppression rule:
-
-| **Context** | **Definition** | **Example scenarios** |
-|:--------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **Suppress alert on this device** | Alerts with the same alert title and on that specific device only will be suppressed.
All other alerts on that device will not be suppressed. |
|
-| **Suppress alert in my organization** | Alerts with the same alert title on any device will be suppressed. |
|
-
-### Suppress an alert and create a new suppression rule:
-Create custom rules to control when alerts are suppressed, or resolved. You can control the context for when an alert is suppressed by specifying the alert title, Indicator of compromise, and the conditions. After specifying the context, you’ll be able to configure the action and scope on the alert.
-
-1. Select the alert you'd like to suppress. This brings up the **Alert management** pane.
-
-2. Select **Create a suppression rule**.
-
- You can create a suppression condition using these attributes. An AND operator is applied between each condition, so suppression occurs only if all conditions are met.
-
- * File SHA1
- * File name - wildcard supported
- * Folder path - wildcard supported
- * IP address
- * URL - wildcard supported
- * Command line - wildcard supported
-
-3. Select the **Triggering IOC**.
-
-4. Specify the action and scope on the alert.
- You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue, alert page, and device timeline and will appear as resolved across Microsoft Defender ATP APIs.
Alerts that are marked as hidden will be suppressed from the entire system, both on the device's associated alerts and from the dashboard and will not be streamed across Microsoft Defender ATP APIs.
-
-
-5. Enter a rule name and a comment.
-
-6. Click **Save**.
-
-#### View the list of suppression rules
-
-1. In the navigation pane, select **Settings** > **Alert suppression**.
-
-2. The list of suppression rules shows all the rules that users in your organization have created.
-
-For more information on managing suppression rules, see [Manage suppression rules](manage-suppression-rules.md)
-
-## Change the status of an alert
-
-You can categorize alerts (as **New**, **In Progress**, or **Resolved**) by changing their status as your investigation progresses. This helps you organize and manage how your team can respond to alerts.
-
-For example, a team leader can review all **New** alerts, and decide to assign them to the **In Progress** queue for further analysis.
-
-Alternatively, the team leader might assign the alert to the **Resolved** queue if they know the alert is benign, coming from a device that is irrelevant (such as one belonging to a security administrator), or is being dealt with through an earlier alert.
-
-
-
-## Alert classification
-You can choose not to set a classification, or specify whether an alert is a true alert or a false alert. It's important to provide the classification of true positive/false positive. This classification is used to monitor alert quality, and make alerts more accurate. The "determination" field defines additional fidelity for a "true positive" classification.
-
-## Add comments and view the history of an alert
-You can add comments and view historical events about an alert to see previous changes made to the alert.
-
-Whenever a change or comment is made to an alert, it is recorded in the **Comments and history** section.
-
-Added comments instantly appear on the pane.
-
-
-## Related topics
-- [Manage suppression rules](manage-suppression-rules.md)
-- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md)
-- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md)
-- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md)
-- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md)
-- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md)
-- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md)
-- [Investigate a user account in Microsoft Defender ATP](investigate-user.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md
deleted file mode 100644
index c086033e55..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md
+++ /dev/null
@@ -1,64 +0,0 @@
----
-title: Manage Microsoft Defender for Endpoint using Configuration Manager
-description: Learn how to manage Microsoft Defender for Endpoint with Configuration Manager
-keywords: post-migration, manage, operations, maintenance, utilization, Configuration Manager, windows defender advanced threat protection, atp, edr
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.technology: windows
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- M365-security-compliance
-- m365solution-scenario
-ms.topic: article
-ms.date: 09/22/2020
-ms.reviewer: chventou
----
-
-# Manage Microsoft Defender for Endpoint with Configuration Manager
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-We recommend using We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem), which includes [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) (Intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction) (Configuration Manager) to manage your organization's threat protection features for devices (also referred to as endpoints).
-- [Learn more about Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview)
-- [Co-manage Microsoft Defender for Endpoint on Windows 10 devices with Configuration Manager and Intune](manage-atp-post-migration-intune.md)
-
-## Configure Microsoft Defender for Endpoint with Configuration Manager
-
-|Task |Resources to learn more |
-|---------|---------|
-|**Install the Configuration Manager console** if you don't already have it
*If you don't already have the Configuration Manger console, use these resources to get the bits and install it.* |[Get the installation media](https://docs.microsoft.com/mem/configmgr/core/servers/deploy/install/get-install-media)
[Install the Configuration Manager console](https://docs.microsoft.com/mem/configmgr/core/servers/deploy/install/install-consoles) |
-|**Use Configuration Manager to onboard devices** to Microsoft Defender for Endpoint
*If you have devices (or endpoints) not already onboarded to Microsoft Defender for Endpoint, you can do that with Configuration Manager.* |[Onboard to Microsoft Defender for Endpoint with Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection#about-onboarding-to-atp-with-configuration-manager) |
-|**Manage antimalware policies and Windows Firewall security** for client computers (endpoints)
*Configure endpoint protection features, including Microsoft Defender for Endpoint, exploit protection, application control, antimalware, firewall settings, and more.* |[Configuration Manager: Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection) |
-|**Choose methods for updating antimalware updates** on your organization's devices
*With Endpoint Protection in Configuration Manager, you can choose from several methods to keep antimalware definitions up to date on your organization's devices.* |[Configure definition updates for Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definition-updates)
[Use Configuration Manager to deliver definition updates](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-configmgr) |
-|**Enable Network Protection** to help prevent employees from using apps that malicious content on the Internet
*We recommend using [audit mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection) at first for network protection in a test environment to see which apps would be blocked before rolling out.* |[Turn on network protection with Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection#microsoft-endpoint-configuration-manager) |
-|**Configure controlled folder access** to protect against ransomware
*Controlled folder access is also referred to as antiransomware protection.* |[Endpoint protection: Controlled folder access](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#controlled-folder-access)
[Enable controlled folder access in Microsoft Endpoint Configuration Manage](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders#microsoft-endpoint-configuration-manager) |
-
-## Configure your Microsoft Defender Security Center
-
-If you haven't already done so, **configure your Microsoft Defender Security Center** ([https://securitycenter.windows.com](https://securitycenter.windows.com)) to view alerts, configure threat protection features, and view detailed information about your organization's overall security posture.
-
-You can also configure whether and what features end users can see in the Microsoft Defender Security Center.
-
-- [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use)
-
-- [Endpoint protection: Microsoft Defender Security Center](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-security-center)
-
-## Next steps
-
-- [Get an overview of threat and vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-
-- [Visit the Microsoft Defender Security Center security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard)
-
-- [Manage Microsoft Defender for Endpoint with Intune](manage-atp-post-migration-intune.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md
deleted file mode 100644
index 512edb5f3c..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md
+++ /dev/null
@@ -1,70 +0,0 @@
----
-title: Manage Microsoft Defender for Endpoint using Group Policy Objects
-description: Learn how to manage Microsoft Defender for Endpoint with Group Policy Objects
-keywords: post-migration, manage, operations, maintenance, utilization, PowerShell, windows defender advanced threat protection, atp, edr
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.technology: windows
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- M365-security-compliance
-- m365solution-scenario
-ms.topic: article
-ms.date: 09/22/2020
-ms.reviewer: chventou
----
-
-# Manage Microsoft Defender for Endpoint with Group Policy Objects
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-> [!NOTE]
-> We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem) to manage your organization's threat protection features for devices (also referred to as endpoints). Endpoint Manager includes [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction). **[Learn more about Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview)**.
-
-You can use Group Policy Objects in Azure Active Directory Domain Services to manage some settings in Microsoft Defender for Endpoint.
-
-## Configure Microsoft Defender for Endpoint with Group Policy Objects
-
-The following table lists various tasks you can perform to configure Microsoft Defender for Endpoint with Group Policy Objects.
-
-|Task |Resources to learn more |
-|---------|---------|
-|**Manage settings for user and computer objects**
*Customize built-in Group Policy Objects, or create custom Group Policy Objects and organizational units to suit your organizational needs.* |[Administer Group Policy in an Azure Active Directory Domain Services managed domain](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy) |
-|**Configure Microsoft Defender Antivirus**
*Configure antivirus features & capabilities, including policy settings, exclusions, remediation, and scheduled scans on your organization's devices (also referred to as endpoints).* |[Use Group Policy settings to configure and manage Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus)
[Use Group Policy to enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus#use-group-policy-to-enable-cloud-delivered-protection) |
-|**Manage your organization's attack surface reduction rules**
*Customize your attack surface reduction rules by excluding files & folders, or by adding custom text to notification alerts that appear on users' devices.* |[Customize attack surface reduction rules with Group Policy Objects](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction#use-group-policy-to-exclude-files-and-folders) |
-|**Manage exploit protection settings**
*You can customize your exploit protection settings, import a configuration file, and then use Group Policy to deploy that configuration file.* |[Customize exploit protection settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection)
[Import, export, and deploy exploit protection configurations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml)
[Use Group Policy to distribute the configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml#use-group-policy-to-distribute-the-configuration) |
-|**Enable Network Protection** to help prevent employees from using apps that malicious content on the Internet
*We recommend using [audit mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection) at first for network protection in a test environment to see which apps would be blocked before rolling out.* |[Turn on network protection using Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection#group-policy) |
-|**Configure controlled folder access** to protect against ransomware
*[Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders) is also referred to as antiransomware protection.* |[Enable controlled folder access using Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders#group-policy) |
-|**Configure Microsoft Defender SmartScreen** to protect against malicious sites and files on the internet. |[Configure Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings using Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings#group-policy-settings) |
-|**Configure encryption and BitLocker** to protect information on your organization's devices running Windows |[BitLocker Group Policy settings](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings) |
-|**Configure Microsoft Defender Credential Guard** to protect against credential theft attacks |[Enable Windows Defender Credential Guard by using Group Policy](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-manage#enable-windows-defender-credential-guard-by-using-group-policy) |
-
-## Configure your Microsoft Defender Security Center
-
-If you haven't already done so, **configure your Microsoft Defender Security Center** ([https://securitycenter.windows.com](https://securitycenter.windows.com)) to view alerts, configure threat protection features, and view detailed information about your organization's overall security posture.
-
-You can also configure whether and what features end users can see in the Microsoft Defender Security Center.
-
-- [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use)
-
-- [Endpoint protection: Microsoft Defender Security Center](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-security-center)
-
-## Next steps
-
-- [Get an overview of threat and vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-
-- [Visit the Microsoft Defender Security Center security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard)
-
-- [Manage Microsoft Defender for Endpoint with Intune](manage-atp-post-migration-intune.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md
deleted file mode 100644
index eb630aad88..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md
+++ /dev/null
@@ -1,89 +0,0 @@
----
-title: Manage Microsoft Defender for Endpoint using Intune
-description: Learn how to manage Microsoft Defender for Endpoint with Intune
-keywords: post-migration, manage, operations, maintenance, utilization, intune, windows defender advanced threat protection, atp, edr
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.technology: windows
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- M365-security-compliance
-- m365solution-scenario
-ms.topic: article
-ms.date: 09/22/2020
-ms.reviewer: chventou
----
-
-# Manage Microsoft Defender for Endpoint with Intune
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem), which includes Microsoft Intune (Intune) to manage your organization's threat protection features for devices (also referred to as endpoints). [Learn more about Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview).
-
-This article describes how to find your Microsoft Defender for Endpoint settings in Intune, and lists various tasks you can perform.
-
-## Find your Microsoft Defender for Endpoint settings in Intune
-
-> [!IMPORTANT]
-> You must be a global administrator or service administrator in Intune to configure the settings described in this article. To learn more, see **[Types of administrators (Intune)](https://docs.microsoft.com/mem/intune/fundamentals/users-add#types-of-administrators)**.
-
-1. Go to the Azure portal ([https://portal.azure.com](https://portal.azure.com)) and sign in.
-
-2. Under **Azure Services**, choose **Intune**.
-
-3. In the navigation pane on the left, choose **Device configuration**, and then, under **Manage**, choose **Profiles**.
-
-4. Select an existing profile, or create a new one.
-
-> [!TIP]
-> Need help? See **[Using Microsoft Defender for Endpoint with Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection#example-of-using-microsoft-defender-atp-with-intune)**.
-
-## Configure Microsoft Defender for Endpoint with Intune
-
-The following table lists various tasks you can perform to configure Microsoft Defender for Endpoint with Intune. You don't have to configure everything all at once; choose a task, read the corresponding resources, and then proceed.
-
-|Task |Resources to learn more |
-|---------|---------|
-|**Manage your organization's devices using Intune** to protect those devices and data stored on them |[Protect devices with Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/device-protect) |
-|**Integrate Microsoft Defender for Endpoint with Intune** as a Mobile Threat Defense solution
*(for Android devices and devices running Windows 10 or later)* |[Enforce compliance for Microsoft Defender for Endpoint with Conditional Access in Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection) |
-|**Use Conditional Access** to control the devices and apps that can connect to your email and company resources |[Configure Conditional Access in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access) |
-|**Configure Microsoft Defender Antivirus settings** using the Policy configuration service provider ([Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider)) |[Device restrictions: Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus)
[Policy CSP - Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender) |
-|**If necessary, specify exclusions for Microsoft Defender Antivirus**
*Generally, you shouldn't need to apply exclusions. Microsoft Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios.* |[Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows](https://support.microsoft.com/help/822158/virus-scanning-recommendations-for-enterprise-computers)
[Device restrictions: Microsoft Defender Antivirus Exclusions for Windows 10 devices](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions)
[Configure Microsoft Defender Antivirus exclusions on Windows Server 2016 or 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus)|
-|**Configure your attack surface reduction rules** to target software behaviors that are often abused by attackers
*Configure your attack surface reduction rules in [audit mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender) at first (for at least one week and up to two months). You can monitor status using Power BI ([get our template](https://github.com/microsoft/MDATP-PowerBI-Templates/tree/master/Attack%20Surface%20Reduction%20rules)), and then set those rules to active mode when you're ready.* |[Audit mode in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender)
[Endpoint protection: Attack Surface Reduction](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10?toc=/intune/configuration/toc.json&bc=/intune/configuration/breadcrumb/toc.json#attack-surface-reduction)
[Learn more about attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
[Tech Community blog post: Demystifying attack surface reduction rules - Part 1](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/demystifying-attack-surface-reduction-rules-part-1/ba-p/1306420) |
-|**Configure your network filtering** to block outbound connections from any app to IP addresses or domains with low reputations
*Network filtering is also referred to as [network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection).*
*Make sure that Windows 10 devices have the latest [antimalware platform updates](https://support.microsoft.com/help/4052623/update-for-microsoft-defender-antimalware-platform) installed.*|[Endpoint protection: Network filtering](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#network-filtering)
[Review network protection events in Windows Event Viewer](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection#review-network-protection-events-in-windows-event-viewer) |
-|**Configure controlled folder access** to protect against ransomware
*[Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders) is also referred to as antiransomware protection.* |[Endpoint protection: Controlled folder access](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#controlled-folder-access)
[Enable controlled folder access in Intune](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders#intune) |
-|**Configure exploit protection** to protect your organization's devices from malware that uses exploits to spread and infect other devices
*[Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exploit-protection) is also referred to as Exploit Guard.* |[Endpoint protection: Microsoft Defender Exploit Guard](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-exploit-guard)
[Enable exploit protection in Intune](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection#intune) |
-|**Configure Microsoft Defender SmartScreen** to protect against malicious sites and files on the internet.
*Microsoft Edge should be installed on your organization's devices. For protection on Google Chrome and FireFox browsers, configure exploit protection.* |[Microsoft Defender SmartScreen](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview)
[Device restrictions: Microsoft Defender SmartScreen](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-smartscreen)
[Policy settings for managing SmartScreen in Intune](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings#mdm-settings) |
-|**Configure Microsoft Defender Firewall** to block unauthorized network traffic flowing into or out of your organization's devices |[Endpoint protection: Microsoft Defender Firewall](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-firewall)
[Microsoft Defender Firewall with Advanced Security](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security) |
-|**Configure encryption and BitLocker** to protect information on your organization's devices running Windows |[Endpoint protection: Windows Encryption](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#windows-encryption)
[BitLocker for Windows 10 devices](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) |
-|**Configure Microsoft Defender Credential Guard** to protect against credential theft attacks |For Windows 10, Windows Server 2016, and Windows Server 2019, see [Endpoint protection: Microsoft Defender Credential Guard](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-credential-guard)
For Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1, and Windows Server 2012 R2, see [Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft, Versions 1 and 2](https://www.microsoft.com/download/details.aspx?id=36036) |
-|**Configure Microsoft Defender Application Control** to choose whether to audit or trust apps on your organization's devices
*Microsoft Defender Application Control is also referred to as [AppLocker](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).*|[Deploy Microsoft Defender Application Control policies by using Microsoft Intune](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune)
[Endpoint protection: Microsoft Defender Application Control](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-application-control)
[AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp)|
-|**Configure device control and USB peripherals access** to help prevent threats in unauthorized peripherals from compromising your devices |[Control USB devices and other removable media using Microsoft Defender for Endpoint and Intune](https://docs.microsoft.com/windows/security/threat-protection/device-control/control-usb-devices-using-intune) |
-
-## Configure your Microsoft Defender Security Center
-
-If you haven't already done so, **configure your Microsoft Defender Security Center** ([https://securitycenter.windows.com](https://securitycenter.windows.com)) to view alerts, configure threat protection features, and view detailed information about your organization's overall security posture.
-
-You can also configure whether and what features end users can see in the Microsoft Defender Security Center.
-
-- [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use)
-
-- [Endpoint protection: Microsoft Defender Security Center](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-security-center)
-
-## Next steps
-
-- [Get an overview of threat and vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-
-- [Visit the Microsoft Defender Security Center security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md
deleted file mode 100644
index 111459747f..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md
+++ /dev/null
@@ -1,93 +0,0 @@
----
-title: Manage Microsoft Defender for Endpoint using PowerShell, WMI, and MPCmdRun.exe
-description: Learn how to manage Microsoft Defender for Endpoint with PowerShell, WMI, and MPCmdRun.exe
-keywords: post-migration, manage, operations, maintenance, utilization, PowerShell, WMI, MPCmdRun.exe, windows defender advanced threat protection, atp, edr
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.technology: windows
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- M365-security-compliance
-- m365solution-scenario
-ms.topic: article
-ms.date: 09/22/2020
-ms.reviewer: chventou
----
-
-# Manage Microsoft Defender for Endpoint with PowerShell, WMI, and MPCmdRun.exe
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-> [!NOTE]
-> We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem) to manage your organization's threat protection features for devices (also referred to as endpoints). Endpoint Manager includes [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction).
-> - [Learn more about Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview)
-> - [Co-manage Microsoft Defender for Endpoint on Windows 10 devices with Configuration Manager and Intune](manage-atp-post-migration-intune.md)
-> - [Manage Microsoft Defender for Endpoint with Intune](manage-atp-post-migration-intune.md)
-
-You can manage some Microsoft Defender Antivirus settings on devices with [PowerShell](#configure-microsoft-defender-for-endpoint-with-powershell), [Windows Management Instrumentation](#configure-microsoft-defender-for-endpoint-with-windows-management-instrumentation-wmi) (WMI), and the [Microsoft Malware Protection Command Line Utility](#configure-microsoft-defender-for-endpoint-with-microsoft-malware-protection-command-line-utility-mpcmdrunexe) (MPCmdRun.exe). For example, you can manage some Microsoft Defender Antivirus settings. And, in some cases, you can customize your attack surface reduction rules and exploit protection settings.
-
-> [!IMPORTANT]
-> Threat protection features that you configure by using PowerShell, WMI, or MCPmdRun.exe can be overwritten by configuration settings that are deployed with Intune or Configuration Manager.
-
-## Configure Microsoft Defender for Endpoint with PowerShell
-
-You can use PowerShell to manage Microsoft Defender Antivirus, exploit protection, and your attack surface reduction rules.
-
-|Task |Resources to learn more |
-|---------|---------|
-|**Manage Microsoft Defender Antivirus**
*View status of antimalware protection, configure preferences for antivirus scans & updates, and make other changes to your antivirus protection.* |[Use PowerShell cmdlets to configure and manage Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus)
[Use PowerShell cmdlets to enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus#use-powershell-cmdlets-to-enable-cloud-delivered-protection) |
-|**Configure exploit protection** to mitigate threats on your organization's devices
*We recommend using exploit protection in [audit mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection#powershell) at first. That way, you can see how exploit protection affects apps your organization is using.* | [Customize exploit protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection)
[PowerShell cmdlets for exploit protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection#powershell-reference) |
-|**Configure attack surface reduction rules** with PowerShell
*You can use PowerShell to exclude files and folders from attack surface reduction rules.* |[Customize attack surface reduction rules: Use PowerShell to exclude files & folders](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction#use-powershell-to-exclude-files-and-folders)
Also, see [António Vasconcelo's graphical user interface tool for setting attack surface reduction rules with PowerShell](https://github.com/anvascon/MDATP_PoSh_Scripts/tree/master/ASR%20GUI). |
-|**Enable Network Protection** with PowerShell
*You can use PowerShell to enable Network Protection.* |[Turn on Network Protection with PowerShell](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection#powershell) |
-|**Configure controlled folder access** to protect against ransomware
*[Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders) is also referred to as antiransomware protection.* |[Enable controlled folder access with PowerShell](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders#powershell) |
-|**Configure Microsoft Defender Firewall** to block unauthorized network traffic flowing into or out of your organization's devices |[Microsoft Defender Firewall with Advanced Security Administration using Windows PowerShell](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell) |
-|**Configure encryption and BitLocker** to protect information on your organization's devices running Windows |[BitLocker PowerShell reference guide](https://docs.microsoft.com/powershell/module/bitlocker/?view=win10-ps&preserve-view=true) |
-
-## Configure Microsoft Defender for Endpoint with Windows Management Instrumentation (WMI)
-
-WMI is a scripting interface that allows you to retrieve, modify, and update settings. To learn more, see [Using WMI](https://docs.microsoft.com/windows/win32/wmisdk/using-wmi).
-
-|Task |Resources to learn more |
-|---------|---------|
-|**Enable cloud-delivered protection** on a device |[Use Windows Management Instruction (WMI) to enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus#use-windows-management-instruction-wmi-to-enable-cloud-delivered-protection) |
-|**Retrieve, modify, and update settings** for Microsoft Defender Antivirus | [Use WMI to configure and manage Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus)
[Review the list of available WMI classes and example scripts](https://docs.microsoft.com/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
Also see the archived [Windows Defender WMIv2 Provider reference information](https://docs.microsoft.com/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal?redirectedfrom=MSDN) |
-
-
-## Configure Microsoft Defender for Endpoint with Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe)
-
-On an individual device, you can run a scan, start diagnostic tracing, check for security intelligence updates, and more using the mpcmdrun.exe command-line tool. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. Run it from a command prompt.
-
-|Task |Resources to learn more |
-|---------|---------|
-|**Manage Microsoft Defender Antivirus** |[Configure and manage Microsoft Defender Antivirus with mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus) |
-
-## Configure your Microsoft Defender Security Center
-
-If you haven't already done so, **configure your Microsoft Defender Security Center** ([https://securitycenter.windows.com](https://securitycenter.windows.com)) to view alerts, configure threat protection features, and view detailed information about your organization's overall security posture.
-
-You can also configure whether and what features end users can see in the Microsoft Defender Security Center.
-
-- [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use)
-
-- [Endpoint protection: Microsoft Defender Security Center](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#microsoft-defender-security-center)
-
-
-## Next steps
-
-- [Get an overview of threat and vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
-
-- [Visit the Microsoft Defender Security Center security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard)
-
-- [Manage Microsoft Defender for Endpoint with Intune](manage-atp-post-migration-intune.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md
deleted file mode 100644
index 246b542364..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-title: Manage Microsoft Defender for Endpoint post migration
-description: Now that you've made the switch to Microsoft Defender for Endpoint, your next step is to manage your threat protection features
-keywords: post-migration, manage, operations, maintenance, utilization, windows defender advanced threat protection, atp, edr
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.technology: windows
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- M365-security-compliance
-- m365solution-scenario
-ms.topic: conceptual
-ms.date: 09/22/2020
-ms.reviewer: chventou
----
-
-# Manage Microsoft Defender for Endpoint, post migration
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-After you have moved from your previous endpoint protection and antivirus solution to Microsoft Defender for Endpoint, your next step is to manage your features and capabilities. We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview), which includes [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction), to manage your organization's devices and security settings. However, you can use other tools/methods, such as [Group Policy Objects in Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy).
-
-The following table lists various tools/methods you can use, with links to learn more.
-
-
-|Tool/Method |Description |
-|---------|---------|
-|**[Threat and vulnerability management dashboard insights](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights)** in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) |The threat & vulnerability management dashboard provides actionable information that your security operations team can use to reduce exposure and improve your organization's security posture.
See [Threat & vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) and [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use). |
-|**[Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune)** (recommended) |Microsoft Intune (Intune), a component of [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview), focuses on mobile device management (MDM) and mobile application management (MAM). With Intune, you control how your organization’s devices are used, including mobile phones, tablets, and laptops. You can also configure specific policies to control applications.
See [Manage Microsoft Defender for Endpoint using Intune](manage-atp-post-migration-intune.md). |
-|**[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction)** |Microsoft Endpoint Configuration Manager (Configuration Manager), formerly known as System Center Configuration Manager, is a component of [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview). Configuration Manager is a powerful tool to manage your users, devices, and software.
See [Manage Microsoft Defender for Endpoint with Configuration Manager](manage-atp-post-migration-configuration-manager.md). |
-|**[Group Policy Objects in Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy)** |[Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/overview) includes built-in Group Policy Objects for users and devices. You can customize the built-in Group Policy Objects as needed for your environment, as well as create custom Group Policy Objects and organizational units (OUs).
See [Manage Microsoft Defender for Endpoint with Group Policy Objects](manage-atp-post-migration-group-policy-objects.md). |
-|**[PowerShell, WMI, and MPCmdRun.exe](manage-atp-post-migration-other-tools.md)** |*We recommend using Microsoft Endpoint Manager (which includes Intune and Configuration Manager) to manage threat protection features on your organization's devices. However, you can configure some settings, such as Microsoft Defender Antivirus settings on individual devices (endpoints) with PowerShell, WMI, or the MPCmdRun.exe tool.*
You can use PowerShell to manage Microsoft Defender Antivirus, exploit protection, and your attack surface reduction rules. See [Configure Microsoft Defender for Endpoint with PowerShell](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-powershell).
You can use Windows Management Instrumentation (WMI) to manage Microsoft Defender Antivirus and exclusions. See [Configure Microsoft Defender for Endpoint with WMI](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-windows-management-instrumentation-wmi).
You can use the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) to manage Microsoft Defender Antivirus and exclusions, as well as validate connections between your network and the cloud. See [Configure Microsoft Defender for Endpoint with MPCmdRun.exe](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-microsoft-malware-protection-command-line-utility-mpcmdrunexe). |
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
deleted file mode 100644
index ab130cb910..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md
+++ /dev/null
@@ -1,106 +0,0 @@
----
-title: Review and approve remediation actions following automated investigations in the Microsoft Defender Security Center
-description: Review and approve (or reject) remediation actions following an automated investigation.
-keywords: autoir, automated, investigation, detection, dashboard, source, threat types, id, tags, devices, duration, filter export
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.date: 09/15/2020
----
-
-# Review and approve remediation actions following an automated investigation
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-## Remediation actions
-
-When an [automated investigation](automated-investigations.md) runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*.
-
-Depending on
-
-- the type of threat,
-- the resulting verdict, and
-- how your organization's [device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) are configured,
-
-remediation actions can occur automatically or only upon approval by your organization’s security operations team.
-
-Here are a few examples:
-
-- Example 1: Fabrikam's device groups are set to **Full - remediate threats automatically** (this is the recommended setting). In this case, remediation actions are taken automatically for artifacts that are considered to be malicious following an automated investigation. (See [Review completed actions](#review-completed-actions).)
-
-- Example 2: Contoso's devices are included in a device group that is set for **Semi - require approval for any remediation**. In this case, Contoso's security operations team must review and approve all remediation actions following an automated investigation. (See [Review pending actions](#review-pending-actions).)
-
-- Example 3: Tailspin Toys has their device groups set to **No automated response** (this is not recommended). In this case, automated investigations do not occur. As a result, no remediation actions are taken or pending, and no actions are logged in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center) for their devices. (See [Manage device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups#manage-device-groups))
-
-Whether taken automatically or upon approval, remediation actions following an automated investigation include the following:
-- Quarantine a file
-- Remove a registry key
-- Kill a process
-- Stop a service
-- Remove a registry key
-- Disable a driver
-- Remove a scheduled task
-
-### Automated investigation results and remediation actions
-
-The following table summarizes remediation actions following an automated investigation, how device group settings affect whether actions are taken automatically or upon approval, and what to do in each case.
-
-|Device group setting | Automated investigation results | What to do |
-|:---|:---|:---|
-|**Full - remediate threats automatically** (this is the recommended setting) |A verdict of *Malicious* is reached for a piece of evidence.
Appropriate remediation actions are taken automatically. |[Review completed actions](#review-completed-actions) |
-|**Full - remediate threats automatically** |A verdict of *Suspicious* is reached for a piece of evidence.
Remediation actions are pending approval to proceed. | [Approve (or reject) pending actions](#review-pending-actions) |
-|**Semi - require approval for any remediation** |A verdict of either *Malicious* or *Suspicious* is reached for a piece of evidence.
Remediation actions are pending approval to proceed. |[Approve (or reject) pending actions](#review-pending-actions) |
-|**Semi - require approval for core folders remediation** |A verdict of *Malicious* is reached for a piece of evidence.
If the artifact is a file or executable and is in an operating system directory, such as the Windows folder or the Program files folder, then remediation actions are pending approval.
If the artifact is *not* in an operating system directory, remediation actions are taken automatically. |1. [Approve (or reject) pending actions](#review-pending-actions)
2. [Review completed actions](#review-completed-actions) |
-|**Semi - require approval for core folders remediation** |A verdict of *Suspicious* is reached for a piece of evidence.
Remediation actions are pending approval. |[Approve (or reject) pending actions](#review-pending-actions).|
-|**Semi - require approval for non-temp folders remediation** |A verdict of *Malicious* is reached for a piece of evidence.
If the artifact is a file or executable that is not in a temporary folder, such as the user's downloads folder or temp folder, remediation actions are pending approval.
If the artifact is a file or executable that *is* in a temporary folder, remediation actions are taken automatically. |1. [Approve (or reject) pending actions](#review-pending-actions)
2. [Review completed actions](#review-completed-actions) |
-|**Semi - require approval for non-temp folders remediation** |A verdict of *Suspicious* is reached for a piece of evidence.
Remediation actions are pending approval. |[Approve (or reject) pending actions](#review-pending-actions) |
-|Any of the **Full** or **Semi** automation levels |A verdict of *No threats found* is reached for a piece of evidence.
No remediation actions are taken, and no actions are pending approval. |[View details and results of automated investigations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center) |
-|**No automated response** (this is not recommended)|No automated investigations run, so no verdicts are reached, and no remediation actions are taken or awaiting approval. |[Consider setting up or changing your device groups to use **Full** or **Semi** automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) |
-
-In Microsoft Defender Advanced Threat Protection, all verdicts are [tracked and viewable in the Microsoft Defender Security Center](#review-completed-actions).
-
-> [!TIP]
-> To learn more about remediation actions following an automated investigation, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated).
-
-
-## Review pending actions
-
-1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. You'll see the [Security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard).
-
-2. On the Security operations dashboard, in the navigation pane on the left, choose **Automated investigations** > **Action center**.
-
-3. Review any items on the **Pending** tab.
-
-4. Select an investigation from any of the categories to open a panel where you can approve or reject remediation actions.
-
- Other details such as file or service details, investigation details, and alert details are displayed. From the panel, you can click on the **Open investigation page** link to see the investigation details. You can also select multiple investigations to approve or reject actions on multiple investigations.
-
-## Review completed actions
-
-1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. You'll see the [Security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard).
-
-2. On the Security operations dashboard, in the navigation pane on the left, choose **Automated investigations** > **Action center**.
-
-3. Select the **History** tab. (If need be, expand the time period to display more data.)
-
-4. Select an item to view more details about that remediation action.
-
-## Next steps
-
-- [See the interactive guide: Investigate and remediate threats with Microsoft Defender ATP](https://aka.ms/MDATP-IR-Interactive-Guide)
-
-- [View details and results of automated investigations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md
deleted file mode 100644
index 5dfefb6a2a..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md
+++ /dev/null
@@ -1,51 +0,0 @@
----
-title: Manage automation file uploads
-description: Enable content analysis and configure the file extension and email attachment extensions that will be submitted for analysis
-keywords: automation, file, uploads, content, analysis, file, extension, email, attachment
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Manage automation file uploads
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automationefileuploads-abovefoldlink)
-
-Enable the content analysis capability so that certain files and email attachments can automatically be uploaded to the cloud for additional inspection in Automated investigation.
-
-Identify the files and email attachments by specifying the file extension names and email attachment extension names.
-
-For example, if you add *exe* and *bat* as file or attachment extension names, then all files or attachments with those extensions will automatically be sent to the cloud for additional inspection during Automated investigation.
-
-## Add file extension names and attachment extension names.
-
-1. In the navigation pane, select **Settings** > **Automation file uploads**.
-
-2. Toggle the content analysis setting between **On** and **Off**.
-
-3. Configure the following extension names and separate extension names with a comma:
- - **File extension names** - Suspicious files except email attachments will be submitted for additional inspection
-
-
-## Related topics
-- [Manage automation folder exclusions](manage-automation-folder-exclusions.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md
deleted file mode 100644
index 056f3d9d05..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md
+++ /dev/null
@@ -1,90 +0,0 @@
----
-title: Manage automation folder exclusions
-description: Add automation folder exclusions to control the files that are excluded from an automated investigation.
-keywords: manage, automation, exclusion, block, clean, malicious
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Manage automation folder exclusions
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automationexclusionfolder-abovefoldlink)
-
-Automation folder exclusions allow you to specify folders that the Automated investigation will skip.
-
-You can control the following attributes about the folder that you'd like to be skipped:
-- Folders
-- Extensions of the files
-- File names
-
-
-**Folders**
-You can specify a folder and its subfolders to be skipped.
-
-
->[!NOTE]
->At this time, use of wild cards as a way to exclude files under a directory is not yet supported.
-
-
-**Extensions**
-You can specify the extensions to exclude in a specific directory. The extensions are a way to prevent an attacker from using an excluded folder to hide an exploit. The extensions explicitly define which files to ignore.
-
-**File names**
-You can specify the file names that you want to be excluded in a specific directory. The names are a way to prevent an attacker from using an excluded folder to hide an exploit. The names explicitly define which files to ignore.
-
-
-
-## Add an automation folder exclusion
-1. In the navigation pane, select **Settings** > **Automation folder exclusions**.
-
-2. Click **New folder exclusion**.
-
-3. Enter the folder details:
-
- - Folder
- - Extensions
- - File names
- - Description
-
-
-4. Click **Save**.
-
->[!NOTE]
-> Live Response commands to collect or examine excluded files will fail with error: "File is excluded". In addition, automated investigations will ignore the excluded items.
-
-## Edit an automation folder exclusion
-1. In the navigation pane, select **Settings** > **Automation folder exclusions**.
-
-2. Click **Edit** on the folder exclusion.
-
-3. Update the details of the rule and click **Save**.
-
-## Remove an automation folder exclusion
-1. In the navigation pane, select **Settings** > **Automation folder exclusions**.
-2. Click **Remove exclusion**.
-
-
-## Related topics
-- [Manage automation allowed/blocked lists](manage-indicators.md)
-- [Manage automation file uploads](manage-automation-file-uploads.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md b/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md
deleted file mode 100644
index 458c0798ce..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md
+++ /dev/null
@@ -1,37 +0,0 @@
----
-title: Manage endpoint detection and response capabilities
-ms.reviewer:
-description:
-keywords:
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
----
-
-# Manage endpoint detection and response capabilities
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-Manage the alerts queue, investigate devices in the devices list, take response actions, and hunt for possible threats in your organization using advanced hunting.
-
-
-## In this section
-Topic | Description
-:---|:---
-[Alerts queue](alerts-queue-endpoint-detection-response.md)| View the alerts surfaced in Microsoft Defender Security Center.
-[Devices list](machines-view-overview.md) | Learn how you can view and manage the devices list, manage device groups, and investigate device related alerts.
-[Take response actions](response-actions.md)| Take response actions on devices and files to quickly respond to detected attacks and contain threats.
-[Query data using advanced hunting](advanced-hunting-query-language.md)| Proactively hunt for possible threats across your organization using a powerful search and query tool.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md
deleted file mode 100644
index 04dc76e4e3..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md
+++ /dev/null
@@ -1,77 +0,0 @@
----
-title: Manage Microsoft Defender ATP incidents
-description: Manage incidents by assigning it, updating its status, or setting its classification.
-keywords: incidents, manage, assign, status, classification, true alert, false alert
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: article
----
-
-# Manage Microsoft Defender ATP incidents
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Managing incidents is an important part of every cybersecurity operation. You can manage incidents by selecting an incident from the **Incidents queue** or the **Incidents management pane**.
-
-
-Selecting an incident from the **Incidents queue** brings up the **Incident management pane** where you can open the incident page for details.
-
-
-
-
-You can assign incidents to yourself, change the status and classification, rename, or comment on them to keep track of their progress.
-
-> [!TIP]
-> For additional visibility at a glance, incident names are automatically generated based on alert attributes such as the number of endpoints affected, users affected, detection sources or categories. This allows you to quickly understand the scope of the incident.
->
-> For example: *Multi-stage incident on multiple endpoints reported by multiple sources.*
->
-> Incidents that existed prior the rollout of automatic incident naming will retain their names.
->
-
-
-
-
-## Assign incidents
-If an incident has not been assigned yet, you can select **Assign to me** to assign the incident to yourself. Doing so assumes ownership of not just the incident, but also all the alerts associated with it.
-
-## Set status and classification
-### Incident status
-You can categorize incidents (as **Active**, or **Resolved**) by changing their status as your investigation progresses. This helps you organize and manage how your team can respond to incidents.
-
-For example, your SoC analyst can review the urgent **Active** incidents for the day, and decide to assign them to himself for investigation.
-
-Alternatively, your SoC analyst might set the incident as **Resolved** if the incident has been remediated.
-
-### Classification
-You can choose not to set a classification, or decide to specify whether an incident is true or false. Doing so helps the team see patterns and learn from them.
-
-### Add comments
-You can add comments and view historical events about an incident to see previous changes made to it.
-
-Whenever a change or comment is made to an alert, it is recorded in the Comments and history section.
-
-Added comments instantly appear on the pane.
-
-
-
-## Related topics
-- [Incidents queue](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue)
-- [View and organize the Incidents queue](view-incidents-queue.md)
-- [Investigate incidents](investigate-incidents.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
deleted file mode 100644
index b8a672c6a3..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
+++ /dev/null
@@ -1,68 +0,0 @@
----
-title: Create indicators
-ms.reviewer:
-description: Create indicators for a file hash, IP address, URLs, or domains that define the detection, prevention, and exclusion of entities.
-keywords: manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Create indicators
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)
-
-Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability gives SecOps the ability to set a list of indicators for detection and for blocking (prevention and response).
-
-Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be taken as well as the duration for when to apply the action as well as the scope of the device group to apply it to.
-
-Currently supported sources are the cloud detection engine of Microsoft Defender ATP, the automated investigation and remediation engine, and the endpoint prevention engine (Microsoft Defender AV).
-
-**Cloud detection engine**
-The cloud detection engine of Microsoft Defender ATP regularly scans collected data and tries to match the indicators you set. When there is a match, action will be taken according to the settings you specified for the IoC.
-
-**Endpoint prevention engine**
-The same list of indicators is honored by the prevention agent. Meaning, if Microsoft Defender AV is the primary AV configured, the matched indicators will be treated according to the settings. For example, if the action is "Alert and Block", Microsoft Defender AV will prevent file executions (block and remediate) and a corresponding alert will be raised. On the other hand, if the Action is set to "Allow", Microsoft Defender AV will not detect nor block the file from being run.
-
-**Automated investigation and remediation engine**
-The automated investigation and remediation behave the same. If an indicator is set to "Allow", Automated investigation and remediation will ignore a "bad" verdict for it. If set to "Block", Automated investigation and remediation will treat it as "bad".
-
-
-The current supported actions are:
-- Allow
-- Alert only
-- Alert and block
-
-
-You can create an indicator for:
-- [Files](indicator-file.md)
-- [IP addresses, URLs/domains](indicator-ip-domain.md)
-- [Certificates](indicator-certificates.md)
-
-
->[!NOTE]
->There is a limit of 15,000 indicators per tenant.
-
-
-## Related topics
-
-- [Create contextual IoC](respond-file-alerts.md#add-indicator-to-block-or-allow-a-file)
-- [Use the Microsoft Defender ATP indicators API](ti-indicator.md)
-- [Use partner integrated solutions](partner-applications.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md b/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md
deleted file mode 100644
index 2db2ff913f..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-title: Manage Microsoft Defender Advanced Threat Protection suppression rules
-description: You might need to prevent alerts from appearing in the portal by using suppression rules. Learn how to manage your suppression rules in Microsoft Defender ATP.
-keywords: manage suppression, rules, rule name, scope, action, alerts, turn on, turn off
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Manage suppression rules
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-There might be scenarios where you need to suppress alerts from appearing in the portal. You can create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization. For more information on how to suppress alerts, see [Suppress alerts](manage-alerts.md).
-
-You can view a list of all the suppression rules and manage them in one place. You can also turn an alert suppression rule on or off.
-
-
-1. In the navigation pane, select **Settings** > **Alert suppression**. The list of suppression rules that users in your organization have created is displayed.
-
-2. Select a rule by clicking on the check-box beside the rule name.
-
-3. Click **Turn rule on**, **Edit rule**, or **Delete rule**. When making changes to a rule, you can choose to release alerts that it has already suppressed, regardless whether or not these alerts match the new criteria.
-
-
-## View details of a suppression rule
-
-1. In the navigation pane, select **Settings** > **Alert suppression**. The list of suppression rules that users in your organization have created is displayed.
-
-2. Click on a rule name. Details of the rule is displayed. You'll see the rule details such as status, scope, action, number of matching alerts, created by, and date when the rule was created. You can also view associated alerts and the rule conditions.
-
-## Related topics
-
-- [Manage alerts](manage-alerts.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md
deleted file mode 100644
index 45de6c024c..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md
+++ /dev/null
@@ -1,82 +0,0 @@
----
-title: Overview of management and APIs
-ms.reviewer:
-description: Learn about the management tools and API categories in Microsoft Defender ATP
-keywords: onboarding, api, siem, rbac, access, portal, integration, investigation, response, entities, entity, user context, application context, streaming
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Overview of management and APIs
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mgt-apis-abovefoldlink)
-
-Microsoft Defender ATP supports a wide variety of options to ensure that customers can easily adopt the platform.
-
-Acknowledging that customer environments and structures can vary, Microsoft Defender ATP was created with flexibility and granular control to fit varying customer requirements.
-
-## Endpoint onboarding and portal access
-
-Device onboarding is fully integrated into Microsoft Endpoint Configuration Manager and Microsoft Intune for client devices and Azure Security Center for server devices, providing complete end-to-end experience of configuration, deployment, and monitoring. In addition, Microsoft Defender ATP supports Group Policy and other third-party tools used for devices management.
-
-Microsoft Defender ATP provides fine-grained control over what users with access to the portal can see and do through the flexibility of role-based access control (RBAC). The RBAC model supports all flavors of security teams structure:
-- Globally distributed organizations and security teams
-- Tiered model security operations teams
-- Fully segregated divisions with single centralized global security operations teams
-
-## Available APIs
-The Microsoft Defender ATP solution is built on top of an integration-ready platform.
-
-Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Microsoft Defender ATP capabilities.
-
-
-
-The Microsoft Defender ATP APIs can be grouped into three:
-- Microsoft Defender ATP APIs
-- Raw data streaming API
-- SIEM integration
-
-## Microsoft Defender ATP APIs
-
-Microsoft Defender ATP offers a layered API model exposing data and capabilities in a structured, clear and easy to use model, exposed through a standard Azure AD-based authentication and authorization model allowing access in context of users or SaaS applications. The API model was designed to expose entities and capabilities in a consistent form.
-
-Watch this video for a quick overview of Microsoft Defender ATP's APIs.
->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4d73M]
-
-The **Investigation API** exposes the richness of Microsoft Defender ATP - exposing calculated or 'profiled' entities (for example, device, user, and file) and discrete events (for example, process creation and file creation) which typically describes a behavior related to an entity, enabling access to data via investigation interfaces allowing a query-based access to data. For more information see, [Supported APIs](exposed-apis-list.md).
-
-The **Response API** exposes the ability to take actions in the service and on devices, enabling customers to ingest indicators, manage settings, alert status, as well as take response actions on devices programmatically such as isolate devices from the network, quarantine files, and others.
-
-## Raw data streaming API
-Microsoft Defender ATP raw data streaming API provides the ability for customers to ship real-time events and alerts from their instances as they occur within a single data stream, providing a low latency, high throughput delivery mechanism.
-
-The Microsoft Defender ATP event information is pushed directly to Azure storage for long-term data retention, or to Azure Event Hubs for consumption by visualization services or additional data processing engines.
-
-For more information see, [Raw data streaming API](raw-data-export.md).
-
-
-## SIEM API
-When you enable security information and event management (SIEM) integration it allows you to pull detections from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the detections REST API. This activates the SIEM connector access details section with pre-populated values and an application is created under you Azure Active Directory (AAD) tenant. For more information see, [SIEM integration](enable-siem-integration.md)
-
-## Related topics
-- [Access the Microsoft Defender Advanced Threat Protection APIs ](apis-intro.md)
-- [Supported APIs](exposed-apis-list.md)
-- [Technical partner opportunities](partner-integration.md)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md
deleted file mode 100644
index e9fa0412b0..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md
+++ /dev/null
@@ -1,63 +0,0 @@
----
-title: Migrate from McAfee to Microsoft Defender for Endpoint
-description: Make the switch from McAfee to Microsoft Defender for Endpoint. Read this article for an overview.
-keywords: migration, windows defender advanced threat protection, atp, edr
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.technology: windows
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- M365-security-compliance
-- m365solution-mcafeemigrate
-- m365solution-overview
-ms.topic: conceptual
-ms.custom: migrationguides
-ms.date: 09/22/2020
-ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
----
-
-# Migrate from McAfee to Microsoft Defender Advanced Threat Protection
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-If you are planning to switch from McAfee Endpoint Security (McAfee) to [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender for Endpoint), you're in the right place. Use this article as a guide to plan your migration.
-
-## The migration process
-
-When you switch from McAfee to Microsoft Defender for Endpoint, you follow a process that can be divided into three phases, as described in the following table:
-
-|Phase |Description |
-|--|--|
-|[](mcafee-to-microsoft-defender-prepare.md)
[Prepare for your migration](mcafee-to-microsoft-defender-prepare.md) |During [the **Prepare** phase](mcafee-to-microsoft-defender-prepare.md), you update your organization's devices, get Microsoft Defender for Endpoint, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender for Endpoint. |
-|[](mcafee-to-microsoft-defender-setup.md)
[Set up Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-setup.md) |During [the **Setup** phase](mcafee-to-microsoft-defender-setup.md), you enable Microsoft Defender Antivirus and make sure it's in passive mode, and you configure settings & exclusions for Microsoft Defender Antivirus, Microsoft Defender for Endpoint, and McAfee. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.|
-|[](mcafee-to-microsoft-defender-onboard.md)
[Onboard to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-onboard.md) |During [the **Onboard** phase](mcafee-to-microsoft-defender-onboard.md), you onboard your devices to Microsoft Defender for Endpoint and verify that those devices are communicating with Microsoft Defender for Endpoint. Last, you uninstall McAfee and make sure that protection through Microsoft Defender Antivirus & Microsoft Defender for Endpoint is in active mode. |
-
-## What's included in Microsoft Defender for Endpoint?
-
-In this migration guide, we focus on [next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) and [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) capabilities as a starting point for moving to Microsoft Defender for Endpoint. However, Microsoft Defender for Endpoint includes much more than antivirus and endpoint protection. Microsoft Defender for Endpoint is a unified platform for preventative protection, post-breach detection, automated investigation, and response. The following table summarizes features and capabilities in Microsoft Defender for Endpoint.
-
-| Feature/Capability | Description |
-|---|---|
-| [Threat & vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) | Threat & vulnerability management capabilities help identify, assess, and remediate weaknesses across your endpoints (such as devices). |
-| [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction) | Attack surface reduction rules help protect your organization's devices and applications from cyberthreats and attacks. |
-| [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) | Next-generation protection includes Microsoft Defender Antivirus to help block threats and malware. |
-| [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) | Endpoint detection and response capabilities detect, investigate, and respond to intrusion attempts and active breaches. |
-| [Advanced hunting](advanced-hunting-overview.md) | Advanced hunting capabilities enable your security operations team to locate indicators and entities of known or potential threats. |
-| [Behavioral blocking and containment](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) | Behavioral blocking and containment capabilities help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. |
-| [Automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) | Automated investigation and response capabilities examine alerts and take immediate remediation action to resolve breaches. |
-| [Threat hunting service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts) (Microsoft Threat Experts) | Threat hunting services provide security operations teams with expert level monitoring and analysis, and to help ensure that critical threats aren't missed. |
-
-**Want to learn more? See [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection).**
-
-## Next step
-
-- Proceed to [Prepare for your migration](mcafee-to-microsoft-defender-prepare.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md
deleted file mode 100644
index d38a5977e8..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md
+++ /dev/null
@@ -1,97 +0,0 @@
----
-title: McAfee to Microsoft Defender for Endpoint - Onboard
-description: This is phase 3, Onboard, for migrating from McAfee to Microsoft Defender for Endpoint.
-keywords: migration, windows defender advanced threat protection, atp, edr
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.technology: windows
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- M365-security-compliance
-- m365solution-McAfeemigrate
-- m365solution-scenario
-ms.custom: migrationguides
-ms.topic: article
-ms.date: 09/24/2020
-ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
----
-
-# Migrate from McAfee - Phase 3: Onboard to Microsoft Defender for Endpoint
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-|[](mcafee-to-microsoft-defender-prepare.md)
[Phase 1: Prepare](mcafee-to-microsoft-defender-prepare.md) |[](mcafee-to-microsoft-defender-setup.md)
[Phase 2: Set up](mcafee-to-microsoft-defender-setup.md) |
Phase 3: Onboard |
-|--|--|--|
-|| |*You are here!* |
-
-
-**Welcome to Phase 3 of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender Advanced Threat Protection (Microsoft Defender for Endpoint)](mcafee-to-microsoft-defender-migration.md#the-migration-process)**. This migration phase includes the following steps:
-
-1. [Onboard devices to Microsoft Defender for Endpoint](#onboard-devices-to-microsoft-defender-for-endpoint).
-2. [Run a detection test](#run-a-detection-test).
-3. [Uninstall McAfee](#uninstall-mcafee).
-4. [Make sure Microsoft Defender for Endpoint is in active mode](#make-sure-microsoft-defender-for-endpoint-is-in-active-mode).
-
-## Onboard devices to Microsoft Defender for Endpoint
-
-1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
-
-2. Choose **Settings** > **Device management** > **Onboarding**.
-
-3. In the **Select operating system to start onboarding process** list, select an operating system.
-
-4. Under **Deployment method**, select an option. Follow the links and prompts to onboard your organization's devices. Need help? See [Onboarding methods](#onboarding-methods) (in this article).
-
-### Onboarding methods
-
-Deployment methods vary, depending on which operating system is selected. Refer to the resources listed in the table below to get help with onboarding.
-
-|Operating system |Method |
-|---------|---------|
-|Windows 10 |- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
- [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
- [Mobile Device Management (Intune)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm)
- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)
**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
-|- Windows 8.1 Enterprise
- Windows 8.1 Pro
- Windows 7 SP1 Enterprise
- Windows 7 SP1 Pro | [Microsoft Monitoring Agent](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp)
**NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). |
-|- Windows Server 2019 and later
- Windows Server 2019 core edition
- Windows Server version 1803 and later |- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)
- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
- [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
- [System Center Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm#onboard-windows-10-devices-using-earlier-versions-of-system-center-configuration-manager)
- [VDI onboarding scripts for non-persistent devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi)
**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
-|- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2008 R2 SP1 |- [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#option-1-onboard-servers-through-microsoft-defender-security-center)
- [Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp) |
-|macOS
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra)
iOS
Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |[Onboard non-Windows devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows) |
-
-## Run a detection test
-
-To verify that your onboarded devices are properly connected to Microsoft Defender for Endpoint, you can run a detection test.
-
-
-|Operating system |Guidance |
-|---------|---------|
-|- Windows 10
- Windows Server 2019
- Windows Server, version 1803
- Windows Server 2016
- Windows Server 2012 R2 |See [Run a detection test](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test).
Visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. |
-|macOS
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy).
For more information, see [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac). |
-|Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**:
`mdatp health --field real_time_protection_enabled`.
2. Open a Terminal window, and run the following command:
`curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`.
3. Run the following command to list any detected threats:
`mdatp threat list`.
For more information, see [Microsoft Defender ATP for Linux](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux). |
-
-## Uninstall McAfee
-
-Now that you have onboarded your organization's devices to Microsoft Defender for Endpoint, your next step is to uninstall McAfee.
-
-To get help with this step, go to your McAfee ServicePortal ([http://mysupport.mcafee.com](http://mysupport.mcafee.com)).
-
-## Make sure Microsoft Defender for Endpoint is in active mode
-
-Now that you have uninstalled McAfee, your next step is to make sure that Microsoft Defender Antivirus and endpoint detection and response are enabled and in active mode.
-
-To do this, visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)). Try one or more of the demo scenarios on that page, including at least the following:
-- Cloud-delivered protection
-- Potentially Unwanted Applications (PUA)
-- Network Protection (NP)
-
-## Next steps
-
-**Congratulations**! You have completed your [migration from McAfee to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md#the-migration-process)!
-
-- [Visit your security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard) in the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
-- [Manage Microsoft Defender Advanced Threat Protection, post migration](manage-atp-post-migration.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md
deleted file mode 100644
index fe973d1a59..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md
+++ /dev/null
@@ -1,124 +0,0 @@
----
-title: McAfee to Microsoft Defender for Endpoint - Prepare
-description: This is phase 1, Prepare, for migrating from McAfee to Microsoft Defender ATP.
-keywords: migration, windows defender advanced threat protection, atp, edr
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.technology: windows
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- M365-security-compliance
-- m365solution-mcafeemigrate
-- m365solution-scenario
-ms.topic: article
-ms.custom: migrationguides
-ms.date: 09/22/2020
-ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
----
-
-# Migrate from McAfee - Phase 1: Prepare for your migration
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-|
Phase 1: Prepare |[](mcafee-to-microsoft-defender-setup.md)
[Phase 2: Set up](mcafee-to-microsoft-defender-setup.md) |[](mcafee-to-microsoft-defender-onboard.md)
[Phase 3: Onboard](mcafee-to-microsoft-defender-onboard.md) |
-|--|--|--|
-|*You are here!*| | |
-
-
-**Welcome to the Prepare phase of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md#the-migration-process)**.
-
-This migration phase includes the following steps:
-1. [Get and deploy updates across your organization's devices](#get-and-deploy-updates-across-your-organizations-devices)
-2. [Get Microsoft Defender for Endpoint](#get-microsoft-defender-for-endpoint).
-3. [Grant access to the Microsoft Defender Security Center](#grant-access-to-the-microsoft-defender-security-center).
-4. [Configure device proxy and internet connectivity settings](#configure-device-proxy-and-internet-connectivity-settings).
-
-## Get and deploy updates across your organization's devices
-
-As a best practice, keep your organization's devices and endpoints up to date. Make sure your McAfee Endpoint Security (McAfee) solution is up to date, and that the operating systems and apps your organization is also have the latest updates. Doing this now can help prevent problems later as you migrate to Microsoft Defender ATP and Microsoft Defender Antivirus.
-
-### Make sure your McAfee solution is up to date
-
-Keep McAfee up to date, and make sure that your organization's devices have the latest security updates. Need help? Here are some McAfee resources:
-
-- [McAfee Enterprise Product Documentation: How Endpoint Security Works](https://docs.mcafee.com/bundle/endpoint-security-10.7.x-common-product-guide-windows/page/GUID-1207FF39-D1D2-481F-BBD9-E4079112A8DD.html)
-
-- [McAfee Knowledge Center Technical Article: Windows Security Center intermittently incorrectly reports that Endpoint Security is disabled when running on Windows 10](https://kc.mcafee.com/corporate/index?page=content&id=KB91830)
-
-- [McAfee Knowledge Center Technical Article: Windows Security Center reports Endpoint Security is disabled when Endpoint Security is running](https://kc.mcafee.com/corporate/index?page=content&id=KB91428)
-
-- Your McAfee support ServicePortal ([http://mysupport.mcafee.com](http://mysupport.mcafee.com))
-
-### Make sure your organization's devices are up to date
-
-Need help updating your organization's devices? See the following resources:
-
-|OS | Resource |
-|:--|:--|
-|Windows |[Microsoft Update](https://www.update.microsoft.com) |
-|macOS | [How to update the software on your Mac](https://support.apple.com/HT201541)|
-|iOS |[Update your iPhone, iPad, or iPod touch](https://support.apple.com/HT204204)|
-|Android |[Check & update your Android version](https://support.google.com/android/answer/7680439) |
-|Linux | [Linux 101: Updating Your System](https://www.linux.com/training-tutorials/linux-101-updating-your-system) |
-
-## Get Microsoft Defender for Endpoint
-
-Now that you've updated your organization's devices, the next step is to get Microsoft Defender ATP, assign licenses, and make sure the service is provisioned.
-
-1. Buy or try Microsoft Defender for Endpoint today. [Start a free trial or request a quote](https://aka.ms/mdatp).
-
-2. Verify that your licenses are properly provisioned. [Check your license state](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#check-license-state).
-
-3. As a global administrator or security administrator, set up your dedicated cloud instance of Microsoft Defender for Endpoint. See [Microsoft Defender ATP setup: Tenant configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#tenant-configuration).
-
-4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Microsoft Defender ATP setup: Network configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#network-configuration).
-
-At this point, you are ready to grant access to your security administrators and security operators who will use the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
-
-> [!NOTE]
-> The Microsoft Defender Security Center is sometimes referred to as the Microsoft Defender ATP portal.
-
-## Grant access to the Microsoft Defender Security Center
-
-The Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) is where you access and configure features and capabilities of Microsoft Defender ATP. To learn more, see [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use).
-
-Permissions to the Microsoft Defender Security Center can be granted by using either basic permissions or role-based access control (RBAC). We recommend using RBAC so that you have more granular control over permissions.
-
-1. Plan the roles and permissions for your security administrators and security operators. See [Role-based access control](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment#role-based-access-control).
-
-2. Set up and configure RBAC. We recommend using [Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) to configure RBAC, especially if your organization is using a combination of Windows 10, macOS, iOS, and Android devices. See [setting up RBAC using Intune](https://docs.microsoft.com/mem/intune/fundamentals/role-based-access-control).
-
- If your organization requires a method other than Intune, choose one of the following options:
- - [Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/servers/deploy/configure/configure-role-based-administration)
- - [Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm)
- - [Windows Admin Center](https://docs.microsoft.com/windows-server/manage/windows-admin-center/overview)
-
-3. Grant access to the Microsoft Defender Security Center. (Need help? See [Manage portal access using RBAC](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)).
-
-## Configure device proxy and internet connectivity settings
-
-To enable communication between your devices and Microsoft Defender ATP, configure proxy and internet settings. The following table includes links to resources you can use to configure your proxy and internet settings for various operating systems and capabilities:
-
-|Capabilities | Operating System | Resources |
-|--|--|--|
-|[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) |
-|EDR |- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) |
-|EDR |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft Defender ATP for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) |
-|[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803)
- [Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)
|
-|Antivirus |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft Defender ATP for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) |
-|Antivirus |Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |[Microsoft Defender ATP for Linux: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux#network-connections)
-
-## Next step
-
-**Congratulations**! You have completed the **Prepare** phase of [migrating from McAfee to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md#the-migration-process)!
-
-- [Proceed to set up Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-setup.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md
deleted file mode 100644
index 8813e53523..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md
+++ /dev/null
@@ -1,258 +0,0 @@
----
-title: McAfee to Microsoft Defender for Endpoint - Setup
-description: This is phase 2, Setup, for migrating from McAfee to Microsoft Defender for Endpoint.
-keywords: migration, windows defender advanced threat protection, atp, edr
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.technology: windows
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- M365-security-compliance
-- m365solution-mcafeemigrate
-- m365solution-scenario
-ms.topic: article
-ms.custom: migrationguides
-ms.date: 09/22/2020
-ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
----
-
-# Migrate from McAfee - Phase 2: Set up Microsoft Defender for Endpoint
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-|[](mcafee-to-microsoft-defender-prepare.md)
[Phase 1: Prepare](mcafee-to-microsoft-defender-prepare.md) |
Phase 2: Set up |[](mcafee-to-microsoft-defender-onboard.md)
[Phase 3: Onboard](mcafee-to-microsoft-defender-onboard.md) |
-|--|--|--|
-||*You are here!* | |
-
-
-**Welcome to the Setup phase of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](mcafee-to-microsoft-defender-migration.md#the-migration-process)**. This phase includes the following steps:
-1. [Enable Microsoft Defender Antivirus and confirm it's in passive mode](#enable-microsoft-defender-antivirus-and-confirm-its-in-passive-mode).
-2. [Get updates for Microsoft Defender Antivirus](#get-updates-for-microsoft-defender-antivirus).
-3. [Add Microsoft Defender ATP to the exclusion list for McAfee](#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-mcafee).
-4. [Add McAfee to the exclusion list for Microsoft Defender Antivirus](#add-mcafee-to-the-exclusion-list-for-microsoft-defender-antivirus).
-5. [Add McAfee to the exclusion list for Microsoft Defender for Endpoint](#add-mcafee-to-the-exclusion-list-for-microsoft-defender-for-endpoint).
-6. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units).
-7. [Configure antimalware policies and real-time protection](#configure-antimalware-policies-and-real-time-protection).
-
-## Enable Microsoft Defender Antivirus and confirm it's in passive mode
-
-On certain versions of Windows, such as Windows Server, Microsoft Defender Antivirus might have been uninstalled or disabled when your McAfee solution was installed. This is because Microsoft Defender Antivirus does not enter passive or disabled mode when you install a third-party antivirus product, such as McAfee. (To learn more about this, see [Microsoft Defender Antivirus compatibility](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).)
-
-This step of the migration process includes the following tasks:
-- [Setting DisableAntiSpyware to false on Windows Server](#set-disableantispyware-to-false-on-windows-server)
-- [Reinstalling Microsoft Defender Antivirus on Windows Server](#reinstall-microsoft-defender-antivirus-on-windows-server);
-- [Setting Microsoft Defender Antivirus to passive mode on Windows Server](#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server)
-- [Enabling Microsoft Defender Antivirus on your Windows client devices](#enable-microsoft-defender-antivirus-on-your-windows-client-devices); and
-- [Confirming that Microsoft Defender Antivirus is set to passive mode](#confirm-that-microsoft-defender-antivirus-is-in-passive-mode).
-
-### Set DisableAntiSpyware to false on Windows Server
-
-The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key was used in the past to disable Microsoft Defender Antivirus, and deploy another antivirus product, such as McAfee. In general, you should not have this registry key on your Windows devices and endpoints; however, if you do have `DisableAntiSpyware` configured, here's how to set its value to false:
-
-1. On your Windows Server device, open Registry Editor.
-
-2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`.
-
-3. In that folder, look for a DWORD entry called **DisableAntiSpyware**.
-
- - If you do not see that entry, you're all set.
-
- - If you do see **DisableAntiSpyware**, proceed to step 4.
-
-4. Right-click the DisableAntiSpyware DWORD, and then choose **Modify**.
-
-5. Set the value to `0`. (This sets the registry key's value to *false*.)
-
-> [!TIP]
-> To learn more about this registry key, see [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware).
-
-### Reinstall Microsoft Defender Antivirus on Windows Server
-
-> [!NOTE]
-> The following procedure applies only to endpoints or devices that are running the following versions of Windows:
-> - Windows Server 2019
-> - Windows Server, version 1803 (core-only mode)
-> - Windows Server 2016
-
-1. As a local administrator on the endpoint or device, open Windows PowerShell.
-
-2. Run the following PowerShell cmdlets:
-
- `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`
-
- `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
-
-3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet:
-
- `Get-Service -Name windefend`
-
-> [!TIP]
-> Need help? See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016).
-
-### Set Microsoft Defender Antivirus to passive mode on Windows Server
-
-Because your organization is still using McAfee, you must set Microsoft Defender Antivirus to passive mode. That way, McAfee and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Microsoft Defender ATP.
-
-1. Open Registry Editor, and then navigate to
- `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Windows Advanced Threat Protection`.
-
-2. Edit (or create) a DWORD entry called **ForceDefenderPassiveMode**, and specify the following settings:
-
- - Set the DWORD's value to **1**.
-
- - Under **Base**, select **Hexadecimal**.
-
-> [!NOTE]
-> You can use other methods to set the registry key, such as the following:
->- [Group Policy Preference](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922(v=ws.11))
->- [Local Group Policy Object tool](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10#what-is-the-local-group-policy-object-lgpo-tool)
->- [A package in Configuration Manager](https://docs.microsoft.com/mem/configmgr/apps/deploy-use/packages-and-programs)
-
-### Enable Microsoft Defender Antivirus on your Windows client devices
-
-Because your organization has been using McAfee as your primary antivirus solution, Microsoft Defender Antivirus is most likely disabled on your organization's Windows devices. This step of the migration process involves enabling Microsoft Defender Antivirus.
-
-To enable Microsoft Defender Antivirus, we recommend using Intune. However, you can any of the methods that are listed in the following table:
-
-|Method |What to do |
-|---------|---------|
-|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.
2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure.
If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
3. Select **Properties**, and then select **Configuration settings: Edit**.
4. Expand **Microsoft Defender Antivirus**.
5. Enable **Cloud-delivered protection**.
6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.
7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.
8. Select **Review + save**, and then choose **Save**.
For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles).|
-|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/user-help/turn-on-defender-windows).
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
-|[Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm/)
or
[Group Policy Management Console](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`.
2. Look for a policy called **Turn off Microsoft Defender Antivirus**.
3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
-
-### Confirm that Microsoft Defender Antivirus is in passive mode
-
-Microsoft Defender Antivirus can run alongside McAfee if you set Microsoft Defender Antivirus to passive mode. You can use either Command Prompt or PowerShell to perform this task, as described in the following table:
-
-|Method |What to do |
-|---------|---------|
-|Command Prompt |1. On a Windows device, open Command Prompt as an administrator.
2. Type `sc query windefend`, and then press Enter.
3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
-|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.
2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.
3. In the list of results, look for **AntivirusEnabled: True**. |
-
-> [!NOTE]
-> You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
-
-## Get updates for Microsoft Defender Antivirus
-
-Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques, even if Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
-
-There are two types of updates related to keeping Microsoft Defender Antivirus up to date:
-- Security intelligence updates
-- Product updates
-
-To get your updates, follow the guidance in [Manage Microsoft Defender Antivirus updates and apply baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus).
-
-## Add Microsoft Defender for Endpoint to the exclusion list for McAfee
-
-This step of the setup process involves adding Microsoft Defender for Endpoint to the exclusion list for McAfee and any other security products your organization is using.
-
-> [!TIP]
-> To get help configuring exclusions, refer to McAfee documentation, such as the following article: [McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows: Configuring exclusions](https://docs.mcafee.com/bundle/endpoint-security-10.5.0-threat-prevention-product-guide-epolicy-orchestrator-windows/page/GUID-71C5FB4B-A143-43E6-8BF0-8B2C16ABE6DA.html).
-
-The specific exclusions to configure depend on which version of Windows your endpoints or devices are running, and are listed in the following table:
-
-|OS |Exclusions |
-|--|--|
-|- Windows 10, [version 1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803) or later (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information))
- Windows 10, version 1703 or [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`
|
-|- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`
**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.
`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
-
-## Add McAfee to the exclusion list for Microsoft Defender Antivirus
-
-During this step of the setup process, you add McAfee and your other security solutions to the Microsoft Defender Antivirus exclusion list.
-
-When you add [exclusions to Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus), you should add path and process exclusions. Keep the following points in mind:
-- Path exclusions exclude specific files and whatever those files access.
-- Process exclusions exclude whatever a process touches, but does not exclude the process itself.
-- If you list each executable (.exe) as both a path exclusion and a process exclusion, the process and whatever it touches are excluded.
-- List your process exclusions using their full path and not by their name only. (The name-only method is less secure.)
-
-You can choose from several methods to add your exclusions to Microsoft Defender Antivirus, as listed in the following table:
-
-|Method | What to do|
-|--|--|
-|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.
2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.
3. Under **Manage**, select **Properties**.
4. Select **Configuration settings: Edit**.
5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.
6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).
7. Choose **Review + save**, and then choose **Save**. |
-|[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/) |1. Using the [Configuration Manager console](https://docs.microsoft.com/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify.
2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. |
-|[Group Policy Object](https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
4. Double-click the **Path Exclusions** setting and add the exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Specify each folder on its own line under the **Value name** column.
- If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
5. Click **OK**.
6. Double-click the **Extension Exclusions** setting and add the exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.
7. Click **OK**. |
-|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor.
2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
3. Specify your path and process exclusions. |
-|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.
2. Import the registry key. Here are two examples:
- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg`
- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` |
-
-## Add McAfee to the exclusion list for Microsoft Defender for Endpoint
-
-To add exclusions to Microsoft Defender ATP, you create [indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators#create-indicators-for-files).
-
-1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
-
-2. In the navigation pane, choose **Settings** > **Rules** > **Indicators**.
-
-3. On the **File hashes** tab, choose **Add indicator**.
-
-3. On the **Indicator** tab, specify the following settings:
- - File hash (Need help? See [Find a file hash using CMPivot](#find-a-file-hash-using-cmpivot) in this article.)
- - Under **Expires on (UTC)**, choose **Never**.
-
-4. On the **Action** tab, specify the following settings:
- - **Response Action**: **Allow**
- - Title and description
-
-5. On the **Scope** tab, under **Device groups**, select either **All devices in my scope** or **Select from list**.
-
-6. On the **Summary** tab, review the settings, and then click **Save**.
-
-### Find a file hash using CMPivot
-
-CMPivot is an in-console utility for Configuration Manager. CMPivot provides access to the real-time state of devices in your environment. It immediately runs a query on all currently connected devices in the target collection and returns the results. To learn more, see [CMPivot overview](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot-overview).
-
-To use CMPivot to get your file hash, follow these steps:
-
-1. Review the [prerequisites](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#prerequisites).
-
-2. [Start CMPivot](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#start-cmpivot).
-
-3. Connect to Configuration Manager (`SCCM_ServerName.DomainName.com`).
-
-4. Select the **Query** tab.
-
-5. In the **Device Collection** list, and choose **All Systems (default)**.
-
-6. In the query box, type the following query:
-
-```kusto
-File(c:\\windows\\notepad.exe)
-| project Hash
-```
-> [!NOTE]
-> In the query above, replace *notepad.exe* with the your third-party security product process name.
-
-## Set up your device groups, device collections, and organizational units
-
-| Collection type | What to do |
-|--|--|
-|[Device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.
Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed.
Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**.
3. Choose **+ Add device group**.
4. Specify a name and description for the device group.
5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated).
6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags).
7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group.
8. Choose **Done**. |
-|[Device collections](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization.
Device collections are created by using [Configuration Manager](https://docs.microsoft.com/mem/configmgr/). |Follow the steps in [Create a collection](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). |
-|[Organizational units](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.
Organizational units are defined in [Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou). |
-
-## Configure antimalware policies and real-time protection
-
-Using Configuration Manager and your device collection(s), configure your antimalware policies.
-
-- See [Create and deploy antimalware policies for Endpoint Protection in Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies).
-
-- While you create and configure your antimalware policies, make sure to review the [real-time protection settings](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) and [enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus).
-
-> [!TIP]
-> You can deploy the policies before your organization's devices on onboarded.
-
-## Next step
-
-**Congratulations**! You have completed the Setup phase of [migrating from McAfee to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md#the-migration-process)!
-
-- [Proceed to Phase 3: Onboard to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-onboard.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md
deleted file mode 100644
index 2049e0d9bd..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md
+++ /dev/null
@@ -1,57 +0,0 @@
----
-title: Configure Microsoft Cloud App Security integration
-ms.reviewer:
-description: Learn how to turn on the settings to enable the Microsoft Defender ATP integration with Microsoft Cloud App Security.
-keywords: cloud, app, security, settings, integration, discovery, report
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Configure Microsoft Cloud App Security in Microsoft Defender ATP
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-To benefit from Microsoft Defender Advanced Threat Protection (ATP) cloud app discovery signals, turn on Microsoft Cloud App Security integration.
-
->[!NOTE]
->This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions.
-
-> See [Microsoft Defender Advanced Threat Protection integration with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/wdatp-integration) for detailed integration of Microsoft Defender ATP with Microsoft Cloud App Security.
-
-## Enable Microsoft Cloud App Security in Microsoft Defender ATP
-
-1. In the navigation pane, select **Preferences setup** > **Advanced features**.
-2. Select **Microsoft Cloud App Security** and switch the toggle to **On**.
-3. Click **Save preferences**.
-
-Once activated, Microsoft Defender ATP will immediately start forwarding discovery signals to Cloud App Security.
-
-## View the data collected
-
-To view and access Microsoft Defender ATP data in Microsoft Cloud Apps Security, see [Investigate devices in Cloud App Security](https://docs.microsoft.com/cloud-app-security/wdatp-integration#investigate-machines-in-cloud-app-security).
-
-
-For more information about cloud discovery, see [Working with discovered apps](https://docs.microsoft.com/cloud-app-security/discovered-apps).
-
-If you are interested in trying Microsoft Cloud App Security, see [Microsoft Cloud App Security Trial](https://signup.microsoft.com/Signup?OfferId=757c4c34-d589-46e4-9579-120bba5c92ed&ali=1).
-
-## Related topic
-- [Microsoft Cloud App Security integration](microsoft-cloud-app-security-integration.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md
deleted file mode 100644
index a6f03c17c5..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md
+++ /dev/null
@@ -1,55 +0,0 @@
----
-title: Microsoft Cloud App Security integration overview
-ms.reviewer:
-description: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) integrates with Cloud App Security by forwarding all cloud app networking activities.
-keywords: cloud, app, networking, visibility, usage
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.date: 10/18/2018
----
-
-# Microsoft Cloud App Security in Microsoft Defender ATP overview
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-Microsoft Cloud App Security (Cloud App Security) is a comprehensive solution that gives visibility into cloud apps and services by allowing you to control and limit access to cloud apps, while enforcing compliance requirements on data stored in the cloud. For more information, see [Cloud App Security](https://docs.microsoft.com/cloud-app-security/what-is-cloud-app-security).
-
->[!NOTE]
->This feature is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10 version 1809 or later.
-
-## Microsoft Defender ATP and Cloud App Security integration
-
-Cloud App Security discovery relies on cloud traffic logs being forwarded to it from enterprise firewall and proxy servers. Microsoft Defender ATP integrates with Cloud App Security by collecting and forwarding all cloud app networking activities, providing unparalleled visibility to cloud app usage. The monitoring functionality is built into the device, providing complete coverage of network activity.
-
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4r4yQ]
-
-
-The integration provides the following major improvements to the existing Cloud App Security discovery:
-
-- Available everywhere - Since the network activity is collected directly from the endpoint, it's available wherever the device is, on or off corporate network, as it's no longer depended on traffic routed through the enterprise firewall or proxy servers.
-
-- Works out of the box, no configuration required - Forwarding cloud traffic logs to Cloud App Security requires firewall and proxy server configuration. With the Microsoft Defender ATP and Cloud App Security integration, there's no configuration required. Just switch it on in Microsoft Defender Security Center settings and you're good to go.
-
-- Device context - Cloud traffic logs lack device context. Microsoft Defender ATP network activity is reported with the device context (which device accessed the cloud app), so you are able to understand exactly where (device) the network activity took place, in addition to who (user) performed it.
-
-For more information about cloud discovery, see [Working with discovered apps](https://docs.microsoft.com/cloud-app-security/discovered-apps).
-
-## Related topic
-
-- [Configure Microsoft Cloud App Security integration](microsoft-cloud-app-security-config.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
deleted file mode 100644
index d45c5c585e..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md
+++ /dev/null
@@ -1,142 +0,0 @@
----
-title: Microsoft Defender Advanced Threat Protection
-description: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) is an enterprise endpoint security platform that helps defend against advanced persistent threats.
-keywords: introduction to Microsoft Defender Advanced Threat Protection, introduction to Microsoft Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence, attack surface reduction, next-generation protection, automated investigation and remediation, microsoft threat experts, secure score, advanced hunting, microsoft threat protection, cyber threat hunting
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Microsoft Defender Advanced Threat Protection
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink)
->
-> For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy).
-
-Microsoft Defender Advanced Threat Protection is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
-
-
->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4wDob]
-
-Microsoft Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
-
-- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors
- collect and process behavioral signals from the operating system and sends this sensor data to your private, isolated, cloud instance of Microsoft Defender ATP.
-
-
-- **Cloud security analytics**: Leveraging big-data, device-learning, and
- unique Microsoft optics across the Windows ecosystem,
- enterprise cloud products (such as Office 365), and online assets, behavioral signals
- are translated into insights, detections, and recommended responses
- to advanced threats.
-
-- **Threat intelligence**: Generated by Microsoft hunters, security teams,
- and augmented by threat intelligence provided by partners, threat
- intelligence enables Microsoft Defender ATP to identify attacker
- tools, techniques, and procedures, and generate alerts when these
- are observed in collected sensor data.
-
-
-Microsoft Defender ATP
-
-
-
->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4vnC4?rel=0]
-
-> [!TIP]
-> - Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
-> - Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
-
-
-
-**[Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)**
-This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
-
-
-
-**[Attack surface reduction](overview-attack-surface-reduction.md)**
-The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation. This set of capabilities also includes [network protection](network-protection.md) and [web protection](web-protection-overview.md), which regulate access to malicious IP addresses, domains, and URLs.
-
-
-
-**[Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10)**
-To further reinforce the security perimeter of your network, Microsoft Defender ATP uses next-generation protection designed to catch all types of emerging threats.
-
-
-
-**[Endpoint detection and response](overview-endpoint-detection-response.md)**
-Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. [Advanced hunting](advanced-hunting-overview.md) provides a query-based threat-hunting tool that lets you proactively find breaches and create custom detections.
-
-
-
-**[Automated investigation and remediation](automated-investigations.md)**
-In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
-
-
-
-**[Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)**
-
-Microsoft Defender ATP includes Microsoft Secure Score for Devices to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization.
-
-
-
-**[Microsoft Threat Experts](microsoft-threat-experts.md)**
-Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights that further empower Security operation centers (SOCs) to identify and respond to threats quickly and accurately.
-
->[!IMPORTANT]
->Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service.
-Integrate Microsoft Defender Advanced Threat Protection into your existing workflows.
-
-
-
-**[Integration with Microsoft solutions](threat-protection-integration.md)**
- Microsoft Defender ATP directly integrates with various Microsoft solutions, including:
-- Intune
-- Office 365 ATP
-- Azure ATP
-- Azure Security Center
-- Skype for Business
-- Microsoft Cloud App Security
-
-**[Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)**
- With Microsoft Threat Protection, Microsoft Defender ATP and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate and automatically respond to sophisticated attacks.
-
-
-## Related topic
-[Microsoft Defender ATP helps detect sophisticated threats](https://www.microsoft.com/en-us/itshowcase/microsoft-defender-atps-antivirus-capabilities-boost-malware-protection)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md
deleted file mode 100644
index 4b4a872950..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md
+++ /dev/null
@@ -1,95 +0,0 @@
----
-title: Microsoft Defender ATP for Android
-ms.reviewer:
-description: Describes how to install and use Microsoft Defender ATP for Android
-keywords: microsoft, defender, atp, android, installation, deploy, uninstallation, intune
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
----
-
-# Microsoft Defender Advanced Threat Protection for Android
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-This topic describes how to install, configure, update, and use Microsoft Defender ATP for Android.
-
-> [!CAUTION]
-> Running other third-party endpoint protection products alongside Microsoft Defender ATP for Android is likely to cause performance problems and unpredictable system errors.
-
-
-## How to install Microsoft Defender ATP for Android
-
-### Prerequisites
-
-- **For end users**
-
- - Microsoft Defender ATP license assigned to the end user(s) of the app. See [Microsoft Defender ATP licensing requirements](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements#licensing-requirements)
-
- - Intune Company Portal app can be downloaded from [Google
- Play](https://play.google.com/store/apps/details?id=com.microsoft.windowsintune.companyportal)
- and is available on the Android device.
-
- - Additionally, device(s) can be
- [enrolled](https://docs.microsoft.com/mem/intune/user-help/enroll-device-android-company-portal)
- via the Intune Company Portal app to enforce Intune device compliance
- policies. This requires the end user to be assigned a Microsoft Intune license.
-
- - For more information on how to assign licenses, see [Assign licenses to
- users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign).
-
-
-- **For Administrators**
-
- - Access to the Microsoft Defender Security Center portal.
-
- > [!NOTE]
- > Microsoft Intune is the only supported Mobile Device Management (MDM) solution for deploying Microsoft Defender ATP for Android. Currently only enrolled devices are supported for enforcing Microsoft Defender ATP for Android related device compliance policies in Intune.
-
- - Access [Microsoft Endpoint Manager admin
- center](https://go.microsoft.com/fwlink/?linkid=2109431), to deploy the
- app to enrolled user groups in your organization.
-
-### System Requirements
-
-- Android devices running Android 6.0 and above.
-- Intune Company Portal app is downloaded from [Google
- Play](https://play.google.com/store/apps/details?id=com.microsoft.windowsintune.companyportal)
- and installed. Device enrollment is required for Intune device compliance policies to be enforced.
-
-### Installation instructions
-
-Microsoft Defender ATP for Android supports installation on both modes of
-enrolled devices - the legacy Device Administrator and Android Enterprise modes.
-**Currently, only Work Profile enrolled devices are supported in Android Enterprise. Support for other Android Enterprise modes will be announced when ready.**
-
-Deployment of Microsoft Defender ATP for Android is via Microsoft Intune (MDM).
-For more information, see [Deploy Microsoft Defender ATP for Android with Microsoft Intune](android-intune.md).
-
-
-> [!NOTE]
-> **Microsoft Defender ATP for Android is available on [Google Play](https://play.google.com/store/apps/details?id=com.microsoft.scmx) now.**
You can connect to Google Play from Intune to deploy Microsoft Defender ATP app, across Device Administrator and Android Enterprise entrollment modes.
-
-## How to Configure Microsoft Defender ATP for Android
-
-Guidance on how to configure Microsoft Defender ATP for Android features is available in [Configure Microsoft Defender ATP for Android features](android-configure.md).
-
-
-
-## Related topics
-- [Deploy Microsoft Defender ATP for with Microsoft Intune](android-intune.md)
-- [Configure Microsoft Defender ATP for Android features](android-configure.md)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md
deleted file mode 100644
index 118ea48672..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md
+++ /dev/null
@@ -1,78 +0,0 @@
----
-title: Microsoft Defender ATP for iOS overview
-ms.reviewer:
-description: Describes how to install and use Microsoft Defender ATP for iOS
-keywords: microsoft, defender, atp, ios, overview, installation, deploy, uninstallation, intune
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
----
-
-# Microsoft Defender Advanced Threat Protection for iOS
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-> [!IMPORTANT]
-> **PUBLIC PREVIEW EDITION**
->
-> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability.
->
-> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
-
-
-The public preview of Microsoft Defender ATP for iOS will offer protection
-against phishing and unsafe network connections from websites, emails, and apps.
-All alerts will be available through a single pane of glass in the Microsoft
-Defender Security Center. The portal gives security teams a centralized view of threats on
-iOS devices along with other platforms.
-
-## Pre-requisites
-
-
-**For End Users**
-
-- Microsoft Defender ATP license assigned to the end user(s) of the app. Refer
- [Assign licenses to
- users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign)
- for instructions on how to assign licenses.
-
-**For Administrators**
-
-- Access to the Microsoft Defender Security Center portal
-
-- Access to [Microsoft Endpoint Manager admin
- center](https://go.microsoft.com/fwlink/?linkid=2109431), to deploy the app
- to enrolled user groups in your organization
-
-**System Requirements**
-
-- iOS devices running iOS 11.0 and above
-
-- Device is enrolled with Intune Company Portal
- [app](https://apps.apple.com/us/app/intune-company-portal/id719171358)
-
-## Resources
-
-- Stay informed about upcoming releases by visiting our [blog](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/iOS)
-
-- Provide feedback through in-app feedback system or through [SecOps
- portal](https://securitycenter.microsoft.com)
-
-
-## Next steps
-
-- [Deploy Microsoft Defender ATP for iOS](ios-install.md)
-- [Configure Microsoft Defender ATP for iOS features](ios-configure-features.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
deleted file mode 100644
index ea21452763..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
+++ /dev/null
@@ -1,133 +0,0 @@
----
-title: Microsoft Defender ATP for Linux
-ms.reviewer:
-description: Describes how to install and use Microsoft Defender ATP for Linux.
-keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
----
-
-# Microsoft Defender ATP for Linux
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-This topic describes how to install, configure, update, and use Microsoft Defender ATP for Linux.
-
-> [!CAUTION]
-> Running other third-party endpoint protection products alongside Microsoft Defender ATP for Linux is likely to cause performance problems and unpredictable system errors.
-
-## How to install Microsoft Defender ATP for Linux
-
-### Prerequisites
-
-- Access to the Microsoft Defender Security Center portal
-- Beginner-level experience in Linux and BASH scripting
-- Administrative privileges on the device (in case of manual deployment)
-
-### Installation instructions
-
-There are several methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Linux.
-
-In general you need to take the following steps:
-
-- Ensure that you have a Microsoft Defender ATP subscription, and that you have access to the [Microsoft Defender ATP portal](microsoft-defender-security-center.md).
-- Deploy Microsoft Defender ATP for Linux using one of the following deployment methods:
- - The command-line tool:
- - [Manual deployment](linux-install-manually.md)
- - Third-party management tools:
- - [Deploy using Puppet configuration management tool](linux-install-with-puppet.md)
- - [Deploy using Ansible configuration management tool](linux-install-with-ansible.md)
-
-If you experience any installation failures, refer to [Troubleshooting installation failures in Microsoft Defender ATP for Linux](linux-support-install.md).
-
-### System requirements
-
-- Supported Linux server distributions and versions:
-
- - Red Hat Enterprise Linux 7.2 or higher
- - CentOS 7.2 or higher
- - Ubuntu 16.04 LTS or higher LTS
- - Debian 9 or higher
- - SUSE Linux Enterprise Server 12 or higher
- - Oracle Linux 7.2 or higher
-
-- Minimum kernel version 3.10.0-327
-- The `fanotify` kernel option must be enabled
- > [!CAUTION]
- > Running Microsoft Defender ATP for Linux side by side with other `fanotify`-based security solutions is not supported. It can lead to unpredictable results, including hanging the operating system.
-
-- Disk space: 1GB
-- The solution currently provides real-time protection for the following file system types:
-
- - `btrfs`
- - `ecryptfs`
- - `ext2`
- - `ext3`
- - `ext4`
- - `fuse`
- - `fuseblk`
- - `jfs`
- - `nfs`
- - `overlay`
- - `ramfs`
- - `reiserfs`
- - `tmpfs`
- - `udf`
- - `vfat`
- - `xfs`
-
-After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.
-
-### Network connections
-
-The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs. If there are, you may need to create an *allow* rule specifically for them.
-
-
-
-|**Item**|**Description**|
-|:-----|:-----|
-|[](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)
[Spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) | The spreadsheet provides specific DNS records for service locations, geographic locations, and OS.
-
-
-
-> [!NOTE]
-> For a more specific URL list, see [Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
-
-Microsoft Defender ATP can discover a proxy server by using the following discovery methods:
-- Transparent proxy
-- Manual static proxy configuration
-
-If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs. For transparent proxies, no additional configuration is needed for Microsoft Defender ATP. For static proxy, follow the steps in [Manual Static Proxy Configuration](linux-static-proxy-configuration.md).
-
-> [!WARNING]
-> PAC, WPAD, and authenticated proxies are not supported. Ensure that only a static proxy or transparent proxy is being used.
->
-> SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender ATP for Linux to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception.
-
-For troubleshooting steps, see [Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux](linux-support-connectivity.md).
-
-## How to update Microsoft Defender ATP for Linux
-
-Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Microsoft Defender ATP for Linux, refer to [Deploy updates for Microsoft Defender ATP for Linux](linux-updates.md).
-
-## How to configure Microsoft Defender ATP for Linux
-
-Guidance for how to configure the product in enterprise environments is available in [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md).
-
-## Resources
-
-- For more information about logging, uninstalling, or other topics, see [Resources](linux-resources.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
deleted file mode 100644
index 06899fd04e..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
+++ /dev/null
@@ -1,149 +0,0 @@
----
-title: Microsoft Defender ATP for Mac
-ms.reviewer:
-description: Learn how to install, configure, update, and use Microsoft Defender Advanced Threat Protection for Mac.
-keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dansimp
-author: dansimp
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
----
-
-# Microsoft Defender Advanced Threat Protection for Mac
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-This topic describes how to install, configure, update, and use Microsoft Defender ATP for Mac.
-
-> [!CAUTION]
-> Running other third-party endpoint protection products alongside Microsoft Defender ATP for Mac is likely to lead to performance problems and unpredictable side effects. If non-Microsoft endpoint protection is an absolute requirement in your environment, you can still safely take advantage of MDATP for Mac EDR functionality after configuring MDATP for Mac antivirus functionality to run in [Passive mode](mac-preferences.md#enable--disable-passive-mode).
-
-## What’s new in the latest release
-
-[What's new in Microsoft Defender ATP](whats-new-in-microsoft-defender-atp.md)
-
-[What's new in Microsoft Defender ATP for Mac](mac-whatsnew.md)
-
-> [!TIP]
-> If you have any feedback that you would like to share, submit it by opening Microsoft Defender ATP for Mac on your device and navigating to **Help** > **Send feedback**.
-
-To get the latest features, including preview capabilities (such as endpoint detection and response for your Mac devices), configure your macOS device running Microsoft Defender ATP to be an "Insider" device. See [Enable Microsoft Defender ATP Insider Device](endpoint-detection-response-mac-preview.md).
-
-## How to install Microsoft Defender ATP for Mac
-
-### Prerequisites
-
-- A Microsoft Defender ATP subscription and access to the Microsoft Defender Security Center portal
-- Beginner-level experience in macOS and BASH scripting
-- Administrative privileges on the device (in case of manual deployment)
-
-### Installation instructions
-
-There are several methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac.
-
-- Third-party management tools:
- - [Microsoft Intune-based deployment](mac-install-with-intune.md)
- - [JAMF-based deployment](mac-install-with-jamf.md)
- - [Other MDM products](mac-install-with-other-mdm.md)
-
-- Command-line tool:
- - [Manual deployment](mac-install-manually.md)
-
-### System requirements
-
-The three most recent major releases of macOS are supported.
-
-- 10.15 (Catalina), 10.14 (Mojave), 10.13 (High Sierra)
-- Disk space: 1GB
-
-Beta versions of macOS are not supported. macOS Sierra (10.12) support ended on January 1, 2020.
-
-After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.
-
-### Licensing requirements
-
-Microsoft Defender Advanced Threat Protection for Mac requires one of the following Microsoft Volume Licensing offers:
-
-- Microsoft 365 E5 (M365 E5)
-- Microsoft 365 E5 Security
-- Microsoft 365 A5 (M365 A5)
-
-> [!NOTE]
-> Eligible licensed users may use Microsoft Defender Advanced Threat Protection on up to five concurrent devices.
-> Microsoft Defender Advanced Threat Protection is also available for purchase from a Cloud Solution Provider (CSP). When purchased via a CSP, it does not require Microsoft Volume Licensing offers listed.
-
-### Network connections
-
-The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an *allow* rule specifically for them.
-
-
-
-|**Item**|**Description**|
-|:-----|:-----|
-|[](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)
[Spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) | The spreadsheet provides specific DNS records for service locations, geographic locations, and OS.
-
-
-
-Microsoft Defender ATP can discover a proxy server by using the following discovery methods:
-- Proxy autoconfig (PAC)
-- Web Proxy Autodiscovery Protocol (WPAD)
-- Manual static proxy configuration
-
-If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs.
-
-> [!WARNING]
-> Authenticated proxies are not supported. Ensure that only PAC, WPAD, or a static proxy is being used.
->
-> SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender ATP for Mac to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception.
-
-To test that a connection is not blocked, open [https://x.cp.wd.microsoft.com/api/report](https://x.cp.wd.microsoft.com/api/report) and [https://cdn.x.cp.wd.microsoft.com/ping](https://cdn.x.cp.wd.microsoft.com/ping) in a browser.
-
-If you prefer the command line, you can also check the connection by running the following command in Terminal:
-
-```bash
-curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
-```
-
-The output from this command should be similar to the following:
-
- `OK https://x.cp.wd.microsoft.com/api/report`
-
- `OK https://cdn.x.cp.wd.microsoft.com/ping`
-
-> [!CAUTION]
-> We recommend that you keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) (SIP) enabled on client devices. SIP is a built-in macOS security feature that prevents low-level tampering with the OS, and is enabled by default.
-
-Once Microsoft Defender ATP is installed, connectivity can be validated by running the following command in Terminal:
-```bash
-mdatp --connectivity-test
-```
-
-## How to update Microsoft Defender ATP for Mac
-
-Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. To update Microsoft Defender ATP for Mac, a program named Microsoft AutoUpdate (MAU) is used. To learn more, see [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md)
-
-## How to configure Microsoft Defender ATP for Mac
-
-Guidance for how to configure the product in enterprise environments is available in [Set preferences for Microsoft Defender ATP for Mac](mac-preferences.md).
-
-## macOS kernel and system extensions
-
-In alignment with macOS evolution, we are preparing a Microsoft Defender ATP for Mac update that leverages system extensions instead of kernel extensions. Visit [What's new in Microsoft Defender Advanced Threat Protection for Mac](mac-whatsnew.md) for relevant details.
-
-## Resources
-
-- For more information about logging, uninstalling, or other topics, see the [Resources](mac-resources.md) page.
-
-- [Privacy for Microsoft Defender ATP for Mac](mac-privacy.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center.md
deleted file mode 100644
index e04a02313b..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center.md
+++ /dev/null
@@ -1,43 +0,0 @@
----
-title: Microsoft Defender Security Center
-description: Microsoft Defender Security Center is the portal where you can access Microsoft Defender Advanced Threat Protection.
-keywords: windows, defender, security, center, defender, advanced, threat, protection
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
----
-
-# Microsoft Defender Security Center
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-Microsoft Defender Security Center is the portal where you can access Microsoft Defender Advanced Threat Protection capabilities. It gives enterprise security operations teams a single pane of glass experience to help secure networks.
-
-## In this section
-
-Topic | Description
-:---|:---
-Get started | Learn about the minimum requirements, validate licensing and complete setup, know about preview features, understand data storage and privacy, and how to assign user access to the portal.
-[Onboard devices](onboard-configure.md) | Learn about onboarding client, server, and non-Windows devices. Learn how to run a detection test, configure proxy and Internet connectivity settings, and how to troubleshoot potential onboarding issues.
-[Understand the portal](use.md) | Understand the Security operations, Secure Score, and Threat analytics dashboards as well as how to navigate the portal.
-Investigate and remediate threats | Investigate alerts, devices, and take response actions to remediate threats.
-API and SIEM support | Use the supported APIs to pull and create custom alerts, or automate workflows. Use the supported SIEM tools to pull alerts from Microsoft Defender Security Center.
-Reporting | Create and build Power BI reports using Microsoft Defender ATP data.
-Check service health and sensor state | Verify that the service is running and check the sensor state on devices.
-[Configure Microsoft Defender Security Center settings](preferences-setup.md) | Configure general settings, turn on the preview experience, notifications, and enable other features.
-[Access the Microsoft Defender ATP Community Center](community.md) | Access the Microsoft Defender ATP Community Center to learn, collaborate, and share experiences about the product.
-[Troubleshoot service issues](troubleshoot-mdatp.md) | This section addresses issues that might arise as you use the Microsoft Defender Advanced Threat service.
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md
deleted file mode 100644
index 4aed901842..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md
+++ /dev/null
@@ -1,85 +0,0 @@
----
-title: Microsoft Threat Experts
-ms.reviewer:
-description: Microsoft Threat Experts provides an additional layer of expertise to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
-keywords: managed threat hunting service, managed threat hunting, managed detection and response (MDR) service, MTE, Microsoft Threat Experts
-search.product: Windows 10
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
----
-
-# Microsoft Threat Experts
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Microsoft Threat Experts is a managed threat hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don’t get missed.
-
-This new capability provides expert-driven insights and data through targeted attack notification and access to experts on demand.
-
-Watch this video for a quick overview of Microsoft Threat Experts.
-
->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qZ0B]
-
-
-## Before you begin
-> [!NOTE]
-> Discuss the eligibility requirements with your Microsoft Technical Service provider and account team before you apply to the managed threat hunting service.
-
-Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service.
-
-If you are not enrolled yet and would like to experience its benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on-Demand subscription. See [Configure Microsoft Threat Experts capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts#before-you-begin) for details.
-
-## Targeted attack notification
-Microsoft Threat Experts provides proactive hunting for the most important threats to your network, including human adversary intrusions, hands-on-keyboard attacks, or advanced attacks like cyberespionage. The managed hunting service includes:
-- Threat monitoring and analysis, reducing dwell time and risk to the business
-- Hunter-trained artificial intelligence to discover and prioritize both known and unknown attacks
-- Identifying the most important risks, helping SOCs maximize time and energy
-- Scope of compromise and as much context as can be quickly delivered to enable fast SOC response.
-
-## Collaborate with experts, on demand
-Customers can engage our security experts directly from within Microsoft Defender Security Center for timely and accurate response. Experts provide insights needed to better understand the complex threats affecting your organization, from alert inquiries, potentially compromised devices, root cause of a suspicious network connection, to additional threat intelligence regarding ongoing advanced persistent threat campaigns. With this capability, you can:
-
-- Get additional clarification on alerts including root cause or scope of the incident
-- Gain clarity into suspicious device behavior and next steps if faced with an advanced attacker
-- Determine risk and protection regarding threat actors, campaigns, or emerging attacker techniques
-- Seamlessly transition to Microsoft Incident Response (IR) or other third-party Incident Response services when necessary
-
-The option to **Consult a threat expert** is available in several places in the portal so you can engage with experts in the context of your investigation:
-
-- **Help and support menu**
-
-
-- **Device page actions menu**
-
-
-- **Alerts page actions menu**
-
-
-- **File page actions menu**
-
-
-> [!NOTE]
-> Customers with Premier Support subscription mapped to their Office 365 license can track the status of their Experts on Demand cases through Microsoft Services Hub.
-
-Watch this video for a quick overview of the Microsoft Services Hub.
-
->[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4pk9f]
-
-
-## Related topic
-- [Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/migration-guides.md b/windows/security/threat-protection/microsoft-defender-atp/migration-guides.md
deleted file mode 100644
index 308308a4d0..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/migration-guides.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-title: Migration guides to make the switch to Microsoft Defender for Endpoint
-description: Learn how to make the switch from a non-Microsoft threat protection solution to Microsoft Defender for Endpoint
-search.appverid: MET150
-author: denisebmsft
-ms.author: deniseb
-manager: dansimp
-audience: ITPro
-ms.topic: conceptual
-ms.prod: w10
-ms.localizationpriority: medium
-ms.collection:
-- M365-security-compliance
-- m365solution-scenario
-ms.custom: migrationguides
-ms.reviewer: chriggs, depicker, yongrhee
-f1.keywords: NOCSH
-ms.date: 09/24/2020
----
-
-# Make the switch to Microsoft Defender for Endpoint and Microsoft Defender Antivirus
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-## Migration guides
-
-If you're considering switching from a non-Microsoft threat protection solution to Microsoft Defender for Endpoint with Microsoft Defender Antivirus, check out our migration guidance. Select the scenario that best represents where you are in your deployment process, and see the guidance.
-
-|Scenario |Guidance |
-|:--|:--|
-|You do not have an endpoint protection solution yet, and you want to know more about how Microsoft Defender for Endpoint & Microsoft Defender Antivirus work. |[Microsoft Defender ATP evaluation lab](evaluation-lab.md) |
-|You have Microsoft Defender for Endpoint & Microsoft Defender Antivirus and need some help getting everything set up and configured. |[Microsoft Defender Advanced Threat Protection deployment guide](deployment-phases.md) |
-|You're planning to migrate from McAfee Endpoint Security (McAfee) to Microsoft Defender for Endpoint & Microsoft Defender Antivirus. |[Switch from McAfee to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md) |
-|You're planning to migrate from Symantec Endpoint Protection (Symantec) to Microsoft Defender for Endpoint & Microsoft Defender Antivirus. |[Switch from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md) |
-|You're planning to migrate from a non-Microsoft endpoint protection solution (other than McAfee or Symantec) to Microsoft Defender for Endpoint & Microsoft Defender Antivirus. |[Make the switch to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md) |
-|You've migrated to Microsoft Defender for Endpoint & Microsoft Defender Antivirus, and you need help with next steps, such as configuring additional features or fine-tuning your security settings. | [Manage Microsoft Defender for Endpoint, post-migration](manage-atp-post-migration.md) |
-
-
-## Got feedback?
-
-Let us know what you think! Submit your feedback at the bottom of the page. We'll take your feedback into account as we continue to improve and add to our migration guidance.
-
-## See also
-
-- [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection)
-- [Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp)
-- [Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection?)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
deleted file mode 100644
index 3e712cd6f9..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
+++ /dev/null
@@ -1,211 +0,0 @@
----
-title: Minimum requirements for Microsoft Defender ATP
-description: Understand the licensing requirements and requirements for onboarding devices to the service
-keywords: minimum requirements, licensing, comparison table
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Minimum requirements for Microsoft Defender ATP
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-There are some minimum requirements for onboarding devices to the service. Learn about the licensing, hardware and software requirements, and other configuration settings to onboard devices to the service.
-
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-minreqs-abovefoldlink).
-
-
-> [!TIP]
-> - Learn about the latest enhancements in Microsoft Defender ATP: [Microsoft Defender Advanced Threat Protection Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced).
-> - Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
-
-## Licensing requirements
-Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
-
-- Windows 10 Enterprise E5
-- Windows 10 Education A5
-- Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
-- Microsoft 365 E5 Security
-- Microsoft 365 A5 (M365 A5)
-
-> [!NOTE]
-> Eligible Licensed Users may use Microsoft Defender Advanced Threat Protection on up to five concurrent devices.
-> Microsoft Defender Advanced Threat Protection is also available for purchase from a Cloud Solution Provider (CSP). When purchased via a CSP, it does not require Microsoft Volume Licensing offers listed.
-
-
-
-Microsoft Defender Advanced Threat Protection, on Windows Server, requires one of the following licensing options:
-
-- [Azure Security Center Standard plan](https://docs.microsoft.com/azure/security-center/security-center-pricing) (per node)
-- Microsoft Defender ATP for Servers (one per covered Server)
-
-> [!NOTE]
-> Customers with a combined minimum of 50 licenses for one or more of the following may acquire Server SLs for Microsoft Defender Advanced Threat Protection for Servers (one per covered Server OSE): Microsoft Defender Advanced Threat Protection, Windows E5/A5, Microsoft 365 E5/A5 and Microsoft 365 E5 Security User SLs. This license applies to Microsoft Defender ATP for Linux.
-
-For detailed licensing information, see the [Product Terms site](https://www.microsoft.com/licensing/terms/) and work with your account team to learn the detailed terms and conditions for the product.
-
-For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare).
-
-For a detailed comparison table of Windows 10 commercial edition comparison, see the [comparison PDF](https://wfbdevicemanagementprod.blob.core.windows.net/windowsforbusiness/Windows10_CommercialEdition_Comparison.pdf).
-
-## Browser requirements
-Access to Microsoft Defender ATP is done through a browser, supporting the following browsers:
-- Microsoft Edge
-- Internet Explorer version 11
-- Google Chrome
-
-> [!NOTE]
-> While other browsers might work, the mentioned browsers are the ones supported.
-
-
-## Hardware and software requirements
-
-### Supported Windows versions
-- Windows 7 SP1 Enterprise
-- Windows 7 SP1 Pro
-- Windows 8.1 Enterprise
-- Windows 8.1 Pro
-- Windows 10 Enterprise
-- [Windows 10 Enterprise LTSC](https://docs.microsoft.com/windows/whats-new/ltsc/)
-- Windows 10 Education
-- Windows 10 Pro
-- Windows 10 Pro Education
-- Windows server
- - Windows Server 2008 R2 SP1
- - Windows Server 2012 R2
- - Windows Server 2016
- - Windows Server, version 1803 or later
- - Windows Server 2019
-
-Devices on your network must be running one of these editions.
-
-The hardware requirements for Microsoft Defender ATP on devices are the same for the supported editions.
-
-> [!NOTE]
-> Machines running mobile versions of Windows are not supported.
->
-> Virtual Machines running Windows 10 Enterprise 2016 LTSB (which is based on Windows 10, version 1607) may encounter performance issues if run on non-Microsoft virtualization platforms.
->
-> For virtual environments, we recommend using Windows 10 Enterprise LTSC 2019 (which is based on Windows 10, version 1809) or later.
-
-
-### Other supported operating systems
-- Android
-- Linux
-- macOS
-
-> [!NOTE]
-> You'll need to know the exact Linux distributions and versions of Android and macOS that are compatible with Microsoft Defender ATP for the integration to work.
-
-
-
-### Network and data storage and configuration requirements
-When you run the onboarding wizard for the first time, you must choose where your Microsoft Defender Advanced Threat Protection-related information is stored: in the European Union, the United Kingdom, or the United States datacenter.
-
-> [!NOTE]
-> - You cannot change your data storage location after the first-time setup.
-> - Review the [Microsoft Defender ATP data storage and privacy](data-storage-privacy.md) for more information on where and how Microsoft stores your data.
-
-
-### Diagnostic data settings
-
-> [!NOTE]
-> Microsoft Defender ATP doesn't require any specific diagnostic level as long as it's enabled.
-
-Make sure that the diagnostic data service is enabled on all the devices in your organization.
-By default, this service is enabled. It's good practice to check to ensure that you'll get sensor data from them.
-
-**Use the command line to check the Windows 10 diagnostic data service startup type**:
-
-1. Open an elevated command-line prompt on the device:
-
- 1. Go to **Start** and type **cmd**.
-
- 1. Right-click **Command prompt** and select **Run as administrator**.
-
-2. Enter the following command, and press **Enter**:
-
- ```console
- sc qc diagtrack
- ```
-
- If the service is enabled, then the result should look like the following screenshot:
-
- 
-
-
-You'll need to set the service to automatically start if the **START_TYPE** is not set to **AUTO_START**.
-
-
-**Use the command line to set the Windows 10 diagnostic data service to automatically start:**
-
-1. Open an elevated command-line prompt on the endpoint:
-
- 1. Go to **Start** and type **cmd**.
-
- 1. Right-click **Command prompt** and select **Run as administrator**.
-
-2. Enter the following command, and press **Enter**:
-
- ```console
- sc config diagtrack start=auto
- ```
-
-3. A success message is displayed. Verify the change by entering the following command, and press **Enter**:
-
- ```console
- sc qc diagtrack
- ```
-
-
-#### Internet connectivity
-Internet connectivity on devices is required either directly or through proxy.
-
-The Microsoft Defender ATP sensor can utilize a daily average bandwidth of 5 MB to communicate with the Microsoft Defender ATP cloud service and report cyber data. One-off activities such as file uploads and investigation package collection are not included in this daily average bandwidth.
-
-For more information on additional proxy configuration settings, see [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md).
-
-Before you onboard devices, the diagnostic data service must be enabled. The service is enabled by default in Windows 10.
-
-
-## Microsoft Defender Antivirus configuration requirement
-The Microsoft Defender ATP agent depends on the ability of Microsoft Defender Antivirus to scan files and provide information about them.
-
-Configure Security intelligence updates on the Microsoft Defender ATP devices whether Microsoft Defender Antivirus is the active antimalware or not. For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](../microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md).
-
-When Microsoft Defender Antivirus is not the active antimalware in your organization and you use the Microsoft Defender ATP service, Microsoft Defender Antivirus goes on passive mode.
-
-If your organization has turned off Microsoft Defender Antivirus through group policy or other methods, devices that are onboarded must be excluded from this group policy.
-
-If you are onboarding servers and Microsoft Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Microsoft Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints.md).
-
-> [!NOTE]
-> Your regular group policy doesn't apply to Tamper Protection, and changes to Microsoft Defender Antivirus settings will be ignored when Tamper Protection is on.
-
-
-For more information, see [Microsoft Defender Antivirus compatibility](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
-
-## Microsoft Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled
-If you're running Microsoft Defender Antivirus as the primary antimalware product on your devices, the Microsoft Defender ATP agent will successfully onboard.
-
-If you're running a third-party antimalware client and use Mobile Device Management solutions or Microsoft Endpoint Configuration Manager (current branch), you'll need to ensure that the Microsoft Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Microsoft Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy).
-
-
-## Related topics
-- [Validate licensing and complete setup](licensing.md)
-- [Onboard devices](onboard-configure.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mssp-list.md b/windows/security/threat-protection/microsoft-defender-atp/mssp-list.md
deleted file mode 100644
index e04b5fd740..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/mssp-list.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-title: Supported managed security service providers
-description: See the list of MSSPs that Microsoft Defender ATP integrates with
-keywords: managed security service provider, mssp, configure, integration
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Supported managed security service providers
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Logo |Partner name | Description
-:---|:---|:---
-| [BDO Digital](https://go.microsoft.com/fwlink/?linkid=2090394) | BDO Digital's Managed Defense leverages best practice tools, AI, and in-house security experts for 24/7/365 identity protection
-| [BlueVoyant](https://go.microsoft.com/fwlink/?linkid=2121401) | MDR for Microsoft Defender ATP provides support in monitoring, investigating, and mitigating advanced attacks on endpoints
-| [Cloud Security Center](https://go.microsoft.com/fwlink/?linkid=2099315) | InSpark's Cloud Security Center is a 24x7 managed service that delivers protect, detect & respond capabilities
-| [Cloud SOC](https://go.microsoft.com/fwlink/?linkid=2104265) | Cloud SOC provides 24/7 security monitoring services based on Microsoft cloud and helps you to continuously improve your security posture
-| [CSIS Managed Detection & Response](https://go.microsoft.com/fwlink/?linkid=2091005) | 24/7 monitoring and analysis of security alerts giving companies actionable insights into what, when and how security incidents have taken place
-| [Dell Technologies Advanced Threat Protection](https://go.microsoft.com/fwlink/?linkid=2091004) | Professional monitoring service for malicious behavior and anomalies with 24/7 capability
-| [DXC-Managed Endpoint Threat Detection and Response](https://go.microsoft.com/fwlink/?linkid=2090395) | Identify endpoint threats that evade traditional security defenses and contain them in hours or minutes, not days
-| [NTT Security](https://go.microsoft.com/fwlink/?linkid=2095320) | NTT's EDR Service provides 24/7 security monitoring & response across your endpoint and network
-| [Red Canary](https://go.microsoft.com/fwlink/?linkid=2103852) | Red Canary is a security operations partner for modern teams, MDR deployed in minutes
-| [SecureWorks Managed Detection and Response Powered by Red Cloak](https://go.microsoft.com/fwlink/?linkid=2133634) | Secureworks combines threat intelligence and 20+ years of experience into SaaS and managed security solutions
-| [sepagoSOC](https://go.microsoft.com/fwlink/?linkid=2090491) | Ensure holistic security through sophisticated automated workflows in your zero trust environment
-| [Trustwave Threat Detection & Response Services](https://go.microsoft.com/fwlink/?linkid=2127542) | Threat Detection and Response services for Azure leveraging integrations with Sentinel and Microsoft Defender ATP
-| [Wortell's cloud SOC](https://go.microsoft.com/fwlink/?linkid=2108415) | 24x7 managed Microsoft Defender ATP service for monitoring & response
-| [Zero Trust Analytics Platform (ZTAP)](https://go.microsoft.com/fwlink/?linkid=2090971) | Reduce your alerts by 99% and access a full range of security capabilities from mobile devices
-
-## Related topics
-- [Configure managed service security provider integration](configure-mssp-support.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md
deleted file mode 100644
index 6f1d18b0e5..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-title: Managed security service provider (MSSP) partnership opportunities
-description: Understand how Microsoft Defender ATP integrates with managed security service providers (MSSP)
-keywords: mssp, integration, managed, security, service, provider
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Managed security service provider partnership opportunities
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
-
-
-Security is recognized as a key component in running an enterprise, however some organizations might not have the capacity or expertise to have a dedicated security operations team to manage the security of their endpoints and network, others may want to have a second set of eyes to review alerts in their network.
-
-
-To address this demand, managed security service providers (MSSP) offer to deliver managed detection and response (MDR) services on top of Microsoft Defender ATP.
-
-
-Microsoft Defender ATP adds partnership opportunities for this scenario and allows MSSPs to take the following actions:
-
-- Get access to MSSP customer's Microsoft Defender Security Center portal
-- Get email notifications, and
-- Fetch alerts through security information and event management (SIEM) tools
-
-
-## Related topic
-- [Configure managed security service provider integration](configure-mssp-support.md)
-
-
-
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
deleted file mode 100644
index ea52e95529..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
+++ /dev/null
@@ -1,88 +0,0 @@
----
-title: Use network protection to help prevent connections to bad sites
-description: Protect your network by preventing users from accessing known malicious and suspicious network addresses
-keywords: Network protection, exploits, malicious website, ip, domain, domains
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-audience: ITPro
-author: denisebmsft
-ms.author: deniseb
-ms.date: 04/30/2019
-ms.reviewer:
-manager: dansimp
-ms.custom: asr
-
----
-
-# Protect your network
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
-
-Network protection expands the scope of [Microsoft Defender SmartScreen](../microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
-
-Network protection is supported beginning with Windows 10, version 1709.
-
-For more details about how to enable network protection, see [Enable network protection](enable-network-protection.md). Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network.
-
-> [!TIP]
-> You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
-
-Network protection works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
-
-When network protection blocks a connection, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
-
-You can also use [audit mode](audit-windows-defender.md) to evaluate how Network protection would impact your organization if it were enabled.
-
-## Requirements
-
-Network protection requires Windows 10 Pro, Enterprise E3, E5 and Microsoft Defender AV real-time protection.
-
-Windows 10 version | Microsoft Defender Antivirus
--|-
-Windows 10 version 1709 or later | [Microsoft Defender AV real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) and [cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) must be enabled
-
-## Review network protection events in the Microsoft Defender ATP Security Center
-
-Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
-
-You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to see how network protection settings would affect your environment if they were enabled.
-
-Here is an example query
-
-```kusto
-DeviceEvents
-| where ActionType in ('ExploitGuardNetworkProtectionAudited','ExploitGuardNetworkProtectionBlocked')
-```
-
-## Review network protection events in Windows Event Viewer
-
-You can review the Windows event log to see events that are created when network protection blocks (or audits) access to a malicious IP or domain:
-
-1. [Copy the XML directly](event-views.md).
-
-2. Click **OK**.
-
-3. This will create a custom view that filters to only show the following events related to network protection:
-
- Event ID | Description
- -|-
- 5007 | Event when settings are changed
- 1125 | Event when network protection fires in audit mode
- 1126 | Event when network protection fires in block mode
-
-## Related articles
-
-- [Evaluate network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrate how the feature works, and what events would typically be created.
-
-- [Enable network protection](enable-network-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
deleted file mode 100644
index a0f4515971..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
+++ /dev/null
@@ -1,131 +0,0 @@
----
-title: Threat and vulnerability management
-description: This new capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
-keywords: threat & vulnerability management, threat and vulnerability management, MDATP TVM, MDATP-TVM, vulnerability management, vulnerability assessment, threat and vulnerability scanning, secure configuration assessment, microsoft defender atp, microsoft defender atp, endpoint vulnerabilities, next generation
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Threat and vulnerability management
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
-
-Effectively identifying, assessing, and remediating endpoint weaknesses is pivotal in running a healthy security program and reducing organizational risk. Threat and vulnerability management serves as an infrastructure for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience.
-
-Discover vulnerabilities and misconfigurations in real time with sensors, and without the need of agents or periodic scans. It prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on vulnerable devices, and business context.
-
-Watch this video for a quick overview of threat and vulnerability management.
-
->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4mLsn]
-
-## Bridging the workflow gaps
-
-Threat and vulnerability management is built in, real time, and cloud powered. It's fully integrated with Microsoft endpoint security stack, the Microsoft Intelligent Security Graph, and the application analytics knowledge base.
-
-Vulnerability management is the first solution in the industry to bridge the gap between security administration and IT administration during remediation process. Create a security task or ticket by integrating with Microsoft Intune and Microsoft Endpoint Configuration Manager.
-
-It provides the following solutions to frequently cited gaps across security operations, security administration, and IT administration workflows and communication:
-
-- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
-- Linked device vulnerability and security configuration assessment data in the context of exposure discovery
-- Built-in remediation processes through Microsoft Intune and Configuration Manager
-
-### Real-time discovery
-
-To discover endpoint vulnerabilities and misconfiguration, threat and vulnerability management uses the same agentless built-in Microsoft Defender ATP sensors to reduce cumbersome network scans and IT overhead.
-
-It also provides:
-
-- Real-time device inventory. Devices onboarded to Microsoft Defender ATP automatically report and push vulnerability and security configuration data to the dashboard.
-- Visibility into software and vulnerabilities. Optics into the organization's software inventory, and software changes like installations, uninstalls, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications.
-- Application runtime context. Visibility on application usage patterns for better prioritization and decision-making.
-- Configuration posture. Visibility into organizational security configuration or misconfigurations. Issues are reported in the dashboard with actionable security recommendations.
-
-### Intelligence-driven prioritization
-
-Threat and vulnerability management helps customers prioritize and focus on those weaknesses that pose the most urgent and the highest risk to the organization. Rather than using static prioritization by severity scores, threat and vulnerability management highlights the most critical weaknesses that need attention. It fuses security recommendations with dynamic threat and business context:
-
-- Exposing emerging attacks in the wild. Through its advanced cyber data and threat analytics platform, threat and vulnerability management dynamically aligns the prioritization of its security recommendations. It focuses on vulnerabilities currently being exploited in the wild and emerging threats that pose the highest risk.
-- Pinpointing active breaches. Microsoft Defender ATP correlates threat and vulnerability management and EDR insights to prioritize vulnerabilities being exploited in an active breach within the organization.
-- Protecting high-value assets. Microsoft Defender ATP's integration with Azure Information Protection allows threat and vulnerability management to identify the exposed devices with business-critical applications, confidential data, or high-value users.
-
-### Seamless remediation
-
-Microsoft Defender ATP's threat and vulnerability management capability allows security administrators and IT administrators to collaborate seamlessly to remediate issues.
-
-- Remediation requests to IT. Through Microsoft Defender ATP's integration with Microsoft Intune and Microsoft Endpoint Configuration Manager, security administrators can create a remediation task in Microsoft Intune from the Security recommendation pages. We plan to expand this capability to other IT security management platforms.
-- Alternate mitigations. Threat and vulnerability management provides insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities.
-- Real-time remediation status. Microsoft Defender ATP provides real-time monitoring of the status and progress of remediation activities across the organization.
-
-## Reduce organizational risk with threat and vulnerability management
-
-Watch this video for a comprehensive walk-through of threat and vulnerability management.
-
->[!VIDEO https://aka.ms/MDATP-TVM-Interactive-Guide]
-
-## Before you begin
-
-Ensure that your devices:
-
-- Are onboarded to Microsoft Defender Advanced Threat Protection
-- Run [supported operating systems and platforms](tvm-supported-os.md)
-- Have the following mandatory updates installed and deployed in your network to boost your vulnerability assessment detection rates:
-
-> Release | Security update KB number and link
-> :---|:---
-> Windows 10 Version 1709 | [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441) and [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071)
-> Windows 10 Version 1803 | [KB4493464](https://support.microsoft.com/help/4493464) and [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045)
-> Windows 10 Version 1809 | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077)
-> Windows 10 Version 1903 | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941)
-
-- Are onboarded to [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure). If you're using Configuration Manager, update your console to the latest version.
-- Have at least one security recommendation that can be viewed in the device page
-- Are tagged or marked as co-managed
-
-## APIs
-
-Run threat and vulnerability management-related API calls to automate vulnerability management workflows. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615).
-
-See the following articles for related APIs:
-
-- [Supported Microsoft Defender ATP APIs](exposed-apis-list.md)
-- [Machine APIs](machine.md)
-- [Recommendation APIs](vulnerability.md)
-- [Score APIs](score.md)
-- [Software APIs](software.md)
-- [Vulnerability APIs](vulnerability.md)
-- [List vulnerabilities by machine and software](get-all-vulnerabilities-by-machines.md)
-
-## See also
-
-- [Supported operating systems and platforms](tvm-supported-os.md)
-- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md)
-- [Exposure score](tvm-exposure-score.md)
-- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
-- [Security recommendations](tvm-security-recommendation.md)
-- [Remediation and exception](tvm-remediation.md)
-- [Software inventory](tvm-software-inventory.md)
-- [Weaknesses](tvm-weaknesses.md)
-- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
-- [Scenarios](threat-and-vuln-mgt-scenarios.md)
-- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
-- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
-- [BLOG: Microsoft's Threat & Vulnerability Management now helps thousands of customers to discover, prioritize, and remediate vulnerabilities in real time](https://www.microsoft.com/security/blog/2019/07/02/microsofts-threat-vulnerability-management-now-helps-thousands-of-customers-to-discover-prioritize-and-remediate-vulnerabilities-in-real-time/)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/non-windows.md b/windows/security/threat-protection/microsoft-defender-atp/non-windows.md
deleted file mode 100644
index 36cab9ff28..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/non-windows.md
+++ /dev/null
@@ -1,110 +0,0 @@
----
-title: Microsoft Defender ATP for non-Windows platforms
-description: Learn about Microsoft Defender ATP capabilities for non-Windows platforms
-keywords: non windows, mac, macos, linux, android
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- M365-security-compliance
-- m365solution-evalutatemtp
-ms.topic: article
----
-
-# Microsoft Defender ATP for non-Windows platforms
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-Microsoft has been on a journey to extend its industry leading endpoint security
-capabilities beyond Windows and Windows Server to macOS, Linux, Android, and
-soon iOS.
-
-Organizations face threats across a variety of platforms and devices. Our teams
-have committed to building security solutions not just *for* Microsoft, but also
-*from* Microsoft to enable our customers to protect and secure their
-heterogenous environments. We're listening to customer feedback and partnering
-closely with our customers to build solutions that meet their needs.
-
-With Microsoft Defender ATP, customers benefit from a unified view of all
-threats and alerts in the Microsoft Defender Security Center, across Windows and
-non-Windows platforms, enabling them to get a full picture of what's happening
-in their environment, which empowers them to more quickly assess and respond to
-threats.
-
-## Microsoft Defender ATP for Mac
-
-Microsoft Defender ATP for Mac offers AV and EDR capabilities for the three
-latest released versions of macOS. Customers can deploy and manage the solution
-through Microsoft Endpoint Manager and Jamf. Just like with Microsoft Office
-applications on macOS, Microsoft Auto Update is used to manage Microsoft
-Defender ATP for Mac updates. For information about the key features and
-benefits, read our
-[announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/macOS).
-
-For more details on how to get started, visit the Microsoft Defender ATP for Mac
-[documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac).
-
-## Microsoft Defender ATP for Linux
-
-Microsoft Defender ATP for Linux offers preventative (AV) capabilities for Linux
-servers. This includes a full command line experience to configure and manage
-the agent, initiate scans, and manage threats. We support recent versions of the
-six most common Linux Server distributions: RHEL 7.2+, CentOS Linux 7.2+, Ubuntu
-16 LTS, or higher LTS, SLES 12+, Debian 9+, and Oracle Linux 7.2. Microsoft
-Defender ATP for Linux can be deployed and configured using Puppet, Ansible, or
-using your existing Linux configuration management tool. For information about
-the key features and benefits, read our
-[announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/Linux).
-
-For more details on how to get started, visit the Microsoft Defender ATP for
-Linux
-[documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux).
-
-## Microsoft Defender ATP for Android
-
-Microsoft Defender ATP for Android is our mobile threat defense solution for
-devices running Android 6.0 and higher. Both Android Enterprise (Work Profile)
-and Device Administrator modes are supported. On Android, we offer web
-protection, which includes anti-phishing, blocking of unsafe connections, and
-setting of custom indicators. The solution scans for malware and potentially
-unwanted applications (PUA) and offers additional breach prevention capabilities
-through integration with Microsoft Endpoint Manager and Conditional Access. For
-information about the key features and benefits, read our
-[announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/Android).
-
-For more details on how to get started, visit the Microsoft Defender ATP for
-Android
-[documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android).
-
-
-
-## Licensing requirements
-
-Eligible Licensed Users may use Microsoft Defender ATP on up to five concurrent
-devices. Microsoft Defender ATP is also available for purchase from a Cloud
-Solution Provider (CSP).
-
-Customers can obtain Microsoft Defender ATP for Mac through a standalone
-Microsoft Defender ATP license, as part of Microsoft 365 A5/E5, or Microsoft 365
-Security.
-
-Recently announced capabilities of Microsoft Defender ATP for Android and soon
-iOS are included in the above mentioned offers as part of the five qualified
-devices for eligible licensed users.
-
-Microsoft Defender ATP for Linux is available through the Microsoft Defender ATP
-for Server SKU that is available for both commercial and education customers.
-
-Please contact your account team or CSP for pricing and additional eligibility
-requirements.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
deleted file mode 100644
index 6046e47262..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
+++ /dev/null
@@ -1,93 +0,0 @@
----
-title: Offboard machine API
-description: Learn how to use an API to offboard a device from Windows Defender Advanced Threat Protection (WDATP).
-keywords: apis, graph api, supported apis, collect investigation package
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Offboard machine API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-
-## API description
-Offboard device from Microsoft Defender ATP.
-
-
-## Limitations
- - Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-[!include[Machine actions note](../../includes/machineactionsnote.md)]
-
->[!Note]
-> This API is supported on Windows 10, version 1703 and later, or Windows Server 2019 and later.
-> This API is not supported on MacOS or Linux devices.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.Offboard | 'Offboard machine'
-Delegated (work or school account) | Machine.Offboard | 'Offboard machine'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to 'Global Admin' AD role
->- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```
-POST https://api.securitycenter.windows.com/api/machines/{id}/offboard
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | string | application/json. **Required**.
-
-## Request body
-In the request body, supply a JSON object with the following parameters:
-
-Parameter | Type | Description
-:---|:---|:---
-Comment | String | Comment to associate with the action. **Required**.
-
-## Response
-If successful, this method returns 201 - Created response code and [Machine Action](machineaction.md) in the response body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-```
-POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/offboard
-Content-type: application/json
-{
- "Comment": "Offboard machine by automation"
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md
deleted file mode 100644
index fdfda0129e..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md
+++ /dev/null
@@ -1,51 +0,0 @@
----
-title: Offboard devices from the Microsoft Defender ATP service
-description: Onboard Windows 10 devices, servers, non-Windows devices from the Microsoft Defender ATP service
-keywords: offboarding, microsoft defender advanced threat protection offboarding, windows atp offboarding
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Offboard devices from the Microsoft Defender ATP service
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- macOS
-- Linux
-- Windows Server 2012 R2
-- Windows Server 2016
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-offboarddevices-abovefoldlink)
-
-Follow the corresponding instructions depending on your preferred deployment method.
-
-## Offboard Windows 10 devices
-- [Offboard devices using a local script](configure-endpoints-script.md#offboard-devices-using-a-local-script)
-- [Offboard devices using Group Policy](configure-endpoints-gp.md#offboard-devices-using-group-policy)
-- [Offboard devices using Mobile Device Management tools](configure-endpoints-mdm.md#offboard-and-monitor-devices-using-mobile-device-management-tools)
-
-## Offboard Servers
-- [Offboard servers](configure-server-endpoints.md#offboard-windows-servers)
-
-## Offboard non-Windows devices
-- [Offboard non-Windows devices](configure-endpoints-non-windows.md#offboard-non-windows-devices)
-
->[!NOTE]
-> Offboarded devices will remain in the portal until [retention period](data-storage-privacy.md#how-long-will-microsoft-store-my-data-what-is-microsofts-data-retention-policy) for the device's data expires. The status will be switched to ['Inactive'](fix-unhealthy-sensors.md#inactive-devices) 7 days after offboarding.
-> In addition, [Devices that are not active in the last 30 days are not factored in on the data that reflects your organization's threat and vulnerability management exposure score and Microsoft Secure Score for Devices.](tvm-dashboard-insights.md)
-> To view only active devices, you can filter by [health state](machines-view-overview.md#health-state) or by [device tags](machine-tags.md) and [groups](machine-groups.md) etc.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md
deleted file mode 100644
index 3f37f66880..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md
+++ /dev/null
@@ -1,58 +0,0 @@
----
-title: Onboard devices to the Microsoft Defender ATP service
-description: Onboard Windows 10 devices, servers, non-Windows devices and learn how to run a detection test.
-keywords: onboarding, microsoft defender advanced threat protection onboarding, windows atp onboarding, sccm, group policy, mdm, local script, detection test
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Onboard devices to the Microsoft Defender ATP service
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
-
-You'll need to go the onboarding section of the Microsoft Defender ATP portal to onboard any of the supported devices. Depending on the device, you'll be guided with appropriate steps and provided management and deployment tool options suitable for the device.
-
-In general, to onboard devices to the service:
-
-- Verify that the device fulfills the [minimum requirements](minimum-requirements.md)
-- Depending on the device, follow the configuration steps provided in the onboarding section of the Microsoft Defender ATP portal
-- Use the appropriate management tool and deployment method for your devices
-- Run a detection test to verify that the devices are properly onboarded and reporting to the service
-
->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqr]
-
-## In this section
-Topic | Description
-:---|:---
-[Onboard previous versions of Windows](onboard-downlevel.md)| Onboard Windows 7 and Windows 8.1 devices to Microsoft Defender ATP.
-[Onboard Windows 10 devices](configure-endpoints.md) | You'll need to onboard devices for it to report to the Microsoft Defender ATP service. Learn about the tools and methods you can use to configure devices in your enterprise.
-[Onboard servers](configure-server-endpoints.md) | Onboard Windows Server 2012 R2 and Windows Server 2016 to Microsoft Defender ATP
-[Onboard non-Windows devices](configure-endpoints-non-windows.md) | Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network. This experience leverages on a third-party security products' sensor data.
-[Run a detection test on a newly onboarded device](run-detection-test.md) | Run a script on a newly onboarded device to verify that it is properly reporting to the Microsoft Defender ATP service.
-[Configure proxy and Internet settings](configure-proxy-internet.md)| Enable communication with the Microsoft Defender ATP cloud service by configuring the proxy and Internet connectivity settings.
-[Troubleshoot onboarding issues](troubleshoot-onboarding.md) | Learn about resolving issues that might arise during onboarding.
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
-
-
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
deleted file mode 100644
index 86e8968854..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
+++ /dev/null
@@ -1,102 +0,0 @@
----
-title: Onboard previous versions of Windows on Microsoft Defender ATP
-description: Onboard supported previous versions of Windows devices so that they can send sensor data to the Microsoft Defender ATP sensor
-keywords: onboard, windows, 7, 81, oms, sp1, enterprise, pro, down level
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Onboard previous versions of Windows
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- Windows 7 SP1 Enterprise
-- Windows 7 SP1 Pro
-- Windows 8.1 Pro
-- Windows 8.1 Enterprise
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-downlevel-abovefoldlink).
-
-Microsoft Defender ATP extends support to include down-level operating systems, providing advanced attack detection and investigation capabilities on supported Windows versions.
-
-To onboard down-level Windows client endpoints to Microsoft Defender ATP, you'll need to:
-- Configure and update System Center Endpoint Protection clients.
-- Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP as instructed below.
-
-> [!TIP]
-> After onboarding the device, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md).
-
-## Configure and update System Center Endpoint Protection clients
-> [!IMPORTANT]
-> This step is required only if your organization uses System Center Endpoint Protection (SCEP).
-
-Microsoft Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware.
-
-The following steps are required to enable this integration:
-- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie)
-- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting
-- Configure your network to allow connections to the Microsoft Defender Antivirus cloud. For more information, see [Allow connections to the Microsoft Defender Antivirus cloud](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus#allow-connections-to-the-microsoft-defender-antivirus-cloud)
-
-## Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP
-
-### Before you begin
-Review the following details to verify minimum system requirements:
-- Install the [February 2018 monthly update rollup](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
-
- > [!NOTE]
- > Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
-
-- Install the [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
-
-- Install either [.NET framework 4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework)
-
- > [!NOTE]
- > Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
- > Don't install .NET Framework 4.0.x, since it will negate the above installation.
-
-- Meet the Azure Log Analytics agent minimum system requirements. For more information, see [Collect data from computers in you environment with Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-concept-hybrid#prerequisites)
-
-
-
-1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603) or [Windows 32-bit agent](https://go.microsoft.com/fwlink/?LinkId=828604).
-
-2. Obtain the workspace ID:
- - In the Microsoft Defender ATP navigation pane, select **Settings > Device management > Onboarding**
- - Select **Windows 7 SP1 and 8.1** as the operating system
- - Copy the workspace ID and workspace key
-
-3. Using the Workspace ID and Workspace key choose any of the following installation methods to install the agent:
- - Manually install the agent using setup
- On the **Agent Setup Options** page, select **Connect the agent to Azure Log Analytics (OMS)**
- - [Install the agent using command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-agent-windows#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-agent-windows#add-a-workspace-using-a-script)
-
-4. If you're using a proxy to connect to the Internet see the Configure proxy settings section.
-
-Once completed, you should see onboarded endpoints in the portal within an hour.
-
-### Configure proxy and Internet connectivity settings
-
-- Each Windows endpoint must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway).
-- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that you [enable access to Microsoft Defender ATP service URLs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
-
-## Offboard client endpoints
-To offboard, you can uninstall the MMA agent from the endpoint or detach it from reporting to your Microsoft Defender ATP workspace. After offboarding the agent, the endpoint will no longer send sensor data to Microsoft Defender ATP.
-
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-downlevele-belowfoldlink).
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md
deleted file mode 100644
index cb3d0ee177..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md
+++ /dev/null
@@ -1,71 +0,0 @@
----
-title: Onboard devices without Internet access to Microsoft Defender ATP
-ms.reviewer:
-description: Onboard devices without Internet access so that they can send sensor data to the Microsoft Defender ATP sensor
-keywords: onboard, servers, vm, on-premise, oms gateway, log analytics, azure log analytics, mma
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Onboard devices without Internet access to Microsoft Defender ATP
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-To onboard devices without Internet access, you'll need to take the following general steps:
-
-> [!IMPORTANT]
-> The steps below are applicable only to devices running previous versions of Windows such as:
-Windows Server 2016 and earlier or Windows 8.1 and earlier.
-
-> [!NOTE]
-> - An OMS gateway server cannot be used as proxy for disconnected Windows 10 or Windows Server 2019 devices when configured via 'TelemetryProxyServer' registry or GPO.
-> - For Windows 10 or Windows Server 2019 - while you may use TelemetryProxyServer, it must point to a standard proxy device or appliance.
-> - In addition, Windows 10 or Windows Server 2019 in disconnected environments must be able to update Certificate Trust Lists offline via an internal file or web server.
-> - For more information about updating CTLs offline, see [Configure a file or web server to download the CTL files](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265983(v=ws.11)#configure-a-file-or-web-server-to-download-the-ctl-files).
-
-For more information about onboarding methods, see the following articles:
-- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel)
-- [Onboard servers to the Microsoft Defender ATP service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-2008-r2-sp1--windows-server-2012-r2-and-windows-server-2016)
-- [Configure device proxy and Internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#configure-the-proxy-server-manually-using-a-registry-based-static-proxy)
-
-## On-premise devices
-
-- Setup Azure Log Analytics (formerly known as OMS Gateway) to act as proxy or hub:
- - [Azure Log Analytics Agent](https://docs.microsoft.com/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway)
- - [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp) point to Microsoft Defender ATP Workspace key & ID
-
-- Offline devices in the same network of Azure Log Analytics
- - Configure MMA to point to:
- - Azure Log Analytics IP as a proxy
- - Microsoft Defender ATP workspace key & ID
-
-## Azure virtual machines
-- Configure and enable [Azure Log Analytics workspace](https://docs.microsoft.com/azure/azure-monitor/platform/gateway)
-
- - Setup Azure Log Analytics Gateway (formerly known as OMS Gateway) to act as proxy or hub:
- - [Azure Log Analytics Gateway](https://docs.microsoft.com/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway)
- - [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp) point to Microsoft Defender ATP Workspace key & ID
- - Offline Azure VMs in the same network of OMS Gateway
- - Configure Azure Log Analytics IP as a proxy
- - Azure Log Analytics Workspace Key & ID
-
- - Azure Security Center (ASC)
- - [Security Policy \> Log Analytics Workspace](https://docs.microsoft.com/azure/security-center/security-center-wdatp#enable-windows-defender-atp-integration)
- - [Threat Detection \> Allow Microsoft Defender ATP to access my data](https://docs.microsoft.com/azure/security-center/security-center-wdatp#enable-windows-defender-atp-integration)
-
- For more information, see [Working with security policies](https://docs.microsoft.com/azure/security-center/tutorial-security-policy).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard.md b/windows/security/threat-protection/microsoft-defender-atp/onboard.md
deleted file mode 100644
index ca17dbdcd7..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/onboard.md
+++ /dev/null
@@ -1,43 +0,0 @@
----
-title: Configure and manage Microsoft Defender ATP capabilities
-ms.reviewer:
-description: Configure and manage Microsoft Defender ATP capabilities such as attack surface reduction, next-generation protection, and security controls
-keywords: configure, manage, capabilities, attack surface reduction, next-generation protection, security controls, endpoint detection and response, auto investigation and remediation, security controls, controls
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Configure and manage Microsoft Defender ATP capabilities
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Configure and manage all the Microsoft Defender ATP capabilities to get the best security protection for your organization.
-
-
-## In this section
-Topic | Description
-:---|:---
-[Configure attack surface reduction capabilities](configure-attack-surface-reduction.md) | By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
-[Configure next-generation protection](../microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md) | Configure next-generation protection to catch all types of emerging threats.
-[Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) | Configure and manage how you would like to get cybersecurity threat intelligence from Microsoft Threat Experts.
-[Configure Microsoft Threat Protection integration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration)| Configure other solutions that integrate with Microsoft Defender ATP.
-[Management and API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/management-apis)| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports.
-[Configure Microsoft Defender Security Center settings](preferences-setup.md) | Configure portal related settings such as general settings, advanced features, enable the preview experience and others.
-
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-configuration-manager.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-configuration-manager.md
deleted file mode 100644
index c09d936fcd..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-configuration-manager.md
+++ /dev/null
@@ -1,359 +0,0 @@
----
-title: Onboarding using Microsoft Endpoint Configuration Manager
-description: Learn how to onboard to Microsoft Defender ATP using Microsoft Endpoint Configuration Manager
-keywords: onboarding, configuration, deploy, deployment, endpoint configuration manager, mdatp, advanced threat protection, collection creation, endpoint detection response, next generation protection, attack surface reduction
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- M365-security-compliance
-- m365solution-endpointprotect
-- m365solution-scenario
-ms.topic: article
----
-
-# Onboarding using Microsoft Endpoint Configuration Manager
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-## Collection creation
-To onboard Windows 10 devices with Microsoft Endpoint Configuration Manager, the
-deployment can target either and existing collection or a new collection can be
-created for testing. The onboarding like group policy or manual method does
-not install any agent on the system. Within the Configuration Manager console
-the onboarding process will be configured as part of the compliance settings
-within the console. Any system that receives this required configuration will
-maintain that configuration for as long as the Configuration Manager client
-continues to receive this policy from the management point. Follow the steps
-below to onboard systems with Configuration Manager.
-
-1. In Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**.
-
- 
-
-2. Right Click **Device Collection** and select **Create Device Collection**.
-
- 
-
-3. Provide a **Name** and **Limiting Collection**, then select **Next**.
-
- 
-
-4. Select **Add Rule** and choose **Query Rule**.
-
- 
-
-5. Click **Next** on the **Direct Membership Wizard** and click on **Edit Query Statement**.
-
- 
-
-6. Select **Criteria** and then choose the star icon.
-
- 
-
-7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is greater than or equal to** and value **14393** and click on **OK**.
-
- 
-
-8. Select **Next** and **Close**.
-
- 
-
-9. Select **Next**.
-
- 
-
-After completing this task, you now have a device collection with all the Windows 10 endpoints in the environment.
-
-## Endpoint detection and response
-### Windows 10
-From within the Microsoft Defender Security Center it is possible to download
-the '.onboarding' policy that can be used to create the policy in System Center Configuration
-Manager and deploy that policy to Windows 10 devices.
-
-1. From a Microsoft Defender Security Center Portal, select [Settings and then Onboarding](https://securitycenter.windows.com/preferences2/onboarding).
-
-
-
-2. Under Deployment method select the supported version of **Microsoft Endpoint Configuration Manager**.
-
- 
-
-3. Select **Download package**.
-
- 
-
-4. Save the package to an accessible location.
-5. In Microsoft Endpoint Configuration Manager, navigate to: **Assets and Compliance > Overview > Endpoint Protection > Microsoft Defender ATP Policies**.
-
-6. Right-click **Microsoft Defender ATP Policies** and select **Create Microsoft Defender ATP Policy**.
-
- 
-
-7. Enter the name and description, verify **Onboarding** is selected, then select **Next**.
-
- 
-
-8. Click **Browse**.
-
-9. Navigate to the location of the downloaded file from step 4 above.
-
-10. Click **Next**.
-11. Configure the Agent with the appropriate samples (**None** or **All file types**).
-
- 
-
-12. Select the appropriate telemetry (**Normal** or **Expedited**) then click **Next**.
-
- 
-
-14. Verify the configuration, then click **Next**.
-
- 
-
-15. Click **Close** when the Wizard completes.
-
-16. In the Microsoft Endpoint Configuration Manager console, right-click the Microsoft Defender ATP policy you just created and select **Deploy**.
-
- 
-
-17. On the right panel, select the previously created collection and click **OK**.
-
- 
-
-
-### Previous versions of Windows Client (Windows 7 and Windows 8.1)
-Follow the steps below to identify the Microsoft Defender ATP Workspace ID and Workspace Key, that will be required for the onboarding of previous versions of Windows.
-
-1. From a Microsoft Defender Security Center Portal, select **Settings > Onboarding**.
-
-2. Under operating system choose **Windows 7 SP1 and 8.1**.
-
-3. Copy the **Workspace ID** and **Workspace Key** and save them. They will be used later in the process.
-
- 
-
-4. Install the Microsoft Monitoring Agent (MMA).
- MMA is currently (as of January 2019) supported on the following Windows Operating
- Systems:
-
- - Server SKUs: Windows Server 2008 SP1 or Newer
-
- - Client SKUs: Windows 7 SP1 and later
-
- The MMA agent will need to be installed on Windows devices. To install the
- agent, some systems will need to download the [Update for customer experience
- and diagnostic
- telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
- in order to collect the data with MMA. These system versions include but may not
- be limited to:
-
- - Windows 8.1
-
- - Windows 7
-
- - Windows Server 2016
-
- - Windows Server 2012 R2
-
- - Windows Server 2008 R2
-
- Specifically, for Windows 7 SP1, the following patches must be installed:
-
- - Install
- [KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
-
- - Install either [.NET Framework
- 4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or
- later) **or**
- [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework).
- Do not install both on the same system.
-
-5. If you're using a proxy to connect to the Internet see the Configure proxy settings section.
-
-Once completed, you should see onboarded endpoints in the portal within an hour.
-
-## Next generation protection
-Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers.
-
-1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices** and choose **Create Antimalware Policy**.
-
- 
-
-2. Select **Scheduled scans**, **Scan settings**, **Default actions**, **Real-time protection**, **Exclusion settings**, **Advanced**, **Threat overrides**, **Cloud Protection Service** and **Security intelligence updates** and choose **OK**.
-
- 
-
- In certain industries or some select enterprise customers might have specific
-needs on how Antivirus is configured.
-
-
- [Quick scan versus full scan and custom scan](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus#quick-scan-versus-full-scan-and-custom-scan)
-
- For more details, see [Windows Security configuration framework](https://docs.microsoft.com/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework)
-
-
- 
-
- 
-
- 
-
- 
-
- 
-
- 
-
- 
-
- 
-
-3. Right-click on the newly created antimalware policy and select **Deploy**.
-
- 
-
-4. Target the new antimalware policy to your Windows 10 collection and click **OK**.
-
- 
-
-After completing this task, you now have successfully configured Windows
-Defender Antivirus.
-
-## Attack surface reduction
-The attack surface reduction pillar of Microsoft Defender ATP includes the feature set that is available under Exploit Guard. Attack surface reduction (ASR) rules, Controlled Folder Access, Network Protection and Exploit
-Protection.
-
-All these features provide an audit mode and a block mode. In audit mode there is no end-user impact. All it does is collect additional telemetry and make it available in the Microsoft Defender Security Center. The goal with a deployment is to step-by-step move security controls into block mode.
-
-To set ASR rules in Audit mode:
-
-1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
-
- 
-
-
-2. Select **Attack Surface Reduction**.
-
-
-3. Set rules to **Audit** and click **Next**.
-
- 
-
-4. Confirm the new Exploit Guard policy by clicking on **Next**.
-
- 
-
-
-5. Once the policy is created click **Close**.
-
- 
-
-
-
-6. Right-click on the newly created policy and choose **Deploy**.
-
- 
-
-7. Target the policy to the newly created Windows 10 collection and click **OK**.
-
- 
-
-After completing this task, you now have successfully configured ASR rules in audit mode.
-
-Below are additional steps to verify whether ASR rules are correctly applied to
-endpoints. (This may take few minutes)
-
-
-1. From a web browser, navigate to
-> For more information, see [Add groups to organize users and devices](https://docs.microsoft.com/mem/intune/fundamentals/groups-add).
-
-### Create a group
-
-1. Open the MEM portal.
-
-2. Open **Groups > New Group**.
-
- 
-
-3. Enter details and create a new group.
-
- 
-
-4. Add your test user or device.
-
-5. From the **Groups > All groups** pane, open your new group.
-
-6. Select **Members > Add members**.
-
-7. Find your test user or device and select it.
-
- 
-
-8. Your testing group now has a member to test.
-
-## Create configuration policies
-In the following section, you'll create a number of configuration policies.
-First is a configuration policy to select which groups of users or devices will
-be onboarded to Microsoft Defender ATP. Then you will continue by creating several
-different types of Endpoint security policies.
-
-### Endpoint detection and response
-
-1. Open the MEM portal.
-
-2. Navigate to **Endpoint security > Endpoint detection and response**. Click
- on **Create Profile**.
-
- 
-
-3. Under **Platform, select Windows 10 and Later, Profile - Endpoint detection
- and response > Create**.
-
-4. Enter a name and description, then select **Next**.
-
- 
-
-5. Select settings as required, then select **Next**.
-
- 
-
- >[!NOTE]
- >In this instance, this has been auto populated as Microsoft Defender ATP has already been integrated with Intune. For more information on the integration, see [Enable Microsoft Defender ATP in Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection-configure#to-enable-microsoft-defender-atp).
-
-
- 
-
-6. Add scope tags if necessary, then select **Next**.
-
- 
-
-7. Add test group by clicking on **Select groups to include** and choose your group, then select **Next**.
-
- 
-
-8. Review and accept, then select **Create**.
-
- 
-
-9. You can view your completed policy.
-
- 
-
-### Next-generation protection
-
-1. Open the MEM portal.
-
-2. Navigate to **Endpoint security > Antivirus > Create Policy**.
-
- 
-
-3. Select **Platform - Windows 10 and Later - Windows and Profile – Microsoft
- Defender Antivirus > Create**.
-
-4. Enter name and description, then select **Next**.
-
- 
-
-5. In the **Configuration settings page**: Set the configurations you require for
- Microsoft Defender Antivirus (Cloud Protection, Exclusions, Real-Time
- Protection, and Remediation).
-
- 
-
-6. Add scope tags if necessary, then select **Next**.
-
- 
-
-7. Select groups to include, assign to your test group, then select **Next**.
-
- 
-
-8. Review and create, then select **Create**.
-
- 
-
-9. You'll see the configuration policy you created.
-
- 
-
-### Attack Surface Reduction – Attack surface reduction rules
-
-1. Open the MEM portal.
-
-2. Navigate to **Endpoint security > Attack surface reduction**.
-
-3. Select **Create Policy**.
-
-4. Select **Platform - Windows 10 and Later – Profile - Attack surface reduction
- rules > Create**.
-
- 
-
-5. Enter a name and description, then select **Next**.
-
- 
-
-6. In the **Configuration settings page**: Set the configurations you require for
- Attack surface reduction rules, then select **Next**.
-
- >[!NOTE]
- >We will be configuring all of the Attack surface reduction rules to Audit.
-
- For more information, see [Attack surface reduction rules](attack-surface-reduction.md).
-
- 
-
-7. Add Scope Tags as required, then select **Next**.
-
- 
-
-8. Select groups to include and assign to test group, then select **Next**.
-
- 
-
-9. Review the details, then select **Create**.
-
- 
-
-10. View the policy.
-
- 
-
-### Attack Surface Reduction – Web Protection
-
-1. Open the MEM portal.
-
-2. Navigate to **Endpoint security > Attack surface reduction**.
-
-3. Select **Create Policy**.
-
-4. Select **Windows 10 and Later – Web protection > Create**.
-
- 
-
-5. Enter a name and description, then select **Next**.
-
- 
-
-6. In the **Configuration settings page**: Set the configurations you require for
- Web Protection, then select **Next**.
-
- >[!NOTE]
- >We are configuring Web Protection to Block.
-
- For more information, see [Web Protection](web-protection-overview.md).
-
- 
-
-7. Add **Scope Tags as required > Next**.
-
- 
-
-8. Select **Assign to test group > Next**.
-
- 
-
-9. Select **Review and Create > Create**.
-
- 
-
-10. View the policy.
-
- 
-
-## Validate configuration settings
-
-
-### Confirm Policies have been applied
-
-
-Once the Configuration policy has been assigned, it will take some time to apply.
-
-For information on timing, see [Intune configuration information](https://docs.microsoft.com/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
-
-To confirm that the configuration policy has been applied to your test device, follow the following process for each configuration policy.
-
-1. Open the MEM portal and navigate to the relevant policy as shown in the
- steps above. The following example shows the next generation protection settings.
-
- 
-
-2. Select the **Configuration Policy** to view the policy status.
-
- 
-
-3. Select **Device Status** to see the status.
-
- 
-
-4. Select **User Status** to see the status.
-
- 
-
-5. Select **Per-setting status** to see the status.
-
- >[!TIP]
- >This view is very useful to identify any settings that conflict with another policy.
-
- 
-
-### Endpoint detection and response
-
-
-1. Before applying the configuration, the Microsoft Defender ATP
- Protection service should not be started.
-
- 
-
-2. After the configuration has been applied, the Microsoft Defender ATP
- Protection Service should be started.
-
- 
-
-3. After the services are running on the device, the device appears in Microsoft
- Defender Security Center.
-
- 
-
-### Next-generation protection
-
-1. Before applying the policy on a test device, you should be able to manually
- manage the settings as shown below.
-
- 
-
-2. After the policy has been applied, you should not be able to manually manage
- the settings.
-
- >[!NOTE]
- > In the following image **Turn on cloud-delivered protection** and
- **Turn on real-time protection** are being shown as managed.
-
- 
-
-### Attack Surface Reduction – Attack surface reduction rules
-
-
-1. Before applying the policy on a test device, pen a PowerShell Window and type `Get-MpPreference`.
-
-2. This should respond with the following lines with no content:
-
- AttackSurfaceReductionOnlyExclusions:
-
- AttackSurfaceReductionRules_Actions:
-
- AttackSurfaceReductionRules_Ids:
-
- 
-
-3. After applying the policy on a test device, open a PowerShell Windows and type `Get-MpPreference`.
-
-4. This should respond with the following lines with content as shown below:
-
- 
-
-### Attack Surface Reduction – Web Protection
-
-1. On the test device, open a PowerShell Windows and type
- `(Get-MpPreference).EnableNetworkProtection`.
-
-2. This should respond with a 0 as shown below.
-
- 
-
-3. After applying the policy, open a PowerShell Windows and type
- `(Get-MpPreference).EnableNetworkProtection`.
-
-4. This should respond with a 1 as shown below.
-
- 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md
deleted file mode 100644
index 7052df6942..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md
+++ /dev/null
@@ -1,202 +0,0 @@
----
-title: Create an onboarding or offboarding notification rule
-description: Get a notification when a local onboarding or offboarding script is used.
-keywords: onboarding, offboarding, local, script, notification, rule
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Create a notification rule when a local onboarding or offboarding script is used
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Create a notification rule so that when a local onboarding or offboardiing script is used, you'll be notified.
-
-## Before you begin
-You'll need to have access to:
- - Microsoft Flow (Flow Plan 1 at a minimum). For more information, see [Flow pricing page](https://flow.microsoft.com/pricing/).
- - Azure Table or SharePoint List or Library / SQL DB
-
-## Create the notification flow
-
-1. In [flow.microsoft.com](https://flow.microsoft.com/).
-
-2. Navigate to **My flows > New > Scheduled - from blank**.
-
- 
-
-
-3. Build a scheduled flow.
- 1. Enter a flow name.
- 2. Specify the start and time.
- 3. Specify the frequency. For example, every 5 minutes.
-
- 
-
-4. Select the + button to add a new action. The new action will be an HTTP request to the Microsoft Defender ATP security center device(s) API. You can also replace it with the out-of-the-box "WDATP Connector" (action: "Machines - Get list of machines").
-
- 
-
-
-5. Enter the following HTTP fields:
-
- - Method: "GET" as a value to get the list of devices.
- - URI: Enter `https://api.securitycenter.windows.com/api/machines`.
- - Authentication: Select "Active Directory OAuth".
- - Tenant: Sign-in to https://portal.azure.com and navigate to **Azure Active Directory > App Registrations** and get the Tenant ID value.
- - Audience: `https://securitycenter.onmicrosoft.com/windowsatpservice\`
- - Client ID: Sign-in to https://portal.azure.com and navigate to **Azure Active Directory > App Registrations** and get the Client ID value.
- - Credential Type: Select "Secret".
- - Secret: Sign-in to https://portal.azure.com and navigate tnd navigate to **Azure Active Directory > App Registrations** and get the Tenant ID value.
-
- 
-
-
-6. Add a new step by selecting **Add new action** then search for **Data Operations** and select
-**Parse JSON**.
-
- 
-
-7. Add Body in the **Content** field.
-
- 
-
-8. Select the **Use sample payload to generate schema** link.
-
- 
-
-9. Copy and paste the following JSON snippet:
-
- ```
- {
- "type": "object",
- "properties": {
- "@@odata.context": {
- "type": "string"
- },
- "value": {
- "type": "array",
- "items": {
- "type": "object",
- "properties": {
- "id": {
- "type": "string"
- },
- "computerDnsName": {
- "type": "string"
- },
- "firstSeen": {
- "type": "string"
- },
- "lastSeen": {
- "type": "string"
- },
- "osPlatform": {
- "type": "string"
- },
- "osVersion": {},
- "lastIpAddress": {
- "type": "string"
- },
- "lastExternalIpAddress": {
- "type": "string"
- },
- "agentVersion": {
- "type": "string"
- },
- "osBuild": {
- "type": "integer"
- },
- "healthStatus": {
- "type": "string"
- },
- "riskScore": {
- "type": "string"
- },
- "exposureScore": {
- "type": "string"
- },
- "aadDeviceId": {},
- "machineTags": {
- "type": "array"
- }
- },
- "required": [
- "id",
- "computerDnsName",
- "firstSeen",
- "lastSeen",
- "osPlatform",
- "osVersion",
- "lastIpAddress",
- "lastExternalIpAddress",
- "agentVersion",
- "osBuild",
- "healthStatus",
- "rbacGroupId",
- "rbacGroupName",
- "riskScore",
- "exposureScore",
- "aadDeviceId",
- "machineTags"
- ]
- }
- }
- }
- }
-
- ```
-
-10. Extract the values from the JSON call and check if the onboarded device(s) is / are already registered at the SharePoint list as an example:
-- If yes, no notification will be triggered
-- If no, will register the new onboarded device(s) in the SharePoint list and a notification will be sent to the Microsoft Defender ATP admin
-
- 
-
- 
-
-11. Under **Condition**, add the following expression: "length(body('Get_items')?['value'])" and set the condition to equal to 0.
-
- 
- 
- 
- 
-
-## Alert notification
-The following image is an example of an email notification.
-
-
-
-
-## Tips
-
-- You can filter here using lastSeen only:
- - Every 60 min:
- - Take all devices last seen in the past 7 days.
-
-- For each device:
- - If last seen property is on the one hour interval of [-7 days, -7days + 60 minutes ] -> Alert for offboarding possibility.
- - If first seen is on the past hour -> Alert for onboarding.
-
-In this solution you will not have duplicate alerts:
-There are tenants that have numerous devices. Getting all those devices might be very expensive and might require paging.
-
-You can split it to two queries:
-1. For offboarding take only this interval using the OData $filter and only notify if the conditions are met.
-2. Take all devices last seen in the past hour and check first seen property for them (if the first seen property is on the past hour, the last seen must be there too).
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md
deleted file mode 100644
index 6ac048cf9d..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md
+++ /dev/null
@@ -1,75 +0,0 @@
----
-title: Onboard to the Microsoft Defender ATP service
-description:
-keywords:
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- M365-security-compliance
-- m365solution-endpointprotect
-- m365solution-scenario
-ms.topic: article
----
-
-# Onboard to the Microsoft Defender ATP service
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-Deploying Microsoft Defender ATP is a three-phase process:
-
-
-
-
-You are currently in the onboarding phase.
-
-
-
-To deploy Microsoft Defender ATP, you'll need to onboard devices to the service.
-
-Depending on the architecture of your environment, you'll need to use the appropriate management tool that best suites your requirements.
-
-After onboarding the devices, you'll then configure the various capabilities such as endpoint detection and response, next-generation protection, and attack surface reduction.
-
-
-This article provides resources to guide you on:
-- Using various management tools to onboard devices
- - [Onboarding using Microsoft Endpoint Configuration Manager](onboarding-endpoint-configuration-manager.md)
- - [Onboarding using Microsoft Endpoint Manager](onboarding-endpoint-manager.md)
-- Endpoint detection and response configuration
-- Next-generation protection configuration
-- Attack surface reduction configuration
-
-## Related topics
-- [Onboarding using Microsoft Endpoint Configuration Manager](onboarding-endpoint-configuration-manager.md)
-- [Onboarding using Microsoft Endpoint Manager](onboarding-endpoint-manager.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
deleted file mode 100644
index 3996f745b3..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md
+++ /dev/null
@@ -1,47 +0,0 @@
----
-title: Overview of attack surface reduction
-ms.reviewer:
-description: Learn about the attack surface reduction capabilities of Microsoft Defender ATP.
-keywords: asr, attack surface reduction, microsoft defender atp, microsoft defender advanced threat protection, microsoft defender, antivirus, av, windows defender
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.custom: asr
-ms.topic: conceptual
----
-
-# Overview of attack surface reduction
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Help reduce your attack surfaces, by minimizing the places where your organization is vulnerable to cyberthreats and attacks. Use the following resources to configure protection for the devices and applications in your organization.
-
-
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4woug]
-
-
-Article | Description
--|-
-[Attack surface reduction](./attack-surface-reduction.md) | Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Microsoft Defender Antivirus).
-[Hardware-based isolation](../microsoft-defender-application-guard/md-app-guard-overview.md) | Protect and maintain the integrity of a system as it starts and while it's running. Validate system integrity through local and remote attestation. And, use container isolation for Microsoft Edge to help guard against malicious websites.
-[Application control](../windows-defender-application-control/windows-defender-application-control.md) | Use application control so that your applications must earn trust in order to run.
-[Exploit protection](./exploit-protection.md) | Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions.
-[Network protection](./network-protection.md) | Extend protection to your network traffic and connectivity on your organization's devices. (Requires Microsoft Defender Antivirus)
-[Web protection](./web-protection-overview.md) | Secure your devices against web threats and help you regulate unwanted content.
-[Controlled folder access](./controlled-folders.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Microsoft Defender Antivirus)
-[Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) | Prevent unauthorized traffic from flowing to or from your organization's devices with two-way network traffic filtering.
-[Attack surface reduction FAQ](./attack-surface-reduction-faq.md) | Frequently asked questions about Attack surface reduction rules, licensing, and more.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
deleted file mode 100644
index a6bc0dc2a2..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md
+++ /dev/null
@@ -1,39 +0,0 @@
----
-title: Overview of custom detections in Microsoft Defender ATP
-ms.reviewer:
-description: Understand how you can use advanced hunting to create custom detections and generate alerts
-keywords: custom detections, alerts, detection rules, advanced hunting, hunt, query, response actions, interval, mdatp, microsoft defender atp
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Custom detections overview
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured devices. You can do this with customizable detection rules that automatically trigger alerts and response actions.
-
-Custom detections work with [advanced hunting](advanced-hunting-overview.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
-
-Custom detections provide:
-- Alerts for rule-based detections built from advanced hunting queries
-- Automatic response actions that apply to files and devices
-
-## Related topics
-- [Create detection rules](custom-detection-rules.md)
-- [View and manage detection rules](custom-detections-manage.md)
-- [Advanced hunting overview](advanced-hunting-overview.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md
deleted file mode 100644
index 4c1e39e0e5..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-title: Overview of endpoint detection and response capabilities
-ms.reviewer:
-description: Learn about the endpoint detection and response capabilities in Microsoft Defender ATP
-keywords:
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Overview of endpoint detection and response
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Microsoft Defender ATP endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.
-
-When a threat is detected, alerts are created in the system for an analyst to investigate. Alerts with the same attack techniques or attributed to the same attacker are aggregated into an entity called an _incident_. Aggregating alerts in this manner makes it easy for analysts to collectively investigate and respond to threats.
-
->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4o1j5]
-
-Inspired by the "assume breach" mindset, Microsoft Defender ATP continuously collects behavioral cyber telemetry. This includes process information, network activities, deep optics into the kernel and memory manager, user login activities, registry and file system changes, and others. The information is stored for six months, enabling an analyst to travel back in time to the start of an attack. The analyst can then pivot in various views and approach an investigation through multiple vectors.
-
-The response capabilities give you the power to promptly remediate threats by acting on the affected entities.
-
-
-## Related topics
-- [Security operations dashboard](security-operations-dashboard.md)
-- [Incidents queue](view-incidents-queue.md)
-- [Alerts queue](alerts-queue.md)
-- [Devices list](machines-view-overview.md)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md b/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md
deleted file mode 100644
index cf352dd917..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md
+++ /dev/null
@@ -1,33 +0,0 @@
----
-title: Hardware-based isolation (Windows 10)
-ms.reviewer:
-description: Learn about how hardware-based isolation in Windows 10 helps to combat malware.
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
-ms.author: macapara
-ms.date: 09/07/2018
----
-
-# Hardware-based isolation in Windows 10
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Hardware-based isolation helps protect system integrity in Windows 10 and is integrated with Microsoft Defender ATP.
-
-| Feature | Description |
-|------------|-------------|
-| [Windows Defender Application Guard](../microsoft-defender-application-guard/md-app-guard-overview.md) | Application Guard protects your device from advanced attacks while keeping you productive. Using a unique hardware-based isolation approach, the goal is to isolate untrusted websites and PDF documents inside a lightweight container that is separated from the operating system via the native Windows Hypervisor. If an untrusted site or PDF document turns out to be malicious, it still remains contained within Application Guard’s secure container, keeping the desktop PC protected and the attacker away from your enterprise data. |
-| [Windows Defender System Guard](../windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md) | System Guard protects and maintains the integrity of the system as it starts and after it's running, and validates system integrity by using attestation. |
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md b/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md
deleted file mode 100644
index 40d005db5a..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md
+++ /dev/null
@@ -1,134 +0,0 @@
----
-title: Partner applications in Microsoft Defender ATP
-ms.reviewer:
-description: View supported partner applications to enhance the detection, investigation, and threat intelligence capabilities of the platform
-keywords: partners, applications, third-party, connections, sentinelone, lookout, bitdefender, corrata, morphisec, paloalto, ziften, better mobile
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Partner applications in Microsoft Defender ATP
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-Microsoft Defender ATP supports third-party applications to help enhance the detection, investigation, and threat intelligence capabilities of the platform.
-
-
-The support for third-party solutions help to further streamline, integrate, and orchestrate defenses from other vendors with Microsoft Defender ATP; enabling security teams to effectively respond better to modern threats.
-
-Microsoft Defender ATP seamlessly integrates with existing security solutions — providing out of the box integration with SIEM, ticketing and IT service management solutions, managed security service providers (MSSP), IoC indicators ingestions and matching, automated device investigation and remediation based on external alerts, and integration with Security orchestration and automation response (SOAR) systems.
-
-## Supported applications
-
-
-### Security information and analytics
-
-Logo |Partner name | Description
-:---|:---|:---
-| [AttackIQ Platform](https://go.microsoft.com/fwlink/?linkid=2103502) | AttackIQ Platform validates Microsoft Defender ATP is configured properly by launching continuous attacks safely on production assets
-| [AzureSentinel](https://go.microsoft.com/fwlink/?linkid=2135705) | Stream alerts from Microsoft Defender Advanced Threat Protection into Azure Sentinel
- | [Cymulate](https://go.microsoft.com/fwlink/?linkid=2135574)| Correlate Microsoft Defender ATP findings with simulated attacks to validate accurate detection and effective response actions
- | [Elastic Security](https://go.microsoft.com/fwlink/?linkid=2139303) | Elastic Security is a free and open solution for preventing, detecting, and responding to threats
- | [IBM QRadar](https://go.microsoft.com/fwlink/?linkid=2113903) | Configure IBM QRadar to collect detections from Microsoft Defender ATP
- | [Micro Focus ArcSight](https://go.microsoft.com/fwlink/?linkid=2113548) | Use Micro Focus ArcSight to pull Microsoft Defender ATP detections
- | [RSA NetWitness](https://go.microsoft.com/fwlink/?linkid=2118566) | Stream Microsoft Defender ATP Alerts to RSA NetWitness leveraging Microsoft Graph Security API
- | [SafeBreach](https://go.microsoft.com/fwlink/?linkid=2114114)| Gain visibility into Microsoft Defender ATP security events that are automatically correlated with SafeBreach simulations
- | [Skybox Vulnerability Control](https://go.microsoft.com/fwlink/?linkid=2127467) | Skybox Vulnerability Control cuts through the noise of vulnerability management, correlating business, network and threat context to uncover your riskiest vulnerabilities
- | [Splunk](https://go.microsoft.com/fwlink/?linkid=2129805) | The Microsoft Defender ATP Add-on allows Splunk users to ingest all of the alerts and supporting information to their Splunk
- | [XM Cyber](https://go.microsoft.com/fwlink/?linkid=2136700) | Prioritize your response to an alert based on risk factors and high value assets
-
-### Orchestration and automation
-
-
-Logo |Partner name | Description
-:---|:---|:---
- | [CyberSponse CyOps](https://go.microsoft.com/fwlink/?linkid=2115943) | CyOps integrates with Microsoft Defender ATP to automate customers' high-speed incident response playbooks
- | [Delta Risk ActiveEye](https://go.microsoft.com/fwlink/?linkid=2127468) | Delta Risk, a leading provider of SOC-as-a-Service and security services, integrate Microsoft Defender ATP with its cloud-native SOAR platform, ActiveEye.
- | [Demisto, a Palo Alto Networks Company](https://go.microsoft.com/fwlink/?linkid=2108414) | Demisto integrates with Microsoft Defender ATP to enable security teams to orchestrate and automate endpoint security monitoring, enrichment and response
- | [Microsoft Flow & Azure Functions](https://go.microsoft.com/fwlink/?linkid=2114300) | Use the Microsoft Defender ATP connectors for Azure Logic Apps & Microsoft Flow to automating security procedures
- | [Rapid7 InsightConnect](https://go.microsoft.com/fwlink/?linkid=2116040) | InsightConnect integrates with Microsoft Defender ATP to accelerate, streamline, and integrate your time-intensive security processes
- | [ServiceNow](https://go.microsoft.com/fwlink/?linkid=2135621) | Ingest alerts into ServiceNow Security Operations solution based on Microsoft Graph API integration
- | [Swimlane](https://go.microsoft.com/fwlink/?linkid=2113902) | Maximize incident response capabilities utilizing Swimlane and Microsoft Defender ATP together
-
-
-### Threat intelligence
-
-Logo |Partner name | Description
-:---|:---|:---
- | [MISP (Malware Information Sharing Platform)](https://go.microsoft.com/fwlink/?linkid=2127543) | Integrate threat indicators from the Open Source Threat Intelligence Sharing Platform into your Microsoft Defender ATP environment
- | [Palo Alto Networks](https://go.microsoft.com/fwlink/?linkid=2099582) | Enrich your endpoint protection by extending Autofocus and other threat feeds to Microsoft Defender ATP using MineMeld
- | [ThreatConnect](https://go.microsoft.com/fwlink/?linkid=2114115) | Alert and/or block on custom threat intelligence from ThreatConnect Playbooks using Microsoft Defender ATP indicators
-
-
-
-### Network security
-Logo |Partner name | Description
-:---|:---|:---
- | [Aruba ClearPass Policy Manager](https://go.microsoft.com/fwlink/?linkid=2127544) | Ensure Microsoft Defender ATP is installed and updated on each endpoint before allowing access to the network
- | [Blue Hexagon for Network](https://go.microsoft.com/fwlink/?linkid=2104613) | Blue Hexagon has built the industry's first real-time deep learning platform for network threat protection
- | [CyberMDX](https://go.microsoft.com/fwlink/?linkid=2135620) | Cyber MDX integrates comprehensive healthcare assets visibility, threat prevention and repose into your Microsoft Defender ATP environment
- |[Vectra Network Detection and Response (NDR)](https://go.microsoft.com/fwlink/?linkid=866934)| Vectra applies AI & security research to detect and respond to cyber-attacks in real time
-
-
-### Cross platform
-Logo |Partner name | Description
-:---|:---|:---
-| [Bitdefender](https://go.microsoft.com/fwlink/?linkid=860032)| Bitdefender GravityZone is a layered next generation endpoint protection platform offering comprehensive protection against the full spectrum of sophisticated cyber threats
- | [Better Mobile](https://go.microsoft.com/fwlink/?linkid=2086214)| AI based MTD solution to stop mobile threats & phishing. Private internet browsing to protect user privacy
-| [Corrata](https://go.microsoft.com/fwlink/?linkid=2081148) | Mobile solution — Protect your mobile devices with granular visibility and control from Corrata
-| [Lookout](https://go.microsoft.com/fwlink/?linkid=866935)| Get Lookout Mobile Threat Protection telemetry for Android and iOS mobile devices
- | [Symantec Endpoint Protection Mobile](https://go.microsoft.com/fwlink/?linkid=2090992)| SEP Mobile helps businesses predict, detect and prevent security threats and vulnerabilities on mobile devices
-| [Zimperium](https://go.microsoft.com/fwlink/?linkid=2118044)|Extend your Microsoft Defender ATP to iOS and Android with Machine Learning-based Mobile Threat Defense
-
-
-## Additional integrations
-Logo |Partner name | Description
-:---|:---|:---
-| [Cyren Web Filter](https://go.microsoft.com/fwlink/?linkid=2108221)| Enhance your Microsoft Defender ATP with advanced Web Filtering
-| [Morphisec](https://go.microsoft.com/fwlink/?linkid=2086215)| Provides Moving Target Defense-powered advanced threat prevention and integrates forensics data directly into WD Security Center dashboards to help prioritize alerts, determine device at-risk score and visualize full attack timeline including internal memory information
-| [THOR Cloud](https://go.microsoft.com/fwlink/?linkid=862988)| Provides on-demand live forensics scans using a signature base with focus on persistent threats
-
-
-
-
-## SIEM integration
-Microsoft Defender ATP supports SIEM integration through a variety of methods — specialized SIEM system interface with out of the box connectors, a generic alert API enabling custom implementations, and an action API enabling alert status management. For more information, see [Enable SIEM integration](enable-siem-integration.md).
-
-## Ticketing and IT service management
-Ticketing solution integration helps to implement manual and automatic response processes. Microsoft Defender ATP can help to create tickets automatically when an alert is generated and resolve the alerts when tickets are closed using the alerts API.
-
-## Security orchestration and automation response (SOAR) integration
-Orchestration solutions can help build playbooks and integrate the rich data model and actions that Microsoft Defender ATP APIs expose to orchestrate responses, such as query for device data, trigger device isolation, block/allow, resolve alert and others.
-
-## External alert correlation and Automated investigation and remediation
-Microsoft Defender ATP offers unique automated investigation and remediation capabilities to drive incident response at scale.
-
-Integrating the automated investigation and response capability with other solutions such as IDS and firewalls help to address alerts and minimize the complexities surrounding network and device signal correlation, effectively streamlining the investigation and threat remediation actions on devices.
-
-External alerts can be pushed into Microsoft Defender ATP and is presented side-by-side with additional device-based alerts from Microsoft Defender ATP. This view provides a full context of the alert — with the real process and the full story of attack.
-
-## Indicators matching
-You can use threat-intelligence from providers and aggregators to maintain and use indicators of compromise (IOCs).
-
-Microsoft Defender ATP allows you to integrate with such solutions and act on IoCs by correlating its rich telemetry and creating alerts when there's a match; leveraging prevention and automated response capabilities to block execution and take remediation actions when there's a match.
-
-Microsoft Defender ATP currently supports IOC matching and remediation for file and network indicators. Blocking is supported for file indicators.
-
-## Support for non-Windows platforms
-Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms, including mobile devices. You'll be able to see alerts from various supported operating systems (OS) in the portal and better protect your organization's network.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md b/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md
deleted file mode 100644
index 7c6e64db5c..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md
+++ /dev/null
@@ -1,58 +0,0 @@
----
-title: Microsoft Defender ATP partner opportunities and scenarios
-ms.reviewer:
-description: Learn how you can extend existing security offerings on top of the open framework and a rich set of APIs to build extensions and integrations with Microsoft Defender ATP
-keywords: API, partner, extend, open framework, apis, extensions, integrations, detection, management, response, vulnerabilities, intelligence
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Microsoft Defender ATP partner opportunities and scenarios
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-
-Partners can easily extend their existing security offerings on top of the open framework and a rich and complete set of APIs to build extensions and integrations with Microsoft Defender ATP.
-
-The APIs span functional areas including detection, management, response, vulnerabilities and intelligence wide range of use cases. Based on the use case and need, partners can either stream or query data from Microsoft Defender ATP.
-
-
-## Scenario 1: External alert correlation and Automated investigation and remediation
-Microsoft Defender ATP offers unique automated investigation and remediation capabilities to drive incident response at scale.
-
-Integrating the automated investigation and response capability with other solutions such as network security products or other endpoint security products will help to address alerts and minimize the complexities surrounding network and device signal correlation, effectively streamlining the investigation and threat remediation actions on devices.
-
-Microsoft Defender ATP adds support for this scenario in the following forms:
-- External alerts can be pushed into Microsoft Defender ATP and presented side-by-side with additional device-based alerts from Microsoft Defender ATP. This view provides the full context of the alert - with the real process and the full story of attack.
-
-- Once an alert is generated, the signal is shared across all Microsoft Defender ATP protected endpoints in the enterprise. Microsoft Defender ATP takes immediate automated or operator-assisted response to address the alert.
-
-## Scenario 2: Security orchestration and automation response (SOAR) integration
-Orchestration solutions can help build playbooks and integrate the rich data model and actions that Microsoft Defender ATP APIs exposes to orchestrate responses, such as query for device data, trigger device isolation, block/allow, resolve alert and others.
-
-## Scenario 3: Indicators matching
-Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability is available in Microsoft Defender ATP and gives the ability to set a list of indicators for prevention, detection and exclusion of entities. One can define the action to be taken as well as the duration for when to apply the action.
-
-The above scenarios serve as examples of the extensibility of the platform. You are not limited to these and we certainly encourage you leverage the open framework to discover and explore other scenarios.
-
-Follow the steps in [Become a Microsoft Defender ATP partner](get-started-partner-integration.md) to integrate your solution in Microsoft Defender ATP.
-
-## Related topic
-- [Overview of management and APIs](management-apis.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
deleted file mode 100644
index f8d7446a76..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
+++ /dev/null
@@ -1,129 +0,0 @@
----
-title: Microsoft Defender Advanced Threat Protection portal overview
-description: Microsoft Defender Security Center can monitor your enterprise network and assist in responding to potential advanced persistent threats (APT) or data breaches.
-keywords: Microsoft Defender Security Center, portal, cybersecurity threat intelligence, dashboard, alerts queue, devices list, settings, device management, advanced attacks
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Microsoft Defender Security Center portal overview
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
-
-Enterprise security teams can use Microsoft Defender Security Center to monitor and assist in responding to alerts of potential advanced persistent threat activity or data breaches.
-
-You can use [Microsoft Defender Security Center](https://securitycenter.windows.com/) to:
-
-- View, sort, and triage alerts from your endpoints
-- Search for more information on observed indicators such as files and IP Addresses
-- Change Microsoft Defender ATP settings, including time zone and review licensing information
-
-## Microsoft Defender Security Center
-
-When you open the portal, you'll see:
-
-- (1) Navigation pane (select the horizontal lines at the top of the navigation pane to show or hide it)
-- (2) Search, Community center, Localization, Help and support, Feedback
-
- 
-
-> [!NOTE]
-> Malware related detections will only appear if your devices are using Microsoft Defender Antivirus as the default real-time protection antimalware product.
-
-You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section.
-
-Area | Description
-:---|:---
-**(1) Navigation pane** | Use the navigation pane to move between **Dashboards**, **Incidents**, **Devices list**, **Alerts queue**, **Automated investigations**, **Advanced hunting**, **Reports**, **Partners & APIs**, **Threat & Vulnerability Management**, **Evaluation and tutorials**, **Service health**, **Configuration management**, and **Settings**. Select the horizontal lines at the top of the navigation pane to show or hide it.
-**Dashboards** | Access the active automated investigations, active alerts, automated investigations statistics, devices at risk, users at risk, devices with sensor issues, service health, detection sources, and daily devices reporting dashboards.
-**Incidents** | View alerts that have been aggregated as incidents.
-**Devices list** | Displays the list of devices that are onboarded to Microsoft Defender ATP, some information about them, and their exposure and risk levels.
-**Alerts queue** | View alerts generated from devices in your organizations.
-**Automated investigations** | Displays automated investigations that have been conducted in the network, triggering alert, the status of each investigation and other details such as when the investigation started and the duration of the investigation.
-**Advanced hunting** | Advanced hunting allows you to proactively hunt and investigate across your organization using a powerful search and query tool.
-**Reports** | View graphs detailing threat protection, device health and compliance, web protection, and vulnerability.
-**Partners & APIs** | View supported partner connections, which enhance the detection, investigation, and threat intelligence capabilities of the platform. You can also view connected applications, the API explorer, API usage overview, and data export settings.
-**Threat & Vulnerability management** | View your Microsoft Secure Score for Devices, exposure score, exposed devices, vulnerable software, and take action on top security recommendations.
-**Evaluation and tutorials** | Manage test devices, attack simulations, and reports. Learn and experience the Microsoft Defender ATP capabilities through a guided walk-through in a trial environment.
-**Service health** | Provides information on the current status of the Microsoft Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues.
-**Configuration management** | Displays on-boarded devices, your organizations' security baseline, predictive analysis, web protection coverage, and allows you to perform attack surface management on your devices.
-**Settings** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as permissions, APIs, rules, device management, IT service management, and network assessments.
-**(2) Search, Community center, Localization, Help and support, Feedback** | **Search** - search by device, file, user, URL, IP, vulnerability, software, and recommendation. **Community center** - Access the Community center to learn, collaborate, and share experiences about the product. **Localization** - Set time zones. **Help and support** - Access the Microsoft Defender ATP guide, Microsoft and Microsoft Premier support, license information, simulations & tutorials, Microsoft Defender ATP evaluation lab, consult a threat expert. **Feedback** - Provide comments about what you like or what we can do better.
-
-> [!NOTE]
-> For devices with high resolution DPI scaling issues, please see [Windows scaling issues for high-DPI devices](https://support.microsoft.com/help/3025083/windows-scaling-issues-for-high-dpi-devices) for possible solutions.
-
-## Microsoft Defender ATP icons
-
-The following table provides information on the icons used all throughout the portal:
-
-Icon | Description
-:---|:---
-| Microsoft Defender ATP logo
-| Alert – Indication of an activity correlated with advanced attacks.
-| Detection – Indication of a malware threat detection.
-| Active threat – Threats actively executing at the time of detection.
-| Remediated – Threat removed from the device.
-| Not remediated – Threat not removed from the device.
-| Indicates events that triggered an alert in the **Alert process tree**.
-| Device icon
-| Microsoft Defender Antivirus events
-| Windows Defender Application Guard events
-| Windows Defender Device Guard events
-| Windows Defender Exploit Guard events
-| Windows Defender SmartScreen events
-| Windows Firewall events
-| Response action
-| Process events
-| Network events
-| File events
-| Registry events
-| Load DLL events
-| Other events
-| Access token modification
-| File creation
-| Signer
-| File path
-| Command line
-| Unsigned file
-| Process tree
-| Memory allocation
-| Process injection
-| Powershell command run
- | Community center
- | Notifications
- | Automated investigation - no threats found
- | Automated investigation - failed
- | Automated investigation - partially investigated
- | Automated investigation - terminated by system
- | Automated investigation - pending
- | Automated investigation - running
- | Automated investigation - remediated
- | Automated investigation - partially remediated
- | Threat & Vulnerability Management - threat insights
- | Threat & Vulnerability Management - possible active alert
- | Threat & Vulnerability Management - recommendation insights
-
-## Related topics
-
-- [Overview of Microsoft Defender Security Center](use.md)
-- [View the Security operations dashboard](security-operations-dashboard.md)
-- [View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
-- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
deleted file mode 100644
index 7525f68b6e..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
+++ /dev/null
@@ -1,108 +0,0 @@
----
-title: Submit or Update Indicator API
-description: Learn how to use the Submit or Update Indicator API to submit or update a new Indicator entity in Microsoft Defender Advanced Threat Protection.
-keywords: apis, graph api, supported apis, submit, ti, indicator, update
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Submit or Update Indicator API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-
-## API description
-Submits or Updates new [Indicator](ti-indicator.md) entity.
-
-
-
-
-
- 
-
Phase 1: Prepare
-
-
-
- 
-
Phase 2: Set up
-
-
-
-
-
- 
-
Phase 3: Onboard
-
CIDR notation for IPs is supported.
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-2. There is a limit of 15,000 active indicators per tenant.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Ti.ReadWrite | 'Read and write Indicators'
-Application | Ti.ReadWrite.All | 'Read and write All Indicators'
-Delegated (work or school account) | Ti.ReadWrite | 'Read and write Indicators'
-
-
-## HTTP request
-```
-POST https://api.securitycenter.windows.com/api/indicators
-```
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | string | application/json. **Required**.
-
-## Request body
-In the request body, supply a JSON object with the following parameters:
-
-Parameter | Type | Description
-:---|:---|:---
-indicatorValue | String | Identity of the [Indicator](ti-indicator.md) entity. **Required**
-indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". **Required**
-action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". **Required**
-application | String | The application associated with the indicator. **Optional**
-title | String | Indicator alert title. **Required**
-description | String | Description of the indicator. **Required**
-expirationTime | DateTimeOffset | The expiration time of the indicator. **Optional**
-severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High". **Optional**
-recommendedActions | String | TI indicator alert recommended actions. **Optional**
-rbacGroupNames | String | Comma-separated list of RBAC group names the indicator would be applied to. **Optional**
-
-
-## Response
-- If successful, this method returns 200 - OK response code and the created / updated [Indicator](ti-indicator.md) entity in the response body.
-- If not successful: this method return 400 - Bad Request. Bad request usually indicates incorrect body.
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-POST https://api.securitycenter.windows.com/api/indicators
-Content-type: application/json
-{
- "indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f",
- "indicatorType": "FileSha1",
- "title": "test",
- "application": "demo-test",
- "expirationTime": "2020-12-12T00:00:00Z",
- "action": "AlertAndBlock",
- "severity": "Informational",
- "description": "test",
- "recommendedActions": "nothing",
- "rbacGroupNames": ["group1", "group2"]
-}
-```
-
-## Related topic
-- [Manage indicators](manage-indicators.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md b/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md
deleted file mode 100644
index f5f432ad15..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md
+++ /dev/null
@@ -1,40 +0,0 @@
----
-title: Configure Microsoft Defender Security Center settings
-description: Use the settings page to configure general settings, permissions, apis, and rules.
-keywords: settings, general settings, permissions, apis, rules
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Configure Microsoft Defender Security Center settings
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-prefsettings-abovefoldlink)
-
-Use the **Settings** menu to modify general settings, advanced features, enable the preview experience, email notifications, and the custom threat intelligence feature.
-
-## In this section
-
-Topic | Description
-:---|:---
-General settings | Modify your general settings that were previously defined as part of the onboarding process.
-Permissions | Manage portal access using RBAC as well as device groups.
-APIs | Enable the threat intel and SIEM integration.
-Rules | Configure suppressions rules and automation settings.
-Device management | Onboard and offboard devices.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
deleted file mode 100644
index 9e4e98ffb5..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
+++ /dev/null
@@ -1,190 +0,0 @@
----
-title: Prepare Microsoft Defender ATP deployment
-description: Prepare stakeholder sign-off, timelines, environment considerations, and adoption order when deploying Microsoft Defender ATP
-keywords: deploy, prepare, stakeholder, timeline, environment, endpoint, server, management, adoption
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- M365-security-compliance
-- m365solution-endpointprotect
-- m365solution-scenario
-ms.topic: article
----
-
-# Prepare Microsoft Defender ATP deployment
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-
-
-Deploying Microsoft Defender ATP is a three-phase process:
-
-
-
-
-
-You are currently in the preparation phase.
-
-
-Preparation is key to any successful deployment. In this article, you'll be guided on the points you'll need to consider as you prepare to deploy Microsoft Defender ATP.
-
-
-## Stakeholders and Sign-off
-The following section serves to identify all the stakeholders that are involved
-in the project and need to sign-off, review, or stay informed.
-
-Add stakeholders
-to the table below as appropriate for your organization.
-
-- SO = Sign-off on this project
-
-- R = Review this project and provide input
-
-- I = Informed of this project
-
-| Name | Role | Action |
-|----------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------|
-| Enter name and email | **Chief Information Security Officer (CISO)** *An executive representative who serves as sponsor inside the organization for the new technology deployment.* | SO |
-| Enter name and email | **Head of Cyber Defense Operations Center (CDOC)** *A representative from the CDOC team in charge of defining how this change is aligned with the processes in the customers security operations team.* | SO |
-| Enter name and email | **Security Architect** *A representative from the Security team in charge of defining how this change is aligned with the core Security architecture in the organization.* | R |
-| Enter name and email | **Workplace Architect** *A representative from the IT team in charge of defining how this change is aligned with the core workplace architecture in the organization.* | R |
-| Enter name and email | **Security Analyst** *A representative from the CDOC team who can provide input on the detection capabilities, user experience and overall usefulness of this change from a security operations perspective.* | I |
-
-
-## Environment
-
-
-This section is used to ensure your environment is deeply understood by the
-stakeholders which will help identify potential dependencies and/or changes
-required in technologies or processes.
-
-| What | Description |
-|---------------------------------------|-------------|
-| Endpoint count | |
-| Server count | |
-| Management engine | |
-| CDOC distribution | |
-| Security information and event (SIEM) | |
-
-
-## Role-based access control
-
-Microsoft recommends using the concept of least privileges. Microsoft Defender
-ATP leverages built-in roles within Azure Active Directory. Microsoft recommend
-[review the different roles that are
-available](https://docs.microsoft.com/azure/active-directory/active-directory-assign-admin-roles-azure-portal)
-and choose the right one to solve your needs for each persona for this
-application. Some roles may need to be applied temporarily and removed after the
-deployment has been completed.
-
-| Personas | Roles | Azure AD Role (if required) | Assign to |
-|------------------------------|-------|-----------------------------|-----------|
-| Security Administrator | | | |
-| Security Analyst | | | |
-| Endpoint Administrator | | | |
-| Infrastructure Administrator | | | |
-| Business Owner/Stakeholder | | | |
-
-Microsoft recommends using [Privileged Identity
-Management](https://docs.microsoft.com/azure/active-directory/active-directory-privileged-identity-management-configure)
-to manage your roles to provide additional auditing, control, and access review
-for users with directory permissions.
-
-Microsoft Defender ATP supports two ways to manage permissions:
-
-- **Basic permissions management**: Set permissions to either full access or
- read-only. In the case of basic permissions management users with Global
- Administrator or Security Administrator role in Azure Active Directory have
- full access while the Security reader role has read-only access.
-
-- **Role-based access control (RBAC)**: Set granular permissions by defining
- roles, assigning Azure AD user groups to the roles, and granting the user
- groups access to device groups. For more information. see [Manage portal access using role-based access control](rbac.md).
-
-Microsoft recommends leveraging RBAC to ensure that only users that have a
-business justification can access Microsoft Defender ATP.
-
-You can find details on permission guidelines
-[here](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group).
-
-The following example table serves to identify the Cyber Defense Operations
-Center structure in your environment that will help you determine the RBAC
-structure required for your environment.
-
-| Tier | Description | Permission Required |
-|--------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------|
-| Tier 1 | **Local security operations team / IT team**
-
-
-
-
-
-
Phase 1: Prepare
-
-
-
-
-
Phase 2: Set up
-
-
-
-
-
Phase 3: Onboard
-
-
-
-
-
-
-
-
-
-
-
-
This team usually triages and investigates alerts contained within their geolocation and escalates to Tier 2 in cases where an active remediation is required. | |
-| Tier 2 | **Regional security operations team**
This team can see all the devices for their region and perform remediation actions. | View data |
-| Tier 3 | **Global security operations team**
This team consists of security experts and are authorized to see and perform all actions from the portal. | View data
Alerts investigation Active remediation actions
Alerts investigation Active remediation actions
Manage portal system settings
Manage security settings |
-
-
-
-## Adoption Order
-In many cases, organizations will have existing endpoint security products in
-place. The bare minimum every organization should have is an antivirus solution. But in some cases, an organization might also have implanted an EDR solution already.
-
-Historically, replacing any security solution used to be time intensive and difficult
-to achieve due to the tight hooks into the application layer and infrastructure
-dependencies. However, because Microsoft Defender ATP is built into the
-operating system, replacing third-party solutions is now easy to achieve.
-
-Choose the component of Microsoft Defender ATP to be used and remove the ones
-that do not apply. The table below indicates the order Microsoft recommends for
-how the endpoint security suite should be enabled.
-
-| Component | Description | Adoption Order Rank |
-|-----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------|
-| Endpoint Detection & Response (EDR) | Microsoft Defender ATP endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.
[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | 1 |
-|Threat & Vulnerability Management (TVM)|Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including:
- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
- Invaluable device vulnerability context during incident investigations
- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager
[Learn more](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Introducing-a-risk-based-approach-to-threat-and-vulnerability/ba-p/377845).| 2 |
-| Next-generation protection (NGP) | Microsoft Defender Antivirus is a built-in antimalware solution that provides next-generation protection for desktops, portable computers, and servers. Microsoft Defender Antivirus includes:
-Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Microsoft Defender Antivirus.
- Always-on scanning using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection").
- Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research.
[Learn more](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). |3 |
-| Attack Surface Reduction (ASR) | Attack surface reduction capabilities in Microsoft Defender ATP helps protect the devices and applications in the organization from new and emerging threats.
[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) | 4 |
-| Auto Investigation & Remediation (AIR) | Microsoft Defender ATP uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives.
[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) | Not applicable |
-| Microsoft Threat Experts (MTE) | Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don't get missed.
[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts) | Not applicable |
-
-## Next step
-|||
-|:-------|:-----|
-|
[Phase 2: Setup](production-deployment.md) | Set up Microsoft Defender ATP deployment
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md b/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md
deleted file mode 100644
index f031b9edd9..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md
+++ /dev/null
@@ -1,43 +0,0 @@
----
-title: Turn on the preview experience in Microsoft Defender ATP
-description: Turn on the preview experience in Microsoft Defender Advanced Threat Protection to try upcoming features.
-keywords: advanced features, settings, block file
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-# Turn on the preview experience in Microsoft Defender ATP
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-previewsettings-abovefoldlink)
-
-Turn on the preview experience setting to be among the first to try upcoming features.
-
-1. In the navigation pane, select **Settings** > **Advanced features**.
-
- 
-
-
-2. Toggle the setting between **On** and **Off** and select **Save preferences**.
-
-## Related topics
-- [Update general settings in Microsoft Defender ATP](data-retention-settings.md)
-- [Turn on advanced features in Microsoft Defender ATP](advanced-features.md)
-- [Configure email notifications in Microsoft Defender ATP](configure-email-notifications.md)
-- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md
deleted file mode 100644
index 4443433ac4..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/preview.md
+++ /dev/null
@@ -1,82 +0,0 @@
----
-title: Microsoft Defender ATP preview features
-description: Learn how to access Microsoft Defender Advanced Threat Protection preview features.
-keywords: preview, preview experience, Microsoft Defender Advanced Threat Protection, features, updates
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
----
-
-# Microsoft Defender ATP preview features
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
->[!IMPORTANT]
->The preview versions are provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-The Microsoft Defender ATP service is constantly being updated to include new feature enhancements and capabilities.
-
-> [!TIP]
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-abovefoldlink)
-
-Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience.
-
->[!TIP]
->Get notified when this page is updated by copying and pasting the following URL into your feed reader: `https://docs.microsoft.com/api/search/rss?search=%22Microsoft+Defender+ATP+preview+features%22&locale=en-us`
-
-For more information on new capabilities that are generally available, see [What's new in Microsoft Defender ATP](whats-new-in-microsoft-defender-atp.md).
-
-## Turn on preview features
-
-You'll have access to upcoming features that you can provide feedback on to help improve the overall experience before features are generally available.
-
-Turn on the preview experience setting to be among the first to try upcoming features.
-
-1. In the navigation pane, select **Settings** > **Advanced features** > **Preview features**.
-
-2. Toggle the setting between **On** and **Off** and select **Save preferences**.
-
-## Preview features
-
-The following features are included in the preview release:
-- [Microsoft Defender ATP for iOS](microsoft-defender-atp-ios.md)
Microsoft Defender ATP now adds support for iOS. Learn how to install, configure, and use Microsoft Defender ATP for iOS.
-
-- [Microsoft Defender ATP for Android](microsoft-defender-atp-android.md)
Microsoft Defender ATP now adds support for Android. Learn how to install, configure, and use Microsoft Defender ATP for Android.
-
-- [Web Content Filtering](web-content-filtering.md)
Web content filtering is part of web protection capabilities in Microsoft Defender ATP. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic because of compliance regulations, bandwidth usage, or other concerns.
-
- - [Threat and vulnerability management supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os)
Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019.
Secure Configuration Assessment (SCA) supports Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, and Windows Server 2019.
-
-- [Device health and compliance report](machine-reports.md)
The device health and compliance report provides high-level information about the devices in your organization.
-
-- [Information protection](information-protection-in-windows-overview.md)
-Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace. Microsoft Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices.
-
- >[!NOTE]
- >Partially available from Windows 10, version 1809.
-
-- [Integration with Microsoft Cloud App Security](microsoft-cloud-app-security-integration.md)
Microsoft Cloud App Security leverages Microsoft Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Microsoft Defender ATP monitored devices.
-
- >[!NOTE]
- >Available from Windows 10, version 1809 or later.
-
-- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-version-1803-and-windows-server-2019)
Microsoft Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client devices.
-
-
-> [!TIP]
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-belowfoldlink)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
deleted file mode 100644
index 4a974f0e24..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
+++ /dev/null
@@ -1,269 +0,0 @@
----
-title: Set up Microsoft Defender ATP deployment
-description:
-keywords:
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- M365-security-compliance
-- m365solution-endpointprotect
-- m365solution-scenario
-ms.topic: article
----
-
-# Set up Microsoft Defender ATP deployment
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-Deploying Microsoft Defender ATP is a three-phase process:
-
-
-
-
-
-You are currently in the set up phase.
-
-In this deployment scenario, you'll be guided through the steps on:
-- Licensing validation
-- Tenant configuration
-- Network configuration
-
-
->[!NOTE]
->For the purpose of guiding you through a typical deployment, this scenario will only cover the use of Microsoft Endpoint Configuration Manager. Microsoft Defender ATP supports the use of other onboarding tools but will not cover those scenarios in the deployment guide. For more information, see [Onboard devices to Microsoft Defender ATP](onboard-configure.md).
-
-## Check license state
-
-Checking for the license state and whether it got properly provisioned, can be done through the admin center or through the **Microsoft Azure portal**.
-
-1. To view your licenses go to the **Microsoft Azure portal** and navigate to the [Microsoft Azure portal license section](https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products).
-
- 
-
-1. Alternately, in the admin center, navigate to **Billing** > **Subscriptions**.
-
- On the screen you will see all the provisioned licenses and their current **Status**.
-
- 
-
-
-## Cloud Service Provider validation
-
-To gain access into which licenses are provisioned to your company, and to check the state of the licenses, go to the admin center.
-
-1. From the **Partner portal**, click on the **Administer services > Office 365**.
-
-2. Clicking on the **Partner portal** link will leverage the **Admin on behalf** option and will give you access to the customer admin center.
-
- 
-
-
-
-## Tenant Configuration
-
-When accessing [Microsoft Defender Security Center](https://securitycenter.windows.com/) for the first time there will be a set up wizard that will guide you through some initial steps. At the end of the setup wizard there will be a dedicated cloud instance of Microsoft Defender ATP created. The easiest method is to perform these steps from a Windows 10 client device.
-
-1. From a web browser, navigate to
-
-
-
-
-
-
Phase 1: Prepare
-
-
-
-
-
Phase 2: Set up
-
-
-
-
-
-
-
Phase 3: Onboard
-
Suitable only for desktops in a
- stable topology (for example: a desktop in a corporate network behind the
- same proxy)
-
-### Configure the proxy server manually using a registry-based static proxy
-
-Configure a registry-based static proxy to allow only Microsoft Defender ATP
-sensor to report diagnostic data and communicate with Microsoft Defender ATP
-services if a computer is not permitted to connect to the Internet. The static
-proxy is configurable through Group Policy (GP). The group policy can be found
-under:
-
- - Administrative Templates \> Windows Components \> Data Collection and Preview Builds \> Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service
- - Set it to **Enabled** and select **Disable Authenticated Proxy usage**
-
-1. Open the Group Policy Management Console.
-2. Create a policy or edit an existing policy based off the organizational practices.
-3. Edit the Group Policy and navigate to **Administrative Templates \> Windows Components \> Data Collection and Preview Builds \> Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service**.
- 
-
-4. Select **Enabled**.
-5. Select **Disable Authenticated Proxy usage**.
-
-6. Navigate to **Administrative Templates \> Windows Components \> Data Collection and Preview Builds \> Configure connected user experiences and telemetry**.
- 
-7. Select **Enabled**.
-8. Enter the **Proxy Server Name**.
-
-The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DataCollection`.
-
-The registry value `TelemetryProxyServer` takes the following string format:
-
-```text
-
[Spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) | The spreadsheet provides specific DNS records for service locations, geographic locations, and OS.
-
-
-### Microsoft Defender ATP service backend IP range
-
-If you network devices don't support the URLs white-listed in the prior section, you can use the following information.
-
-Microsoft Defender ATP is built on Azure cloud, deployed in the following regions:
-
-- \+\
[Phase 3: Onboard](onboarding.md) | Onboard devices to the service so that the Microsoft Defender ATP service can get sensor data from them.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
deleted file mode 100644
index 38400901cd..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
+++ /dev/null
@@ -1,313 +0,0 @@
----
-title: Pull Microsoft Defender ATP detections using REST API
-description: Learn how call an Microsoft Defender ATP endpoint to pull detections in JSON format using the SIEM REST API.
-keywords: detections, pull detections, rest api, request, response
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Pull Microsoft Defender ATP detections using SIEM REST API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-pullalerts-abovefoldlink)
-
->[!Note]
->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections.
->- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details.
->-The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
-
-Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections from the API.
-
-In general, the OAuth 2.0 protocol supports four types of flows:
-- Authorization grant flow
-- Implicit flow
-- Client credentials flow
-- Resource owner flow
-
-For more information about the OAuth specifications, see the [OAuth Website](http://www.oauth.net).
-
-Microsoft Defender ATP supports the _Authorization grant flow_ and _Client credential flow_ to obtain access to pull detections, with Azure Active Directory (AAD) as the authorization server.
-
-The _Authorization grant flow_ uses user credentials to get an authorization code, which is then used to obtain an access token.
-
-The _Client credential flow_ uses client credentials to authenticate against the Microsoft Defender ATP endpoint URL. This flow is suitable for scenarios when an OAuth client creates requests to an API that doesn't require user credentials.
-
-Use the following method in the Microsoft Defender ATP API to pull detections in JSON format.
-
->[!NOTE]
->Microsoft Defender Security Center merges similar alert detections into a single alert. This API pulls alert detections in its raw form based on the query parameters you set, enabling you to apply your own grouping and filtering.
-
-## Before you begin
-- Before calling the Microsoft Defender ATP endpoint to pull detections, you'll need to enable the SIEM integration application in Azure Active Directory (AAD). For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md).
-
-- Take note of the following values in your Azure application registration. You need these values to configure the OAuth flow in your service or daemon app:
- - Application ID (unique to your application)
- - App key, or secret (unique to your application)
- - Your app's OAuth 2.0 token endpoint
- - Find this value by clicking **View Endpoints** at the bottom of the Azure Management Portal in your app's page. The endpoint will look like `https://login.microsoftonline.com/{tenantId}/oauth2/token`.
-
-## Get an access token
-Before creating calls to the endpoint, you'll need to get an access token.
-
-You'll use the access token to access the protected resource, which are detections in Microsoft Defender ATP.
-
-To get an access token, you'll need to do a POST request to the token issuing endpoint. Here is a sample request:
-
-```syntax
-
-POST /72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/token HTTP/1.1
-Host: login.microsoftonline.com
-Content-Type: application/x-www-form-urlencoded
-
-resource=https%3A%2F%2Fgraph.windows.net&client_id=35e0f735-5fe4-4693-9e68-3de80f1d3745&client_secret=IKXc6PxB2eoFNJ%2FIT%2Bl2JZZD9d9032VXz6Ul3D2WyUQ%3D&grant_type=client_credentials
-```
-The response will include an access token and expiry information.
-
-```json
-{
- "token_type": "Bearer",
- "expires_in": "3599",
- "ext_expires_in": "0",
- "expires_on": "1488720683",
- "not_before": "1488720683",
- "resource": "https://graph.windows.net",
- "access_token":"eyJ0eXaioJJOIneiowiouqSuzNiZ345FYOVkaJL0625TueyaJasjhIjEnbMlWqP..."
-}
-```
-You can now use the value in the *access_token* field in a request to the Microsoft Defender ATP API.
-
-## Request
-With an access token, your app can make authenticated requests to the Microsoft Defender ATP API. Your app must append the access token to the Authorization header of each request.
-
-### Request syntax
-Method | Request URI
-:---|:---|
-GET| Use the URI applicable for your region.
**For EU**: `https://wdatp-alertexporter-eu.windows.com/api/alerts` **For US**: `https://wdatp-alertexporter-us.windows.com/api/alerts`
**For UK**: `https://wdatp-alertexporter-uk.windows.com/api/alerts`
-
-### Request header
-Header | Type | Description|
-:--|:--|:--
-Authorization | string | Required. The Azure AD access token in the form **Bearer** <*token*>. |
-
-### Request parameters
-
-Use optional query parameters to specify and control the amount of data returned in a response. If you call this method without parameters, the response contains all the alerts in your organization in the last 2 hours.
-
-Name | Value| Description
-:---|:---|:---
-sinceTimeUtc | DateTime | Defines the lower time bound alerts are retrieved from, based on field:
`LastProcessedTimeUtc`
The time range will be: from sinceTimeUtc time to current time.
**NOTE**: When not specified, all alerts generated in the last two hours are retrieved.
-untilTimeUtc | DateTime | Defines the upper time bound alerts are retrieved.
The time range will be: from `sinceTimeUtc` time to `untilTimeUtc` time.
**NOTE**: When not specified, the default value will be the current time.
-ago | string | Pulls alerts in the following time range: from `(current_time - ago)` time to `current_time` time.
Value should be set according to **ISO 8601** duration format
E.g. `ago=PT10M` will pull alerts received in the last 10 minutes.
-limit | int | Defines the number of alerts to be retrieved. Most recent alerts will be retrieved based on the number defined.
**NOTE**: When not specified, all alerts available in the time range will be retrieved.
-machinegroups | string | Specifies device groups to pull alerts from.
**NOTE**: When not specified, alerts from all device groups will be retrieved.
Example:
```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines```
-DeviceCreatedMachineTags | string | Single device tag from the registry.
-CloudCreatedMachineTags | string | Device tags that were created in Microsoft Defender Security Center.
-
-### Request example
-The following example demonstrates how to retrieve all the detections in your organization.
-
-```syntax
-GET https://wdatp-alertexporter-eu.windows.com/api/alerts
-Authorization: Bearer
This team usually triages and investigates alerts contained within their geolocation and escalates to Tier 2 in cases where an active remediation is required.
-Tier 2 | **Regional security operations team**
This team can see all the devices for their region and perform remediation actions.
-Tier 3 | **Global security operations team**
This team consists of security experts and are authorized to see and perform all actions from the portal.
-
-Microsoft Defender ATP RBAC is designed to support your tier- or role-based model of choice and gives you granular control over what roles can see, devices they can access, and actions they can take. The RBAC framework is centered around the following controls:
-
-- **Control who can take specific action**
- - Create custom roles and control what Microsoft Defender ATP capabilities they can access with granularity.
-
-- **Control who can see information on specific device group or groups**
- - [Create device groups](machine-groups.md) by specific criteria such as names, tags, domains, and others, then grant role access to them using a specific Azure Active Directory (Azure AD) user group.
-
-To implement role-based access, you'll need to define admin roles, assign corresponding permissions, and assign Azure AD user groups assigned to the roles.
-
-
-### Before you begin
-Before using RBAC, it's important that you understand the roles that can grant permissions and the consequences of turning on RBAC.
-
-
-> [!WARNING]
-> Before enabling the feature, it's important that you have a Global Administrator role or Security Administrator role in Azure AD and that you have your Azure AD groups ready to reduce the risk of being locked out of the portal.
-
-When you first log in to Microsoft Defender Security Center, you're granted either full access or read only access. Full access rights are granted to users with Security Administrator or Global Administrator roles in Azure AD. Read only access is granted to users with a Security Reader role in Azure AD.
-
-Someone with a Microsoft Defender ATP Global administrator role has unrestricted access to all devices, regardless of their device group association and the Azure AD user groups assignments
-
-> [!WARNING]
-> Initially, only those with Azure AD Global Administrator or Security Administrator rights will be able to create and assign roles in Microsoft Defender Security Center, therefore, having the right groups ready in Azure AD is important.
->
-> **Turning on role-based access control will cause users with read-only permissions (for example, users assigned to Azure AD Security reader role) to lose access until they are assigned to a role.**
->
->Users with admin permissions are automatically assigned the default built-in Microsoft Defender ATP global administrator role with full permissions. After opting in to use RBAC, you can assign additional users that are not Azure AD Global or Security Administrators to the Microsoft Defender ATP global administrator role.
->
-> After opting in to use RBAC, you cannot revert to the initial roles as when you first logged into the portal.
-
-
-
-## Related topic
-- [Create and manage device groups in Microsoft Defender ATP](machine-groups.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/recommendation.md
deleted file mode 100644
index c094ae5bec..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/recommendation.md
+++ /dev/null
@@ -1,62 +0,0 @@
----
-title: Recommendation methods and properties
-description: Retrieves top recent alerts.
-keywords: apis, graph api, supported apis, get, alerts, recent
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Recommendation resource type
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-## Methods
-Method |Return Type |Description
-:---|:---|:---
-[List all recommendations](get-all-recommendations.md) | Recommendation collection | Retrieves a list of all security recommendations affecting the organization
-[Get recommendation by Id](get-recommendation-by-id.md) | Recommendation | Retrieves a security recommendation by its ID
-[Get recommendation software](get-recommendation-software.md)| [Software](software.md) | Retrieves a security recommendation related to a specific software
-[Get recommendation devices](get-recommendation-machines.md)|MachineRef collection | Retrieves a list of devices associated with the security recommendation
-[Get recommendation vulnerabilities](get-recommendation-vulnerabilities.md) | [Vulnerability](vulnerability.md) collection | Retrieves a list of vulnerabilities associated with the security recommendation
-
-
-## Properties
-Property | Type | Description
-:---|:---|:---
-id | String | Recommendation ID
-productName | String | Related software name
-recommendationName | String | Recommendation name
-Weaknesses | Long | Number of discovered vulnerabilities
-Vendor | String | Related vendor name
-recommendedVersion | String | Recommended version
-recommendationCategory | String | Recommendation category. Possible values are: "Accounts", "Application", "Network", "OS", "SecurityStack
-subCategory | String | Recommendation sub-category
-severityScore | Double | Potential impact of the configuration to the organization's Microsoft Secure Score for Devices (1-10)
-publicExploit | Boolean | Public exploit is available
-activeAlert | Boolean | Active alert is associated with this recommendation
-associatedThreats | String collection | Threat analytics report is associated with this recommendation
-remediationType | String | Remediation type. Possible values are: "ConfigurationChange","Update","Upgrade","Uninstall"
-Status | Enum | Recommendation exception status. Possible values are: "Active" and "Exception"
-configScoreImpact | Double | Microsoft Secure Score for Devices impact
-exposureImpacte | Double | Exposure score impact
-totalMachineCount | Long | Number of installed devices
-exposedMachinesCount | Long | Number of installed devices that are exposed to vulnerabilities
-nonProductivityImpactedAssets | Long | Number of devices which are not affected
-relatedComponent | String | Related software component
diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
deleted file mode 100644
index cad6f89bbe..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md
+++ /dev/null
@@ -1,290 +0,0 @@
----
-title: Take response actions on a file in Microsoft Defender ATP
-description: Take response actions on file related alerts by stopping and quarantining a file or blocking a file and checking activity details.
-keywords: respond, stop and quarantine, block file, deep analysis
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Take response actions on a file
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-responddile-abovefoldlink)
-
-Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details in the Action center.
-
-Response actions are available on a file's detailed profile page. Once on this page, you can switch between the new and old page layouts by toggling **new File page**. The rest of this article describes the newer page layout.
-
-Response actions run along the top of the file page, and include:
-
-- Stop and Quarantine File
-- Add Indicator
-- Download file
-- Consult a threat expert
-- Action center
-
-You can also submit files for deep analysis, to run the file in a secure cloud sandbox. When the analysis is complete, you'll get a detailed report that provides information about the behavior of the file. You can submit files for deep analysis and read past reports by selecting the **Deep analysis** tab. It's located below the file information cards.
-
-Some actions require certain permissions. The following table describes what action certain permissions can take on portable executable (PE) and non-PE files:
-
-Permission | PE files | Non-PE files
-:---|:---|:---
-View data | X | X
-Alerts investigation | ☑ | X
-Live response basic | X | X
-Live response advanced | ☑ |☑
-
-For more information on roles, see [Create and manage roles for role-based access control](user-roles.md).
-
-
-## Stop and quarantine files in your network
-
-You can contain an attack in your organization by stopping the malicious process and quarantining the file where it was observed.
-
->[!IMPORTANT]
->You can only take this action if:
->
-> - The device you're taking the action on is running Windows 10, version 1703 or later
-> - The file does not belong to trusted third-party publishers or not signed by Microsoft
-> - Microsoft Defender Antivirus must at least be running on Passive mode. For more information, see [Microsoft Defender Antivirus compatibility](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
-
-The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistent data, such as any registry keys.
-
-This action takes effect on devices with Windows 10, version 1703 or later, where the file was observed in the last 30 days.
-
->[!NOTE]
->You’ll be able to restore the file from quarantine at any time.
-
-### Stop and quarantine files
-
-1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box:
-
- - **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline
- - **Search box** - select **File** from the drop–down menu and enter the file name
-
-
- >[!NOTE]
- >The stop and quarantine file action is limited to a maximum of 1000 devices. To stop a file on a larger number of devices, see [Add indicator to block or allow file](#add-indicator-to-block-or-allow-a-file).
-
-2. Go to the top bar and select **Stop and Quarantine File**.
-
- 
-
-3. Specify a reason, then click **Confirm**.
-
- 
-
- The Action center shows the submission information:
- 
-
- - **Submission time** - Shows when the action was submitted.
- - **Success** - Shows the number of devices where the file has been stopped and quarantined.
- - **Failed** - Shows the number of devices where the action failed and details about the failure.
- - **Pending** - Shows the number of devices where the file is yet to be stopped and quarantined from. This can take time for cases when the device is offline or not connected to the network.
-
-4. Select any of the status indicators to view more information about the action. For example, select **Failed** to see where the action failed.
-
-**Notification on device user**:
-When the file is being removed from a device, the following notification is shown:
-
-
-
-In the device timeline, a new event is added for each device where a file was stopped and quarantined.
-
-For files that widely used throughout an organization, a warning is shown before an action is implemented, to validate that the operation is intended.
-
-## Restore file from quarantine
-
-You can roll back and remove a file from quarantine if you’ve determined that it’s clean after an investigation. Run the following command on each device where the file was quarantined.
-
-1. Open an elevated command–line prompt on the device:
-
- a. Go to **Start** and type _cmd_.
-
- b. Right–click **Command prompt** and select **Run as administrator**.
-
-2. Enter the following command, and press **Enter**:
-
- ```Powershell
- “%ProgramFiles%\Windows Defender\MpCmdRun.exe” –Restore –Name EUS:Win32/CustomEnterpriseBlock –All
- ```
-
-> [!NOTE]
-> In some scenarios, the **ThreatName** may appear as: EUS:Win32/CustomEnterpriseBlock!cl.
->
-> Microsoft Defender ATP will restore all custom blocked files that were quarantined on this device in the last 30 days.
-
-## Add indicator to block or allow a file
-
-You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on devices in your organization.
-
->[!IMPORTANT]
->
->- This feature is available if your organization uses Microsoft Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md).
->
->- The Antimalware client version must be 4.18.1901.x or later.
->- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time.
->- This response action is available for devices on Windows 10, version 1703 or later.
->- The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action.
-
->[!NOTE]
-> The PE file needs to be in the device timeline for you to be able to take this action.
->
-> There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
-
-### Enable the block file feature
-
-To start blocking files, you first need to [turn the **Block or allow** feature on](advanced-features.md) in Settings.
-
-### Allow or block file
-
-When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a device in your organization attempts to run it.
-
-Files automatically blocked by an indicator won't show up in the files's Action center, but the alerts will still be visible in the Alerts queue.
-
- See [manage indicators](manage-indicators.md) for more details on blocking and raising alerts on files.
-
-To stop blocking a file, remove the indicator. You can do so via the **Edit Indicator** action on the file's profile page. This action will be visible in the same position that the **Add Indicator** action was, before you added the indicator.
-
-You can also edit indicators from the **Settings** page, under **Rules** > **Indicators**. Indicators are listed in this area by their file's hash.
-
-## Download or collect file
-
-Selecting **Download file** from the response actions allows you to download a local, password-protected .zip archive containing your file.
-
-
-
-When you select this action, a fly-out will appear. From the fly-out, you can record a reason as to why you are downloading the file. You can also set a password to open the file.
-
-
-
-If a file is not already stored by Microsoft Defender ATP, you cannot download it. Instead, you will see a **Collect file** button in the same location. If a file has not been seen in the organization in the past 30 days, **Collect file** will be disabled.
-
-## Consult a threat expert
-
-You can consult a Microsoft threat expert for more insights regarding a potentially compromised device or already compromised ones. Microsoft Threat Experts can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights not just regarding a potentially compromised device, but also to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, or a threat intelligence context that you see on your portal dashboard.
-
-See [Consult a Microsoft Threat Expert](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts#consult-a-microsoft-threat-expert-about-suspicious-cybersecurity-activities-in-your-organization) for details.
-
-## Check activity details in Action center
-
-The **Action center** provides information on actions that were taken on a device or file. You’ll be able to view the following details:
-
-- Investigation package collection
-- Antivirus scan
-- App restriction
-- Device isolation
-
-All other related details are also shown, for example, submission date/time, submitting user, and if the action succeeded or failed.
-
-
-
-
-## Deep analysis
-
-Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that are often new or unknown. Clicking a file takes you to the file view where you can see the file's metadata. To enrich the data related to the file, you can submit the file for deep analysis.
-
-The Deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications, and communication with IPs.
-Deep analysis currently supports extensive analysis of portable executable (PE) files (including _.exe_ and _.dll_ files).
-
-Deep analysis of a file takes several minutes. Once the file analysis is complete, the Deep Analysis tab will update to display the date and time of the latest results available, as well as a summary of the report itself.
-
-The Deep analysis summary includes a list of observed *behaviors*, some of which can indicate malicious activity, and *observables*, including contacted IPs and files created on the disk. If nothing was found, these sections will simply display a brief message.
-
-Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
-
-Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available within the **Deep analysis** tab, on the file's profile page.
-
->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4aAYy?rel=0]
-
-**Submit for deep analysis** is enabled when the file is available in the Microsoft Defender ATP backend sample collection, or if it was observed on a Windows 10 device that supports submitting to deep analysis.
-
-> [!NOTE]
-> Only files from Windows 10 can be automatically collected.
-
-You can also manually submit a sample through the [Microsoft Security Center Portal](https://www.microsoft.com/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 device, and wait for **Submit for deep analysis** button to become available.
-
-> [!NOTE]
-> Due to backend processing flows in the Microsoft Security Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Microsoft Defender ATP.
-
-When the sample is collected, Microsoft Defender ATP runs the file in is a secure environment and creates a detailed report of observed behaviors and associated artifacts, such as files dropped on devices, communication to IPs, and registry modifications.
-
-**Submit files for deep analysis:**
-
-1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views:
-
- - Alerts - click the file links from the **Description** or **Details** in the Artifact timeline
- - **Devices list** - click the file links from the **Description** or **Details** in the **Device in organization** section
- - Search box - select **File** from the drop–down menu and enter the file name
-
-2. In the **Deep analysis** tab of the file view, click **Submit**.
-
- 
-
->**Note** Only PE files are supported, including _.exe_ and _.dll_ files
-
-A progress bar is displayed and provides information on the different stages of the analysis. You can then view the report when the analysis is done.
-
-> [!NOTE]
-> Depending on device availability, sample collection time can vary. There is a 3–hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 device reporting at that time. You can re–submit files for deep analysis to get fresh data on the file.
-
-**View deep analysis reports**
-
-View the deep analysis report that Microsoft Defender ATP provides to see the details of the deep analysis that was conducted on the file you submitted. This feature is available in the file view context.
-
-You can view the comprehensive report that provides details on the following sections:
-
-- Behaviors
-- Observables
-
-The details provided can help you investigate if there are indications of a potential attack.
-
-1. Select the file you submitted for deep analysis.
-2. Select the **Deep analysis** tab. If there are any previous reports, the report summary will appear in this tab.
-
- 
-
-**Troubleshoot deep analysis**
-
-If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps.
-
-1. Ensure that the file in question is a PE file. PE files typically have _.exe_ or _.dll_ extensions (executable programs or applications).
-1. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified.
-1. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary connection or communication error.
-1. If the sample collection policy is not configured, then the default behavior is to allow sample collection. If it is configured, then verify the policy setting allows sample collection before submitting the file again. When sample collection is configured, then check the following registry value:
-
- ```Powershell
- Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
- Name: AllowSampleCollection
- Type: DWORD
- Hexadecimal value :
- Value = 0 – block sample collection
- Value = 1 – allow sample collection
- ```
-
-1. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp.md).
-1. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com).
-
-## Related topics
-
-- [Take response actions on a device](respond-machine-alerts.md)
-- [Investigate files](investigate-files.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
deleted file mode 100644
index 62ea654ded..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
+++ /dev/null
@@ -1,207 +0,0 @@
----
-title: Take response actions on a device in Microsoft Defender ATP
-description: Take response actions on a device such as isolating devices, collecting an investigation package, managing tags, running av scan, and restricting app execution.
-keywords: respond, isolate, isolate device, collect investigation package, action center, restrict, manage tags, av scan, restrict app
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Take response actions on a device
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-respondmachine-abovefoldlink)
-
-Quickly respond to detected attacks by isolating devices or collecting an investigation package. After taking action on devices, you can check activity details on the Action center.
-
-Response actions run along the top of a specific device page and include:
-
-- Manage tags
-- Initiate Automated Investigation
-- Initiate Live Response Session
-- Collect investigation package
-- Run antivirus scan
-- Restrict app execution
-- Isolate device
-- Consult a threat expert
-- Action center
-
-[  ](images/response-actions.png#lightbox)
-
- You can find device pages from any of the following views:
-
-- **Security operations dashboard** - Select a device name from the Devices at risk card.
-- **Alerts queue** - Select the device name beside the device icon from the alerts queue.
-- **Devices list** - Select the heading of the device name from the devices list.
-- **Search box** - Select Device from the drop-down menu and enter the device name.
-
->[!IMPORTANT]
-> - These response actions are only available for devices on Windows 10, version 1703 or later.
-> - For non-Windows platforms, response capabilities (such as Device isolation) are dependent on the third-party capabilities.
-
-## Manage tags
-
-Add or manage tags to create a logical group affiliation. Device tags support proper mapping of the network, enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident.
-
-For more information on device tagging, see [Create and manage device tags](machine-tags.md).
-
-## Initiate Automated Investigation
-
-You can start a new general purpose automated investigation on the device if needed. While an investigation is running, any other alert generated from the device will be added to an ongoing Automated investigation until that investigation is completed. In addition, if the same threat is seen on other devices, those devices are added to the investigation.
-
-For more information on automated investigations, see [Overview of Automated investigations](automated-investigations.md).
-
-## Initiate Live Response Session
-
-Live response is a capability that gives you instantaneous access to a device by using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats — real time.
-
-Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.
-
-For more information on live response, see [Investigate entities on devices using live response](live-response.md).
-
-## Collect investigation package from devices
-
-As part of the investigation or response process, you can collect an investigation package from a device. By collecting the investigation package, you can identify the current state of the device and further understand the tools and techniques used by the attacker.
-
-To download the package (Zip file) and investigate the events that occurred on a device
-
-1. Select **Collect investigation package** from the row of response actions at the top of the device page.
-2. Specify in the text box why you want to perform this action. Select **Confirm**.
-3. The zip file will download
-
-Alternate way:
-
-1. Select **Action center** from the response actions section of the device page.
-
- 
-
-3. In the Action center fly-out, select **Package collection package available** to download the zip file.
-
- 
-
-The package contains the following folders:
-
-| Folder | Description |
-|:---|:---------|
-|Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker’s persistency on the device.
->If ScanAvgCPULoadFactor is not configured, the default value is a limit of 50% maximum CPU load during a scan.
->For more information, see [configure-advanced-scan-types-microsoft-defender-antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus).
-
-## Restrict app execution
-
-In addition to containing an attack by stopping malicious processes, you can also lock down a device and prevent subsequent attempts of potentially malicious programs from running.
-
->[!IMPORTANT]
-> - This action is available for devices on Windows 10, version 1709 or later.
-> - This feature is available if your organization uses Microsoft Defender Antivirus.
-> - This action needs to meet the Windows Defender Application Control code integrity policy formats and signing requirements. For more information, see [Code integrity policy formats and signing](https://docs.microsoft.com/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard#code-integrity-policy-formats-and-signing).
-
-To restrict an application from running, a code integrity policy is applied that only allows files to run if they are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling compromised devices and performing further malicious activities.
-
->[!NOTE]
->You’ll be able to reverse the restriction of applications from running at any time. The button on the device page will change to say **Remove app restrictions**, and then you take the same steps as restricting app execution.
-
-Once you have selected **Restrict app execution** on the device page, type a comment and select **Confirm**. The Action center will show the scan information and the device timeline will include a new event.
-
-
-
-**Notification on device user**:
-When an app is restricted, the following notification is displayed to inform the user that an app is being restricted from running:
-
-
-
-## Isolate devices from the network
-
-Depending on the severity of the attack and the sensitivity of the device, you might want to isolate the device from the network. This action can help prevent the attacker from controlling the compromised device and performing further activities such as data exfiltration and lateral movement.
-
->[!IMPORTANT]
->- Full isolation is available for devices on Windows 10, version 1703.
->- Selective isolation is available for devices on Windows 10, version 1709 or later.
-
-This device isolation feature disconnects the compromised device from the network while retaining connectivity to the Microsoft Defender ATP service, which continues to monitor the device.
-
-On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook, Microsoft Teams, and Skype for Business connectivity (a.k.a 'Selective Isolation').
-
->[!NOTE]
->You’ll be able to reconnect the device back to the network at any time. The button on the device page will change to say **Release from isolation**, and then you take the same steps as isolating the device.
-
-Once you have selected **Isolate device** on the device page, type a comment and select **Confirm**. The Action center will show the scan information and the device timeline will include a new event.
-
-
-
->[!NOTE]
->The device will remain connected to the Microsoft Defender ATP service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the device is isolated.
-
-**Notification on device user**:
-When a device is being isolated, the following notification is displayed to inform the user that the device is being isolated from the network:
-
-
-
-## Consult a threat expert
-
-You can consult a Microsoft threat expert for more insights regarding a potentially compromised device or already compromised ones. Microsoft Threat Experts can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights not just regarding a potentially compromised device, but also to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, or a threat intelligence context that you see on your portal dashboard.
-
-See [Consult a Microsoft Threat Expert](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts#consult-a-microsoft-threat-expert-about-suspicious-cybersecurity-activities-in-your-organization) for details.
-
-
-## Check activity details in Action center
-
-The **Action center** provides information on actions that were taken on a device or file. You’ll be able to view the following details:
-
-- Investigation package collection
-- Antivirus scan
-- App restriction
-- Device isolation
-
-All other related details are also shown, for example, submission date/time, submitting user, and if the action succeeded or failed.
-
-
-
-## Related topic
-- [Take response actions on a file](respond-file-alerts.md)
-- [Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md
deleted file mode 100644
index f4b6552adb..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md
+++ /dev/null
@@ -1,91 +0,0 @@
----
-title: Restrict app execution API
-description: Use this API to create calls related to restricting an application from executing.
-keywords: apis, graph api, supported apis, collect investigation package
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Restrict app execution API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-
-## API description
-Restrict execution of all applications on the device except a predefined set.
-
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-[!include[Device actions note](../../includes/machineactionsnote.md)]
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.RestrictExecution | 'Restrict code execution'
-Delegated (work or school account) | Machine.RestrictExecution | 'Restrict code execution'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```
-POST https://api.securitycenter.windows.com/api/machines/{id}/restrictCodeExecution
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | string | application/json. **Required**.
-
-## Request body
-In the request body, supply a JSON object with the following parameters:
-
-Parameter | Type | Description
-:---|:---|:---
-Comment | String | Comment to associate with the action. **Required**.
-
-## Response
-If successful, this method returns 201 - Created response code and [Machine Action](machineaction.md) in the response body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/restrictCodeExecution
-Content-type: application/json
-{
- "Comment": "Restrict code execution due to alert 1234"
-}
-
-```
-
-- To remove code execution restriction from a device, see [Remove app restriction](unrestrict-code-execution.md).
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md
deleted file mode 100644
index 55fe2974c7..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md
+++ /dev/null
@@ -1,107 +0,0 @@
----
-title: Review alerts in Microsoft Defender Advanced Threat Protection
-description: Review alert information, including a visualized alert story and details for each step of the chain.
-keywords: incident, incidents, machines, devices, users, alerts, alert, investigation, graph, evidence
-ms.prod: microsoft-365-enterprise
-ms.pagetype: security
-f1.keywords:
-- NOCSH
-ms.author: daniha
-author: danihalfin
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
-ms.date: 5/1/2020
----
-
-# Review alerts in Microsoft Defender Advanced Threat Protection
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-managealerts-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-The new alert page in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) provides full context to the alert, by combining attack signals and alerts related to the selected alert, to construct a detailed alert story.
-
-Quickly triage, investigate, and take effective action on alerts that affect your organization. Understand why they were triggered, and their impact from one location.
-
-## Getting started with an alert
-
-Clicking on an alert's name in Microsoft Defender ATP will land you on its alert page. On the alert page, all the information will be shown in context of the selected alert. Each alert page consists of 4 sections:
-
-1. **The alert title** shows the alert's name and is there to remind you which alert started your current investigation regardless of what you have selected on the page.
-2. [**Affected assets**](#review-affected-assets) lists cards of devices and users affected by this alert that are clickable for further information and actions.
-3. [**The alert story**](#investigate-using-the-alert-story) displays all entities related to the alert, interconnected by a tree view. The alert in the title will be the one in focus when you first land on your selected alert's page. Entities in the alert story are expandable and clickable, to provide additional information and expedite response by allowing you to take actions right in the context of the alert page.
-4. [**The details pane**](#take-action-from-the-details-pane) will show the details of the selected alert at first, with details and actions related to this alert. If you click on any of the affected assets or entities in the alert story, the details pane will change to provide contextual information and actions for the selected object.
-
-
-
-Note the detection status for your alert. Blocked, prevented, or remediated means actions were already taken by Microsoft Defender ATP.
-Start by reviewing the *automated investigation details* in your alert's [details pane](#take-action-from-the-details-pane), to see which actions were already taken, as well as reading the alert's description for recommended actions.
-
-
-
-Other information available in the details pane when the alert opens includes MITRE techniques, source, and additional contextual details.
-
-## Review affected assets
-
-Clicking on a device or a user card in the affected assets sections will switch to the details of the device or user in the details pane.
-
-- **For devices** the details pane will display information about the device itself, like Domain, Operating System, and IP. Active alerts and the logged on users on that device are also available. You can take immediate action by isolating the device, restricting app execution, or running an antivirus scan. Alternatively, you could collect an investigation package, initiate an automated investigation, or go to the device page to investigate from the device's point of view.
-- **For users** the details pane will display detailed user information, such as the user's SAM name and SID, as well as logon types performed by this user and any alerts and incidents related to it. You can click *Open user page* to continue the investigation from that user's point of view.
-
- 
-
-## Investigate using the alert story
-
-The alert story details why the alert was triggered, related events that happened before and after, as well as other related entities.
-
-Entities are clickable and every entity that isn't an alert is expandable using the expand icon on the right side of that entity's card. The entity in focus will be indicated by a blue stripe to the left side of that entity's card, with the alert in the title being in focus at first.
-
-Expand entities to view details at-a-glance about them. Clicking on an entity will switch the context of the details pane to this entity, and will allow you to review further information, as well as manage that entity. Clicking on *...* to the right of the entity card will reveal all actions available for that entity. These same actions appear in the details pane when that entity is in focus.
-
-> [!NOTE]
-> The alert story section may contain more than one alert, with additional alerts related to the same execution tree appearing before or after the alert you've selected.
-
-
-
-## Take action from the details pane
-
-Once you've selected an entity of interest, the details pane will change to display information about the selected entity type, historic information, when its available, and offer controls to **take action** on this entity directly from the alert page.
-
-Once you're done investigating, go back to the alert you started with, mark the alert's status as **Resolved** and classify it as either **False alert** or **True alert**. Classifying alerts helps tune this capability to provide more true alerts and less false alerts.
-
-If you classify it as a true alert, you can also select a determination, as shown in the image below.
-
-
-
-If you are experiencing a false alert with a line-of-business application, create a suppression rule to avoid this type of alert in the future.
-
-
-
-> [!TIP]
-> If you're experiencing any issues not described above, use the 🙂 button to provide feedback or open a support ticket.
-
-## Transitioning to the new alert page
-
-When making the move to the new alert page you will notice that we have centralized information from the alert process tree, the incident graph, and the artifact timeline into the [alert story](#investigate-using-the-alert-story), with some information available through the [affected assets](#review-affected-assets) section. Any additional information has been consolidated into the details pane for the relevant entities.
-
-## Video overview of the new alert page
-
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4yiO5]
-
-## Related topics
-
-- [View and organize the incidents queue](view-incidents-queue.md)
-- [Investigate incidents](investigate-incidents.md)
-- [Manage incidents](manage-incidents.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
deleted file mode 100644
index a902dc094d..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
+++ /dev/null
@@ -1,140 +0,0 @@
----
-title: Advanced Hunting API
-ms.reviewer:
-description: Learn to use the advanced hunting API to run advanced queries on Microsoft Defender Advanced Threat Protection. Find out about limitations and see an example.
-keywords: apis, supported apis, advanced hunting, query
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Advanced hunting API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-## Limitations
-1. You can only run a query on data from the last 30 days.
-2. The results will include a maximum of 100,000 rows.
-3. The number of executions is limited per tenant: up to 10 calls per minute, 10 minutes of running time every hour and 4 hours of running time a day.
-4. The maximal execution time of a single request is 10 minutes.
-5. 429 response will represent reaching quota limit either by number of requests or by CPU. The 429 response body will also indicate the time until the quota is renewed.
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | AdvancedQuery.Read.All | 'Run advanced queries'
-Delegated (work or school account) | AdvancedQuery.Read | 'Run advanced queries'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have 'View Data' AD role
->- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```
-POST https://api.securitycenter.windows.com/api/advancedqueries/run
-```
-
-## Request headers
-
-Header | Value
-:---|:---
-Authorization | Bearer {token}. **Required**.
-Content-Type | application/json
-
-## Request body
-In the request body, supply a JSON object with the following parameters:
-
-Parameter | Type | Description
-:---|:---|:---
-Query | Text | The query to run. **Required**.
-
-## Response
-If successful, this method returns 200 OK, and _QueryResponse_ object in the response body.
-
-
-## Example
-
-Request
-
-Here is an example of the request.
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-
-```
-POST https://api.securitycenter.windows.com/api/advancedqueries/run
-Content-type: application/json
-{
- "Query":"DeviceProcessEvents
- | where InitiatingProcessFileName =~ 'powershell.exe'
- | where ProcessCommandLine contains 'appdata'
- | project Timestamp, FileName, InitiatingProcessFileName, DeviceId
- | limit 2"
-}
-```
-
-Response
-
-Here is an example of the response.
-
->[!NOTE]
->The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
-
-```json
-{
- "Schema": [
- {
- "Name": "Timestamp",
- "Type": "DateTime"
- },
- {
- "Name": "FileName",
- "Type": "String"
- },
- {
- "Name": "InitiatingProcessFileName",
- "Type": "String"
- },
- {
- "Name": "DeviceId",
- "Type": "String"
- }
- ],
- "Results": [
- {
- "Timestamp": "2020-02-05T01:10:26.2648757Z",
- "FileName": "csc.exe",
- "InitiatingProcessFileName": "powershell.exe",
- "DeviceId": "10cbf9182d4e95660362f65cfa67c7731f62fdb3"
- },
- {
- "Timestamp": "2020-02-05T01:10:26.5614772Z",
- "FileName": "csc.exe",
- "InitiatingProcessFileName": "powershell.exe",
- "DeviceId": "10cbf9182d4e95660362f65cfa67c7731f62fdb3"
- }
- ]
-}
-```
-
-## Related topic
-- [Microsoft Defender ATP APIs introduction](apis-intro.md)
-- [Advanced Hunting from Portal](advanced-hunting-query-language.md)
-- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md
deleted file mode 100644
index 00381d0550..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md
+++ /dev/null
@@ -1,122 +0,0 @@
----
-title: Advanced Hunting with Powershell API Basics
-ms.reviewer:
-description: Learn the basics of querying the Microsoft Defender Advanced Threat Protection API, using PowerShell.
-keywords: apis, supported apis, advanced hunting, query
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Advanced Hunting using PowerShell
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-Run advanced queries using PowerShell, see [Advanced Hunting API](run-advanced-query-api.md).
-
-In this section we share PowerShell samples to retrieve a token and use it to run a query.
-
-## Before you begin
-You first need to [create an app](apis-intro.md).
-
-## Preparation instructions
-
-- Open a PowerShell window.
-- If your policy does not allow you to run the PowerShell commands, you can run the below command:
- ```
- Set-ExecutionPolicy -ExecutionPolicy Bypass
- ```
-
->For more details, see [PowerShell documentation](https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy)
-
-## Get token
-
-- Run the following:
-
-```
-$tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
-$appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here
-$appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here
-
-$resourceAppIdUri = 'https://api.securitycenter.windows.com'
-$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token"
-$body = [Ordered] @{
- resource = "$resourceAppIdUri"
- client_id = "$appId"
- client_secret = "$appSecret"
- grant_type = 'client_credentials'
-}
-$response = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $body -ErrorAction Stop
-$aadToken = $response.access_token
-```
-
-where
-- $tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant)
-- $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to Microsoft Defender ATP)
-- $appSecret: Secret of your AAD app
-
-## Run query
-
-Run the following query:
-
-```
-$query = 'RegistryEvents | limit 10' # Paste your own query here
-
-$url = "https://api.securitycenter.windows.com/api/advancedqueries/run"
-$headers = @{
- 'Content-Type' = 'application/json'
- Accept = 'application/json'
- Authorization = "Bearer $aadToken"
-}
-$body = ConvertTo-Json -InputObject @{ 'Query' = $query }
-$webResponse = Invoke-WebRequest -Method Post -Uri $url -Headers $headers -Body $body -ErrorAction Stop
-$response = $webResponse | ConvertFrom-Json
-$results = $response.Results
-$schema = $response.Schema
-```
-
-- $results contains the results of your query
-- $schema contains the schema of the results of your query
-
-### Complex queries
-
-If you want to run complex queries (or multilines queries), save your query in a file and, instead of the first line in the above sample, run the below command:
-
-```
-$query = [IO.File]::ReadAllText("C:\myQuery.txt"); # Replace with the path to your file
-```
-
-## Work with query results
-
-You can now use the query results.
-
-To output the results of the query in CSV format in file file1.csv do the below:
-
-```
-$results | ConvertTo-Csv -NoTypeInformation | Set-Content file1.csv
-```
-
-To output the results of the query in JSON format in file file1.json do the below:
-
-```
-$results | ConvertTo-Json | Set-Content file1.json
-```
-
-
-## Related topic
-- [Microsoft Defender ATP APIs](apis-intro.md)
-- [Advanced Hunting API](run-advanced-query-api.md)
-- [Advanced Hunting using Python](run-advanced-query-sample-python.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md
deleted file mode 100644
index 282cc94d06..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md
+++ /dev/null
@@ -1,152 +0,0 @@
----
-title: Advanced Hunting with Python API Guide
-ms.reviewer:
-description: Learn how to query using the Microsoft Defender Advanced Threat Protection API, by using Python, with examples.
-keywords: apis, supported apis, advanced hunting, query
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Advanced Hunting using Python
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-Run advanced queries using Python, see [Advanced Hunting API](run-advanced-query-api.md).
-
-In this section we share Python samples to retrieve a token and use it to run a query.
-
->**Prerequisite**: You first need to [create an app](apis-intro.md).
-
-## Get token
-
-- Run the following:
-
-```
-
-import json
-import urllib.request
-import urllib.parse
-
-tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here
-appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here
-appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here
-
-url = "https://login.windows.net/%s/oauth2/token" % (tenantId)
-
-resourceAppIdUri = 'https://api.securitycenter.windows.com'
-
-body = {
- 'resource' : resourceAppIdUri,
- 'client_id' : appId,
- 'client_secret' : appSecret,
- 'grant_type' : 'client_credentials'
-}
-
-data = urllib.parse.urlencode(body).encode("utf-8")
-
-req = urllib.request.Request(url, data)
-response = urllib.request.urlopen(req)
-jsonResponse = json.loads(response.read())
-aadToken = jsonResponse["access_token"]
-
-```
-
-where
-- tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant)
-- appId: ID of your AAD app (the app must have 'Run advanced queries' permission to Microsoft Defender ATP)
-- appSecret: Secret of your AAD app
-
-## Run query
-
- Run the following query:
-
-```
-query = 'RegistryEvents | limit 10' # Paste your own query here
-
-url = "https://api.securitycenter.windows.com/api/advancedqueries/run"
-headers = {
- 'Content-Type' : 'application/json',
- 'Accept' : 'application/json',
- 'Authorization' : "Bearer " + aadToken
-}
-
-data = json.dumps({ 'Query' : query }).encode("utf-8")
-
-req = urllib.request.Request(url, data, headers)
-response = urllib.request.urlopen(req)
-jsonResponse = json.loads(response.read())
-schema = jsonResponse["Schema"]
-results = jsonResponse["Results"]
-
-```
-
-- schema contains the schema of the results of your query
-- results contains the results of your query
-
-### Complex queries
-
-If you want to run complex queries (or multilines queries), save your query in a file and, instead of the first line in the above sample, run the below command:
-
-```
-queryFile = open("D:\\Temp\\myQuery.txt", 'r') # Replace with the path to your file
-query = queryFile.read()
-queryFile.close()
-```
-
-## Work with query results
-
-You can now use the query results.
-
-To iterate over the results do the below:
-
-```
-for result in results:
- print(result) # Prints the whole result
- print(result["EventTime"]) # Prints only the property 'EventTime' from the result
-
-
-```
-
-
-To output the results of the query in CSV format in file file1.csv do the below:
-
-```
-import csv
-
-outputFile = open("D:\\Temp\\file1.csv", 'w')
-output = csv.writer(outputFile)
-output.writerow(results[0].keys())
-for result in results:
- output.writerow(result.values())
-
-outputFile.close()
-```
-
-To output the results of the query in JSON format in file file1.json do the below:
-
-```
-outputFile = open("D:\\Temp\\file1.json", 'w')
-json.dump(results, outputFile)
-outputFile.close()
-```
-
-
-## Related topic
-- [Microsoft Defender ATP APIs](apis-intro.md)
-- [Advanced Hunting API](run-advanced-query-api.md)
-- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md
deleted file mode 100644
index 1219b9aa21..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md
+++ /dev/null
@@ -1,97 +0,0 @@
----
-title: Run antivirus scan API
-description: Use this API to create calls related to running an antivirus scan on a device.
-keywords: apis, graph api, supported apis, remove device from isolation
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Run antivirus scan API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-
-## API description
-Initiate Microsoft Defender Antivirus scan on a device.
-
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-[!include[Device actions note](../../includes/machineactionsnote.md)]
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.Scan | 'Scan machine'
-Delegated (work or school account) | Machine.Scan | 'Scan machine'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```
-POST https://api.securitycenter.windows.com/api/machines/{id}/runAntiVirusScan
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | string | application/json
-
-## Request body
-In the request body, supply a JSON object with the following parameters:
-
-Parameter | Type | Description
-:---|:---|:---
-Comment | String | Comment to associate with the action. **Required**.
-ScanType| String | Defines the type of the Scan. **Required**.
-
-**ScanType** controls the type of scan to perform and can be one of the following:
-
-- **Quick** – Perform quick scan on the device
-- **Full** – Perform full scan on the device
-
-
-
-## Response
-If successful, this method returns 201, Created response code and _MachineAction_ object in the response body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/runAntiVirusScan
-Content-type: application/json
-{
- "Comment": "Check machine for viruses due to alert 3212",
- “ScanType”: “Full”
-}
-```
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md
deleted file mode 100644
index a40530476f..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md
+++ /dev/null
@@ -1,58 +0,0 @@
----
-title: Run a detection test on a newly onboarded Microsoft Defender ATP device
-description: Run the detection script on a newly onboarded device to verify that it is properly onboarded to the Microsoft Defender ATP service.
-keywords: detection test, detection, powershell, script, verify, onboarding, microsoft defender advanced threat protection onboarding, clients, servers, test
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: article
----
-
-# Run a detection test on a newly onboarded Microsoft Defender ATP device
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- Supported Windows 10 versions
-- Windows Server 2012 R2
-- Windows Server 2016
-- Windows Server, version 1803
-- Windows Server, 2019
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-Run the following PowerShell script on a newly onboarded device to verify that it is properly reporting to the Microsoft Defender ATP service.
-
-1. Create a folder: 'C:\test-MDATP-test'.
-2. Open an elevated command-line prompt on the device and run the script:
-
- 1. Go to **Start** and type **cmd**.
-
- 1. Right-click **Command Prompt** and select **Run as administrator**.
-
- 
-
-3. At the prompt, copy and run the following command:
-
- ```powershell
- powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe'
- ```
-
-The Command Prompt window will close automatically. If successful, the detection test will be marked as completed and a new alert will appear in the portal for the onboarded device in approximately 10 minutes.
-
-## Related topics
-- [Onboard Windows 10 devices](configure-endpoints.md)
-- [Onboard servers](configure-server-endpoints.md)
-- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/score.md b/windows/security/threat-protection/microsoft-defender-atp/score.md
deleted file mode 100644
index edeeea026b..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/score.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-title: Score methods and properties
-description: Retrieves your organization's exposure score, device secure score, and exposure score by device group
-keywords: apis, graph api, supported apis, score, exposure score, device secure score, exposure score by device group
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Score resource type
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-## Methods
-
-Method |Return Type |Description
-:---|:---|:---
-[Get exposure score](get-exposure-score.md) | [Score](score.md) | Get the organizational exposure score.
-[Get device secure score](get-device-secure-score.md) | [Score](score.md) | Get the organizational device secure score.
-[List exposure score by device group](get-machine-group-exposure-score.md)| [Score](score.md) | List scores by device group.
-
-## Properties
-
-Property | Type | Description
-:---|:---|:---
-Score | Double | The current score.
-Time | DateTime | The date and time in which the call for this API was made.
-RbacGroupName | String | The device group name.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md
deleted file mode 100644
index 608a4bedcf..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md
+++ /dev/null
@@ -1,125 +0,0 @@
----
-title: Microsoft Defender Security Center Security operations dashboard
-description: Use the dashboard to identify devices at risk, keep track of the status of the service, and see statistics and information about devices and alerts.
-keywords: dashboard, alerts, new, in progress, resolved, risk, devices at risk, infections, reporting, statistics, charts, graphs, health, active malware detections, threat category, categories, password stealer, ransomware, exploit, threat, low severity, active malware
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Microsoft Defender Security Center Security operations dashboard
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-secopsdashboard-abovefoldlink)
-
-The **Security operations dashboard** is where the endpoint detection and response capabilities are surfaced. It provides a high level overview of where detections were seen and highlights where response actions are needed.
-
-The dashboard displays a snapshot of:
-
-- Active alerts
-- Devices at risk
-- Sensor health
-- Service health
-- Daily devices reporting
-- Active automated investigations
-- Automated investigations statistics
-- Users at risk
-- Suspicious activities
-
-
-
-
-You can explore and investigate alerts and devices to quickly determine if, where, and when suspicious activities occurred in your network to help you understand the context they appeared in.
-
-From the **Security operations dashboard** you will see aggregated events to facilitate the identification of significant events or behaviors on a device. You can also drill down into granular events and low-level indicators.
-
-It also has clickable tiles that give visual cues on the overall health state of your organization. Each tile opens a detailed view of the corresponding overview.
-
-## Active alerts
-You can view the overall number of active alerts from the last 30 days in your network from the tile. Alerts are grouped into **New** and **In progress**.
-
-
-
-Each group is further sub-categorized into their corresponding alert severity levels. Click the number of alerts inside each alert ring to see a sorted view of that category's queue (**New** or **In progress**).
-
-For more information see, [Alerts overview](alerts-queue.md).
-
-Each row includes an alert severity category and a short description of the alert. You can click an alert to see its detailed view. For more information see, [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) and [Alerts overview](alerts-queue.md).
-
-
-## Devices at risk
-This tile shows you a list of devices with the highest number of active alerts. The total number of alerts for each device is shown in a circle next to the device name, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label).
-
-
-
-Click the name of the device to see details about that device. For more information see, [Investigate devices in the Microsoft Defender Advanced Threat Protection Devices list](investigate-machines.md).
-
-You can also click **Devices list** at the top of the tile to go directly to the **Devices list**, sorted by the number of active alerts. For more information see, [Investigate devices in the Microsoft Defender Advanced Threat Protection Devices list](investigate-machines.md).
-
-## Devices with sensor issues
-The **Devices with sensor issues** tile provides information on the individual device’s ability to provide sensor data to the Microsoft Defender ATP service. It reports how many devices require attention and helps you identify problematic devices.
-
-
-
-There are two status indicators that provide information on the number of devices that are not reporting properly to the service:
-- **Misconfigured** – These devices might partially be reporting sensor data to the Microsoft Defender ATP service and might have configuration errors that need to be corrected.
-- **Inactive** - Devices that have stopped reporting to the Microsoft Defender ATP service for more than seven days in the past month.
-
-When you click any of the groups, you’ll be directed to devices list, filtered according to your choice. For more information, see [Check sensor state](check-sensor-status.md) and [Investigate devices](investigate-machines.md).
-
-## Service health
-The **Service health** tile informs you if the service is active or if there are issues.
-
-
-
-For more information on the service health, see [Check the Microsoft Defender ATP service health](service-status.md).
-
-
-## Daily devices reporting
-The **Daily devices reporting** tile shows a bar graph that represents the number of devices reporting daily in the last 30 days. Hover over individual bars on the graph to see the exact number of devices reporting in each day.
-
-
-
-
-## Active automated investigations
-You can view the overall number of automated investigations from the last 30 days in your network from the **Active automated investigations** tile. Investigations are grouped into **Pending action**, **Waiting for device**, and **Running**.
-
-
-
-
-## Automated investigations statistics
-This tile shows statistics related to automated investigations in the last seven days. It shows the number of investigations completed, the number of successfully remediated investigations, the average pending time it takes for an investigation to be initiated, the average time it takes to remediate an alert, the number of alerts investigated, and the number of hours of automation saved from a typical manual investigation.
-
-
-
-You can click on **Automated investigations**, **Remediated investigations**, and **Alerts investigated** to navigate to the **Investigations** page, filtered by the appropriate category. This lets you see a detailed breakdown of investigations in context.
-
-## Users at risk
-The tile shows you a list of user accounts with the most active alerts and the number of alerts seen on high, medium, or low alerts.
-
-
-
-Click the user account to see details about the user account. For more information see [Investigate a user account](investigate-user.md).
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-secopsdashboard-belowfoldlink)
-
-## Related topics
-- [Understand the Microsoft Defender Advanced Threat Protection portal](use.md)
-- [Portal overview](portal-overview.md)
-- [View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
-- [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/service-status.md b/windows/security/threat-protection/microsoft-defender-atp/service-status.md
deleted file mode 100644
index b9325d8184..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/service-status.md
+++ /dev/null
@@ -1,62 +0,0 @@
----
-title: Check the Microsoft Defender ATP service health
-description: Check Microsoft Defender ATP service health, see if the service is experiencing issues and review previous issues that have been resolved.
-keywords: dashboard, service, issues, service health, current status, status history, summary of impact, preliminary root cause, resolution, resolution time, expected resolution time
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Check the Microsoft Defender Advanced Threat Protection service health
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-servicestatus-abovefoldlink)
-
-The **Service health** provides information on the current status of the Microsoft Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. If there are issues, you'll see details related to the issue such as when the issue was detected, what the preliminary root cause is, and the expected resolution time.
-
-You'll also see information on historical issues that have been resolved and details such as the date and time when the issue was resolved. When there are no issues on the service, you'll see a healthy status.
-
-You can view details on the service health by clicking the tile from the **Security operations dashboard** or selecting the **Service health** menu from the navigation pane.
-
-The **Service health** details page has the following tabs:
-
-- **Current status**
-- **Status history**
-
-## Current status
-The **Current status** tab shows the current state of the Microsoft Defender ATP service. When the service is running smoothly a healthy service health is shown. If there are issues seen, the following service details are shown to help you gain better insight about the issue:
-
-- Date and time for when the issue was detected
-- A short description of the issue
-- Update time
-- Summary of impact
-- Preliminary root cause
-- Next steps
-- Expected resolution time
-
-Updates on the progress of an issue is reflected on the page as the issue gets resolved. You'll see updates on information such as an updated estimate resolution time or next steps.
-
-When an issue is resolved, it gets recorded in the **Status history** tab.
-
-## Status history
-The **Status history** tab reflects all the historical issues that were seen and resolved. You'll see details of the resolved issues along with the other information that were included while it was being resolved.
-
-### Related topic
-- [View the Security operations dashboard](security-operations-dashboard.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md b/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md
deleted file mode 100644
index 65012f7ca0..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md
+++ /dev/null
@@ -1,78 +0,0 @@
----
-title: Set device value API
-description: Learn how to specify the value of a device using a Microsoft Defender Advanced Threat Protection API.
-keywords: apis, graph api, supported apis, tags, machine tags
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Set device value API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-## API description
-
-Set the device value of a specific [Machine](machine.md).
-See [threat and vulnerability management scenarios](threat-and-vuln-mgt-scenarios.md) for more information.
-
-## Limitations
-
-1. You can post on devices last seen according to your configured retention period.
-
-2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.ReadWrite.All | 'Read and write all machine information'
-Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
-
->[!Note]
-> When obtaining a token using user credentials:
->
->- The user needs to have at least the following role permission: 'Manage security setting'. For more (See [Create and manage roles](user-roles.md) for more information)
->- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
-
-## HTTP request
-
-```http
-POST https://api.securitycenter.microsoft.com/api/machines/{machineId}/setDeviceValue
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | string | application/json. **Required**.
-
-## Request body
-
-```json
-{
- "DeviceValue": "{device value}"
-}
-```
-
-## Response
-
-If successful, this method returns 200 - Ok response code and the updated Machine in the response body.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/software.md b/windows/security/threat-protection/microsoft-defender-atp/software.md
deleted file mode 100644
index 514baa2899..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/software.md
+++ /dev/null
@@ -1,52 +0,0 @@
----
-title: Software methods and properties
-description: Retrieves top recent alerts.
-keywords: apis, graph api, supported apis, get, alerts, recent
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Software resource type
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-## Methods
-
-Method |Return Type |Description
-:---|:---|:---
-[List software](get-software.md) | Software collection | List the organizational software inventory.
-[Get software by Id](get-software-by-id.md) | Software | Get a specific software by its software ID.
-[List software version distribution](get-software-ver-distribution.md)| Distribution collection | List software version distribution by software ID.
-[List machines by software](get-machines-by-software.md)| MachineRef collection | Retrieve a list of devices that are associated with the software ID.
-[List vulnerabilities by software](get-vuln-by-software.md) | [Vulnerability](vulnerability.md) collection | Retrieve a list of vulnerabilities associated with the software ID.
-[Get missing KBs](get-missing-kbs-software.md) | KB collection | Get a list of missing KBs associated with the software ID
-
-## Properties
-
-Property | Type | Description
-:---|:---|:---
-id | String | Software ID
-Name | String | Software name
-Vendor | String | Software vendor name
-Weaknesses | Long | Number of discovered vulnerabilities
-publicExploit | Boolean | Public exploit exists for some of the vulnerabilities
-activeAlert | Boolean | Active alert is associated with this software
-exposedMachines | Long | Number of exposed devices
-impactScore | Double | Exposure score impact of this software
diff --git a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md
deleted file mode 100644
index 60c046ee70..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md
+++ /dev/null
@@ -1,90 +0,0 @@
----
-title: Stop and quarantine file API
-description: Learn how to stop running a file on a device and delete the file in Microsoft Defender Advanced Threat Protection. See an example.
-keywords: apis, graph api, supported apis, stop and quarantine file
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Stop and quarantine file API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-
-## API description
-Stop execution of a file on a device and delete it.
-
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-[!include[Device actions note](../../includes/machineactionsnote.md)]
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.StopAndQuarantine | 'Stop And Quarantine'
-Delegated (work or school account) | Machine.StopAndQuarantine | 'Stop And Quarantine'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```
-POST https://api.securitycenter.windows.com/api/machines/{id}/StopAndQuarantineFile
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | string | application/json. **Required**.
-
-## Request body
-In the request body, supply a JSON object with the following parameters:
-
-Parameter | Type | Description
-:---|:---|:---
-Comment | String | Comment to associate with the action. **Required**.
-Sha1 | String | Sha1 of the file to stop and quarantine on the device. **Required**.
-
-## Response
-If successful, this method returns 201 - Created response code and [Machine Action](machineaction.md) in the response body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/StopAndQuarantineFile
-Content-type: application/json
-{
- "Comment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442",
- "Sha1": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9"
-}
-
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md b/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md
deleted file mode 100644
index 2fa6615e6a..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md
+++ /dev/null
@@ -1,51 +0,0 @@
----
-title: Supported Microsoft Defender Advanced Threat Protection response APIs
-description: Learn about the specific response related Microsoft Defender Advanced Threat Protection API calls.
-keywords: response apis, graph api, supported apis, actor, alerts, device, user, domain, ip, file
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Supported Microsoft Defender ATP query APIs
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-> [!TIP]
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-supported-response-apis-abovefoldlink)
-
-Learn about the supported response related API calls you can run and details such as the required request headers, and expected response from the calls.
-
-## In this section
-Topic | Description
-:---|:---
-Collect investigation package | Run this to collect an investigation package from a device.
-Isolate device | Run this to isolate a device from the network.
-Unisolate device | Remove a device from isolation.
-Restrict code execution | Run this to contain an attack by stopping malicious processes. You can also lock down a device and prevent subsequent attempts of potentially malicious programs from running.
-Unrestrict code execution | Run this to reverse the restriction of applications policy after you have verified that the compromised device has been remediated.
-Run antivirus scan | Remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised device.
-Stop and quarantine file | Run this call to stop running processes, quarantine files, and delete persistency such as registry keys.
-Request sample | Run this call to request a sample of a file from a specific device. The file will be collected from the device and uploaded to a secure storage.
-Block file | Run this to prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware.
-Unblock file | Allow a file run in the organization using Microsoft Defender Antivirus.
-Get package SAS URI | Run this to get a URI that allows downloading an investigation package.
-Get MachineAction object | Run this to get MachineAction object.
-Get MachineActions collection | Run this to get MachineAction collection.
-Get FileActions collection | Run this to get FileActions collection.
-Get FileMachineAction object | Run this to get FileMachineAction object.
-Get FileMachineActions collection | Run this to get FileMachineAction collection.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-migration.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-migration.md
deleted file mode 100644
index c9b60c2b17..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-migration.md
+++ /dev/null
@@ -1,63 +0,0 @@
----
-title: Make the switch from a non-Microsoft endpoint solution to Microsoft Defender for Endpoint
-description: Make the switch to Microsoft Defender for Endpoint. Read this article for an overview.
-keywords: migration, windows defender advanced endpoint protection, for Endpoint, edr
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- M365-security-compliance
-- m365solution-migratetomdatp
-- m365solution-overview
-ms.topic: conceptual
-ms.custom: migrationguides
-ms.date: 09/24/2020
-ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
----
-
-# Make the switch from a non-Microsoft endpoint solution to Microsoft Defender for Endpoint
-
-If you are planning to switch from a non-Microsoft endpoint protection solution to [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection), and you're looking for help, you're in the right place. Use this article as a guide to plan your migration.
-
-> [!TIP]
-> - If you're currently using McAfee Endpoint Security (McAfee), see [Migrate from McAfee to Microsoft Defender for Endpoint](mcafee-to-microsoft-defender-migration.md).
-> - If you're currently using Symantec Endpoint Protection (Symantec), see [Migrate from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md).
-
-## The migration process
-
-When you switch to Microsoft Defender for Endpoint, you follow a process that can be divided into three phases, as described in the following table:
-
-|Phase |Description |
-|--|--|
-|[](switch-to-microsoft-defender-prepare.md)
[Prepare for your migration](switch-to-microsoft-defender-prepare.md) |During [the **Prepare** phase](switch-to-microsoft-defender-prepare.md), you update your organization's devices, get Microsoft Defender for Endpoint, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender for Endpoint. |
-|[](switch-to-microsoft-defender-setup.md)
[Set up Microsoft Defender for Endpoint](switch-to-microsoft-defender-setup.md) |During [the **Setup** phase](switch-to-microsoft-defender-setup.md), you enable Microsoft Defender Antivirus and make sure it's in passive mode, and you configure settings & exclusions for Microsoft Defender Antivirus, Microsoft Defender for Endpoint, and your existing endpoint protection solution. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.|
-|[](switch-to-microsoft-defender-onboard.md)
[Onboard to Microsoft Defender for Endpoint](switch-to-microsoft-defender-onboard.md) |During [the **Onboard** phase](switch-to-microsoft-defender-onboard.md), you onboard your devices to Microsoft Defender for Endpoint and verify that those devices are communicating with Microsoft Defender for Endpoint. Last, you uninstall your existing endpoint protection solution and make sure that protection through Microsoft Defender Antivirus & Microsoft Defender for Endpoint is in active mode. |
-
-## What's included in Microsoft Defender for Endpoint?
-
-In this migration guide, we focus on [next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) and [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) capabilities as a starting point for moving to Microsoft Defender for Endpoint. However, Microsoft Defender for Endpoint includes much more than antivirus and endpoint protection. Microsoft Defender for Endpoint is a unified platform for preventative protection, post-breach detection, automated investigation, and response. The following table summarizes features and capabilities in Microsoft Defender for Endpoint.
-
-| Feature/Capability | Description |
-|---|---|
-| [Threat & vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) | Threat & vulnerability management capabilities help identify, assess, and remediate weaknesses across your endpoints (such as devices). |
-| [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction) | Attack surface reduction rules help protect your organization's devices and applications from cyberthreats and attacks. |
-| [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) | Next-generation protection includes Microsoft Defender Antivirus to help block threats and malware. |
-| [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) | Endpoint detection and response capabilities detect, investigate, and respond to intrusion attempts and active breaches. |
-| [Advanced hunting](advanced-hunting-overview.md) | Advanced hunting capabilities enable your security operations team to locate indicators and entities of known or potential threats. |
-| [Behavioral blocking and containment](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) | Behavioral blocking and containment capabilities help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. |
-| [Automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) | Automated investigation and response capabilities examine alerts and take immediate remediation action to resolve breaches. |
-| [Threat hunting service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts) (Microsoft Threat Experts) | Threat hunting services provide security operations teams with expert level monitoring and analysis, and to help ensure that critical threats aren't missed. |
-
-**Want to learn more? See [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection).**
-
-## Next step
-
-- Proceed to [Prepare for your migration](switch-to-microsoft-defender-prepare.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-onboard.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-onboard.md
deleted file mode 100644
index 4852139083..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-onboard.md
+++ /dev/null
@@ -1,93 +0,0 @@
----
-title: Switch to Microsoft Defender for Endpoint - Onboard
-description: This is phase 3, Onboard, for migrating from a non-Microsoft solution to Microsoft Defender for Endpoint.
-keywords: migration, windows defender advanced threat protection, atp, edr
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.technology: windows
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- M365-security-compliance
-- m365solution-migratetomdatp
-ms.custom: migrationguides
-ms.topic: article
-ms.date: 09/24/2020
-ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
----
-
-# Switch to Microsoft Defender for Endpoint - Phase 3: Onboard
-
-|[](switch-to-microsoft-defender-prepare.md)
[Phase 1: Prepare](switch-to-microsoft-defender-prepare.md) |[](switch-to-microsoft-defender-setup.md)
[Phase 2: Set up](switch-to-microsoft-defender-setup.md) |
Phase 3: Onboard |
-|--|--|--|
-|| |*You are here!* |
-
-
-**Welcome to Phase 3 of [switching to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)**. This migration phase includes the following steps:
-
-1. [Onboard devices to Microsoft Defender for Endpoint](#onboard-devices-to-microsoft-defender-for-endpoint).
-2. [Run a detection test](#run-a-detection-test).
-3. [Uninstall your non-Microsoft solution](#uninstall-your-non-microsoft-solution).
-4. [Make sure Microsoft Defender for Endpoint is in active mode](#make-sure-microsoft-defender-for-endpoint-is-in-active-mode).
-
-## Onboard devices to Microsoft Defender for Endpoint
-
-1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
-
-2. Choose **Settings** > **Device management** > **Onboarding**.
-
-3. In the **Select operating system to start onboarding process** list, select an operating system.
-
-4. Under **Deployment method**, select an option. Follow the links and prompts to onboard your organization's devices. Need help? See [Onboarding methods](#onboarding-methods) (in this article).
-
-### Onboarding methods
-
-Deployment methods vary, depending on which operating system is selected. Refer to the resources listed in the table below to get help with onboarding.
-
-|Operating system |Method |
-|---------|---------|
-|Windows 10 |- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
- [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
- [Mobile Device Management (Intune)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm)
- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)
**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
-|- Windows 8.1 Enterprise
- Windows 8.1 Pro
- Windows 7 SP1 Enterprise
- Windows 7 SP1 Pro | [Microsoft Monitoring Agent](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp)
**NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). |
-|- Windows Server 2019 and later
- Windows Server 2019 core edition
- Windows Server version 1803 and later |- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)
- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
- [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
- [System Center Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm#onboard-windows-10-devices-using-earlier-versions-of-system-center-configuration-manager)
- [VDI onboarding scripts for non-persistent devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi)
**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
-|- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2008 R2 SP1 |- [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#option-1-onboard-servers-through-microsoft-defender-security-center)
- [Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp) |
-|macOS
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra)
iOS
Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |[Onboard non-Windows devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows) |
-
-## Run a detection test
-
-To verify that your onboarded devices are properly connected to Microsoft Defender for Endpoint, you can run a detection test.
-
-
-|Operating system |Guidance |
-|---------|---------|
-|- Windows 10
- Windows Server 2019
- Windows Server, version 1803
- Windows Server 2016
- Windows Server 2012 R2 |See [Run a detection test](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test).
Visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. |
-|macOS
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy).
For more information, see [Microsoft Defender Advanced Threat Protection for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac). |
-|Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**:
`mdatp health --field real_time_protection_enabled`.
2. Open a Terminal window, and run the following command:
`curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`.
3. Run the following command to list any detected threats:
`mdatp threat list`.
For more information, see [Microsoft Defender ATP for Linux](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux). |
-
-## Uninstall your non-Microsoft solution
-
-Now that you have onboarded your organization's devices to Microsoft Defender for Endpoint, your next step is to uninstall your non-Microsoft endpoint protection solution.
-
-To get help with this step, reach out to your solution provider's technical support team.
-
-## Make sure Microsoft Defender for Endpoint is in active mode
-
-Now that you have uninstalled your non-Microsoft endpoint protection solution, your next step is to make sure that Microsoft Defender Antivirus and Microsoft Defender for Endpoint are enabled and in active mode.
-
-To do this, visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)). Try one or more of the demo scenarios on that page, including at least the following:
-- Cloud-delivered protection
-- Potentially Unwanted Applications (PUA)
-- Network Protection (NP)
-
-## Next steps
-
-**Congratulations**! You have completed your [migration to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)!
-
-- [Visit your security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard) in the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
-- [Manage Microsoft Defender for Endpoint, post migration](manage-atp-post-migration.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-prepare.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-prepare.md
deleted file mode 100644
index 5896bc9f4e..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-prepare.md
+++ /dev/null
@@ -1,114 +0,0 @@
----
-title: Switch to Microsoft Defender for Endpoint - Prepare
-description: This is phase 1, Prepare, for migrating to Microsoft Defender for Endpoint.
-keywords: migration, windows defender advanced threat protection, atp, edr
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.technology: windows
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- M365-security-compliance
-- m365solution-migratetomdatp
-ms.topic: article
-ms.custom: migrationguides
-ms.date: 09/22/2020
-ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
----
-
-# Switch to Microsoft Defender for Endpoint - Phase 1: Prepare
-
-|
Phase 1: Prepare |[](switch-to-microsoft-defender-setup.md)
[Phase 2: Set up](switch-to-microsoft-defender-setup.md) |[](switch-to-microsoft-defender-onboard.md)
[Phase 3: Onboard](switch-to-microsoft-defender-onboard.md) |
-|--|--|--|
-|*You are here!*| | |
-
-
-**Welcome to the Prepare phase of [switching to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)**.
-
-This migration phase includes the following steps:
-1. [Get and deploy updates across your organization's devices](#get-and-deploy-updates-across-your-organizations-devices)
-2. [Get Microsoft Defender for Endpoint](#get-microsoft-defender-for-endpoint).
-3. [Grant access to the Microsoft Defender Security Center](#grant-access-to-the-microsoft-defender-security-center).
-4. [Configure device proxy and internet connectivity settings](#configure-device-proxy-and-internet-connectivity-settings).
-
-## Get and deploy updates across your organization's devices
-
-As a best practice, keep your organization's devices and endpoints up to date. Make sure your existing endpoint protection and antivirus solution is up to date, and that the operating systems and apps your organization is also have the latest updates. Doing this now can help prevent problems later as you migrate to Microsoft Defender for Endpoint and Microsoft Defender Antivirus.
-
-### Make sure your existing solution is up to date
-
-Keep your existing endpoint protection solution up to date, and make sure that your organization's devices have the latest security updates.
-
-Need help? See your solution provider's documentation.
-
-### Make sure your organization's devices are up to date
-
-Need help updating your organization's devices? See the following resources:
-
-|OS | Resource |
-|:--|:--|
-|Windows |[Microsoft Update](https://www.update.microsoft.com) |
-|macOS | [How to update the software on your Mac](https://support.apple.com/HT201541)|
-|iOS |[Update your iPhone, iPad, or iPod touch](https://support.apple.com/HT204204)|
-|Android |[Check & update your Android version](https://support.google.com/android/answer/7680439) |
-|Linux | [Linux 101: Updating Your System](https://www.linux.com/training-tutorials/linux-101-updating-your-system) |
-
-## Get Microsoft Defender for Endpoint
-
-Now that you've updated your organization's devices, the next step is to get Microsoft Defender for Endpoint, assign licenses, and make sure the service is provisioned.
-
-1. Buy or try Microsoft Defender for Endpoint today. [Start a free trial or request a quote](https://aka.ms/mdatp).
-
-2. Verify that your licenses are properly provisioned. [Check your license state](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#check-license-state).
-
-3. As a global administrator or security administrator, set up your dedicated cloud instance of Microsoft Defender for Endpoint. See [Microsoft Defender for Endpoint setup: Tenant configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#tenant-configuration).
-
-4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Microsoft Defender for Endpoint setup: Network configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#network-configuration).
-
-At this point, you are ready to grant access to your security administrators and security operators who will use the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
-
-> [!NOTE]
-> The Microsoft Defender Security Center is sometimes referred to as the Microsoft Defender for Endpoint portal, and can be accessed at [https://aka.ms/MDATPportal](https://aka.ms/MDATPportal).
-
-## Grant access to the Microsoft Defender Security Center
-
-The Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) is where you access and configure features and capabilities of Microsoft Defender for Endpoint. To learn more, see [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use).
-
-Permissions to the Microsoft Defender Security Center can be granted by using either basic permissions or role-based access control (RBAC). We recommend using RBAC so that you have more granular control over permissions.
-
-1. Plan the roles and permissions for your security administrators and security operators. See [Role-based access control](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment#role-based-access-control).
-
-2. Set up and configure RBAC. We recommend using [Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) to configure RBAC, especially if your organization is using a combination of Windows 10, macOS, iOS, and Android devices. See [setting up RBAC using Intune](https://docs.microsoft.com/mem/intune/fundamentals/role-based-access-control).
-
- If your organization requires a method other than Intune, choose one of the following options:
- - [Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/servers/deploy/configure/configure-role-based-administration)
- - [Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm)
- - [Windows Admin Center](https://docs.microsoft.com/windows-server/manage/windows-admin-center/overview)
-
-3. Grant access to the Microsoft Defender Security Center. (Need help? See [Manage portal access using RBAC](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)).
-
-## Configure device proxy and internet connectivity settings
-
-To enable communication between your devices and Microsoft Defender for Endpoint, configure proxy and internet settings. The following table includes links to resources you can use to configure your proxy and internet settings for various operating systems and capabilities:
-
-|Capabilities | Operating System | Resources |
-|--|--|--|
-|[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) |
-|EDR |- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) |
-|EDR |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft Defender ATP for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) |
-|[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803)
- [Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)
|
-|Antivirus |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft Defender ATP for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) |
-|Antivirus |Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |[Microsoft Defender ATP for Linux: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux#network-connections) |
-
-## Next step
-
-**Congratulations**! You have completed the **Prepare** phase of [switching to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)!
-
-- [Proceed to set up Microsoft Defender for Endpoint](switch-to-microsoft-defender-setup.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md
deleted file mode 100644
index b8c66898af..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md
+++ /dev/null
@@ -1,254 +0,0 @@
----
-title: Switch to Microsoft Defender for Endpoint - Setup
-description: This is phase 2, Setup, for switching to Microsoft Defender for Endpoint.
-keywords: migration, windows defender advanced threat protection, atp, edr
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.technology: windows
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- M365-security-compliance
-- m365solution-migratetomdatp
-ms.topic: article
-ms.custom: migrationguides
-ms.date: 09/22/2020
-ms.reviewer: jesquive, chventou, jonix, chriggs, owtho
----
-
-# Switch to Microsoft Defender for Endpoint - Phase 2: Setup
-
-|[](switch-to-microsoft-defender-prepare.md)
[Phase 1: Prepare](switch-to-microsoft-defender-prepare.md) |
Phase 2: Set up |[](switch-to-microsoft-defender-onboard.md)
[Phase 3: Onboard](switch-to-microsoft-defender-onboard.md) |
-|--|--|--|
-||*You are here!* | |
-
-
-**Welcome to the Setup phase of [switching to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)**. This phase includes the following steps:
-1. [Enable Microsoft Defender Antivirus and confirm it's in passive mode](#enable-microsoft-defender-antivirus-and-confirm-its-in-passive-mode).
-2. [Get updates for Microsoft Defender Antivirus](#get-updates-for-microsoft-defender-antivirus).
-3. [Add Microsoft Defender for Endpoint to the exclusion list for your existing endpoint solution](#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-your-existing-solution).
-4. [Add your existing solution to the exclusion list for Microsoft Defender Antivirus](#add-your-existing-solution-to-the-exclusion-list-for-microsoft-defender-antivirus).
-5. [Add your existing solution to the exclusion list for Microsoft Defender for Endpoint](#add-your-existing-solution-to-the-exclusion-list-for-microsoft-defender-for-endpoint).
-6. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units).
-7. [Configure antimalware policies and real-time protection](#configure-antimalware-policies-and-real-time-protection).
-
-## Enable Microsoft Defender Antivirus and confirm it's in passive mode
-
-On certain versions of Windows, such as Windows Server, Microsoft Defender Antivirus might have been uninstalled or disabled when your McAfee solution was installed. This is because Microsoft Defender Antivirus does not enter passive or disabled mode when you install a third-party antivirus product, such as McAfee. (To learn more about this, see [Microsoft Defender Antivirus compatibility](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).)
-
-This step of the migration process includes the following tasks:
-- [Setting DisableAntiSpyware to false on Windows Server](#set-disableantispyware-to-false-on-windows-server)
-- [Reinstalling Microsoft Defender Antivirus on Windows Server](#reinstall-microsoft-defender-antivirus-on-windows-server);
-- [Setting Microsoft Defender Antivirus to passive mode on Windows Server](#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server)
-- [Enabling Microsoft Defender Antivirus on your Windows client devices](#enable-microsoft-defender-antivirus-on-your-windows-client-devices); and
-- [Confirming that Microsoft Defender Antivirus is set to passive mode](#confirm-that-microsoft-defender-antivirus-is-in-passive-mode).
-
-### Set DisableAntiSpyware to false on Windows Server
-
-The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key was used in the past to disable Microsoft Defender Antivirus, and deploy another antivirus product, such as McAfee. In general, you should not have this registry key on your Windows devices and endpoints; however, if you do have `DisableAntiSpyware` configured, here's how to set its value to false:
-
-1. On your Windows Server device, open Registry Editor.
-
-2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`.
-
-3. In that folder, look for a DWORD entry called **DisableAntiSpyware**.
-
- - If you do not see that entry, you're all set.
-
- - If you do see **DisableAntiSpyware**, proceed to step 4.
-
-4. Right-click the DisableAntiSpyware DWORD, and then choose **Modify**.
-
-5. Set the value to `0`. (This sets the registry key's value to *false*.)
-
-> [!TIP]
-> To learn more about this registry key, see [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware).
-
-### Reinstall Microsoft Defender Antivirus on Windows Server
-
-> [!NOTE]
-> The following procedure applies only to endpoints or devices that are running the following versions of Windows:
-> - Windows Server 2019
-> - Windows Server, version 1803 (core-only mode)
-> - Windows Server 2016
-
-1. As a local administrator on the endpoint or device, open Windows PowerShell.
-
-2. Run the following PowerShell cmdlets:
-
- `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`
-
- `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
-
-3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet:
-
- `Get-Service -Name windefend`
-
-> [!TIP]
-> Need help? See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016).
-
-### Set Microsoft Defender Antivirus to passive mode on Windows Server
-
-Because your organization is still using your existing endpoint protection solution, you must set Microsoft Defender Antivirus to passive mode. That way, your existing solution and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Microsoft Defender for Endpoint.
-
-1. Open Registry Editor, and then navigate to
- `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Windows Advanced Threat Protection`.
-
-2. Edit (or create) a DWORD entry called **ForceDefenderPassiveMode**, and specify the following settings:
-
- - Set the DWORD's value to **1**.
-
- - Under **Base**, select **Hexadecimal**.
-
-> [!NOTE]
-> You can use other methods to set the registry key, such as the following:
->- [Group Policy Preference](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922(v=ws.11))
->- [Local Group Policy Object tool](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10#what-is-the-local-group-policy-object-lgpo-tool)
->- [A package in Configuration Manager](https://docs.microsoft.com/mem/configmgr/apps/deploy-use/packages-and-programs)
-
-### Enable Microsoft Defender Antivirus on your Windows client devices
-
-Because your organization has been using a non-Microsoft antivirus solution, Microsoft Defender Antivirus is most likely disabled on your organization's Windows devices. This step of the migration process involves enabling Microsoft Defender Antivirus.
-
-To enable Microsoft Defender Antivirus, we recommend using Intune. However, you can any of the methods that are listed in the following table:
-
-|Method |What to do |
-|---------|---------|
-|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.
2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure.
If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
3. Select **Properties**, and then select **Configuration settings: Edit**.
4. Expand **Microsoft Defender Antivirus**.
5. Enable **Cloud-delivered protection**.
6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.
7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.
8. Select **Review + save**, and then choose **Save**.
For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles).|
-|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/user-help/turn-on-defender-windows).
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
-|[Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm/)
or
[Group Policy Management Console](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`.
2. Look for a policy called **Turn off Microsoft Defender Antivirus**.
3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
-
-### Confirm that Microsoft Defender Antivirus is in passive mode
-
-Microsoft Defender Antivirus can run alongside your existing endpoint protection solution if you set Microsoft Defender Antivirus to passive mode. You can use either Command Prompt or PowerShell to perform this task, as described in the following table:
-
-|Method |What to do |
-|---------|---------|
-|Command Prompt |1. On a Windows device, open Command Prompt as an administrator.
2. Type `sc query windefend`, and then press Enter.
3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
-|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.
2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.
3. In the list of results, look for **AntivirusEnabled: True**. |
-
-> [!NOTE]
-> You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
-
-## Get updates for Microsoft Defender Antivirus
-
-Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques, even if Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
-
-There are two types of updates related to keeping Microsoft Defender Antivirus up to date:
-- Security intelligence updates
-- Product updates
-
-To get your updates, follow the guidance in [Manage Microsoft Defender Antivirus updates and apply baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus).
-
-## Add Microsoft Defender for Endpoint to the exclusion list for your existing solution
-
-This step of the setup process involves adding Microsoft Defender for Endpoint to the exclusion list for your existing endpoint protection solution and any other security products your organization is using.
-
-> [!TIP]
-> To get help configuring exclusions, refer to your solution provider's documentation.
-
-The specific exclusions to configure depend on which version of Windows your endpoints or devices are running, and are listed in the following table:
-
-|OS |Exclusions |
-|--|--|
-|- Windows 10, [version 1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803) or later (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information))
- Windows 10, version 1703 or [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`
|
-|- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`
**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.
`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
-
-## Add your existing solution to the exclusion list for Microsoft Defender Antivirus
-
-During this step of the setup process, you add your existing solution to the Microsoft Defender Antivirus exclusion list.
-
-When you add [exclusions to Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus), you should add path and process exclusions. Keep the following points in mind:
-- Path exclusions exclude specific files and whatever those files access.
-- Process exclusions exclude whatever a process touches, but does not exclude the process itself.
-- If you list each executable (.exe) as both a path exclusion and a process exclusion, the process and whatever it touches are excluded.
-- List your process exclusions using their full path and not by their name only. (The name-only method is less secure.)
-
-You can choose from several methods to add your exclusions to Microsoft Defender Antivirus, as listed in the following table:
-
-|Method | What to do|
-|--|--|
-|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.
2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.
3. Under **Manage**, select **Properties**.
4. Select **Configuration settings: Edit**.
5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.
6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).
7. Choose **Review + save**, and then choose **Save**. |
-|[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/) |1. Using the [Configuration Manager console](https://docs.microsoft.com/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify.
2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. |
-|[Group Policy Object](https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
4. Double-click the **Path Exclusions** setting and add the exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Specify each folder on its own line under the **Value name** column.
- If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
5. Click **OK**.
6. Double-click the **Extension Exclusions** setting and add the exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.
7. Click **OK**. |
-|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor.
2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
3. Specify your path and process exclusions. |
-|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.
2. Import the registry key. Here are two examples:
- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg`
- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` |
-
-## Add your existing solution to the exclusion list for Microsoft Defender for Endpoint
-
-To add exclusions to Microsoft Defender for Endpoint, you create [indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators#create-indicators-for-files).
-
-1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
-
-2. In the navigation pane, choose **Settings** > **Rules** > **Indicators**.
-
-3. On the **File hashes** tab, choose **Add indicator**.
-
-3. On the **Indicator** tab, specify the following settings:
- - File hash (Need help? See [Find a file hash using CMPivot](#find-a-file-hash-using-cmpivot) in this article.)
- - Under **Expires on (UTC)**, choose **Never**.
-
-4. On the **Action** tab, specify the following settings:
- - **Response Action**: **Allow**
- - Title and description
-
-5. On the **Scope** tab, under **Device groups**, select either **All devices in my scope** or **Select from list**.
-
-6. On the **Summary** tab, review the settings, and then click **Save**.
-
-### Find a file hash using CMPivot
-
-CMPivot is an in-console utility for Configuration Manager. CMPivot provides access to the real-time state of devices in your environment. It immediately runs a query on all currently connected devices in the target collection and returns the results. To learn more, see [CMPivot overview](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot-overview).
-
-To use CMPivot to get your file hash, follow these steps:
-
-1. Review the [prerequisites](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#prerequisites).
-
-2. [Start CMPivot](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#start-cmpivot).
-
-3. Connect to Configuration Manager (`SCCM_ServerName.DomainName.com`).
-
-4. Select the **Query** tab.
-
-5. In the **Device Collection** list, and choose **All Systems (default)**.
-
-6. In the query box, type the following query:
-
-```kusto
-File(c:\\windows\\notepad.exe)
-| project Hash
-```
-> [!NOTE]
-> In the query above, replace *notepad.exe* with the your third-party security product process name.
-
-## Set up your device groups, device collections, and organizational units
-
-| Collection type | What to do |
-|--|--|
-|[Device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.
Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed.
Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**.
3. Choose **+ Add device group**.
4. Specify a name and description for the device group.
5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated).
6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags).
7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group.
8. Choose **Done**. |
-|[Device collections](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization.
Device collections are created by using [Configuration Manager](https://docs.microsoft.com/mem/configmgr/). |Follow the steps in [Create a collection](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). |
-|[Organizational units](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.
Organizational units are defined in [Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou). |
-
-## Configure antimalware policies and real-time protection
-
-Using Configuration Manager and your device collection(s), configure your antimalware policies.
-
-- See [Create and deploy antimalware policies for Endpoint Protection in Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies).
-
-- While you create and configure your antimalware policies, make sure to review the [real-time protection settings](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) and [enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus).
-
-> [!TIP]
-> You can deploy the policies before your organization's devices on onboarded.
-
-## Next step
-
-**Congratulations**! You have completed the Setup phase of [switching to Microsoft Defender for Endpoint](switch-to-microsoft-defender-migration.md#the-migration-process)!
-
-- [Proceed to Phase 3: Onboard to Microsoft Defender for Endpoint](switch-to-microsoft-defender-onboard.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md
deleted file mode 100644
index 371f380e63..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md
+++ /dev/null
@@ -1,63 +0,0 @@
----
-title: Migrate from Symantec to Microsoft Defender for Endpoint
-description: Get an overview of how to make the switch from Symantec to Microsoft Defender for Endpoint
-keywords: migration, windows defender advanced threat protection, atp, edr
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.technology: windows
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- M365-security-compliance
-- m365solution-symantecmigrate
-- m365solution-overview
-ms.topic: conceptual
-ms.date: 09/22/2020
-ms.custom: migrationguides
-ms.reviewer: depicker, yongrhee, chriggs
----
-
-# Migrate from Symantec to Microsoft Defender for Endpoint
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-If you are planning to switch from Symantec Endpoint Protection (Symantec) to [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection), you're in the right place. Use this article as a guide to plan your migration.
-
-## The migration process
-
-When you switch from Symantec to Microsoft Defender for Endpoint, you follow a process that can be divided into three phases, as described in the following table:
-
-|Phase |Description |
-|--|--|
-|[](symantec-to-microsoft-defender-atp-prepare.md)
[Prepare for your migration](symantec-to-microsoft-defender-atp-prepare.md) |During the **Prepare** phase, you get Microsoft Defender for Endpoint, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender for Endpoint. |
-|[](symantec-to-microsoft-defender-atp-setup.md)
[Set up Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-setup.md) |During the **Setup** phase, you configure settings and exclusions for Microsoft Defender Antivirus, Microsoft Defender for Endpoint, and Symantec Endpoint Protection. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.|
-|[](symantec-to-microsoft-defender-atp-onboard.md)
[Onboard to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-onboard.md) |During the **Onboard** phase, you onboard your devices to Microsoft Defender for Endpoint and verify that those devices are communicating with Microsoft Defender for Endpoint. Last, you uninstall Symantec and make sure protection through Microsoft Defender for Endpoint is in active mode. |
-
-## What's included in Microsoft Defender for Endpoint?
-
-In this migration guide, we focus on [next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) and [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) capabilities as a starting point for moving to Microsoft Defender for Endpoint. However, Microsoft Defender for Endpoint includes much more than antivirus and endpoint protection. Microsoft Defender for Endpoint is a unified platform for preventative protection, post-breach detection, automated investigation, and response. The following table summarizes features and capabilities in Microsoft Defender for Endpoint.
-
-| Feature/Capability | Description |
-|---|---|
-| [Threat & vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) | Threat & vulnerability management capabilities help identify, assess, and remediate weaknesses across your endpoints (such as devices). |
-| [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction) | Attack surface reduction rules help protect your organization's devices and applications from cyberthreats and attacks. |
-| [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) | Next-generation protection includes Microsoft Defender Antivirus to help block threats and malware. |
-| [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) | Endpoint detection and response capabilities detect, investigate, and respond to intrusion attempts and active breaches. |
-| [Advanced hunting](advanced-hunting-overview.md) | Advanced hunting capabilities enable your security operations team to locate indicators and entities of known or potential threats. |
-| [Behavioral blocking and containment](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) | Behavioral blocking and containment capabilities help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. |
-| [Automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) | Automated investigation and response capabilities examine alerts and take immediate remediation action to resolve breaches. |
-| [Threat hunting service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts) (Microsoft Threat Experts) | Threat hunting services provide security operations teams with expert level monitoring and analysis, and to help ensure that critical threats aren't missed. |
-
-**Want to learn more? See [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection).**
-
-## Next step
-
-- Proceed to [Prepare for your migration](symantec-to-microsoft-defender-atp-prepare.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md
deleted file mode 100644
index 38143cfd5f..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md
+++ /dev/null
@@ -1,108 +0,0 @@
----
-title: Symantec to Microsoft Defender for Endpoint - Phase 3, Onboarding
-description: This is Phase 3, Onboarding, of migrating from Symantec to Microsoft Defender for Endpoint
-keywords: migration, windows defender advanced threat protection, atp, edr
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.technology: windows
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- M365-security-compliance
-- m365solution-symantecmigrate
-ms.topic: article
-ms.date: 09/24/2020
-ms.custom: migrationguides
-ms.reviewer: depicker, yongrhee, chriggs
----
-
-# Migrate from Symantec - Phase 3: Onboard to Microsoft Defender for Endpoint
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-|[](symantec-to-microsoft-defender-atp-prepare.md)
[Phase 1: Prepare](symantec-to-microsoft-defender-atp-prepare.md) |[](symantec-to-microsoft-defender-atp-setup.md)
[Phase 2: Set up](symantec-to-microsoft-defender-atp-setup.md) |
Phase 3: Onboard |
-|--|--|--|
-|| |*You are here!* |
-
-
-**Welcome to Phase 3 of [migrating from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)**. This migration phase includes the following steps:
-
-1. [Onboard devices to Microsoft Defender for Endpoint](#onboard-devices-to-microsoft-defender-for-endpoint).
-2. [Run a detection test](#run-a-detection-test).
-3. [Uninstall Symantec](#uninstall-symantec).
-4. [Make sure Microsoft Defender for Endpoint is in active mode](#make-sure-microsoft-defender-for-endpoint-is-in-active-mode).
-
-## Onboard devices to Microsoft Defender for Endpoint
-
-1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
-
-2. Choose **Settings** > **Device management** > **Onboarding**.
-
-3. In the **Select operating system to start onboarding process** list, select an operating system.
-
-4. Under **Deployment method**, select an option. Follow the links and prompts to onboard your organization's devices. Need help? See [Onboarding methods](#onboarding-methods) (in this article).
-
-### Onboarding methods
-
-Deployment methods vary, depending on which operating system is selected. Refer to the resources listed in the table below to get help with onboarding.
-
-|Operating system |Method |
-|---------|---------|
-|Windows 10 |- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
- [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
- [Mobile Device Management (Intune)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm)
- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)
**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
-|- Windows 8.1 Enterprise
- Windows 8.1 Pro
- Windows 7 SP1 Enterprise
- Windows 7 SP1 Pro | [Microsoft Monitoring Agent](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp)
**NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). |
-|- Windows Server 2019 and later
- Windows Server 2019 core edition
- Windows Server version 1803 and later |- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)
- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
- [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
- [System Center Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm#onboard-windows-10-devices-using-earlier-versions-of-system-center-configuration-manager)
- [VDI onboarding scripts for non-persistent devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi)
**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
-|- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2008 R2 SP1 |- [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#option-1-onboard-servers-through-microsoft-defender-security-center)
- [Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp) |
-|macOS
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra)
iOS
Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |[Onboard non-Windows devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows) |
-
-## Run a detection test
-
-To verify that your onboarded devices are properly connected to Microsoft Defender for Endpoint, you can run a detection test.
-
-
-|Operating system |Guidance |
-|---------|---------|
-|- Windows 10
- Windows Server 2019
- Windows Server, version 1803
- Windows Server 2016
- Windows Server 2012 R2 |See [Run a detection test](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test).
Visit the Microsoft Defender ATP demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. |
-|macOS
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy).
For more information, see [Microsoft Defender Advanced Threat Protection for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac). |
-|Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**:
`mdatp health --field real_time_protection_enabled`.
2. Open a Terminal window, and run the following command:
`curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`.
3. Run the following command to list any detected threats:
`mdatp threat list`.
For more information, see [Microsoft Defender ATP for Linux](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux). |
-
-## Uninstall Symantec
-
-Now that you have onboarded your organization's devices to Microsoft Defender for Endpoint, your next step is to uninstall Symantec.
-
-1. [Disable Tamper Protection](https://knowledge.broadcom.com/external/article?legacyId=tech192023) in Symantec.
-
-2. Delete the uninstall password for Symantec:
- 1. On your Windows devices, open Registry Editor as an administrator.
- 2. Go to `HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC`.
- 3. Look for an entry named **SmcInstData**. Right-click the item, and then choose **Delete**.
-
-3. Remove Symantec from your devices. If you need help with this, see Broadcom's documentation. Here are a few Broadcom resources:
- - [Uninstall Symantec Endpoint Protection](https://knowledge.broadcom.com/external/article/156148/uninstall-symantec-endpoint-protection.html)
- - Windows devices: [Manually uninstall Endpoint Protection 14 clients on Windows](https://knowledge.broadcom.com/external/article?articleId=170040)
- - macOS computers: [Remove Symantec software for Mac using RemoveSymantecMacFiles](https://knowledge.broadcom.com/external/article?articleId=151387)
- - Linux devices: [Frequently Asked Questions for Endpoint Protection for Linux](https://knowledge.broadcom.com/external/article?articleId=162054)
-
-## Make sure Microsoft Defender for Endpoint is in active mode
-
-Now that you have uninstalled Symantec, your next step is to make sure that Microsoft Defender Antivirus and Microsoft Defender for Endpoint are enabled and in active mode.
-
-To do this, visit the Microsoft Defender for Endpoint demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)). Try one or more of the demo scenarios on that page, including at least the following:
-- Cloud-delivered protection
-- Potentially Unwanted Applications (PUA)
-- Network Protection (NP)
-
-## Next steps
-
-**Congratulations**! You have completed your [migration from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)!
-
-- [Visit your security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard) in the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
-
-- [Manage Microsoft Defender for Endpoint, post migration](manage-atp-post-migration.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md
deleted file mode 100644
index cc678c90eb..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md
+++ /dev/null
@@ -1,94 +0,0 @@
----
-title: Symantec to Microsoft Defender for Endpoint - Phase 1, Preparing
-description: This is Phase 1, Prepare, of migrating from Symantec to Microsoft Defender for Endpoint.
-keywords: migration, windows defender advanced threat protection, atp, edr
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.technology: windows
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- M365-security-compliance
-- m365solution-symantecmigrate
-ms.topic: article
-ms.date: 09/22/2020
-ms.custom: migrationguides
-ms.reviewer: depicker, yongrhee, chriggs
----
-
-# Migrate from Symantec - Phase 1: Prepare for your migration
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-|
Phase 1: Prepare |[](symantec-to-microsoft-defender-atp-setup.md)
[Phase 2: Set up](symantec-to-microsoft-defender-atp-setup.md) |[](symantec-to-microsoft-defender-atp-onboard.md)
[Phase 3: Onboard](symantec-to-microsoft-defender-atp-onboard.md) |
-|--|--|--|
-|*You are here!*| | |
-
-
-**Welcome to the Prepare phase of [migrating from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)**.
-
-This migration phase includes the following steps:
-1. [Get Microsoft Defender for Endpoint](#get-microsoft-defender-for-endpoint).
-2. [Grant access to the Microsoft Defender Security Center](#grant-access-to-the-microsoft-defender-security-center).
-3. [Configure device proxy and internet connectivity settings](#configure-device-proxy-and-internet-connectivity-settings).
-
-## Get Microsoft Defender for Endpoint
-
-To get started, you must have Microsoft Defender for Endpoint, with licenses assigned and provisioned.
-
-1. Buy or try Microsoft Defender for Endpoint today. [Visit Microsoft Defender for Endpoint to start a free trial or request a quote](https://aka.ms/mdatp).
-
-2. Verify that your licenses are properly provisioned. [Check your license state](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#check-license-state).
-
-3. As a global administrator or security administrator, set up your dedicated cloud instance of Microsoft Defender for Endpoint. See [Microsoft Defender for Endpoint setup: Tenant configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#tenant-configuration).
-
-4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Microsoft Defender for Endpoint setup: Network configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#network-configuration).
-
-At this point, you are ready to grant access to your security administrators and security operators who will use the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
-
-> [!NOTE]
-> The Microsoft Defender Security Center is sometimes referred to as the Microsoft Defender for Endpoint portal.
-
-## Grant access to the Microsoft Defender Security Center
-
-The Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) is where you access and configure features and capabilities of Microsoft Defender for Endpoint. To learn more, see [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use).
-
-Permissions to the Microsoft Defender Security Center can be granted by using either basic permissions or role-based access control (RBAC). We recommend using RBAC so that you have more granular control over permissions.
-
-1. Plan the roles and permissions for your security administrators and security operators. See [Role-based access control](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment#role-based-access-control).
-
-2. Set up and configure RBAC. We recommend using [Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) to configure RBAC, especially if your organization is using a combination of Windows 10, macOS, iOS, and Android devices. See [setting up RBAC using Intune](https://docs.microsoft.com/mem/intune/fundamentals/role-based-access-control).
-
- If your organization requires a method other than Intune, choose one of the following options:
- - [Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/servers/deploy/configure/configure-role-based-administration)
- - [Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm)
- - [Windows Admin Center](https://docs.microsoft.com/windows-server/manage/windows-admin-center/overview)
-
-3. Grant access to the Microsoft Defender Security Center. (Need help? See [Manage portal access using RBAC](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)).
-
-## Configure device proxy and internet connectivity settings
-
-To enable communication between your devices and Microsoft Defender for Endpoint, configure proxy and internet settings. The following table includes links to resources you can use to configure your proxy and internet settings for various operating systems and capabilities:
-
-|Capabilities | Operating System | Resources |
-|:----|:----|:---|
-|[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) |
-|EDR |- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) |
-|EDR |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft Defender ATP for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) |
-|[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803)
- [Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)
|
-|Antivirus |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft Defender ATP for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) |
-|Antivirus |Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |[Microsoft Defender ATP for Linux: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux#network-connections) |
-
-## Next step
-
-**Congratulations**! You have completed the **Prepare** phase of [migrating from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)!
-
-- [Proceed to set up Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-setup.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md
deleted file mode 100644
index f36e72d95c..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md
+++ /dev/null
@@ -1,230 +0,0 @@
----
-title: Symantec to Microsoft Defender for Endpoint - Phase 2, Setting Up
-description: This is Phase 2, Setup, of migrating from Symantec to Microsoft Defender for Endpoint
-keywords: migration, windows defender advanced threat protection, atp, edr
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.technology: windows
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: deniseb
-author: denisebmsft
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- M365-security-compliance
-- m365solution-symantecmigrate
-ms.topic: article
-ms.date: 09/24/2020
-ms.custom: migrationguides
-ms.reviewer: depicker, yongrhee, chriggs
----
-
-# Migrate from Symantec - Phase 2: Set up Microsoft Defender for Endpoint
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-|[](symantec-to-microsoft-defender-atp-prepare.md)
[Phase 1: Prepare](symantec-to-microsoft-defender-atp-prepare.md) |
Phase 2: Set up |[](symantec-to-microsoft-defender-atp-onboard.md)
[Phase 3: Onboard](symantec-to-microsoft-defender-atp-onboard.md) |
-|--|--|--|
-||*You are here!* | |
-
-
-**Welcome to the Setup phase of [migrating from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)**. This phase includes the following steps:
-1. [Enable or reinstall Microsoft Defender Antivirus (for certain versions of Windows)](#enable-or-reinstall-microsoft-defender-antivirus-for-certain-versions-of-windows).
-2. [Enable Microsoft Defender Antivirus](#enable-microsoft-defender-antivirus).
-3. [Get updates for Microsoft Defender Antivirus](#get-updates-for-microsoft-defender-antivirus).
-4. [Add Microsoft Defender for Endpoint to the exclusion list for Symantec](#add-microsoft-defender-for-endpoint-to-the-exclusion-list-for-symantec).
-5. [Add Symantec to the exclusion list for Microsoft Defender Antivirus](#add-symantec-to-the-exclusion-list-for-microsoft-defender-antivirus).
-6. [Add Symantec to the exclusion list for Microsoft Defender for Endpoint](#add-symantec-to-the-exclusion-list-for-microsoft-defender-for-endpoint).
-7. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units).
-8. [Configure antimalware policies and real-time protection](#configure-antimalware-policies-and-real-time-protection).
-
-## Enable or reinstall Microsoft Defender Antivirus (for certain versions of Windows)
-
-> [!TIP]
-> If you're running Windows 10, you do not need to perform this task. Proceed to **[Enable Microsoft Defender Antivirus](#enable-microsoft-defender-antivirus)**.
-
-On certain versions of Windows, Microsoft Defender Antivirus might have been uninstalled or disabled. This is because Microsoft Defender Antivirus does not enter passive or disabled mode when you install a third-party antivirus product, such as Symantec. To learn more, see [Microsoft Defender Antivirus compatibility](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
-
-Now that you're moving from Symantec to Microsoft Defender for Endpoint, you'll need to enable or reinstall Microsoft Defender Antivirus, and set it to passive mode.
-
-### Reinstall Microsoft Defender Antivirus on Windows Server
-
-> [!NOTE]
-> The following procedure applies only to endpoints or devices that are running the following versions of Windows:
-> - Windows Server 2019
-> - Windows Server, version 1803 (core-only mode)
-> - Windows Server 2016
->
-> Microsoft Defender Antivirus is built into Windows 10, but it might be disabled. In this case, proceed to [Enable Microsoft Defender Antivirus](#enable-microsoft-defender-antivirus).
-
-1. As a local administrator on the endpoint or device, open Windows PowerShell.
-
-2. Run the following PowerShell cmdlets:
- `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`
- `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
-
-3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet:
- `Get-Service -Name windefend`
-
-> [!TIP]
-> Need help? See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016).
-
-### Set Microsoft Defender Antivirus to passive mode on Windows Server
-
-Because your organization is still using Symantec, you must set Microsoft Defender Antivirus to passive mode. That way, Symantec and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Microsoft Defender for Endpoint.
-
-1. Open Registry Editor, and then navigate to
- `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Windows Advanced Threat Protection`.
-
-2. Edit (or create) a DWORD entry called **ForceDefenderPassiveMode**, and specify the following settings:
- - Set the DWORD's value to **1**.
- - Under **Base**, select **Hexadecimal**.
-
-> [!NOTE]
-> You can use other methods to set the registry key, such as the following:
->- [Group Policy Preference](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922(v=ws.11))
->- [Local Group Policy Object tool](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10#what-is-the-local-group-policy-object-lgpo-tool)
->- [A package in Configuration Manager](https://docs.microsoft.com/mem/configmgr/apps/deploy-use/packages-and-programs)
-
-## Enable Microsoft Defender Antivirus
-
-Because your organization has been using Symantec as your primary antivirus solution, Microsoft Defender Antivirus is most likely disabled on your organization's Windows devices. This step of the migration process involves enabling Microsoft Defender Antivirus.
-
-To enable Microsoft Defender Antivirus, we recommend using Intune. However, you can any of the methods that are listed in the following table:
-
-|Method |What to do |
-|---------|---------|
-|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.
2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
3. Select **Properties**, and then select **Configuration settings: Edit**.
4. Expand **Microsoft Defender Antivirus**.
5. Enable **Cloud-delivered protection**.
6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.
7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.
8. Select **Review + save**, and then choose **Save**.
For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles).|
-|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/user-help/turn-on-defender-windows).
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
-|[Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm/)
or
[Group Policy Management Console](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`.
2. Look for a policy called **Turn off Microsoft Defender Antivirus**.
3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
-
-### Verify that Microsoft Defender Antivirus is in passive mode
-
-Microsoft Defender Antivirus can run alongside Symantec if you set Microsoft Defender Antivirus to passive mode. You can use either Command Prompt or PowerShell to perform this task, as described in the following table:
-
-|Method |What to do |
-|---------|---------|
-|Command Prompt |1. On a Windows device, open Command Prompt as an administrator.
2. Type `sc query windefend`, and then press Enter.
3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
-|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.
2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.
3. In the list of results, look for **AntivirusEnabled: True**. |
-
-> [!NOTE]
-> You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
-
-## Get updates for Microsoft Defender Antivirus
-
-Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques, even if Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
-
-There are two types of updates related to keeping Microsoft Defender Antivirus up to date:
-- Security intelligence updates
-- Product updates
-
-To get your updates, follow the guidance in [Manage Microsoft Defender Antivirus updates and apply baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus).
-
-## Add Microsoft Defender for Endpoint to the exclusion list for Symantec
-
-This step of the setup process involves adding Microsoft Defender for Endpoint to the exclusion list for Symantec and any other security products your organization is using. The specific exclusions to configure depend on which version of Windows your endpoints or devices are running, and are listed in the following table:
-
-|OS |Exclusions |
-|--|--|
-|- Windows 10, [version 1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803) or later (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information))
- Windows 10, version 1703 or [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`
|
-|- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`
**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.
`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
-
-## Add Symantec to the exclusion list for Microsoft Defender Antivirus
-
-During this step of the setup process, you add Symantec and your other security solutions to the Microsoft Defender Antivirus exclusion list.
-
-> [!NOTE]
-> To get an idea of which processes and services to exclude, see Broadcom's [Processes and services used by Endpoint Protection 14](https://knowledge.broadcom.com/external/article/170706/processes-and-services-used-by-endpoint.html).
-
-When you add [exclusions to Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus), you should add path and process exclusions. Keep the following points in mind:
-- Path exclusions exclude specific files and whatever those files access.
-- Process exclusions exclude whatever a process touches, but does not exclude the process itself.
-- If you list each executable (.exe) as both a path exclusion and a process exclusion, the process and whatever it touches are excluded.
-- List your process exclusions using their full path and not by their name only. (The name-only method is less secure.)
-
-You can choose from several methods to add your exclusions to Microsoft Defender Antivirus, as listed in the following table:
-
-|Method | What to do|
-|--|--|
-|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.
2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.
3. Under **Manage**, select **Properties**.
4. Select **Configuration settings: Edit**.
5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.
6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).
7. Choose **Review + save**, and then choose **Save**. |
-|[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/) |1. Using the [Configuration Manager console](https://docs.microsoft.com/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify.
2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. |
-|[Group Policy Object](https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
4. Double-click the **Path Exclusions** setting and add the exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Specify each folder on its own line under the **Value name** column.
- If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
5. Click **OK**.
6. Double-click the **Extension Exclusions** setting and add the exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.
7. Click **OK**. |
-|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor.
2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
3. Specify your path and process exclusions. |
-|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.
2. Import the registry key. Here are two examples:
- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg`
- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` |
-
-## Add Symantec to the exclusion list for Microsoft Defender for Endpoint
-
-To add exclusions to Microsoft Defender for Endpoint, you create [indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators#create-indicators-for-files).
-
-1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
-
-2. In the navigation pane, choose **Settings** > **Rules** > **Indicators**.
-
-3. On the **File hashes** tab, choose **Add indicator**.
-
-3. On the **Indicator** tab, specify the following settings:
- - File hash (Need help? See [Find a file hash using CMPivot](#find-a-file-hash-using-cmpivot) in this article.)
- - Under **Expires on (UTC)**, choose **Never**.
-
-4. On the **Action** tab, specify the following settings:
- - **Response Action**: **Allow**
- - Title and description
-
-5. On the **Scope** tab, under **Device groups**, select either **All devices in my scope** or **Select from list**.
-
-6. On the **Summary** tab, review the settings, and then click **Save**.
-
-### Find a file hash using CMPivot
-
-CMPivot is an in-console utility for Configuration Manager. CMPivot provides access to the real-time state of devices in your environment. It immediately runs a query on all currently connected devices in the target collection and returns the results. To learn more, see [CMPivot overview](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot-overview).
-
-To use CMPivot to get your file hash, follow these steps:
-
-1. Review the [prerequisites](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#prerequisites).
-
-2. [Start CMPivot](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#start-cmpivot).
-
-3. Connect to Configuration Manager (`SCCM_ServerName.DomainName.com`).
-
-4. Select the **Query** tab.
-
-5. In the **Device Collection** list, and choose **All Systems (default)**.
-
-6. In the query box, type the following query:
-
-```kusto
-File(c:\\windows\\notepad.exe)
-| project Hash
-```
-> [!NOTE]
-> In the query above, replace *notepad.exe* with the your third-party security product process name.
-
-## Set up your device groups, device collections, and organizational units
-
-| Collection type | What to do |
-|--|--|
-|[Device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.
Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed.
Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**.
3. Choose **+ Add device group**.
4. Specify a name and description for the device group.
5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated).
6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags).
7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group.
8. Choose **Done**. |
-|[Device collections](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization.
Device collections are created by using [Configuration Manager](https://docs.microsoft.com/mem/configmgr/). |Follow the steps in [Create a collection](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). |
-|[Organizational units](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.
Organizational units are defined in [Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou). |
-
-## Configure antimalware policies and real-time protection
-
-Using Configuration Manager and your device collection(s), configure your antimalware policies.
-
-- See [Create and deploy antimalware policies for Endpoint Protection in Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies).
-
-- While you create and configure your antimalware policies, make sure to review the [real-time protection settings](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) and [enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus).
-
-> [!TIP]
-> You can deploy the policies before your organization's devices on onboarded.
-
-## Next step
-
-**Congratulations**! You have completed the Setup phase of [migrating from Symantec to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)!
-
-- [Proceed to Phase 3: Onboard to Microsoft Defender for Endpoint](symantec-to-microsoft-defender-atp-onboard.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md
deleted file mode 100644
index bdb20dff52..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md
+++ /dev/null
@@ -1,110 +0,0 @@
----
-title: Track and respond to emerging threats with Microsoft Defender ATP threat analytics
-ms.reviewer:
-description: Learn about emerging threats and attack techniques and how to stop them. Assess their impact to your organization and evaluate your organizational resilience.
-keywords: threat analytics, risk evaluation, OS mitigation, microcode mitigation, mitigation status
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: lomayor
-author: lomayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: article
----
-
-# Track and respond to emerging threats with threat analytics
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-With more sophisticated adversaries and new threats emerging frequently and prevalently, it's critical to be able to quickly:
-
-- Assess the impact of new threats
-- Review your resilience against or exposure to the threats
-- Identify the actions you can take to stop or contain the threats
-
-Threat analytics is a set of reports from expert Microsoft security researchers covering the most relevant threats, including:
-
-- Active threat actors and their campaigns
-- Popular and new attack techniques
-- Critical vulnerabilities
-- Common attack surfaces
-- Prevalent malware
-
-Each report provides a detailed analysis of a threat and extensive guidance on how to defend against the threat. It also incorporates data from your network, indicating whether the threat is active and if you have applicable security updates and recommended settings in place.
-
-Watch this short video to learn more about how threat analytics can help you track the latest threats and stop them.
-
-
-> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bw1f]
-
-## View the threat analytics dashboard
-
-The threat analytics dashboard is a great jump off point for getting to the reports that are most relevant to your organization. It summarizes the threats in the following sections:
-
-- **Latest threats**—lists the most recently published threat reports, along with the number of devices with active and resolved alerts.
-- **High-impact threats**—lists the threats that have had the highest impact to the organization. This section ranks threats by the number of devices that have active alerts.
-- **Threat summary**—shows the overall impact of all the threats reported in threat analytics by showing the number of threats with active and resolved alerts.
-
-Select a threat from the dashboard to view the report for that threat.
-
-
-
-## View a threat analytics report
-
-Each threat analytics report provides information in three sections: **Overview**, **Analyst report**, and **Mitigations**.
-
-### Quickly understand a threat and assess its impact to your network in the overview
-
-The **Overview** section provides a preview of the detailed analyst report. It also provides charts that highlight the impact of the threat to your organization and your exposure through misconfigured and unpatched devices.
-
-
-_Overview section of a threat analytics report_
-
-#### Organizational impact
-Each report includes charts designed to provide information about the organizational impact of a threat:
-- **Devices with alerts**—shows the current number of distinct devices that have been impacted by the threat. A device is categorized as **Active** if there is at least one alert associated with that threat and **Resolved** if *all* alerts associated with the threat on the device have been resolved.
-- **Devices with alerts over time**—shows the number of distinct devices with **Active** and **Resolved** alerts over time. The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should be showing alerts resolved within a few days.
-
-#### Organizational resilience and exposure
-Each report includes charts that provide an overview of how resilient your organization is against a given threat:
-- **Security configuration status**—shows the number of devices that have applied the recommended security settings that can help mitigate the threat. Devices are considered **Secure** if they have applied _all_ the tracked settings.
-- **Vulnerability patching status**—shows the number of devices that have applied security updates or patches that address vulnerabilities exploited by the threat.
-
-### Get expert insight from the analyst report
-Go to the **Analyst report** section to read through the detailed expert write-up. Most reports provide detailed descriptions of attack chains, including tactics and techniques mapped to the MITRE ATT&CK framework, exhaustive lists of recommendations, and powerful [threat hunting](advanced-hunting-overview.md) guidance.
-
-
-_Analyst report section of a threat analytics report_
-
-### Review list of mitigations and the status of your devices
-In the **Mitigations** section, review the list of specific actionable recommendations that can help you increase your organizational resilience against the threat. The list of tracked mitigations includes recommended settings and vulnerability patches. It also shows the number of devices that don't have these mitigations in place.
-
-Mitigation information in this section incorporates data from [threat and vulnerability management](next-gen-threat-and-vuln-mgt.md), which also provides detailed drill-down information from various links in the report.
-
-
-_Mitigations section of a threat analytics report_
-
-
-## Additional report details and limitations
-When using the reports, keep the following in mind:
-
-- Data is scoped based on your role-based access control (RBAC) scope. You will see the status of devices in [groups that you can access](machine-groups.md).
-- Charts reflect only mitigations that are tracked. Check the report overview for additional mitigations that are not shown in the charts.
-- Mitigations don't guarantee complete resilience. The provided mitigations reflect the best possible actions needed to improve resiliency.
-- Devices are counted as "unavailable" if they have not transmitted data to the service.
-- Antivirus-related statistics are based on Microsoft Defender Antivirus settings. Devices with third-party antivirus solutions can appear as "exposed".
-
-## Related topics
-- [Proactively find threats with advanced hunting](advanced-hunting-overview.md)
-- [Assess and resolve security weaknesses and exposures](next-gen-threat-and-vuln-mgt.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md
deleted file mode 100644
index 86dbfb50a0..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md
+++ /dev/null
@@ -1,145 +0,0 @@
----
-title: Event timeline in threat and vulnerability management
-description: Event timeline is a "risk news feed" that helps you interpret how risk is introduced into the organization, and which mitigations happened to reduce it.
-keywords: event timeline, mdatp event timeline, mdatp tvm event timeline, threat and vulnerability management, Microsoft Defender Advanced Threat Protection
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
----
-# Event timeline - threat and vulnerability management
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
-
-Event timeline is a risk news feed that helps you interpret how risk is introduced into the organization through new vulnerabilities or exploits. You can view events that may impact your organization's risk. For example, you can find new vulnerabilities that were introduced, vulnerabilities that became exploitable, exploit that was added to an exploit kit, and more.
-
-Event timeline also tells the story of your [exposure score](tvm-exposure-score.md) so you can determine the cause of large changes. Reduce you exposure score by addressing what needs to be remediated based on the prioritized [security recommendations](tvm-security-recommendation.md).
-
-## Navigate to the Event timeline page
-
-You can access Event timeline mainly through three ways:
-
-- In the threat and vulnerability management navigation menu in the Microsoft Defender Security Center
-- Top events card in the [threat and vulnerability management dashboard](tvm-dashboard-insights.md). The highest impact events (for example, affect the most devices or critical vulnerabilities)
-- Hovering over the Exposure Score graph in the [threat and vulnerability management dashboard](tvm-dashboard-insights.md)
-
-### Navigation menu
-
-Go to the threat and vulnerability management navigation menu and select **Event timeline** to view impactful events.
-
-### Top events card
-
-In the threat and vulnerability management dashboard, the "Top events" card displays the three most impactful events in the last 7 days. Select **Show more** to go to the Event timeline page.
-
-
-
-### Exposure score graph
-
-In the threat and vulnerability management dashboard, hover over the Exposure score graph to view top events from that day that impacted your devices. If there are no events, then none will be shown.
-
-
-
-Selecting **Show all events from this day** takes you to the Event timeline page with a custom date range for that day.
-
-
-
-Select **Custom range** to change the date range to another custom one, or a pre-set time range.
-
-
-
-## Event timeline overview
-
-On the Event timeline page, you can view the all the necessary info related to an event.
-
-Features:
-
-- Customize columns
-- Filter by event type or percent of impacted devices
-- View 30, 50, or 100 items per page
-
-The two large numbers at the top of the page show the number of new vulnerabilities and exploitable vulnerabilities, not events. Some events can have multiple vulnerabilities, and some vulnerabilities can have multiple events.
-
-
-
->[!NOTE]
->Event type called "New configuration assessment" coming soon.
-
-### Columns
-
-- **Date**: month, day, year
-- **Event**: impactful event, including component, type, and number of impacted devices
-- **Related component**: software
-- **Originally impacted devices**: the number, and percentage, of impacted devices when this event originally occurred. You can also filter by the percent of originally impacted devices, out of your total number of devices.
-- **Currently impacted devices**: the current number, and percentage, of devices that this event currently impacts. You can find this field by selecting **Customize columns**.
-- **Types**: reflect time-stamped events that impact the score. They can be filtered.
- - Exploit added to an exploit kit
- - Exploit was verified
- - New public exploit
- - New vulnerability
-- **Score trend**: exposure score trend
-
-### Icons
-
-The following icons show up next to events:
-
--  New public exploit
--  New vulnerability was published
--  Exploit found in exploit kit
--  Exploit verified
-
-### Drill down to a specific event
-
-Once you select an event, a flyout will appear with a list of the details and current CVEs that affect your devices. You can show more CVEs or view the related recommendation.
-
-The arrow below "score trend" helps you determine whether this event potentially raised or lowered your organizational exposure score. Higher exposure score means devices are more vulnerable to exploitation.
-
-
-
-From there, select **Go to related security recommendation** view the recommendation that addresses the new software vulnerability in the [security recommendations page](tvm-security-recommendation.md). After reading the description and vulnerability details in the security recommendation, you can [submit a remediation request](tvm-security-recommendation.md#request-remediation), and track the request in the [remediation page](tvm-remediation.md).
-
-## View Event timelines in software pages
-
-To open a software page, select an event > select the hyperlinked software name (like Visual Studio 2017) in the section called "Related component" in the flyout. [Learn more about software pages](tvm-software-inventory.md#software-pages)
-
-A full page will appear with all the details of a specific software. Mouse over the graph to see the timeline of events for that specific software.
-
-
-
-Navigate to the event timeline tab to view all the events related to that software. You can also see security recommendations, discovered vulnerabilities, installed devices, and version distribution.
-
-
-
-## Related topics
-
-- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)
-- [Supported operating systems and platforms](tvm-supported-os.md)
-- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md)
-- [Exposure score](tvm-exposure-score.md)
-- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
-- [Security recommendations](tvm-security-recommendation.md)
-- [Remediation and exception](tvm-remediation.md)
-- [Software inventory](tvm-software-inventory.md)
-- [Weaknesses](tvm-weaknesses.md)
-- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
-- [Scenarios](threat-and-vuln-mgt-scenarios.md)
-- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
-- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
-- [Advanced hunting overview](overview-hunting.md)
-- [All advanced hunting tables](advanced-hunting-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
deleted file mode 100644
index 77b4642f92..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
+++ /dev/null
@@ -1,105 +0,0 @@
----
-title: Scenarios - threat and vulnerability management
-description: Learn how threat and vulnerability management can be used to help security admins, IT admins, and SecOps collaborate.
-keywords: mdatp-tvm scenarios, mdatp, tvm, tvm scenarios, reduce threat & vulnerability exposure, reduce threat and vulnerability, improve security configuration, increase Microsoft Secure Score for Devices, increase threat & vulnerability Microsoft Secure Score for Devices, Microsoft Secure Score for Devices, exposure score, security controls
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: article
----
-
-# Scenarios - threat and vulnerability management
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-## Use advanced hunting query to search for devices with High active alerts or critical CVE public exploit
-
-1. Go to **Advanced hunting** from the left-hand navigation pane of the Microsoft Defender Security Center.
-
-2. Scroll down to the TVM advanced hunting schemas to familiarize yourself with the column names.
-
-3. Enter the following queries:
-
-```kusto
-// Search for devices with High active alerts or Critical CVE public exploit
-DeviceTvmSoftwareInventoryVulnerabilities
-| join kind=inner(DeviceTvmSoftwareVulnerabilitiesKB) on CveId
-| where IsExploitAvailable == 1 and CvssScore >= 7
-| summarize NumOfVulnerabilities=dcount(CveId),
-DeviceName=any(DeviceName) by DeviceId
-| join kind =inner(DeviceAlertEvents) on DeviceId
-| summarize NumOfVulnerabilities=any(NumOfVulnerabilities),
-DeviceName=any(DeviceName) by DeviceId, AlertId
-| project DeviceName, NumOfVulnerabilities, AlertId
-| order by NumOfVulnerabilities desc
-
-```
-
-## Define a device's value to the organization
-
-Defining a device’s value helps you differentiate between asset priorities. The device value is used to incorporate the risk appetite of an individual asset into the threat and vulnerability management exposure score calculation. Devices marked as “high value” will receive more weight.
-
-You can also use the [set device value API](set-device-value.md).
-
-Device value options:
-
-- Low
-- Normal (Default)
-- High
-
-Examples of devices that should be marked as high value:
-
-- Domain controllers, Active Directory
-- Internet facing devices
-- VIP devices
-- Devices hosting internal/external production services
-
-### Set device value
-
-1. Navigate to any device page, the easiest place is from the device inventory.
-
-2. Select **Device Value** from three dots next to the actions bar at the top of the page.
- 
-
-
-
-3. A flyout will appear with the current device value and what it means. Review the value of the device and choose the one that best fits your device.
-
-
-
-## Related topics
-
-- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)
-- [Supported operating systems and platforms](tvm-supported-os.md)
-- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md)
-- [Exposure score](tvm-exposure-score.md)
-- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
-- [Security recommendations](tvm-security-recommendation.md)
-- [Remediation and exception](tvm-remediation.md)
-- [Software inventory](tvm-software-inventory.md)
-- [Weaknesses](tvm-weaknesses.md)
-- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
-- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
-- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
-- [Advanced hunting overview](overview-hunting.md)
-- [All advanced hunting tables](advanced-hunting-reference.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md b/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md
deleted file mode 100644
index a4691bc3cc..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md
+++ /dev/null
@@ -1,71 +0,0 @@
----
-title: Understand threat intelligence concepts in Microsoft Defender ATP
-description: Create custom threat alerts for your organization and learn the concepts around threat intelligence in Microsoft Defender Advanced Threat Protection.
-keywords: threat intelligence, alert definitions, indicators of compromise, ioc
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Understand threat intelligence concepts
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-threatindicator-abovefoldlink)
-
-Advanced cybersecurity attacks comprise of multiple complex malicious events, attributes, and contextual information. Identifying and deciding which of these activities qualify as suspicious can be a challenging task. Your knowledge of known attributes and abnormal activities specific to your industry is fundamental in knowing when to call an observed behavior as suspicious.
-
-With Microsoft Defender ATP, you can create custom threat alerts that can help you keep track of possible attack activities in your organization. You can flag suspicious events to piece together clues and possibly stop an attack chain. These custom threat alerts will only appear in your organization and will flag events that you set it to track.
-
-Before creating custom threat alerts, it's important to know the concepts behind alert definitions and indicators of compromise (IOCs) and the relationship between them.
-
-## Alert definitions
-Alert definitions are contextual attributes that can be used collectively to identify early clues on a possible cybersecurity attack. These indicators are typically a combination of activities, characteristics, and actions taken by an attacker to successfully achieve the objective of an attack. Monitoring these combinations of attributes is critical in gaining a vantage point against attacks and possibly interfering with the chain of events before an attacker's objective is reached.
-
-## Indicators of compromise (IOC)
-IOCs are individually-known malicious events that indicate that a network or device has already been breached. Unlike alert definitions, these indicators are considered as evidence of a breach. They are often seen after an attack has already been carried out and the objective has been reached, such as exfiltration. Keeping track of IOCs is also important during forensic investigations. Although it might not provide the ability to intervene with an attack chain, gathering these indicators can be useful in creating better defenses for possible future attacks.
-
-## Relationship between alert definitions and IOCs
-In the context of Microsoft Defender ATP, alert definitions are containers for IOCs and defines the alert, including the metadata that is raised in case of a specific IOC match. Various metadata is provided as part of the alert definitions. Metadata such as alert definition name of attack, severity, and description is provided along with other options.
-
-Each IOC defines the concrete detection logic based on its type and value as well as its action, which determines how it is matched. It is bound to a specific alert definition that defines how a detection is displayed as an alert on the Microsoft Defender ATP console.
-
-Here is an example of an IOC:
-- Type: Sha1
-- Value: 92cfceb39d57d914ed8b14d0e37643de0797ae56
-- Action: Equals
-
-IOCs have a many-to-one relationship with alert definitions such that an alert definition can have many IOCs that correspond to it.
-
-## In this section
-
-Topic | Description
-:---|:---
-[Pull detections to your SIEM tools](configure-siem.md)| Learn about different ways to pull detections.
-[Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)| Learn about enabling the SIEM integration feature in the **Settings** page in the portal so that you can use and generate the required information to configure supported SIEM tools.
-[Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)| Learn about installing the REST API Modular Input App and other configuration settings to enable Splunk to pull Microsoft Defender ATP detections.
-[Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Microsoft Defender ATP detections.
-[Microsoft Defender ATP Detection fields](api-portal-mapping.md) | Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center.
-[Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) | Use the Client credentials OAuth 2.0 flow to pull detections from Microsoft Defender ATP using REST API.
-[Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) | Address issues you might encounter when using the SIEM integration feature.
-
-
-
-## Related topics
-- [Manage indicators](manage-indicators.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md
deleted file mode 100644
index a8d1540ac2..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md
+++ /dev/null
@@ -1,69 +0,0 @@
----
-title: Integrate Microsoft Defender ATP with other Microsoft solutions
-ms.reviewer:
-description: Learn how Microsoft Defender ATP integrates with other Microsoft solutions, including Azure Advanced Threat Protection and Azure Security Center.
-keywords: microsoft threat protection, conditional access, office, advanced threat protection, azure atp, azure security center, microsoft cloud app security
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Microsoft Defender ATP and other Microsoft solutions
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-## Integrate with other Microsoft solutions
-
- Microsoft Defender ATP directly integrates with various Microsoft solutions.
-
-### Azure Advanced Threat Protection (Azure ATP)
- Suspicious activities are processes running under a user context. The integration between Microsoft Defender ATP and Azure ATP provides the flexibility of conducting cyber security investigation across activities and identities.
-
-### Azure Security Center
-Microsoft Defender ATP provides a comprehensive server protection solution, including endpoint detection and response (EDR) capabilities on Windows Servers.
-
-### Azure Information Protection
-Keep sensitive data secure while enabling productivity in the workplace through data discovery and data protection.
-
-### Conditional Access
-Microsoft Defender ATP's dynamic device risk score is integrated into the Conditional Access evaluation, ensuring that only secure devices have access to resources.
-
-
-### Microsoft Cloud App Security
-Microsoft Cloud App Security leverages Microsoft Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Microsoft Defender ATP monitored devices.
-
-### Office 365 Advanced Threat Protection (Office 365 ATP)
-[Office 365 ATP](https://docs.microsoft.com/office365/securitycompliance/office-365-atp) helps protect your organization from malware in email messages or files through ATP Safe Links, ATP Safe Attachments, advanced Anti-Phishing, and spoof intelligence capabilities. The integration between Office 365 ATP and Microsoft Defender ATP enables security analysts to go upstream to investigate the entry point of an attack. Through threat intelligence sharing, attacks can be contained and blocked.
-
->[!NOTE]
-> Office 365 ATP data is displayed for events within the last 30 days. For alerts, Office 365 ATP data is displayed based on first activity time. After that, the data is no longer available in Office 365 ATP.
-
-### Skype for Business
-The Skype for Business integration provides a way for analysts to communicate with a potentially compromised user or device owner through a simple button from the portal.
-
-## Microsoft Threat Protection
- With Microsoft Threat Protection, Microsoft Defender ATP and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate and automatically respond to sophisticated attacks.
-
- [Learn more about Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)
-
-
-## Related topics
-- [Configure integration and other advanced features](advanced-features.md)
-- [Microsoft Threat Protection overview](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)
-- [Turn on Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-enable)
-- [Protect users, data, and devices with Conditional Access](conditional-access.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md
deleted file mode 100644
index 3fff8e808b..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md
+++ /dev/null
@@ -1,91 +0,0 @@
----
-title: Threat protection report in Microsoft Defender ATP
-description: Track alert detections, categories, and severity using the threat protection report
-keywords: alert detection, source, alert by category, alert severity, alert classification, determination
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Threat protection report in Microsoft Defender ATP
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-The threat protection report provides high-level information about alerts generated in your organization. The report includes trending information showing the detection sources, categories, severities, statuses, classifications, and determinations of alerts across time.
-
-The dashboard is structured into two sections:
-
-
-
-Section | Description
-:---|:---
-1 | Alerts trends
-2 | Alert summary
-
-## Alert trends
-By default, the alert trends display alert information from the 30-day period ending in the latest full day. To gain better perspective on trends occurring in your organization, you can fine-tune the reporting period by adjusting the time period shown. To adjust the time period, select a time range from the drop-down options:
-
-- 30 days
-- 3 months
-- 6 months
-- Custom
-
->[!NOTE]
->These filters are only applied on the alert trends section. It doesn't affect the alert summary section.
-
-
-## Alert summary
-While the alert trends shows trending alert information, the alert summary shows alert information scoped to the current day.
-
- The alert summary allows you to drill down to a particular alert queue with the corresponding filter applied to it. For example, clicking on the EDR bar in the Detection sources card will bring you the alerts queue with results showing only alerts generated from EDR detections.
-
->[!NOTE]
->The data reflected in the summary section is scoped to 180 days prior to the current date. For example if today's date is November 5, 2019, the data on the summary section will reflect numbers starting from May 5, 2019 to November 5, 2019.
-> The filter applied on the trends section is not applied on the summary section.
-
-## Alert attributes
-The report is made up of cards that display the following alert attributes:
-
-- **Detection sources**: shows information about the sensors and detection technologies that provide the data used by Microsoft Defender ATP to trigger alerts.
-
-- **Threat categories**: shows the types of threat or attack activity that triggered alerts, indicating possible focus areas for your security operations.
-
-- **Severity**: shows the severity level of alerts, indicating the collective potential impact of threats to your organization and the level of response needed to address them.
-
-- **Status**: shows the resolution status of alerts, indicating the efficiency of your manual alert responses and of automated remediation (if enabled).
-
-- **Classification & determination**: shows how you have classified alerts upon resolution, whether you have classified them as actual threats (true alerts) or as incorrect detections (false alerts). These cards also show the determination of resolved alerts, providing additional insight like the types of actual threats found or the legitimate activities that were incorrectly detected.
-
-
-
-
-## Filter data
-
-Use the provided filters to include or exclude alerts with certain attributes.
-
->[!NOTE]
->These filters apply to **all** the cards in the report.
-
-For example, to show data about high-severity alerts only:
-
-1. Under **Filters > Severity**, select **High**
-2. Ensure that all other options under **Severity** are deselected.
-3. Select **Apply**.
-
-## Related topic
-- [Device health and compliance report](machine-reports.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md
deleted file mode 100644
index 039703000c..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md
+++ /dev/null
@@ -1,81 +0,0 @@
----
-title: Indicator resource type
-description: Specify the entity details and define the expiration of the indicator using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
-keywords: apis, supported apis, get, TiIndicator, Indicator, recent
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Indicator resource type
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-- See the corresponding [Indicators page](https://securitycenter.windows.com/preferences2/custom_ti_indicators/files) in the portal.
-
-Method|Return Type |Description
-:---|:---|:---
-[List Indicators](get-ti-indicators-collection.md) | [Indicator](ti-indicator.md) Collection | List [Indicator](ti-indicator.md) entities.
-[Submit Indicator](post-ti-indicator.md) | [Indicator](ti-indicator.md) | Submits [Indicator](ti-indicator.md) entity.
-[Delete Indicator](delete-ti-indicator-by-id.md) | No Content | Deletes [Indicator](ti-indicator.md) entity.
-
-
-## Properties
-Property | Type | Description
-:---|:---|:---
-id | String | Identity of the [Indicator](ti-indicator.md) entity.
-indicatorValue | String | The value of the [Indicator](ti-indicator.md).
-indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url".
-application | String | The application associated with the indicator.
-action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed".
-sourceType | Enum | "User" in case the Indicator created by a user (e.g. from the portal), "AadApp" in case it submitted using automated application via the API.
-source | string | The name of the user/application that submitted the indicator.
-createdBy | String | Unique identity of the user/application that submitted the indicator.
-lastUpdatedBy | String | Identity of the user/application that last updated the indicator.
-creationTimeDateTimeUtc | DateTimeOffset | The date and time when the indicator was created.
-expirationTime | DateTimeOffset | The expiration time of the indicator.
-lastUpdateTime | DateTimeOffset | The last time the indicator was updated.
-severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High".
-title | String | Indicator title.
-description | String | Description of the indicator.
-recommendedActions | String | Recommended actions for the indicator.
-rbacGroupNames | List of strings | RBAC device group names where the indicator is exposed and active. Empty list in case it exposed to all devices.
-
-
-## Json representation
-
-```json
-{
- "id": "994",
- "indicatorValue": "881c0f10c75e64ec39d257a131fcd531f47dd2cff2070ae94baa347d375126fd",
- "indicatorType": "FileSha256",
- "action": "AlertAndBlock",
- "application": null,
- "source": "user@contoso.onmicrosoft.com",
- "sourceType": "User",
- "createdBy": "user@contoso.onmicrosoft.com",
- "severity": "Informational",
- "title": "Michael test",
- "description": "test",
- "recommendedActions": "nothing",
- "creationTimeDateTimeUtc": "2019-12-19T09:09:46.9139216Z",
- "expirationTime": null,
- "lastUpdateTime": "2019-12-19T09:09:47.3358111Z",
- "lastUpdatedBy": null,
- "rbacGroupNames": ["team1"]
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md b/windows/security/threat-protection/microsoft-defender-atp/time-settings.md
deleted file mode 100644
index c2362f07ac..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md
+++ /dev/null
@@ -1,96 +0,0 @@
----
-title: Microsoft Defender Security Center time zone settings
-description: Use the info contained here to configure the Microsoft Defender Security Center time zone settings and view license information.
-keywords: settings, Microsoft Defender, cybersecurity threat intelligence, advanced threat protection, time zone, utc, local time, license
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Microsoft Defender Security Center time zone settings
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-settings-abovefoldlink)
-
-Use the **Time zone** menu  to configure the time zone and view license information.
-
-## Time zone settings
-The aspect of time is important in the assessment and analysis of perceived and actual cyberattacks.
-
-Cyberforensic investigations often rely on time stamps to piece together the sequence of events. It’s important that your system reflects the correct time zone settings.
-
-Microsoft Defender ATP can display either Coordinated Universal Time (UTC) or local time.
-
-Your current time zone setting is shown in the Microsoft Defender ATP menu. You can change the displayed time zone in the **Time zone** menu.
-
-.
-
-### UTC time zone
-Microsoft Defender ATP uses UTC time by default.
-
-Setting the Microsoft Defender ATP time zone to UTC will display all system timestamps (alerts, events, and others) in UTC for all users. This can help security analysts working in different locations across the globe to use the same time stamps while investigating events.
-
-### Local time zone
-You can choose to have Microsoft Defender ATP use local time zone settings. All alerts and events will be displayed using your local time zone.
-
-The local time zone is taken from your device’s regional settings. If you change your regional settings, the Microsoft Defender ATP time zone will also change. Choosing this setting means that the timestamps displayed in Microsoft Defender ATP will be aligned to local time for all Microsoft Defender ATP users. Analysts located in different global locations will now see the Microsoft Defender ATP alerts according to their regional settings.
-
-Choosing to use local time can be useful if the analysts are located in a single location. In this case it might be easier to correlate events to local time, for example – when a local user clicked on a suspicious email link.
-
-### Set the time zone
-The Microsoft Defender ATP time zone is set by default to UTC.
-Setting the time zone also changes the times for all Microsoft Defender ATP views.
-To set the time zone:
-
-1. Click the **Time zone** menu .
-2. Select the **Timezone UTC** indicator.
-3. Select **Timezone UTC** or your local time zone, for example -7:00.
-
-### Regional settings
-To apply different date formats for Microsoft Defender ATP, use regional settings for Internet Explorer (IE) and Microsoft Edge (Edge). If you're using another browser such as Google Chrome, follow the required steps to change the time and date settings for that browser.
-
-
-**Internet Explorer (IE) and Microsoft Edge**
-
-IE and Microsoft Edge use the **Region** settings configured in the **Clocks, Language, and Region** option in the Control panel.
-
-
-#### Known issues with regional formats
-
-**Date and time formats**
-There are some known issues with the time and date formats. If you configure your regional settings to anything other than the supported formats, the portal may not correctly reflect your settings.
-
-The following date and time formats are supported:
-- Date format MM/dd/yyyy
-- Date format dd/MM/yyyy
-- Time format hh:mm:ss (12 hour format)
-
-The following date and time formats are currently not supported:
-- Date format yyyy-MM-dd
-- Date format dd-MMM-yy
-- Date format dd/MM/yy
-- Date format MM/dd/yy
-- Date format with yy. Will only show yyyy.
-- Time format HH:mm:ss (24 hour format)
-
-**Decimal symbol used in numbers**
-Decimal symbol used is always a dot, even if a comma is selected in the **Numbers** format settings in **Region** settings. For example, 15,5K is displayed as 15.5K.
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md
deleted file mode 100644
index ba95b235f8..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md
+++ /dev/null
@@ -1,119 +0,0 @@
----
-title: Troubleshoot problems with attack surface reduction rules
-description: Resources and sample code to troubleshoot issues with attack surface reduction rules in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
-keywords: troubleshoot, error, fix, windows defender eg, asr, rules, hips, troubleshoot, audit, exclusion, false positive, broken, blocking, microsoft defender atp, microsoft defender advanced threat protection
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.localizationpriority: medium
-audience: ITPro
-author: denisebmsft
-ms.author: deniseb
-ms.date: 03/27/2019
-ms.reviewer:
-manager: dansimp
-ms.custom: asr
----
-
-# Troubleshoot attack surface reduction rules
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-When you use [attack surface reduction rules](attack-surface-reduction.md) you may run into issues, such as:
-
-- A rule blocks a file, process, or performs some other action that it should not (false positive)
-
-- A rule does not work as described, or does not block a file or process that it should (false negative)
-
-There are four steps to troubleshooting these problems:
-
-1. [Confirm prerequisites](#confirm-prerequisites)
-
-2. [Use audit mode to test the rule](#use-audit-mode-to-test-the-rule)
-
-3. [Add exclusions for the specified rule](#add-exclusions-for-a-false-positive) (for false positives)
-
-4. [Submit support logs](#collect-diagnostic-data-for-file-submissions)
-
-## Confirm prerequisites
-
-Attack surface reduction rules will only work on devices with the following conditions:
-
-- Endpoints are running Windows 10 Enterprise, version 1709 (also known as the Fall Creators Update).
-
-- Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Microsoft Defender AV to disable itself](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
-
-- [Real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled.
-
-- Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
-
-If these prerequisites have all been met, proceed to the next step to test the rule in audit mode.
-
-## Use audit mode to test the rule
-
-You can visit the Windows Defender Test ground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm attack surface reduction rules are generally working for pre-configured scenarios and processes on a device, or you can use audit mode, which enables rules for reporting only.
-
-Follow these instructions in [Use the demo tool to see how attack surface reduction rules work](evaluate-attack-surface-reduction.md) to test the specific rule you are encountering problems with.
-
-1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). Audit mode allows the rule to report the file or process, but will still allow it to run.
-
-2. Perform the activity that is causing an issue (for example, open or execute the file or process that should be blocked but is being allowed).
-
-3. [Review the attack surface reduction rule event logs](attack-surface-reduction.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**.
-
-If a rule is not blocking a file or process that you are expecting it should block, first check if audit mode is enabled.
-
-Audit mode may have been enabled for testing another feature, or by an automated PowerShell script, and may not have been disabled after the tests were completed.
-
-If you've tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on pre-configured scenarios, but the rule is not working as expected, proceed to either of the following sections based on your situation:
-
-1. If the attack surface reduction rule is blocking something that it should not block (also known as a false positive), you can [first add an attack surface reduction rule exclusion](#add-exclusions-for-a-false-positive).
-
-2. If the attack surface reduction rule is not blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data-for-file-submissions).
-
-## Add exclusions for a false positive
-
-If the attack surface reduction rule is blocking something that it should not block (also known as a false positive), you can add exclusions to prevent attack surface reduction rules from evaluating the excluded files or folders.
-
-To add an exclusion, see [Customize Attack surface reduction](customize-attack-surface-reduction.md).
-
->[!IMPORTANT]
->You can specify individual files and folders to be excluded, but you cannot specify individual rules.
->This means any files or folders that are excluded will be excluded from all ASR rules.
-
-## Report a false positive or false negative
-
-Use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/wdsi/filesubmission) to report a false negative or false positive for network protection. With a Windows E5 subscription, you can also [provide a link to any associated alert](../microsoft-defender-atp/alerts-queue.md).
-
-## Collect diagnostic data for file submissions
-
-When you report a problem with attack surface reduction rules, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues.
-
-1. Open an elevated command prompt and change to the Windows Defender directory:
-
- ```console
- cd c:\program files\windows defender
- ```
-
-2. Run this command to generate the diagnostic logs:
-
- ```console
- mpcmdrun -getfiles
- ```
-
-3. By default, they are saved to `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`. Attach the file to the submission form.
-
-## Related articles
-
-- [Attack surface reduction rules](attack-surface-reduction.md)
-
-- [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
-
-- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-collect-support-log.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-collect-support-log.md
deleted file mode 100644
index eecaf63643..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-collect-support-log.md
+++ /dev/null
@@ -1,75 +0,0 @@
----
-title: Collect support logs in Microsoft Defender ATP using live response
-description: Learn how to collect logs using live response to troubleshoot Microsoft Defender ATP issues
-keywords: support, log, collect, troubleshoot, live response, liveanalyzer, analyzer, live, response
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: troubleshooting
----
-
-# Collect support logs in Microsoft Defender ATP using live response
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-When contacting support, you may be asked to provide the output package of the Microsoft Defender ATP Client Analyzer tool.
-
-This topic provides instructions on how to run the tool via Live Response.
-
-1. Download the appropriate script
- * Microsoft Defender ATP client sensor logs only: [LiveAnalyzer.ps1 script](https://aka.ms/MDATPLiveAnalyzer).
- - Result package approximate size: ~100Kb
- * Microsoft Defender ATP client sensor and Antivirus logs: [LiveAnalyzer+MDAV.ps1 script](https://aka.ms/MDATPLiveAnalyzerAV).
- - Result package approximate size: ~10Mb
-
-2. Initiate a [Live Response session](live-response.md#initiate-a-live-response-session-on-a-device) on the machine you need to investigate.
-
-3. Select **Upload file to library**.
-
- 
-
-4. Select **Choose file**.
-
- 
-
-5. Select the downloaded file named MDATPLiveAnalyzer.ps1 and then click on **Confirm**
-
-
- 
-
-
-6. While still in the LiveResponse session, use the commands below to run the analyzer and collect the result file:
-
- ```console
- Run MDATPLiveAnalyzer.ps1
- GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDATPClientAnalyzerResult.zip" -auto
- ```
-
- 
-
-
->[!NOTE]
-> - The latest preview version of MDATPClientAnalyzer can be downloaded here: [https://aka.ms/Betamdatpanalyzer](https://aka.ms/Betamdatpanalyzer).
->
-> - The LiveAnalyzer script downloads the troubleshooting package on the destination machine from: https://mdatpclientanalyzer.blob.core.windows.net.
->
-> If you cannot allow the machine to reach the above URL, then upload MDATPClientAnalyzerPreview.zip file to the library before running the LiveAnalyzer script:
->
-> ```console
-> PutFile MDATPClientAnalyzerPreview.zip -overwrite
-> Run MDATPLiveAnalyzer.ps1
-> GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDATPClientAnalyzerResult.zip" -auto
-> ```
->
-> - For more information on gathering data locally on a machine in case the machine isn't communicating with Microsoft Defender ATP cloud services, or does not appear in MDATP portal as expected, see [Verify client connectivity to Microsoft Defender ATP service URLs](configure-proxy-internet.md#verify-client-connectivity-to-microsoft-defender-atp-service-urls).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md
deleted file mode 100644
index 2773899fc2..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md
+++ /dev/null
@@ -1,205 +0,0 @@
----
-title: Troubleshoot exploit protection mitigations
-keywords: Exploit protection, mitigations, troubleshoot, import, export, configure, emet, convert, conversion, deploy, install
-description: Learn how to deal with unwanted mitigations in Windows Security, including a process to remove all mitigations and import a baseline configuration file instead.
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-audience: ITPro
-author: dansimp
-ms.author: dansimp
-ms.date: 08/09/2018
-ms.reviewer:
-manager: dansimp
----
-
-# Troubleshoot exploit protection mitigations
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-When you create a set of exploit protection mitigations (known as a configuration), you might find that the configuration export and import process does not remove all unwanted mitigations.
-
-You can manually remove unwanted mitigations in Windows Security, or you can use the following process to remove all mitigations and then import a baseline configuration file instead.
-
-1. Remove all process mitigations with this PowerShell script:
-
- ```PowerShell
- # Check if Admin-Privileges are available
- function Test-IsAdmin {
- ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
- }
-
- # Delete ExploitGuard ProcessMitigations for a given key in the registry. If no other settings exist under the specified key,
- # the key is deleted as well
- function Remove-ProcessMitigations([Object] $Key, [string] $Name) {
- Try {
- if ($Key.GetValue("MitigationOptions")) {
- Write-Host "Removing MitigationOptions for: " $Name
- Remove-ItemProperty -Path $Key.PSPath -Name "MitigationOptions" -ErrorAction Stop;
- }
- if ($Key.GetValue("MitigationAuditOptions")) {
- Write-Host "Removing MitigationAuditOptions for: " $Name
- Remove-ItemProperty -Path $Key.PSPath -Name "MitigationAuditOptions" -ErrorAction Stop;
- }
-
- # Remove the FilterFullPath value if there is nothing else
- if (($Key.SubKeyCount -eq 0) -and ($Key.ValueCount -eq 1) -and ($Key.GetValue("FilterFullPath"))) {
- Remove-ItemProperty -Path $Key.PSPath -Name "FilterFullPath" -ErrorAction Stop;
- }
-
- # If the key is empty now, delete it
- if (($Key.SubKeyCount -eq 0) -and ($Key.ValueCount -eq 0)) {
- Write-Host "Removing empty Entry: " $Name
- Remove-Item -Path $Key.PSPath -ErrorAction Stop
- }
- }
- Catch {
- Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)"
- }
- }
-
- # Delete all ExploitGuard ProcessMitigations
- function Remove-All-ProcessMitigations {
- if (!(Test-IsAdmin)) {
- throw "ERROR: No Administrator-Privileges detected!"; return
- }
-
- Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" | ForEach-Object {
- $MitigationItem = $_;
- $MitigationItemName = $MitigationItem.PSChildName
-
- Try {
- Remove-ProcessMitigations $MitigationItem $MitigationItemName
-
- # "UseFilter" indicate full path filters may be present
- if ($MitigationItem.GetValue("UseFilter")) {
- Get-ChildItem -Path $MitigationItem.PSPath | ForEach-Object {
- $FullPathItem = $_
- if ($FullPathItem.GetValue("FilterFullPath")) {
- $Name = $MitigationItemName + "-" + $FullPathItem.GetValue("FilterFullPath")
- Write-Host "Removing FullPathEntry: " $Name
- Remove-ProcessMitigations $FullPathItem $Name
- }
-
- # If there are no subkeys now, we can delete the "UseFilter" value
- if ($MitigationItem.SubKeyCount -eq 0) {
- Remove-ItemProperty -Path $MitigationItem.PSPath -Name "UseFilter" -ErrorAction Stop
- }
- }
- }
- if (($MitigationItem.SubKeyCount -eq 0) -and ($MitigationItem.ValueCount -eq 0)) {
- Write-Host "Removing empty Entry: " $MitigationItemName
- Remove-Item -Path $MitigationItem.PSPath -ErrorAction Stop
- }
- }
- Catch {
- Write-Host "ERROR:" $_.Exception.Message "- at ($MitigationItemName)"
- }
- }
- }
-
- # Delete all ExploitGuard System-wide Mitigations
- function Remove-All-SystemMitigations {
-
- if (!(Test-IsAdmin)) {
- throw "ERROR: No Administrator-Privileges detected!"; return
- }
-
- $Kernel = Get-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel"
-
- Try {
- if ($Kernel.GetValue("MitigationOptions"))
- { Write-Host "Removing System MitigationOptions"
- Remove-ItemProperty -Path $Kernel.PSPath -Name "MitigationOptions" -ErrorAction Stop;
- }
- if ($Kernel.GetValue("MitigationAuditOptions"))
- { Write-Host "Removing System MitigationAuditOptions"
- Remove-ItemProperty -Path $Kernel.PSPath -Name "MitigationAuditOptions" -ErrorAction Stop;
- }
- } Catch {
- Write-Host "ERROR:" $_.Exception.Message "- System"
- }
- }
-
- Remove-All-ProcessMitigations
- Remove-All-SystemMitigations
- ```
-
-2. Create and import an XML configuration file with the following default mitigations, as described in Import, export, and deploy Exploit Protection configurations:
-
- ```xml
-
-
-There are some known issues with the time and date formats.
-
-The following date formats are supported:
-- MM/dd/yyyy
-- dd/MM/yyyy
-
-The following date and time formats are currently not supported:
-- Date format yyyy/MM/dd
-- Date format dd/MM/yy
-- Date format with yy. Will only show yyyy.
-- Time format HH:mm:ss is not supported (the 12 hour AM/PM format is not supported). Only the 24-hour format is supported.
-
-**Use of comma to indicate thousand**
-Support of use of comma as a separator in numbers are not supported. Regions where a number is separated with a comma to indicate a thousand, will only see the use of a dot as a separator. For example, 15,5K is displayed as 15.5K.
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-troubleshoot-belowfoldlink)
-
-## Microsoft Defender ATP tenant was automatically created in Europe
-When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created. The Microsoft Defender ATP data is stored in Europe by default.
-
-
-
-
-
-## Related topics
-- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)
-- [Review events and errors using Event Viewer](event-error-codes.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
deleted file mode 100644
index f925f8ec6f..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
+++ /dev/null
@@ -1,103 +0,0 @@
----
-title: Troubleshoot problems with Network protection
-description: Resources and sample code to troubleshoot issues with Network protection in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
-keywords: troubleshoot, error, fix, windows defender eg, asr, rules, hips, troubleshoot, audit, exclusion, false positive, broken, blocking, microsoft defender atp, microsoft defender advanced threat protection
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-ms.localizationpriority: medium
-audience: ITPro
-author: dansimp
-ms.author: dansimp
-ms.date: 03/27/2019
-ms.reviewer:
-manager: dansimp
----
-
-# Troubleshoot network protection
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-* IT administrators
-
-When you use [Network protection](network-protection.md) you may encounter issues, such as:
-
-* Network protection blocks a website that is safe (false positive)
-* Network protection fails to block a suspicious or known malicious website (false negative)
-
-There are four steps to troubleshooting these problems:
-
-1. Confirm prerequisites
-2. Use audit mode to test the rule
-3. Add exclusions for the specified rule (for false positives)
-4. Submit support logs
-
-## Confirm prerequisites
-
-Network protection will only work on devices with the following conditions:
-
->[!div class="checklist"]
-> * Endpoints are running Windows 10 Enterprise edition, version 1709 or higher (also known as the Fall Creators Update).
-> * Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Microsoft Defender AV to disable itself](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
-> * [Real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled.
-> * [Cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) is enabled.
-> * Audit mode is not enabled. Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**).
-
-## Use audit mode
-
-You can enable network protection in audit mode and then visit a website that we've created to demo the feature. All website connections will be allowed by network protection but an event will be logged to indicate any connection that would have been blocked if network protection was enabled.
-
-1. Set network protection to **Audit mode**.
-
- ```PowerShell
- Set-MpPreference -EnableNetworkProtection AuditMode
- ```
-
-1. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block).
-
-1. [Review the network protection event logs](network-protection.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**.
-
- If network protection is not blocking a connection that you are expecting it should block, enable the feature.
-
- ```PowerShell
- Set-MpPreference -EnableNetworkProtection Enabled
- ```
-
-## Report a false positive or false negative
-
-If you've tested the feature with the demo site and with audit mode, and network protection is working on pre-configured scenarios, but is not working as expected for a specific connection, use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/wdsi/filesubmission) to report a false negative or false positive for network protection. With an E5 subscription, you can also [provide a link to any associated alert](../microsoft-defender-atp/alerts-queue.md).
-
-## Exclude website from network protection scope
-
-To allow the website that is being blocked (false positive), add its URL to the [list of trusted sites](https://blogs.msdn.microsoft.com/asiatech/2014/08/19/how-to-add-web-sites-to-trusted-sites-via-gpo-from-dc-installed-ie10-or-higher-ie-version/). Web resources from this list bypass the network protection check.
-
-## Collect diagnostic data for file submissions
-
-When you report a problem with network protection, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues.
-
-1. Open an elevated command prompt and change to the Windows Defender directory:
-
- ```PowerShell
- cd c:\program files\windows defender
- ```
-
-1. Run this command to generate the diagnostic logs:
-
- ```PowerShell
- mpcmdrun -getfiles
- ```
-
-1. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form.
-
-## Related topics
-
-* [Network protection](network-protection.md)
-* [Evaluate network protection](evaluate-network-protection.md)
-* [Enable network protection](enable-network-protection.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md
deleted file mode 100644
index 42a3ad5d0b..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md
+++ /dev/null
@@ -1,94 +0,0 @@
----
-title: Troubleshoot onboarding issues and error messages
-description: Troubleshoot onboarding issues and error message while completing setup of Microsoft Defender Advanced Threat Protection.
-keywords: troubleshoot, troubleshooting, Azure Active Directory, onboarding, error message, error messages, microsoft defender atp
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: troubleshooting
----
-
-# Troubleshoot subscription and portal access issues
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-troublshootonboarding-abovefoldlink)
-
-
-This page provides detailed steps to troubleshoot issues that might occur when setting up your Microsoft Defender ATP service.
-
-If you receive an error message, Microsoft Defender Security Center will provide a detailed explanation on what the issue is and relevant links will be supplied.
-
-## No subscriptions found
-
-If while accessing Microsoft Defender Security Center you get a **No subscriptions found** message, it means the Azure Active Directory (AAD) used to login the user to the portal, does not have a Microsoft Defender ATP license.
-
-Potential reasons:
-- The Windows E5 and Office E5 licenses are separate licenses.
-- The license was purchased but not provisioned to this AAD instance.
- - It could be a license provisioning issue.
- - It could be you inadvertently provisioned the license to a different Microsoft AAD than the one used for authentication into the service.
-
-For both cases you should contact Microsoft support at [General Microsoft Defender ATP Support](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636419533611396913) or
-[Volume license support](https://www.microsoft.com/licensing/servicecenter/Help/Contact.aspx).
-
-
-
-## Your subscription has expired
-
-If while accessing Microsoft Defender Security Center you get a **Your subscription has expired** message, your online service subscription has expired. Microsoft Defender ATP subscription, like any other online service subscription, has an expiration date.
-
-You can choose to renew or extend the license at any point in time. When accessing the portal after the expiration date a **Your subscription has expired** message will be presented with an option to download the device offboarding package, should you choose to not renew the license.
-
-> [!NOTE]
-> For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
-
-
-
-## You are not authorized to access the portal
-
-If you receive a **You are not authorized to access the portal**, be aware that Microsoft Defender ATP is a security monitoring, incident investigation and response product, and as such, access to it is restricted and controlled by the user.
-For more information see, [**Assign user access to the portal**](https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection).
-
-
-
-## Data currently isn't available on some sections of the portal
-If the portal dashboard, and other sections show an error message such as "Data currently isn't available":
-
-
-
-You'll need to allow the `securitycenter.windows.com` and all sub-domains under it. For example `*.securitycenter.windows.com`.
-
-
-## Portal communication issues
-If you encounter issues with accessing the portal, missing data, or restricted access to portions of the portal, you'll need to verify that the following URLs are allowed and open for communication.
-
-- `*.blob.core.windows.net
-crl.microsoft.com`
-- `https://*.microsoftonline-p.com`
-- `https://*.securitycenter.windows.com`
-- `https://automatediracs-eus-prd.securitycenter.windows.com`
-- `https://login.microsoftonline.com`
-- `https://login.windows.net`
-- `https://onboardingpackagescusprd.blob.core.windows.net`
-- `https://secure.aadcdn.microsoftonline-p.com`
-- `https://securitycenter.windows.com`
-- `https://static2.sharepointonline.com`
-
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md
deleted file mode 100644
index d55165aaae..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md
+++ /dev/null
@@ -1,452 +0,0 @@
----
-title: Troubleshoot Microsoft Defender ATP onboarding issues
-description: Troubleshoot issues that might arise during the onboarding of devices or to the Microsoft Defender ATP service.
-keywords: troubleshoot onboarding, onboarding issues, event viewer, data collection and preview builds, sensor data and diagnostics
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: troubleshooting
----
-
-# Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-- Windows Server 2012 R2
-- Windows Server 2016
-
-You might need to troubleshoot the Microsoft Defender ATP onboarding process if you encounter issues.
-This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the devices.
-
-## Troubleshoot issues with onboarding tools
-
-If you have completed the onboarding process and don't see devices in the [Devices list](investigate-machines.md) after an hour, it might indicate an onboarding or connectivity problem.
-
-### Troubleshoot onboarding when deploying with Group Policy
-
-Deployment with Group Policy is done by running the onboarding script on the devices. The Group Policy console does not indicate if the deployment has succeeded or not.
-
-If you have completed the onboarding process and don't see devices in the [Devices list](investigate-machines.md) after an hour, you can check the output of the script on the devices. For more information, see [Troubleshoot onboarding when deploying with a script](#troubleshoot-onboarding-when-deploying-with-a-script).
-
-If the script completes successfully, see [Troubleshoot onboarding issues on the devices](#troubleshoot-onboarding-issues-on-the-device) for additional errors that might occur.
-
-### Troubleshoot onboarding issues when deploying with Microsoft Endpoint Configuration Manager
-
-When onboarding devices using the following versions of Configuration Manager:
-
-- Microsoft Endpoint Configuration Manager
-- System Center 2012 Configuration Manager
-- System Center 2012 R2 Configuration Manager
-
-Deployment with the above-mentioned versions of Configuration Manager is done by running the onboarding script on the devices. You can track the deployment in the Configuration Manager Console.
-
-If the deployment fails, you can check the output of the script on the devices.
-
-If the onboarding completed successfully but the devices are not showing up in the **Devices list** after an hour, see [Troubleshoot onboarding issues on the device](#troubleshoot-onboarding-issues-on-the-device) for additional errors that might occur.
-
-### Troubleshoot onboarding when deploying with a script
-
-**Check the result of the script on the device:**
-
-1. Click **Start**, type **Event Viewer**, and press **Enter**.
-
-2. Go to **Windows Logs** > **Application**.
-
-3. Look for an event from **WDATPOnboarding** event source.
-
-If the script fails and the event is an error, you can check the event ID in the following table to help you troubleshoot the issue.
-
-> [!NOTE]
-> The following event IDs are specific to the onboarding script only.
-
-Event ID | Error Type | Resolution steps
-:---:|:---|:---
- `5` | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically
`HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`.
-`10` | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically
`HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`.
Verify that the script has been run as an administrator.
-`15` | Failed to start SENSE service |Check the service health (`sc query sense` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights).
If the device is running Windows 10, version 1607 and running the command `sc query sense` returns `START_PENDING`, reboot the device. If rebooting the device doesn't address the issue, upgrade to KB4015217 and try onboarding again.
-`15` | Failed to start SENSE service | If the message of the error is: System error 577 or error 1058 has occurred, you need to enable the Microsoft Defender Antivirus ELAM driver, see [Ensure that Microsoft Defender Antivirus is not disabled by a policy](#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy) for instructions.
-`30` | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md).
-`35` | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location
`HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status`.
The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md).
-`40` | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md).
-`65` | Insufficient privileges| Run the script again with administrator privileges.
-
-### Troubleshoot onboarding issues using Microsoft Intune
-
-You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue.
-
-If you have configured policies in Intune and they are not propagated on devices, you might need to configure automatic MDM enrollment.
-
-Use the following tables to understand the possible causes of issues while onboarding:
-
-- Microsoft Intune error codes and OMA-URIs table
-- Known issues with non-compliance table
-- Mobile Device Management (MDM) event logs table
-
-If none of the event logs and troubleshooting steps work, download the Local script from the **Device management** section of the portal, and run it in an elevated command prompt.
-
-#### Microsoft Intune error codes and OMA-URIs
-
-Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause and troubleshooting steps
-:---:|:---|:---|:---|:---
-0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding
Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields.
**Troubleshooting steps:**
Check the event IDs in the [View agent onboarding errors in the device event log](#view-agent-onboarding-errors-in-the-device-event-log) section.
Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://docs.microsoft.com/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10).
- | | | | Onboarding
Offboarding
SampleSharing | **Possible cause:** Microsoft Defender ATP Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it.
**Troubleshooting steps:** Ensure that the following registry key exists: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
If it doesn't exist, open an elevated command and add the key.
- | | | | SenseIsRunning
OnboardingState
OrgId | **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed.
**Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot onboarding issues on the device](#troubleshoot-onboarding-issues-on-the-device).
Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://docs.microsoft.com/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10).
- | | | | All | **Possible cause:** Attempt to deploy Microsoft Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.
Currently supported platforms:
Enterprise, Education, and Professional.
Server is not supported.
- 0x87D101A9 | -2016345687 |SyncML(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. | All | **Possible cause:** Attempt to deploy Microsoft Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.
Currently supported platforms:
Enterprise, Education, and Professional.
-
-#### Known issues with non-compliance
-
-The following table provides information on issues with non-compliance and how you can address the issues.
-
-Case | Symptoms | Possible cause and troubleshooting steps
-:---:|:---|:---
- `1` | Device is compliant by SenseIsRunning OMA-URI. But is non-compliant by OrgId, Onboarding and OnboardingState OMA-URIs. | **Possible cause:** Check that user passed OOBE after Windows installation or upgrade. During OOBE onboarding couldn't be completed but SENSE is running already.
**Troubleshooting steps:** Wait for OOBE to complete.
- `2` | Device is compliant by OrgId, Onboarding, and OnboardingState OMA-URIs, but is non-compliant by SenseIsRunning OMA-URI. | **Possible cause:** Sense service's startup type is set as "Delayed Start". Sometimes this causes the Microsoft Intune server to report the device as non-compliant by SenseIsRunning when DM session occurs on system start.
**Troubleshooting steps:** The issue should automatically be fixed within 24 hours.
- `3` | Device is non-compliant | **Troubleshooting steps:** Ensure that Onboarding and Offboarding policies are not deployed on the same device at same time.
-
-#### Mobile Device Management (MDM) event logs
-
-View the MDM event logs to troubleshoot issues that might arise during onboarding:
-
-Log name: Microsoft\Windows\DeviceManagement-EnterpriseDiagnostics-Provider
-
-Channel name: Admin
-
-ID | Severity | Event description | Troubleshooting steps
-:---|:---|:---|:---
-1819 | Error | Microsoft Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Download the [Cumulative Update for Windows 10, 1607](https://go.microsoft.com/fwlink/?linkid=829760).
-
-## Troubleshoot onboarding issues on the device
-
-If the deployment tools used does not indicate an error in the onboarding process, but devices are still not appearing in the devices list in an hour, go through the following verification topics to check if an error occurred with the Microsoft Defender ATP agent.
-
-- [View agent onboarding errors in the device event log](#view-agent-onboarding-errors-in-the-device-event-log)
-- [Ensure the diagnostic data service is enabled](#ensure-the-diagnostics-service-is-enabled)
-- [Ensure the service is set to start](#ensure-the-service-is-set-to-start)
-- [Ensure the device has an Internet connection](#ensure-the-device-has-an-internet-connection)
-- [Ensure that Microsoft Defender Antivirus is not disabled by a policy](#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy)
-
-### View agent onboarding errors in the device event log
-
-1. Click **Start**, type **Event Viewer**, and press **Enter**.
-
-2. In the **Event Viewer (Local)** pane, expand **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE**.
-
- > [!NOTE]
- > SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender ATP.
-
-3. Select **Operational** to load the log.
-
-4. In the **Action** pane, click **Filter Current log**.
-
-5. On the **Filter** tab, under **Event level:** select **Critical**, **Warning**, and **Error**, and click **OK**.
-
- 
-
-6. Events which can indicate issues will appear in the **Operational** pane. You can attempt to troubleshoot them based on the solutions in the following table:
-
-Event ID | Message | Resolution steps
-:---:|:---|:---
- `5` | Microsoft Defender Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the device has Internet access](#ensure-the-device-has-an-internet-connection).
- `6` | Microsoft Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-script.md).
- `7` | Microsoft Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the device has Internet access](#ensure-the-device-has-an-internet-connection), then run the entire onboarding process again.
- `9` | Microsoft Defender Advanced Threat Protection service failed to change its start type. Failure code: variable | If the event happened during onboarding, reboot and re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script.md).
If the event happened during offboarding, contact support.
-`10` | Microsoft Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: variable | If the event happened during onboarding, re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script.md).
If the problem persists, contact support.
-`15` | Microsoft Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the device has Internet access](#ensure-the-device-has-an-internet-connection).
-`17` | Microsoft Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable | [Run the onboarding script again](configure-endpoints-script.md). If the problem persists, contact support.
-`25` | Microsoft Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support.
-`27` | Failed to enable Microsoft Defender Advanced Threat Protection mode in Windows Defender. Onboarding process failed. Failure code: variable | Contact support.
-`29` | Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 | Ensure the device has Internet access, then run the entire offboarding process again.
-`30` | Failed to disable $(build.sense.productDisplayName) mode in Microsoft Defender Advanced Threat Protection. Failure code: %1 | Contact support.
-`32` | $(build.sense.productDisplayName) service failed to request to stop itself after offboarding process. Failure code: %1 | Verify that the service start type is manual and reboot the device.
-`55` | Failed to create the Secure ETW autologger. Failure code: %1 | Reboot the device.
-`63` | Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4 | Identify what is causing changes in start type of mentioned service. If the exit code is not 0, fix the start type manually to expected start type.
-`64` | Starting stopped external service. Name: %1, exit code: %2 | Contact support if the event keeps re-appearing.
-`68` | The start type of the service is unexpected. Service name: %1, actual start type: %2, expected start type: %3 | Identify what is causing changes in start type. Fix mentioned service start type.
-`69` | The service is stopped. Service name: %1 | Start the mentioned service. Contact support if persists.
-
-
-
-There are additional components on the device that the Microsoft Defender ATP agent depends on to function properly. If there are no onboarding related errors in the Microsoft Defender ATP agent event log, proceed with the following steps to ensure that the additional components are configured correctly.
-
-
-
-### Ensure the diagnostic data service is enabled
-
-If the devices aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the device. The service might have been disabled by other programs or user configuration changes.
-
-First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is currently running (and start it if it isn't).
-
-### Ensure the service is set to start
-
-**Use the command line to check the Windows 10 diagnostic data service startup type**:
-
-1. Open an elevated command-line prompt on the device:
-
- a. Click **Start**, type **cmd**, and press **Enter**.
-
- b. Right-click **Command prompt** and select **Run as administrator**.
-
-2. Enter the following command, and press **Enter**:
-
- ```text
- sc qc diagtrack
- ```
-
- If the service is enabled, then the result should look like the following screenshot:
-
- 
-
- If the `START_TYPE` is not set to `AUTO_START`, then you'll need to set the service to automatically start.
-
-**Use the command line to set the Windows 10 diagnostic data service to automatically start:**
-
-1. Open an elevated command-line prompt on the device:
-
- a. Click **Start**, type **cmd**, and press **Enter**.
-
- b. Right-click **Command prompt** and select **Run as administrator**.
-
-2. Enter the following command, and press **Enter**:
-
- ```text
- sc config diagtrack start=auto
- ```
-
-3. A success message is displayed. Verify the change by entering the following command, and press **Enter**:
-
- ```text
- sc qc diagtrack
- ```
-
-4. Start the service.
-
- a. In the command prompt, type the following command and press **Enter**:
-
- ```text
- sc start diagtrack
- ```
-
-### Ensure the device has an Internet connection
-
-The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service.
-
-WinHTTP is independent of the Internet browsing proxy settings and other user context applications and must be able to detect the proxy servers that are available in your particular environment.
-
-To ensure that sensor has service connectivity, follow the steps described in the [Verify client connectivity to Microsoft Defender ATP service URLs](configure-proxy-internet.md#verify-client-connectivity-to-microsoft-defender-atp-service-urls) topic.
-
-If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet.md) topic.
-
-### Ensure that Microsoft Defender Antivirus is not disabled by a policy
-
-> [!IMPORTANT]
-> The following only applies to devices that have **not** yet received the August 2020 (version 4.18.2007.8) update to Microsoft Defender Antivirus.
->
-> The update ensures that Microsoft Defender Antivirus cannot be turned off on client devices via system policy.
-
-**Problem**: The Microsoft Defender ATP service does not start after onboarding.
-
-**Symptom**: Onboarding successfully completes, but you see error 577 or error 1058 when trying to start the service.
-
-**Solution**: If your devices are running a third-party antimalware client, the Microsoft Defender ATP agent needs the Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not turned off by a system policy.
-
-- Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are cleared:
-
- - DisableAntiSpyware
- - DisableAntiVirus
-
- For example, in Group Policy there should be no entries such as the following values:
-
- - `
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
-Windows Server 2008 R2 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
-Windows Server 2012 R2 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
-Windows Server 2016 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
-Windows Server 2019 | Operating System (OS) vulnerabilities
Software product vulnerabilities
Operating System (OS) configuration assessment
Security controls configuration assessment
Software product configuration assessment
-macOS 10.13 "High Sierra" and above | Operating System (OS) vulnerabilities
Software product vulnerabilities
-Linux | Not supported (planned)
-
-## Related topics
-
-- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)
-- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md)
-- [Exposure score](tvm-exposure-score.md)
-- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
-- [Security recommendations](tvm-security-recommendation.md)
-- [Remediation and exception](tvm-remediation.md)
-- [Software inventory](tvm-software-inventory.md)
-- [Weaknesses](tvm-weaknesses.md)
-- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
-- [Scenarios](threat-and-vuln-mgt-scenarios.md)
-- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
-- [Configure data access for threat and vulnerability management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
deleted file mode 100644
index 523a9d850b..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
+++ /dev/null
@@ -1,153 +0,0 @@
----
-title: Weaknesses found by threat and vulnerability management
-description: Lists the common vulnerabilities and exposures (CVE) ID of weaknesses found in the software running in your organization. Discovered by the Microsoft Defender ATP threat and vulnerability management capability.
-keywords: mdatp threat & vulnerability management, threat and vulnerability management, mdatp tvm weaknesses page, finding weaknesses through tvm, tvm vulnerability list, vulnerability details in tvm
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
----
-# Weaknesses found by threat and vulnerability management
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
-
-Threat and vulnerability management uses the same signals in Microsoft Defender ATP's endpoint protection to scan and detect vulnerabilities.
-
-The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization by listing the Common Vulnerabilities and Exposures (CVE) ID. You can also view the severity, Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach, threat insights, and more.
-
->[!NOTE]
->If there is no official CVE-ID assigned to a vulnerability, the vulnerability name is assigned by threat and vulnerability management.
-
->[!IMPORTANT]
->To boost your vulnerability assessment detection rates, you can download the following mandatory security updates and deploy them in your network:
->- 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941)
->- RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077)
->- RS4 customers | [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045)
->- RS3 customers | [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071)
-
-## Navigate to the Weaknesses page
-
-Access the Weaknesses page a few different ways:
-
-- Selecting **Weaknesses** from the threat and vulnerability management navigation menu in the [Microsoft Defender Security Center](portal-overview.md)
-- Global search
-
-### Navigation menu
-
-Go to the threat and vulnerability management navigation menu and select **Weaknesses** to open the list of CVEs.
-
-### Vulnerabilities in global search
-
-1. Go to the global search drop-down menu.
-2. Select **Vulnerability** and key-in the Common Vulnerabilities and Exposures (CVE) ID that you're looking for, then select the search icon. The **Weaknesses** page opens with the CVE information that you're looking for.
-
-3. Select the CVE to open a flyout panel with more information, including the vulnerability description, details, threat insights, and exposed devices.
-
-To see the rest of the vulnerabilities in the **Weaknesses** page, type CVE, then select search.
-
-## Weaknesses overview
-
-Remediate the vulnerabilities in exposed devices to reduce the risk to your assets and organization. If the **Exposed Devices** column shows 0, that means you aren't at risk.
-
-
-
-### Breach and threat insights
-
-View related breach and threat insights in the **Threat** column when the icons are colored red.
-
- >[!NOTE]
- > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight icon  and breach insight icon .
-
-The breach insights icon is highlighted if there's a vulnerability found in your organization.
-
-
-The threat insights icon is highlighted if there are associated exploits in the vulnerability found in your organization. Hovering over the icon shows whether the threat is a part of an exploit kit, or connected to specific advanced persistent campaigns or activity groups. When available, there is a link to a Threat Analytics report with zero-day exploitation news, disclosures, or related security advisories.
-
-
-
-### Gain vulnerability insights
-
-If you select a CVE, a flyout panel will open with more information, including the vulnerability description, details, threat insights, and exposed devices.
-
-The "OS Feature" category is shown in relevant scenarios.
-
- 
-
-## View Common Vulnerabilities and Exposures (CVE) entries in other places
-
-### Top vulnerable software in the dashboard
-
-1. Go to the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) and scroll down to the **Top vulnerable software** widget. You will see the number of vulnerabilities found in each software, along with threat information and a high-level view of device exposure over time.
-
- 
-
-2. Select the software you want to investigate to go to a drilldown page.
-3. Select the **Discovered vulnerabilities** tab.
-4. Select the vulnerability you want to investigate for more information on vulnerability details
-
- 
-
-### Discover vulnerabilities in the device page
-
-View related weaknesses information in the device page.
-
-1. Go to the Microsoft Defender Security Center navigation menu bar, then select the device icon. The **Devices list** page opens.
-2. In the **Devices list** page, select the device name that you want to investigate.
-
- 
-
-3. The device page will open with details and response options for the device you want to investigate.
-4. Select **Discovered vulnerabilities**.
-
- 
-
-5. Select the vulnerability that you want to investigate to open up a flyout panel with the CVE details, such as: vulnerability description, threat insights, and detection logic.
-
-#### CVE Detection logic
-
-Similar to the software evidence, we now show the detection logic we applied on a device in order to state that it's vulnerable. The new section is called "Detection Logic" (in any discovered vulnerability in the device page) and shows the detection logic and source.
-
-The "OS Feature" category is also shown in relevant scenarios. A CVE would affect devices that run a vulnerable OS only if a specific OS component is enabled. Let's say Windows Server 2019 has vulnerability in its DNS component. With this new capability, we’ll only attach this CVE to the Windows Server 2019 devices with the DNS capability enabled in their OS.
-
-
-
-## Report inaccuracy
-
-Report a false positive when you see any vague, inaccurate, or incomplete information. You can also report on security recommendations that have already been remediated.
-
-1. Open the CVE on the Weaknesses page.
-2. Select **Report inaccuracy** and a flyout pane will open.
-3. Select the inaccuracy category from the drop-down menu and fill in your email address and inaccuracy details.
-4. Select **Submit**. Your feedback is immediately sent to the threat and vulnerability management experts.
-
-## Related topics
-
-- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)
-- [Supported operating systems and platforms](tvm-supported-os.md)
-- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md)
-- [Exposure score](tvm-exposure-score.md)
-- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
-- [Security recommendations](tvm-security-recommendation.md)
-- [Remediation and exception](tvm-remediation.md)
-- [Software inventory](tvm-software-inventory.md)
-- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
-- [Scenarios](threat-and-vuln-mgt-scenarios.md)
-- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
-- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md
deleted file mode 100644
index c518418a7f..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md
+++ /dev/null
@@ -1,96 +0,0 @@
----
-title: Release device from isolation API
-description: Use this API to create calls related to release a device from isolation.
-keywords: apis, graph api, supported apis, remove device from isolation
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
-
----
-
-# Release device from isolation API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-
-## API description
-Undo isolation of a device.
-
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-[!include[Device actions note](../../includes/machineactionsnote.md)]
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.Isolate | 'Isolate machine'
-Delegated (work or school account) | Machine.Isolate | 'Isolate machine'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```
-POST https://api.securitycenter.windows.com/api/machines/{id}/unisolate
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | string | application/json. **Required**.
-
-
-## Request body
-In the request body, supply a JSON object with the following parameters:
-
-Parameter | Type | Description
-:---|:---|:---
-Comment | String | Comment to associate with the action. **Required**.
-
-## Response
-If successful, this method returns 201 - Created response code and [Machine Action](machineaction.md) in the response body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-```
-POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unisolate
-Content-type: application/json
-{
- "Comment": "Unisolate machine since it was clean and validated"
-}
-
-```
-
-
-- To isolate a device, see [Isolate device](isolate-machine.md).
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md
deleted file mode 100644
index 50319acfe5..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md
+++ /dev/null
@@ -1,92 +0,0 @@
----
-title: Remove app restriction API
-description: Use this API to create calls related to removing a restriction from applications from executing.
-keywords: apis, graph api, supported apis, remove device from isolation
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Remove app restriction API
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-
-## API description
-Enable execution of any application on the device.
-
-
-## Limitations
-1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-[!include[Device actions note](../../includes/machineactionsnote.md)]
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Machine.RestrictExecution | 'Restrict code execution'
-Delegated (work or school account) | Machine.RestrictExecution | 'Restrict code execution'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```
-POST https://api.securitycenter.windows.com/api/machines/{id}/unrestrictCodeExecution
-```
-
-## Request headers
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | string | application/json. **Required**.
-
-## Request body
-In the request body, supply a JSON object with the following parameters:
-
-Parameter | Type | Description
-:---|:---|:---
-Comment | String | Comment to associate with the action. **Required**.
-
-## Response
-If successful, this method returns 201 - Created response code and [Machine Action](machineaction.md) in the response body.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-```
-POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unrestrictCodeExecution
-Content-type: application/json
-{
- "Comment": "Unrestrict code execution since machine was cleaned and validated"
-}
-
-```
-
-
-To restrict code execution on a device, see [Restrict app execution](restrict-code-execution.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md
deleted file mode 100644
index 9c9268711b..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md
+++ /dev/null
@@ -1,102 +0,0 @@
----
-title: Update alert entity API
-description: Learn how to update a Microsoft Defender ATP alert by using this API. You can update the status, determination, classification, and assignedTo properties.
-keywords: apis, graph api, supported apis, get, alert, information, id
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Update alert
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-
-## API description
-Updates properties of existing [Alert](alerts.md).
-
Submission of **comment** is available with or without updating properties.
-
Updatable properties are: ```status```, ```determination```, ```classification``` and ```assignedTo```.
-
-
-## Limitations
-1. You can update alerts that available in the API. See [List Alerts](get-alerts.md) for more information.
-2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-
-
-## Permissions
-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
-
-Permission type | Permission | Permission display name
-:---|:---|:---
-Application | Alerts.ReadWrite.All | 'Read and write all alerts'
-Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
-
->[!Note]
-> When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'Alerts investigation' (See [Create and manage roles](user-roles.md) for more information)
->- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
-
-## HTTP request
-```
-PATCH /api/alerts/{id}
-```
-
-## Request headers
-
-Name | Type | Description
-:---|:---|:---
-Authorization | String | Bearer {token}. **Required**.
-Content-Type | String | application/json. **Required**.
-
-
-## Request body
-In the request body, supply the values for the relevant fields that should be updated.
-
Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values.
-
For best performance you shouldn't include existing values that haven't change.
-
-Property | Type | Description
-:---|:---|:---
-status | String | Specifies the current status of the alert. The property values are: 'New', 'InProgress' and 'Resolved'.
-assignedTo | String | Owner of the alert
-classification | String | Specifies the specification of the alert. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'.
-determination | String | Specifies the determination of the alert. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'
-comment | String | Comment to be added to the alert.
-
-[!include[Improve request performance](../../includes/improve-request-performance.md)]
-
-## Response
-If successful, this method returns 200 OK, and the [alert](alerts.md) entity in the response body with the updated properties. If alert with the specified id was not found - 404 Not Found.
-
-
-## Example
-
-**Request**
-
-Here is an example of the request.
-
-```
-PATCH https://api.securitycenter.windows.com/api/alerts/121688558380765161_2136280442
-Content-Type: application/json
-
-{
- "status": "Resolved",
- "assignedTo": "secop2@contoso.com",
- "classification": "FalsePositive",
- "determination": "Malware",
- "comment": "Resolve my alert and assign to secop2"
-}
-```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/use.md b/windows/security/threat-protection/microsoft-defender-atp/use.md
deleted file mode 100644
index da8874d9ba..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/use.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-title: Overview of Microsoft Defender Security Center
-description: Learn about the features on Microsoft Defender Security Center, including how alerts work, and suggestions on how to investigate possible breaches and attacks.
-keywords: dashboard, alerts queue, manage alerts, investigation, investigate alerts, investigate devices, submit files, deep analysis, high, medium, low, severity, ioc, ioa
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: conceptual
----
-
-# Overview of Microsoft Defender Security Center
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-usewdatp-abovefoldlink)
-
-Microsoft Defender Security Center is the portal where you can access Microsoft Defender Advanced Threat Protection capabilities.
-
-Use the **Security operations** dashboard to gain insight on the various alerts on devices and users in your network.
-
-Use the **Threat & Vulnerability Management** dashboard to expand your visibility on the overall security posture of your organization. You'll see devices that require attention and recommendations that can help you reduce the attack surface in your organization.
-
-Use the **Threat analytics** dashboard to continually assess and control risk exposure to Spectre and Meltdown.
-
-### In this section
-
-Topic | Description
-:---|:---
-[Portal overview](portal-overview.md) | Understand the portal layout and area descriptions.
-[View the Security operations dashboard](security-operations-dashboard.md) | The Microsoft Defender ATP **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the devices on your network, investigate devices, files, and URLs, and see snapshots of threats seen on devices.
-[View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) | The **Threat & Vulnerability Management dashboard** lets you view exposure and Microsoft Secure Score for Devices side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed devices.
-[View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md) | The **Threat analytics** dashboard helps you continually assess and control risk exposure to threats. Use the charts to quickly identify devices for the presence or absence of mitigations.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
deleted file mode 100644
index 3e7673cab5..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md
+++ /dev/null
@@ -1,115 +0,0 @@
----
-title: Create and manage roles for role-based access control
-description: Create roles and define the permissions assigned to the role as part of the role-based access control implementation in the Microsoft Defender Security Center
-keywords: user roles, roles, access rbac
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Create and manage roles for role-based access control
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-roles-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-## Create roles and assign the role to an Azure Active Directory group
-
-The following steps guide you on how to create roles in Microsoft Defender Security Center. It assumes that you have already created Azure Active Directory user groups.
-
-1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com/) using account with a Security administrator or Global administrator role assigned.
-
-2. In the navigation pane, select **Settings > Roles**.
-
-3. Select **Add item**.
-
-4. Enter the role name, description, and permissions you'd like to assign to the role.
-
-5. Select **Next** to assign the role to an Azure AD Security group.
-
-6. Use the filter to select the Azure AD group that you'd like to add to this role to.
-
-7. **Save and close**.
-
-8. Apply the configuration settings.
-
-> [!IMPORTANT]
-> After creating roles, you'll need to create a device group and provide access to the device group by assigning it to a role that you just created.
-
-### Permission options
-
-- **View data**
- - **Security operations** - View all security operations data in the portal
- - **Threat and vulnerability management** - View threat and vulnerability management data in the portal
-
-- **Active remediation actions**
- - **Security operations** - Take response actions, approve or dismiss pending remediation actions, manage allowed/blocked lists for automation and indicators
- - **Threat and vulnerability management - Exception handling** - Create new exceptions and manage active exceptions
- - **Threat and vulnerability management - Remediation handling** - Submit new remediation requests, create tickets, and manage existing remediation activities
-
-- **Alerts investigation** - Manage alerts, initiate automated investigations, run scans, collect investigation packages, manage device tags, and download only portable executable (PE) files
-
-- **Manage portal system settings** - Configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and device groups
-
- > [!NOTE]
- > This setting is only available in the Microsoft Defender ATP administrator (default) role.
-
-- **Manage security settings in Security Center** - Configure alert suppression settings, manage folder exclusions for automation, onboard and offboard devices, and manage email notifications, manage evaluation lab
-
-- **Live response capabilities**
- - **Basic** commands:
- - Start a live response session
- - Perform read only live response commands on remote device (excluding file copy and execution
- - **Advanced** commands:
- - Download a file from the remote device via live response
- - Download PE and non-PE files from the file page
- - Upload a file to the remote device
- - View a script from the files library
- - Execute a script on the remote device from the files library
-
-For more information on the available commands, see [Investigate devices using Live response](live-response.md).
-
-## Edit roles
-
-1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com/) using account with Security administrator or Global administrator role assigned.
-
-2. In the navigation pane, select **Settings > Roles**.
-
-3. Select the role you'd like to edit.
-
-4. Click **Edit**.
-
-5. Modify the details or the groups that are assigned to the role.
-
-6. Click **Save and close**.
-
-## Delete roles
-
-1. Log in to [Microsoft Defender Security Center](https://securitycenter.windows.com/) using account with Security administrator or Global administrator role assigned.
-
-2. In the navigation pane, select **Settings > Roles**.
-
-3. Select the role you'd like to delete.
-
-4. Click the drop-down button and select **Delete role**.
-
-## Related topic
-
-- [User basic permissions to access the portal](basic-permissions.md)
-- [Create and manage device groups](machine-groups.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/user.md b/windows/security/threat-protection/microsoft-defender-atp/user.md
deleted file mode 100644
index e94dd0bb1d..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/user.md
+++ /dev/null
@@ -1,31 +0,0 @@
----
-title: User resource type
-description: Retrieve recent Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) alerts related to users.
-keywords: apis, graph api, supported apis, get, alerts, recent
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# User resource type
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-Method|Return Type |Description
-:---|:---|:---
-[List User related alerts](get-user-related-alerts.md) | [alert](alerts.md) collection | List all the alerts that are associated with a [user](user.md).
-[List User related devices](get-user-related-machines.md) | [machine](machine.md) collection | List all the devices that were logged on by a [user](user.md).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md
deleted file mode 100644
index a1fa8c6d8a..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md
+++ /dev/null
@@ -1,83 +0,0 @@
----
-title: View and organize the Incidents queue
-ms.reviewer:
-description: See the list of incidents and learn how to apply filters to limit the list and get a more focused view.
-keywords: view, organize, incidents, aggregate, investigations, queue, ttp
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# View and organize the Microsoft Defender Advanced Threat Protection Incidents queue
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
-The **Incidents queue** shows a collection of incidents that were flagged from devices in your network. It helps you sort through incidents to prioritize and create an informed cybersecurity response decision.
-
-By default, the queue displays incidents seen in the last 30 days, with the most recent incident showing at the top of the list, helping you see the most recent incidents first.
-
-There are several options you can choose from to customize the Incidents queue view.
-
-On the top navigation you can:
-- Customize columns to add or remove columns
-- Modify the number of items to view per page
-- Select the items to show per page
-- Batch-select the incidents to assign
-- Navigate between pages
-- Apply filters
-
-
-
-## Sort and filter the incidents queue
-You can apply the following filters to limit the list of incidents and get a more focused view.
-
-### Severity
-
-Incident severity | Description
-:---|:---
-High (Red) | Threats often associated with advanced persistent threats (APT). These incidents indicate a high risk due to the severity of damage they can inflict on devices.
-Medium (Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages.
-Low (Yellow) | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization.
-Informational (Grey) | Informational incidents might not be considered harmful to the network but might be good to keep track of.
-
-## Assigned to
-You can choose to filter the list by selecting assigned to anyone or ones that are assigned to you.
-
-### Category
-Incidents are categorized based on the description of the stage by which the cybersecurity kill chain is in. This view helps the threat analyst to determine priority, urgency, and corresponding response strategy to deploy based on context.
-
-### Status
-You can choose to limit the list of incidents shown based on their status to see which ones are active or resolved.
-
-### Data sensitivity
-Use this filter to show incidents that contain sensitivity labels.
-
-## Incident naming
-
-To understand the incident's scope at a glance, incident names are automatically generated based on alert attributes such as the number of endpoints affected, users affected, detection sources or categories.
-
-For example: *Multi-stage incident on multiple endpoints reported by multiple sources.*
-
-> [!NOTE]
-> Incidents that existed prior the rollout of automatic incident naming will retain their name.
-
-
-## See also
-- [Incidents queue](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue)
-- [Manage incidents](manage-incidents.md)
-- [Investigate incidents](investigate-incidents.md)
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md b/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md
deleted file mode 100644
index 121df4f64b..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md
+++ /dev/null
@@ -1,53 +0,0 @@
----
-title: Vulnerability methods and properties
-description: Retrieves vulnerability information
-keywords: apis, graph api, supported apis, get, vulnerability
-search.product: eADQiWindows 10XVcnh
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: dolmont
-author: DulceMontemayor
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Vulnerability resource type
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
-
-[!include[Prerelease information](../../includes/prerelease.md)]
-
-## Methods
-Method |Return Type |Description
-:---|:---|:---
-[Get all vulnerabilities](get-all-vulnerabilities.md) | Vulnerability collection | Retrieves a list of all the vulnerabilities affecting the organization
-[Get vulnerability by Id](get-vulnerability-by-id.md) | Vulnerability | Retrieves vulnerability information by its ID
-[List devices by vulnerability](get-machines-by-vulnerability.md)| MachineRef collection | Retrieve a list of devices that are associated with the vulnerability ID
-
-
-## Properties
-Property | Type | Description
-:---|:---|:---
-id | String | Vulnerability ID
-Name | String | Vulnerability title
-Description | String | Vulnerability description
-Severity | String | Vulnerability Severity. Possible values are: “Low”, “Medium”, “High”, “Critical”
-cvssV3 | Double | CVSS v3 score
-exposedMachines | Long | Number of exposed devices
-publishedOn | DateTime | Date when vulnerability was published
-updatedOn | DateTime | Date when vulnerability was updated
-publicExploit | Boolean | Public exploit exists
-exploitVerified | Boolean | Exploit is verified to work
-exploitInKit | Boolean | Exploit is part of an exploit kit
-exploitTypes | String collection | Exploit impact. Possible values are: “Denial of service”, “Local privilege escalation”, “Denial of service”
-exploitUris | String collection | Exploit source URLs
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
deleted file mode 100644
index 4dd4166246..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
+++ /dev/null
@@ -1,150 +0,0 @@
----
-title: Web content filtering
-description: Use web content filtering in Microsoft Defender ATP to track and regulate access to websites based on their content categories.
-keywords: web protection, web threat protection, web browsing, monitoring, reports, cards, domain list, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Web content filtering
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-> [!IMPORTANT]
-> **Web content filtering is currently in public preview**
-> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
-> For more information, see [Microsoft Defender ATP preview features](preview.md).
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
-
-Web content filtering is part of [Web protection](web-protection-overview.md) capabilities in Microsoft Defender ATP. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic because of compliance regulations, bandwidth usage, or other concerns.
-
-Configure policies across your device groups to block certain categories. Blocking a category prevents users within specified device groups from accessing URLs associated with the category. For any category that's not blocked, the URLs are automatically audited. Your users can access the URLs without disruption, and you'll gather access statistics to help create a more custom policy decision. Your users will see a block notification if an element on the page they're viewing is making calls to a blocked resource.
-
-Web content filtering is available on the major web browsers, with blocks performed by Windows Defender SmartScreen (Microsoft Edge) and Network Protection (Chrome and Firefox). For more information about browser support, see the prerequisites section.
-
-Summarizing the benefits:
-
-- Users are prevented from accessing websites in blocked categories, whether they're browsing on-premises or away
-- Conveniently deploy policies to groups of users using device groups defined in [Microsoft Defender ATP role-based access control settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)
-- Access web reports in the same central location, with visibility over actual blocks and web usage
-
-## User experience
-
-The blocking experience for Chrome/Firefox is provided by Network Protection, which provides a system-level toast notifying the user of a blocked connection.
-
-For a more user-friendly in-browser experience, consider using Microsoft Edge.
-
-## Prerequisites
-
-Before trying out this feature, make sure you have the following requirements:
-
-- Windows 10 Enterprise E5 license OR Microsoft 365 E3 + Microsoft 365 E5 Security add-on.
-- Access to Microsoft Defender Security Center portal
-- Devices running Windows 10 Anniversary Update (version 1607) or later with the latest MoCAMP update.
-
-If Windows Defender SmartScreen isn't turned on, Network Protection will take over the blocking. It requires [enabling Network Protection](enable-network-protection.md) on the device.
-
-## Data handling
-
-We will follow whichever region you have elected to use as part of your [Microsoft Defender ATP data handling settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy). Your data will not leave the data center in that region. In addition, your data will not be shared with any third-parties, including our data providers. However, we may send them aggregate data (across users and organizations) to help them improve their feeds.
-
-## Turn on web content filtering
-
-From the left-hand navigation menu, select **Settings > General > Advanced Features**. Scroll down until you see the entry for **Web content filtering**. Switch the toggle to **On** and **Save preferences**.
-
-### Configure web content filtering policies
-
-Web content filtering policies specify which site categories are blocked on which device groups. To manage the policies, go to **Settings > Rules > Web content filtering**.
-
-Use the filter to locate policies that contain certain blocked categories or are applied to specific device groups.
-
-### Create a policy
-
-To add a new policy:
-
-1. Select **Add policy** on the **Web content filtering** page in **Settings**.
-2. Specify a name.
-3. Select the categories to block. Use the expand icon to fully expand each parent category and select specific web content categories.
-4. Specify the policy scope. Select the device groups to specify where to apply the policy. Only devices in the selected device groups will be prevented from accessing websites in the selected categories.
-5. Review the summary and save the policy. The policy may take up to 15 minutes to apply to your selected devices.
-
-Tip: You can deploy a policy without selecting any category on a device group. This action will create an audit only policy, to help you understand user behavior before creating a block policy.
-
->[!NOTE]
->If you are removing a policy or changing device groups at the same time, this might cause a delay in policy deployment.
-
->[!IMPORTANT]
->Blocking the "Uncategorized" category may lead to unexpected and undesired results.
-
-### Allow specific websites
-
-It's possible to override the blocked category in web content filtering to allow a single site by creating a custom indicator policy. The custom indicator policy will supersede the web content filtering policy when it's applied to the device group in question.
-
-1. Create a custom indicator in the Microsoft Defender Security Center by going to **Settings** > **Indicators** > **URL/Domain** > **Add Item**
-2. Enter the domain of the site
-3. Set the policy action to **Allow**.
-
-## Web content filtering cards and details
-
-Select **Reports > Web protection** to view cards with information about web content filtering and web threat protection. The following cards provide summary information about web content filtering.
-
-### Web activity by category
-
-This card lists the parent web content categories with the largest increase or decrease in the number of access attempts. Understand drastic changes in web activity patterns in your organization from last 30 days, 3 months, or 6 months. Select a category name to view more information.
-
-In the first 30 days of using this feature, your organization might not have enough data to display this information.
-
-
-
-### Web content filtering summary card
-
-This card displays the distribution of blocked access attempts across the different parent web content categories. Select one of the colored bars to view more information about a specific parent web category.
-
-
-
-### Web activity summary card
-
-This card displays the total number of requests for web content in all URLs.
-
-
-
-### View card details
-
-You can access the **Report details** for each card by selecting a table row or colored bar from the chart in the card. The report details page for each card contains extensive statistical data about web content categories, website domains, and device groups.
-
-
-
-- **Web categories**: Lists the web content categories that have had access attempts in your organization. Select a specific category to open a summary flyout.
-
-- **Domains**: Lists the web domains that have been accessed or blocked in your organization. Select a specific domain to view detailed information about that domain.
-
-- **Device groups**: Lists all the device groups that have generated web activity in your organization
-
-Use the time range filter at the top left of the page to select a time period. You can also filter the information or customize the columns. Select a row to open a flyout pane with even more information about the selected item.
-
-## Errors and issues
-
-### Limitations and known issues in this preview
-
-- Only Microsoft Edge is supported if your device's OS configuration is Server (cmd > Systeminfo > OS Configuration). Network Protection is only supported in Inspect mode on Server devices, which is responsible for securing traffic across Chrome/Firefox.
-
-- Unassigned devices will have incorrect data shown within the report. In the Report details > Device groups pivot, you may see a row with a blank Device Group field. This group contains your unassigned devices before they get put into your specified group. The report for this row may not contain an accurate count of devices or access counts.
-
-## Related topics
-
-- [Web protection overview](web-protection-overview.md)
-- [Web threat protection](web-threat-protection.md)
-- [Monitor web security](web-protection-monitoring.md)
-- [Respond to web threats](web-protection-response.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md
deleted file mode 100644
index bcceac7999..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md
+++ /dev/null
@@ -1,61 +0,0 @@
----
-title: Monitoring web browsing security in Microsoft Defender ATP
-description: Use web protection in Microsoft Defender ATP to monitor web browsing security
-keywords: web protection, web threat protection, web browsing, monitoring, reports, cards, domain list, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Monitor web browsing security
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
-
-Web protection lets you monitor your organization’s web browsing security through reports under **Reports > Web protection** in the Microsoft Defender Security Center. The report contains cards that provide web threat detection statistics.
-
-- **Web threat protection detections over time** — this trending card displays the number of web threats detected by type during the selected time period (Last 30 days, Last 3 months, Last 6 months)
-
- 
-
-- **Web threat protection summary** — this card displays the total web threat detections in the past 30 days, showing distribution across the different types of web threats. Selecting a slice opens the list of the domains that were found with malicious or unwanted websites.
-
- 
-
->[!Note]
->It can take up to 12 hours before a block is reflected in the cards or the domain list.
-
-## Types of web threats
-Web protection categorizes malicious and unwanted websites as:
-- **Phishing** — websites that contain spoofed web forms and other phishing mechanisms designed to trick users into divulging credentials and other sensitive information
-- **Malicious** — websites that host malware and exploit code
-- **Custom indicator** — websites whose URLs or domains you've added to your [custom indicator list](manage-indicators.md) for blocking
-
-## View the domain list
-Select a specific web threat category in the **Web threat protection summary** card to open the **Domains** page and display the list of the domains under that threat category. The page provides the following information for each domain:
-
-- **Access count** — number of requests for URLs in the domain
-- **Blocks** — number of times requests were blocked
-- **Access trend** — change in number of access attempts
-- **Threat category** — type of web threat
-- **Devices** — number of devices with access attempts
-
-Select a domain to view the list of devices that have attempted to access URLs in that domain as well as the list of URLs.
-
-## Related topics
-- [Web protection overview](web-protection-overview.md)
-- [Web content filtering](web-content-filtering.md)
-- [Web threat protection](web-threat-protection.md)
-- [Respond to web threats](web-protection-response.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md
deleted file mode 100644
index 717f128f7c..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-title: Web protection
-description: Learn about web protection in Microsoft Defender ATP and how it can protect your organization
-keywords: web protection, web threat protection, web browsing, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser, malicious websites
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Web protection
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
-
-Web protection in Microsoft Defender ATP is a capability made up of [Web threat protection](web-threat-protection.md) and [Web content filtering](web-content-filtering.md). Web protection lets you secure your devices against web threats and helps you regulate unwanted content. You can find Web protection reports in the Microsoft Defender Security Center by going to **Reports > Web protection**.
-
-
-
-## Web threat protection
-
-The cards that make up web threat protection are **Web threat detections over time** and **Web threat summary**.
-
-Web threat protection includes:
-- Comprehensive visibility into web threats affecting your organization
-- Investigation capabilities over web-related threat activity through alerts and comprehensive profiles of URLs and the devices that access these URLs
-- A full set of security features that track general access trends to malicious and unwanted websites
-
-## Web content filtering
-
-The cards that comprise web content filtering are **Web activity by category**, **Web content filtering summary**, and **Web activity summary**.
-
-Web content filtering includes:
-- Users are prevented from accessing websites in blocked categories, whether they are browsing on-premises or away
-- You can conveniently deploy varied policies to various sets of users using the device groups defined in the [Microsoft Defender ATP role-based access control settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)
-- You can access web reports in the same central location, with visibility over actual blocks and web usage
-
-## In this section
-
-Topic | Description
-:---|:---
-[Web threat protection](web-threat-protection.md) | Stop access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, as well as sites that you have blocked.
-[Web content filtering](web-content-filtering.md) | Track and regulate access to websites based on their content categories.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md
deleted file mode 100644
index 41fb1e22a8..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md
+++ /dev/null
@@ -1,74 +0,0 @@
----
-title: Respond to web threats in Microsoft Defender ATP
-description: Respond to alerts related to malicious and unwanted websites. Understand how web threat protection informs end users through their web browsers and Windows notifications
-keywords: web protection, web threat protection, web browsing, alerts, response, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser, notifications, end users, Windows notifications, blocking page,
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Respond to web threats
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
-
-Web protection in Microsoft Defender ATP lets you efficiently investigate and respond to alerts related to malicious websites and websites in your custom indicator list.
-
-## View web threat alerts
-Microsoft Defender ATP generates the following [alerts](manage-alerts.md) for malicious or suspicious web activity:
-- **Suspicious connection blocked by network protection** — this alert is generated when an attempt to access a malicious website or a website in your custom indicator list is *stopped* by network protection in *block* mode
-- **Suspicious connection detected by network protection** — this alert is generated when an attempt to access a malicious website or a website in your custom indicator list is detected by network protection in *audit only* mode
-
-Each alert provides the following information:
-- Device that attempted to access the blocked website
-- Application or program used to send the web request
-- Malicious URL or URL in the custom indicator list
-- Recommended actions for responders
-
-
-
->[!Note]
->To reduce the volume of alerts, Microsoft Defender ATP consolidates web threat detections for the same domain on the same device each day to a single alert. Only one alert is generated and counted into the [web protection report](web-protection-monitoring.md).
-
-## Inspect website details
-You can dive deeper by selecting the URL or domain of the website in the alert. This opens a page about that particular URL or domain with various information, including:
-- Devices that attempted to access website
-- Incidents and alerts related to the website
-- How frequent the website was seen in events in your organization
-
- 
-
-[Learn more about URL or domain entity pages](investigate-domain.md)
-
-## Inspect the device
-You can also check the device that attempted to access a blocked URL. Selecting the name of the device on the alert page opens a page with comprehensive information about the device.
-
-[Learn more about device entity pages](investigate-machines.md)
-
-## Web browser and Windows notifications for end users
-
-With web protection in Microsoft Defender ATP, your end users will be prevented from visiting malicious or unwanted websites using Microsoft Edge or other browsers. Because blocking is performed by [network protection](network-protection.md), they will see a generic error from the web browser. They will also see a notification from Windows.
-
-
-*Web threat blocked on Microsoft Edge*
-
-
-*Web threat blocked on Chrome*
-
-## Related topics
-- [Web protection overview](web-protection-overview.md)
-- [Web content filtering](web-content-filtering.md)
-- [Web threat protection](web-threat-protection.md)
-- [Monitor web security](web-protection-monitoring.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md
deleted file mode 100644
index d9d063c82f..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md
+++ /dev/null
@@ -1,48 +0,0 @@
----
-title: Protect your organization against web threats
-description: Learn about web protection in Microsoft Defender ATP and how it can protect your organization
-keywords: web protection, web threat protection, web browsing, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-ms.author: ellevin
-author: levinec
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-# Protect your organization against web threats
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1)
-
-Web threat protection is part of [Web protection](web-protection-overview.md) in Microsoft Defender ATP. It uses [network protection](network-protection.md) to secure your devices against web threats. By integrating with Microsoft Edge and popular third-party browsers like Chrome and Firefox, web threat protection stops web threats without a web proxy and can protect devices while they are away or on premises. Web threat protection stops access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, as well as sites that you have blocked in your [custom indicator list](manage-indicators.md).
-
->[!Note]
->It can take up to an hour for devices to receive new customer indicators.
-
-## Prerequisites
-Web protection uses network protection to provide web browsing security on Microsoft Edge and third-party web browsers.
-
-To turn on network protection on your devices:
-- Edit the Microsoft Defender ATP security baseline under **Web & Network Protection** to enable network protection before deploying or redeploying it. [Learn about reviewing and assigning the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md#review-and-assign-the-microsoft-defender-atp-security-baseline)
-- Turn network protection on using Intune device configuration, SCCM, Group Policy, or your MDM solution. [Read more about enabling network protection](enable-network-protection.md)
-
->[!Note]
->If you set network protection to **Audit only**, blocking will be unavailable. Also, you will be able to detect and log attempts to access malicious and unwanted websites on Microsoft Edge only.
-
-## Related topics
-
-- [Web protection overview](web-protection-overview.md)
-- [Web threat protection](web-threat-protection.md)
-- [Monitor web security](web-protection-monitoring.md)
-- [Respond to web threats](web-protection-response.md)
-- [Network protection](network-protection.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
deleted file mode 100644
index 38c6bd4b37..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
+++ /dev/null
@@ -1,192 +0,0 @@
----
-title: What's new in Microsoft Defender ATP
-description: See what features are generally available (GA) in the latest release of Microsoft Defender ATP, as well as security features in Windows 10 and Windows Server.
-keywords: what's new in microsoft defender atp, ga, generally available, capabilities, available, new
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: secure
-ms.sitesec: library
-ms.pagetype: security
-ms.author: macapara
-author: mjcaparas
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection:
-- m365-security-compliance
-- m365initiative-defender-endpoint
-ms.topic: conceptual
----
-
-# What's new in Microsoft Defender ATP
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-
-
-**Applies to:**
-
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-The following features are generally available (GA) in the latest release of Microsoft Defender ATP as well as security features in Windows 10 and Windows Server.
-
-For more information preview features, see [Preview features](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection).
-
-
-> [!TIP]
-> RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader:
->
-> ```https
-> https://docs.microsoft.com/api/search/rss?search=%22Microsoft+Defender+ATP+as+well+as+security+features+in+Windows+10+and+Windows+Server.%22&locale=en-us
-> ```
-
-## September 2020
-- [Microsoft Defender ATP for Android](microsoft-defender-atp-android.md)
Microsoft Defender ATP now adds support for Android. Learn how to install, configure, update, and use Microsoft Defender ATP for Android.
-- [Threat and vulnerability management macOS support](tvm-supported-os.md)
Threat and vulnerability management for macOS is now in public preview, and will continuously detect vulnerabilities on your macOS devices to help you prioritize remediation by focusing on risk. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-adds-depth-and-breadth-to-threat/ba-p/1695824).
-
-## July 2020
-- [Create indicators for certificates](manage-indicators.md)
Create indicators to allow or block certificates.
-
-## June 2020
-- [Microsoft Defender ATP for Linux](microsoft-defender-atp-linux.md)
Microsoft Defender ATP now adds support for Linux. Learn how to install, configure, update, and use Microsoft Defender ATP for Linux.
-
-- [Attack simulators in the evaluation lab](evaluation-lab.md#threat-simulator-scenarios)
Microsoft Defender ATP has partnered with various threat simulation platforms to give you convenient access to test the capabilities of the platform right from the within the portal.
-
-
-## April 2020
-
-- [Threat & Vulnerability Management API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list)
Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and device vulnerability inventory, software version distribution, device vulnerability information, security recommendation information. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615).
-
-## November-December 2019
-
-- [Microsoft Defender ATP for Mac](microsoft-defender-atp-mac.md)
Microsoft Defender ATP for Mac brings the next-generation protection to Mac devices. Core components of the unified endpoint security platform will now be available for Mac devices, including [endpoint detection and response](endpoint-detection-response-mac-preview.md).
-
-- [Threat & Vulnerability Management application and application version end-of-life information](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation)
Applications and application versions which have reached their end-of-life are tagged or labeled as such so you are aware that they will no longer be supported, and can take action to either uninstall or replace. Doing so will help lessen the risks related to various vulnerability exposures due to unpatched applications.
-
-- [Threat & Vulnerability Management Advanced Hunting Schemas](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference)
Use the Threat & Vulnerability Management tables in the Advanced hunting schema to query about software inventory, vulnerability knowledgebase, security configuration assessment, and security configuration knowledgebase.
-
- - [Threat & Vulnerability Management role-based access controls](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
Use the new permissions to allow maximum flexibility to create SecOps-oriented roles, Threat & Vulnerability Management-oriented roles, or hybrid roles so only authorized users are accessing specific data to do their task. You can also achieve even further granularity by specifying whether a Threat & Vulnerability Management role can only view vulnerability-related data, or can create and manage remediation and exceptions.
-
-## October 2019
-
-- [Indicators for IP addresses, URLs/Domains](manage-indicators.md)
You can now allow or block URLs/domains using your own threat intelligence.
-
-
-- [Microsoft Threat Experts - Experts on Demand](microsoft-threat-experts.md)
You now have the option to consult with Microsoft Threat Experts from several places in the portal to help you in the context of your investigation.
-
-- [Connected Azure AD applications](connected-applications.md)
The Connected applications page provides information about the Azure AD applications connected to Microsoft Defender ATP in your organization.
-
-- [API Explorer](api-explorer.md)
The API explorer makes it easy to construct and perform API queries, test and send requests for any available Microsoft Defender ATP API endpoint.
-
-
-## September 2019
-
-- [Tamper Protection settings using Intune](../microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md#turn-tamper-protection-on-or-off-for-your-organization-using-intune)
You can now turn Tamper Protection on (or off) for your organization in the Microsoft 365 Device Management Portal (Intune).
-
-- [Live response](live-response.md)
Get instantaneous access to a device using a remote shell connection. Do in-depth investigative work and take immediate response actions to promptly contain identified threats - real-time.
-
-- [Evaluation lab](evaluation-lab.md)
The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of device and environment configuration so that you can
- focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action.
-
-- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-2008-r2-sp1--windows-server-2012-r2-and-windows-server-2016)
You can now onboard Windows Server 2008 R2 SP1.
-
-
-## June 2019
-
-- [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
A new built-in capability that uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
-
-- [Device health and compliance report](machine-reports.md) The device health and compliance report provides high-level information about the devices in your organization.
-
-## May 2019
-
-- [Threat protection reports](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection)
The threat protection report provides high-level information about alerts generated in your organization.
-
-
-- [Microsoft Threat Experts](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts)
Microsoft Threat Experts is the new managed threat hunting service in Microsoft Defender ATP that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately. It provides additional layer of expertise and optics that Microsoft customers can utilize to augment security operation capabilities as part of Microsoft 365.
-
-- [Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/ti-indicator)
APIs for indicators are now generally available.
-
-
-- [Interoperability](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/partner-applications)
Microsoft Defender ATP supports third-party applications to help enhance the detection, investigation, and threat intelligence capabilities of the platform.
-
-
-## April 2019
-- [Microsoft Threat Experts Targeted Attack Notification capability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts#targeted-attack-notification)
Microsoft Threat Experts' Targeted Attack Notification alerts are tailored to organizations to provide as much information as can be quickly delivered thus bringing attention to critical threats in their network, including the timeline, scope of breach, and the methods of intrusion.
-
-- [Microsoft Defender ATP API](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/apis-intro)
Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Microsoft Defender ATP capabilities.
-
-
-
-## February 2019
-- [Incidents](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/incidents-queue)
Incident is a new entity in Microsoft Defender ATP that brings together all relevant alerts and related entities to narrate the broader attack story, giving analysts better perspective on the purview of complex threats.
-
-- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection)
Onboard supported versions of Windows devices so that they can send sensor data to the Microsoft Defender ATP sensor.
-
-
-## October 2018
-- [Attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)
All Attack surface reduction rules are now supported on Windows Server 2019.
-
-- [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard)
Controlled folder access is now supported on Windows Server 2019.
-
-- [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections)
With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of advanced hunting through the creation of custom detection rules.
-
-- [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center)
Microsoft Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Microsoft Defender ATP to provide improved threat detection for Windows Servers.
-
-- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection)
Microsoft Defender ATP adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Microsoft Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools.
-
-- [Removable device control](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/19/windows-defender-atp-has-protections-for-usb-and-removable-devices/)
Microsoft Defender ATP provides multiple monitoring and control features to help prevent threats from removable devices, including new settings to allow or block specific hardware IDs.
-
-- [Support for iOS and Android devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection#turn-on-third-party-integration)
iOS and Android devices are now supported and can be onboarded to the service.
-
-- [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics)
-Threat Analytics is a set of interactive reports published by the Microsoft Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats.
-
-- New in Windows 10 version 1809, there are two new attack surface reduction rules:
- - Block Adobe Reader from creating child processes
- - Block Office communication application from creating child processes.
-
-- [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10)
- - Antimalware Scan Interface (AMSI) was extended to cover Office VBA macros as well. [Office VBA + AMSI: Parting the veil on malicious macros](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/).
- - Microsoft Defender Antivirus, new in Windows 10 version 1809, can now [run within a sandbox](https://www.microsoft.com/security/blog/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox) (preview), increasing its security.
- - [Configure CPU priority settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus) for Microsoft Defender Antivirus scans.
-
-
-
-## March 2018
-- [Advanced Hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)
-Query data using advanced hunting in Microsoft Defender ATP.
-
-- [Attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)
- New attack surface reduction rules:
- - Use advanced protection against ransomware
- - Block credential stealing from the Windows local security authority subsystem (lsass.exe)
- - Block process creations originating from PSExec and WMI commands
- - Block untrusted and unsigned processes that run from USB
- - Block executable content from email client and webmail
-
-- [Automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)
Use Automated investigations to investigate and remediate threats.
-
- >[!NOTE]
- >Available from Windows 10, version 1803 or later.
-
-- [Conditional Access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection)
Enable conditional access to better protect users, devices, and data.
-
-- [Microsoft Defender ATP Community center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection)
- The Microsoft Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product.
-
-- [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard)
-You can now block untrusted processes from writing to disk sectors using Controlled Folder Access.
-
-- [Onboard non-Windows devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection)
- Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network.
-
-- [Role-based access control (RBAC)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection)
- Using role-based access control (RBAC), you can create roles and groups within your security operations team to grant appropriate access to the portal.
-
-
-- [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10)
-Microsoft Defender Antivirus now shares detection status between M365 services and interoperates with Microsoft Defender ATP. For more information, see [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus).
-
- Block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. For more information, see [Enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus).
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
index 263e076dda..022c938160 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
@@ -2,7 +2,7 @@
title: Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings (Windows 10)
description: A list of all available settings for Microsoft Defender SmartScreen using Group Policy and mobile device management (MDM) settings.
keywords: SmartScreen Filter, Windows SmartScreen, Microsoft Defender SmartScreen
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
@@ -12,6 +12,7 @@ ms.date: 09/28/2020
ms.reviewer:
manager: dansimp
ms.author: dansimp
+ms.technology: mde
---
# Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings
**Applies to:**
@@ -25,7 +26,7 @@ See [Windows 10 (and later) settings to protect devices using Intune](https://do
## Group Policy settings
-SmartScreen uses registry-based Administrative Template policy settings. For more info about Group Policy, see the [Group Policy TechCenter](https://go.microsoft.com/fwlink/p/?LinkId=214514). This site provides links to the latest technical documentation, videos, and downloads for Group Policy.
+SmartScreen uses registry-based Administrative Template policy settings.
## Recommended Group Policy and MDM settings for your organization
-By default, Microsoft Defender SmartScreen lets employees bypass warnings. Unfortunately, this can let employees continue to an unsafe site or to continue to download an unsafe file, even after being warned. Because of this possibility, we strongly recommend that you set up Microsoft Defender SmartScreen to block high-risk interactions instead of providing just a warning.
+By default, Microsoft Defender SmartScreen lets employees bypass warnings. Unfortunately, this feature can let employees continue to an unsafe site or to continue to download an unsafe file, even after being warned. Because of this possibility, we strongly recommend that you set up Microsoft Defender SmartScreen to block high-risk interactions instead of providing just a warning.
To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen Group Policy and MDM settings.
Setting
@@ -34,28 +35,27 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor
Windows 10, version 2004:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreenWindows 10, version 1703:
-
Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen
Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreenAt least Windows Server 2012, Windows 8 or Windows RT
+Windows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen
Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen
+At least Windows Server 2012, Windows 8 or Windows RTThis policy setting turns on Microsoft Defender SmartScreen.
Windows 10, version 2004:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install ControlWindows 10, version 1703:
-
Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install ControlWindows 10, version 1703
-This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.
+This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet. This setting does not protect against malicious content from USB devices, network shares, or other non-internet sources.
-
Windows 10, version 2004:
+
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen
Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreenWindows 10, version 2004:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen (Microsoft Edge version 45 and earlier)
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen (Microsoft Edge version 45 and earlier)
Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreenMicrosoft Edge on Windows 10 or later
This policy setting turns on Microsoft Defender SmartScreen.
-
Windows 10, version 2004:
+
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files
Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for filesWindows 10, version 2004:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files (Microsoft Edge version 45 and earlier)
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files (Microsoft Edge version 45 and earlier)
Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for filesMicrosoft Edge on Windows 10, version 1511 or later
This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious files.
-
@@ -160,7 +160,7 @@ For Microsoft Defender SmartScreen Edge MDM policies, see [Policy CSP - Browser]
Windows 10, version 2004:
+
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites
Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sitesWindows 10, version 2004:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 45 and earlier)
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 45 and earlier)
Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sitesMicrosoft Edge on Windows 10, version 1511 or later
This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious sites.
@@ -144,12 +145,12 @@ Use the following table to develop your own objectives and determine which appli
@@ -146,12 +147,12 @@ The following table compares the features and functions of Software Restriction
@@ -158,6 +160,7 @@ Pick the correct version of each .dll for the Windows release you plan to suppor
+
+
+## More information
+
+- [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
index 61a59f78bf..13d6752759 100644
--- a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
+++ b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
@@ -1,9 +1,9 @@
---
title: Plan for WDAC policy management (Windows 10)
description: Learn about the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control policies.
-keywords: security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 02/21/2018
+ms.technology: mde
---
# Plan for Windows Defender Application Control lifecycle policy management
@@ -65,7 +66,7 @@ Each time that a process is blocked by WDAC, events will be written to either th
Collecting these events in a central location can help you maintain your WDAC policy and troubleshoot rule configuration problems. Event collection technologies such as those available in Windows allow administrators to subscribe to specific event channels and have the events from source computers aggregated into a forwarded event log on a Windows Server operating system collector. For more info about setting up an event subscription, see [Configure Computers to Collect and Forward Events](https://go.microsoft.com/fwlink/p/?LinkId=145012).
-Additionally, WDAC events are collected by [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) and can be queried using the [advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) feature.
+Additionally, WDAC events are collected by [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) and can be queried using the [advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) feature.
## Application and user support policy
diff --git a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md
index 19bcd021e5..ed001ad80e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md
+++ b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md
@@ -1,9 +1,9 @@
---
title: Query Application Control events with Advanced Hunting (Windows 10)
description: Learn how to query Windows Defender Application Control events across your entire organization by using Advanced Hunting.
-keywords: security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 12/06/2018
+ms.technology: mde
---
# Querying Application Control events centrally using Advanced hunting
@@ -22,12 +23,12 @@ ms.date: 12/06/2018
A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode.
While Event Viewer helps to see the impact on a single system, IT Pros want to gauge the impact across many systems.
-In November 2018, we added functionality in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) that makes it easy to view WDAC events centrally from all systems that are connected to Microsoft Defender ATP.
+In November 2018, we added functionality in Microsoft Defender for Endpoint that makes it easy to view WDAC events centrally from all systems that are connected to Defender for Endpoint.
-Advanced hunting in Microsoft Defender ATP allows customers to query data using a rich set of capabilities. WDAC events can be queried with using an ActionType that starts with “AppControl”.
+Advanced hunting in Microsoft Defender for Endpoint allows customers to query data using a rich set of capabilities. WDAC events can be queried with using an ActionType that starts with “AppControl”.
This capability is supported beginning with Windows version 1607.
-Here is a simple example query that shows all the WDAC events generated in the last seven days from machines being monitored by Microsoft Defender ATP:
+Here is a simple example query that shows all the WDAC events generated in the last seven days from machines being monitored by Microsoft Defender for Endpoint:
```
DeviceEvents
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index 134df74024..b692c51861 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -1,9 +1,9 @@
---
title: Understand WDAC policy rules and file rules (Windows 10)
description: Learn how Windows Defender Application Control provides control over a computer running Windows 10 by using policies that include policy rules and file rules.
-keywords: security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 03/04/2020
+ms.technology: mde
---
# Understand WDAC policy rules and file rules
diff --git a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
index 601d01340e..936314d342 100644
--- a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
@@ -3,7 +3,7 @@ title: Policy creation for common WDAC usage scenarios (Windows 10)
description: Develop a plan for deploying Windows Defender Application Control (WDAC) in your organization based on these common scenarios.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 03/01/2018
+ms.technology: mde
---
# Windows Defender Application Control deployment in different scenarios: types of devices
@@ -41,7 +42,7 @@ In the next set of topics, we will explore each of the above scenarios using a f
Lamna Healthcare Company (Lamna) is a large healthcare provider operating in the United States. Lamna employs thousands of people, from doctors and nurses to accountants, in-house lawyers, and IT technicians. Their device use cases are varied and include single-user workstations for their professional staff, shared kiosks used by doctors and nurses to access patient records, dedicated medical devices such as MRI scanners, and many others. Additionally, Lamna has a relaxed, bring-your-own-device policy for many of their professional staff.
-Lamna uses [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) (MEM) in hybrid mode with both Configuration Manager (MEMCM) and Intune. Although they use MEM to deploy many applications, Lamna has always had very relaxed application usage practices: individual teams and employees have been able to install and use any applications they deem necessary for their role on their own workstations. Lamna also recently started to use [Microsoft Defender Advanced Threat Protection](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) (MDATP) for better endpoint detection and response.
+Lamna uses [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) (MEM) in hybrid mode with both Configuration Manager (MEMCM) and Intune. Although they use MEM to deploy many applications, Lamna has always had very relaxed application usage practices: individual teams and employees have been able to install and use any applications they deem necessary for their role on their own workstations. Lamna also recently started to use [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) for better endpoint detection and response.
> [!NOTE]
> Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager.
diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
index ae0cd53f63..9443134723 100644
--- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
@@ -1,10 +1,10 @@
---
title: Understand Windows Defender Application Control policy design decisions (Windows 10)
-description: Understand Windows Defender Application Control policy design decisions.
-keywords: security, malware
+description: Understand Windows Defender Application Control policy design decisions.
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
manager: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
ms.date: 02/08/2018
+ms.technology: mde
---
# Understand Windows Defender Application Control policy design decisions
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
index f49176ee48..8e289e4bf3 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
@@ -1,9 +1,9 @@
---
title: Use code signing to simplify application control for classic Windows applications (Windows 10)
description: With embedded signing, your WDAC policies typically do not have to be updated when an app is updated. To set this up, you can choose from a variety of methods.
-keywords: security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 05/03/2018
+ms.technology: mde
---
# Use code signing to simplify application control for classic Windows applications
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md
index 766037be4b..4703d016ee 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md
@@ -4,7 +4,7 @@ description: You can sign code integrity policies with the Device Guard signing
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ author: jsuther1974
ms.reviewer: isbrahm
manager: dansimp
ms.date: 02/19/2019
+ms.technology: mde
---
# Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
index f5a09fc5c6..c951c3b825 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
@@ -1,9 +1,9 @@
---
title: Use signed policies to protect Windows Defender Application Control against tampering (Windows 10)
-description: Signed WDAC policies give organizations the highest level of malware protection available in Windows 10.
-keywords: security, malware
+description: Signed WDAC policies give organizations the highest level of malware protection available in Windows 10.
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 05/03/2018
+ms.technology: mde
---
# Use signed policies to protect Windows Defender Application Control against tampering
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
index 79a167e2a1..5392e5253b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
@@ -5,7 +5,7 @@ keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
manager: dansimp
ms.author: dansimp
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
ms.date: 05/03/2018
+ms.technology: mde
---
# Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules
@@ -33,17 +34,17 @@ As of Windows 10, version 1703, you can use WDAC policies not only to control ap
To work with these options, the typical method is to create a policy that only affects plug-ins, add-ins, and modules, then merge it into your 'master' policy (merging is described in the next section).
-For example, to create a WDAC policy that allows **addin1.dll** and **addin2.dll** to run in **ERP1.exe**, your organization's enterprise resource planning (ERP) application, run the following commands. Note that in the second command, **+=** is used to add a second rule to the **$rule** variable:
+For example, to create a WDAC policy allowing **addin1.dll** and **addin2.dll** to run in **ERP1.exe**, your organization's enterprise resource planning (ERP) application, run the following commands. Note that in the second command, **+=** is used to add a second rule to the **$rule** variable:
```powershell
-$rule = New-CIPolicyRule -DriverFilePath '.\ERP1.exe' -Level FileName -AppID '.\temp\addin1.dll'
-$rule += New-CIPolicyRule -DriverFilePath '.\ERP1.exe' -Level FileName -AppID '.\temp\addin2.dll'
+$rule = New-CIPolicyRule -DriverFilePath '.\temp\addin1.dll' -Level FileName -AppID '.\ERP1.exe'
+$rule += New-CIPolicyRule -DriverFilePath '.\temp\addin1.dll' -Level FileName -AppID '.\ERP1.exe'
New-CIPolicy -Rules $rule -FilePath ".\AllowERPAddins.xml" -UserPEs
```
As another example, to create a WDAC policy that blocks **addin3.dll** from running in Microsoft Word, run the following command. You must include the `-Deny` option to block the specified add-ins in the specified application:
```powershell
-$rule = New-CIPolicyRule -DriverFilePath '.\winword.exe' -Level FileName -Deny -AppID '.\temp\addin3.dll'
+$rule = New-CIPolicyRule -DriverFilePath '.\temp\addin3.dll' -Level FileName -Deny -AppID '.\winword.exe'
New-CIPolicy -Rules $rule -FilePath ".\BlockAddins.xml" -UserPEs
```
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
index 5490ef7a77..9670e64011 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md
@@ -1,9 +1,9 @@
---
title: Windows Defender Application Control and .NET Hardening (Windows 10)
description: Dynamic Code Security is an application control feature that can verify code loaded by .NET at runtime.
-keywords: security, malware
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 08/20/2018
+ms.technology: mde
---
# Windows Defender Application Control and .NET hardening
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
index 7705229827..089a7ea67f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
@@ -3,7 +3,7 @@ title: Authorize reputable apps with the Intelligent Security Graph (ISG) (Windo
description: Automatically authorize applications that Microsoft’s ISG recognizes as having known good reputation.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 03/10/2020
+ms.technology: mde
---
# Authorize reputable apps with the Intelligent Security Graph (ISG)
@@ -90,7 +91,7 @@ This step is not required for WDAC policies deployed over MDM using the AppLocke
## Security considerations with the Intelligent Security Graph
-Since the Microsoft Intelligent Security Graph is a heuristic-based mechanism, it does not provide the same security guarantees that explicit allow or deny rules do. It is best suited for deployment to systems where each user is configured as a standard user and there are other monitoring systems in place like Microsoft Defender Advanced Threat Protection to help provide optics into what users are doing.
+Since the Microsoft Intelligent Security Graph is a heuristic-based mechanism, it does not provide the same security guarantees that explicit allow or deny rules do. It is best suited for deployment to systems where each user is configured as a standard user and there are other monitoring systems in place like Microsoft Defender for Endpoint to help provide optics into what users are doing.
Users with administrator privileges or malware running as an administrator user on the system may be able to circumvent the intent of WDAC when the Microsoft Intelligent Security Graph option is allowed by circumventing or corrupting the heuristics used to assign reputation to application executables. The Microsoft Intelligent Security Graph option uses the same heuristic tracking as managed installer and so for application installers that include an option to automatically run the application at the end of the installation process the heuristic may over-authorize.
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
index d6810894b4..c3397bfba4 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
@@ -1,9 +1,9 @@
---
title: Authorize apps deployed with a WDAC managed installer (Windows 10)
-description: Explains how you can use a managed installer to automatically authorize applications deployed and installed by a designated software distribution solution, such as Microsoft Endpoint Configuration Manager.
-keywords: security, malware
+description: Explains how you can use a managed installer to automatically authorize applications deployed and installed by a designated software distribution solution, such as Microsoft Endpoint Configuration Manager.
+keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -15,6 +15,7 @@ ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 08/14/2020
+ms.technology: mde
---
# Authorize apps deployed with a WDAC managed installer
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
index 9fe4c819a1..03f0eb6f0d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
@@ -3,7 +3,7 @@ title: WDAC and AppLocker Overview
description: Compare Windows application control technologies.
keywords: security, malware, allow-list, block-list
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: w10
+ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
@@ -16,6 +16,7 @@ ms.author: deniseb
manager: dansimp
ms.date: 09/30/2020
ms.custom: asr
+ms.technology: mde
---
# Windows Defender Application Control and AppLocker Overview
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md
new file mode 100644
index 0000000000..46ef9319e7
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md
@@ -0,0 +1,139 @@
+---
+title: Windows Defender Application Control Wizard Base Policy Creation
+description: Creating new base application control policies with the Microsoft Windows Defender Application (WDAC) Wizard.
+keywords: allow listing, block listing, security, malware
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: m365-security
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jgeurten
+ms.reviewer: isbrahm
+ms.author: dansimp
+manager: dansimp
+ms.topic: conceptual
+ms.date: 10/14/2020
+ms.technology: mde
+---
+
+# Creating a new Base Policy with the Wizard
+
+**Applies to**
+- Windows 10
+- Windows Server 2016 and above
+
+When creating policies for use with Windows Defender Application Control (WDAC), it is recommended to start with a template policy and then add or remove rules to suit your application control scenario. For this reason, the WDAC Wizard offers three template policies to start from and customize during the base policy creation workflow. Prerequisite information about application control can be accessed through the [WDAC design guide](windows-defender-application-control-design-guide.md). This page outlines the steps to create a new application control policy from a template, configure the policy options, and the signer and file rules.
+
+
+## Template Base Policies
+
+Each of the template policies has a unique set of policy allow list rules that will affect the circle-of-trust and security model of the policy. The following table lists the policies in increasing order of trust and freedom. For instance, the Default Windows mode policy trusts fewer application publishers and signers than the Signed and Reputable mode policy. The Default Windows policy will have a smaller circle-of-trust with better security than the Signed and Reputable policy, but at the expense of compatibility.
+
+
+| Template Base Policy | Description |
+|---------------------------------|-------------------------------------------------------------------|
+| **Default Windows Mode** | Default Windows mode will authorize the following components:
|
+| **Allow Microsoft Mode** | Allow mode will authorize the following components:
|
+| **Signed and Reputable Mode** | Signed and Reputable mode will authorize the following components:
|
+
+*Italicized content denotes the changes in the current policy with respect to the policy prior.*
+
+More information about the Default Windows Mode and Allow Microsoft Mode policies can be accessed through the [Example WDAC base policies article](example-wdac-base-policies.md).
+
+
+
+Once the base template is selected, give the policy a name and choose where to save the application control policy on disk.
+
+## Configuring Policy Rules
+
+Upon page launch, policy rules will be automatically enabled/disabled depending on the chosen template from the previous page. Choose to enable or disable the desired policy rule options by pressing the slider button next to the policy rule titles. A short description of each rule will appear at the bottom of the page when the mouse hovers over the rule title.
+
+### Policy Rules Description
+
+A description of each policy rule, beginning with the left-most column, is provided below. The [Policy rules article](select-types-of-rules-to-create.md#windows-defender-application-control-policy-rules) provides a full description of each policy rule.
+
+| Rule option | Description |
+|------------ | ----------- |
+| **Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. |
+| **Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. |
+| **Disable Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is only supported with the Windows 10 May 2019 Update (1903) and higher. Using it on earlier versions of Windows 10 is not supported and may have unintended results. |
+|**[Hypervisor-protected code integrity (HVCI)](https://docs.microsoft.com/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity)**| When enabled, policy enforcement uses virtualization-based security to run the code integrity service inside a secure environment. HVCI provides stronger protections against kernel malware.|
+| **Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). |
+| **Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager, that has been defined as a managed installer. |
+| **Require WHQL** | By default, legacy drivers that are not Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Going forward, every new Windows 10–compatible driver must be WHQL certified. |
+| **Update Policy without Rebooting** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. |
+| **Unsigned System Integrity Policy** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and have UpdatePolicySigners added to the policy to enable future policy modifications. |
+| **User Mode Code Integrity** | WDAC policies restrict both kernel-mode and user-mode binaries. By default, only kernel-mode binaries are restricted. Enabling this rule option validates user mode executables and scripts. |
+
+> [!div class="mx-imgBorder"]
+> 
+
+### Advanced Policy Rules Description
+
+Selecting the **+ Advanced Options** label will show another column of policy rules; advanced policy rules. A description of each policy rule is provided below.
+
+| Rule option | Description |
+|------------ | ----------- |
+| **Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a driver fails during startup, the WDAC policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. |
+| **Disable Flight Signing** | If enabled, WDAC policies will not trust flightroot-signed binaries. This would be used in the scenario in which organizations only want to run released binaries, not flight/preview-signed builds. |
+| **Disable Runtime FilePath Rule Protection** | Disable default FilePath rule protection (apps and executables allowed based on file path rules must come from a file path that’s only writable by an administrator) for any FileRule that allows a file based on FilePath. |
+| **Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries (DLLs). |
+| **Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically revalidate the reputation for files that were authorized by the ISG.|
+| **Require EV Signers** | In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All Windows 10 and later drivers will meet this requirement. |
+
+
+
+> [!NOTE]
+> We recommend that you **enable Audit Mode** initially because it allows you to test new WDAC policies before you enforce them. With audit mode, no application is blocked—instead the policy logs an event whenever an application outside the policy is started. For this reason, all templates have Audit Mode enabled by default.
+
+## Creating custom file rules
+
+[File rules](select-types-of-rules-to-create.md#windows-defender-application-control-file-rule-levels) in an application control policy will specify the level at which applications will be identified and trusted. File rules are the main mechanism for defining trust in the application control policy. Selecting the **+ Custom Rules** will open the custom file rule conditions panel to create custom file rules for your policy. The Wizard supports four types of file rules:
+
+### Publisher Rules
+
+The Publisher file rule type uses properties in the code signing certificate chain to base file rules. Once the file to base the rule off of, called the *reference file*, is selected, use the slider to indicate the specificity of the rule. The table below shows the relationship between the slider placement, the corresponding WDAC rule level and its description. The lower the placement on the table and the UI slider, the greater the specificity of the rule.
+
+| Rule Condition | WDAC Rule Level | Description |
+|------------ | ----------- | ----------- |
+| **Issuing CA** | PCACertificate | Highest available certificate is added to the signers. This is typically the PCA certificate, one level below the root certificate. Any file signed by this certificate will be affected. |
+| **Publisher** | Publisher | This rule is a combination of the PCACertificate rule and the common name (CN) of the leaf certificate. Any file signed by a major CA but with a leaf from a specific company, for example a device driver corp, is affected. |
+| **File version** | SignedVersion | This rule is a combination of PCACertificate, publisher, and a version number. Anything from the specified publisher with a version at or above the one specified is affected. |
+| **File name** | FilePublisher | Most specific. Combination of the file name, publisher, and PCA certificate as well as a minimum version number. Files from the publisher with the specified name and greater or equal to the specified version are affected. |
+
+
+
+
+### Filepath Rules
+
+Filepath rules do not provide the same security guarantees that explicit signer rules do, as they are based on mutable access permissions. To create a filepath rule, select the file using the *Browse* button.
+
+### File Attribute Rules
+
+The Wizard supports the creation of [file name rules](select-types-of-rules-to-create.md#windows-defender-application-control-filename-rules) based on authenticated file attributes. File name rules are useful when an application and its dependencies (for example, DLLs) may all share the same product name, for instance. This rule level allows users to easily create targeted policies based on the Product Name file name parameter. To select the file attribute to create the rule, move the slider on the Wizard to the desired attribute. The table below describes each of the supported file attributes off which to create a rule.
+
+| Rule level | Description |
+|------------ | ----------- |
+| **Original Filename** | Specifies the original file name, or the name with which the file was first created, of the binary. |
+| **File description** | Specifies the file description provided by the developer of the binary. |
+| **Product name** | Specifies the name of the product with which the binary ships. |
+| **Internal name** | Specifies the internal name of the binary. |
+
+> [!div class="mx-imgBorder"]
+> 
+
+### File Hash Rules
+
+Lastly, the Wizard supports creating file rules using the hash of the file. Although this level is specific, it can cause additional administrative overhead to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. By default, the Wizard will use file hash as the fallback in case a file rule cannot be created using the specified file rule level.
+
+
+#### Deleting Signing Rules
+
+The policy signing rules list table on the left of the page will document the allow and deny rules in the template, as well as any custom rules you create. Template signing rules and custom rules can be deleted from the policy by selecting the rule from the rules list table. Once the rule is highlighted, press the delete button underneath the table. you will be prompted for additional confirmation. Select `Yes` to remove the rule from the policy and the rules table.
+
+## Up next
+
+- [Editing a WDAC policy using the Wizard](wdac-wizard-editing-policy.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md
new file mode 100644
index 0000000000..bca81708e6
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md
@@ -0,0 +1,112 @@
+---
+title: Windows Defender Application Control Wizard Supplemental Policy Creation
+description: Creating supplemental application control policies with the WDAC Wizard.
+keywords: allowlisting, blocklisting, security, malware, supplemental policy
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: m365-security
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jgeurten
+ms.reviewer: isbrahm
+ms.author: dansimp
+manager: dansimp
+ms.topic: conceptual
+ms.date: 10/14/2020
+ms.technology: mde
+---
+
+# Creating a new Supplemental Policy with the Wizard
+
+**Applies to**
+- Windows 10
+- Windows Server 2016 and above
+
+Beginning in Windows 10 version 1903, WDAC supports the creation of multiple active policies on a device. One or more supplemental policies allow customers to expand a [WDAC base policy](wdac-wizard-create-base-policy.md) to increase the circle of trust of the policy. A supplemental policy can expand only one base policy, but multiple supplementals can expand the same base policy. When using supplemental policies, applications allowed by the base or its supplemental policy/policies will be allowed to execute.
+
+Prerequisite information about application control can be accessed through the [WDAC design guide](windows-defender-application-control-design-guide.md). This page outlines the steps to create a supplemental application control policy, configure the policy options, and the signer and file rules.
+
+## Expanding a Base Policy
+
+Once the Supplemental Policy type is chosen on the New Policy page, policy name and file dialog fields can be used to name and save the supplemental policy. The next step requires selecting a base policy to expand. To expand a base policy, the base must allow supplemental policies. The WDAC Wizard will verify if the base policy allows supplementals and will show the following confirmation.
+
+
+
+If the base policy is not configured for supplemental policies, the Wizard will attempt to convert the policy to one that can be supplemented. Once successful, the Wizard will show a dialog demonstrating that the addition of the Allow Supplemental Policy rule was completed.
+
+
+
+Policies that cannot be supplemented, for instance, a supplemental policy, will be detected by the Wizard and will show the following error. Only a base policy can be supplemented. More information on supplemental policies can be found on our [Multiple Policies article](deploy-multiple-windows-defender-application-control-policies.md).
+
+
+
+## Configuring Policy Rules
+
+Upon page launch, policy rules will be automatically enabled/disabled depending on the chosen base policy from the previous page. Most of the supplemental policy rules must be inherited from the base policy. The Wizard will automatically parse the base policy and set the required supplemental policy rules to match the base policy rules. Inherited policy rules will be grayed out and will not be modifiable in the user interface.
+
+A short description of the rule will be shown at the bottom of the page when the cursor is placed on the rule title.
+
+### Configurable Supplemental Policy Rules Description
+
+There are only three policy rules that can be configured by the supplemental policy. A description of each policy rule, beginning with the left-most column, is provided below. Selecting the **+ Advanced Options** label will show another column of policy rules; advanced policy rules.
+
+
+| Rule option | Description |
+|------------ | ----------- |
+| **Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). |
+| **Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager, that has been defined as a managed installer. |
+| **Disable Runtime FilePath Rule Protection** | Disable default FilePath rule protection (apps and executables allowed based on file path rules must come from a file path that’s only writable by an administrator) for any FileRule that allows a file based on FilePath. |
+
+
+
+## Creating custom file rules
+
+File rules in an application control policy will specify the level at which applications will be identified and trusted. File rules are the main mechanism for defining trust in the application control policy. Selecting the **+ Custom Rules** will open the custom file rule conditions panel to create and customize targeted file rules for your policy. The Wizard supports four types of file rules:
+
+### Publisher Rules
+
+The Publisher file rule type uses properties in the code signing certificate chain to base file rules. Once the file to base the rule off of, called the *reference file*, is selected, use the slider to indicate the specificity of the rule. The table below shows the relationship between the slider placement, the corresponding WDAC rule level, and its description. The lower the placement on the table and the UI slider, the greater the specificity of the rule.
+
+| Rule Condition | WDAC Rule Level | Description |
+|------------ | ----------- | ----------- |
+| **Issuing CA** | PCACertificate | Highest available certificate is added to the signers. This certificate is typically the PCA certificate, one level below the root certificate. Any file signed by this certificate will be affected. |
+| **Publisher** | Publisher | This rule is a combination of the PCACertificate rule and the common name (CN) of the leaf certificate. Any file signed by a major CA but with a leaf from a specific company, for example a device driver publisher, is affected. |
+| **File version** | SignedVersion | This rule is a combination of the PCACertificate and Publisher rule, and a version number. Anything from the specified publisher with a version at or above the one specified is affected. |
+| **File name** | FilePublisher | Most specific. Combination of the file name, publisher, and PCA certificate and a minimum version number. Files from the publisher with the specified name and greater or equal to the specified version are affected. |
+
+
+
+
+### Filepath Rules
+
+Filepath rules do not provide the same security guarantees that explicit signer rules do, as they are based on mutable access permissions. To create a filepath rule, select the file using the *Browse* button.
+
+### File Attribute Rules
+
+The Wizard supports the creation of [file name rules](select-types-of-rules-to-create.md#windows-defender-application-control-filename-rules) based on authenticated file attributes. File name rules are useful when an application and its dependencies (for example, DLLs) may all share the same product name, for instance. This rule level allows users to easily create targeted policies based on the Product Name file name. To select the file attribute to create the rule, move the slider on the Wizard to the desired attribute. The table below describes each of the supported file attributes off which to create a rule.
+
+| Rule level | Description |
+|------------ | ----------- |
+| **Original Filename** | Specifies the original file name, or the name with which the file was first created, of the binary. |
+| **File description** | Specifies the file description provided by the developer of the binary. |
+| **Product name** | Specifies the name of the product with which the binary ships. |
+| **Internal name** | Specifies the internal name of the binary. |
+
+
+
+
+### File Hash Rules
+
+Lastly, the Wizard supports creating file rules using the hash of the file. Although this level is specific, it can cause extra administrative overhead to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. By default, the Wizard will use file hash as the fallback in case a file rule cannot be created using the specified file rule level.
+
+
+#### Deleting Signing Rules
+
+The table on the left of the page will document the allow and deny rules in the template, and any custom rules you create. Rules can be deleted from the policy by selecting the rule from the rules list table. Once the rule is highlighted, press the delete button underneath the table. you will be prompted for additional confirmation. Select `Yes` to remove the rule from the policy and the rules table.
+
+## Up next
+
+- [Editing a WDAC policy using the Wizard](wdac-wizard-editing-policy.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md
new file mode 100644
index 0000000000..2b94c7f004
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md
@@ -0,0 +1,73 @@
+---
+title: Editing Windows Defender Application Control Policies with the Wizard
+description: Editing existing base and supplemental policies with the Microsoft WDAC Wizard.
+keywords: allowlisting, blocklisting, security, malware
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: m365-security
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+audience: ITPro
+ms.collection: M365-security-compliance
+author: jgeurten
+ms.reviewer: isbrahm
+ms.author: dansimp
+manager: dansimp
+ms.topic: conceptual
+ms.date: 10/14/2020
+ms.technology: mde
+---
+
+# Editing existing base and supplemental WDAC policies with the Wizard
+
+**Applies to**
+- Windows 10
+- Windows Server 2016 and above
+
+The WDAC Wizard makes editing and viewing WDAC policies easier than the PowerShell cmdlets or manually. The Wizard currently supports the following editing capabilities:
+
+
+
+## Configuring Policy Rules
+
+The `Policy Rules` page will load with the in-edit policy rules configured per the set rules. Selecting the `+ Advanced Options` button will reveal the advanced policy rule options panel. This grouping of rules contains additional policy rule options that are less common to the majority of users. To edit any of the rules, flip the corresponding policy rule state. For instance, to disable Audit Mode and enable Enforcement Mode in the figure below, the button beside the `Audit Mode` label needs only to be pressed. Once the policy rules are configured, select the Next button to continue the next stage of editing: [Adding File Rules](#adding-file-rules).
+
+
+
+A description of the policy rule is shown at the bottom of the page when the cursor is placed over the rule title. For a complete list of the policy rules and their capabilities, see the [Windows Defender Application Control policy rules table](select-types-of-rules-to-create.md#windows-defender-application-control-policy-rules).
+
+## Adding File Rules
+
+The WDAC Wizard allows users to add rules to their existing policy seamlessly. Previously, this would have involved creating a new policy with the new rules and merging it with the existing policy.
+
+Selecting the `+ Custom Rules` button will open the Custom Rules panel. For more information on creating new policy file rules, see the guidelines provided in the [creating policy file rules section](wdac-wizard-create-base-policy.md#creating-custom-file-rules).
+
+## Removing File Rules
+
+The WDAC Wizard makes deleting file rules from an existing policy quick and easy. To remove any type of file rule: publisher rule, path rule, filename rule, or a hash rule, select the rule in the `Policy Signing Rules List` table on the left-hand side of the page. Selecting the rule will highlight the entire row. Once the row is highlighted, select the remove icon underneath the table. The Wizard will prompt for user confirmation before removing the file rule. Once removed, the rule will no longer appear in the policy or the table.
+
+
+
+**Note:** removing a publisher rule will also remove the associated File Attribute rules. For instance, in the xml block below, removing ID_SIGNER_CONTOSO_PUBLISHER would also remove the rules ID_FILEATTRIB_LOB_APP_1 and ID_FILEATTRIB_LOB_APP_2.
+
+```xml
+
-[Edit an existing topic using the Edit link](contribute-to-a-topic.md)
-
diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml
new file mode 100644
index 0000000000..20d56ff5c8
--- /dev/null
+++ b/windows/whats-new/index.yml
@@ -0,0 +1,68 @@
+### YamlMime:Landing
+
+title: What's new in Windows 10 # < 60 chars
+summary: Find out about new features and capabilities in the latest release of Windows 10. # < 160 chars
+
+metadata:
+ title: What's new in Windows 10 # Required; page title displayed in search results. Include the brand. < 60 chars.
+ description: Find out about new features and capabilities in the latest release of Windows 10. # Required; article description that is displayed in search results. < 160 chars.
+ services: windows-10
+ ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
+ ms.subservice: subservice
+ ms.topic: landing-page # Required
+ ms.collection: windows-10
+ author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
+ ms.author: greglin #Required; microsoft alias of author; optional team alias.
+ ms.date: 02/09/2021 #Required; mm/dd/yyyy format.
+ localization_priority: medium
+
+# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
+
+landingContent:
+# Cards and links should be based on top customer tasks or top subjects
+# Start card title with a verb
+ # Card (optional)
+ - title: What's new in Windows 10
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: What's new in Windows 10, version 20H2
+ url: whats-new-windows-10-version-20H2.md
+ - text: What's new in Windows 10, version 2004
+ url: whats-new-windows-10-version-2004.md
+ - text: What's new in Windows 10, version 1909
+ url: whats-new-windows-10-version-1909.md
+ - text: What's new in Windows 10, version 1903
+ url: whats-new-windows-10-version-1903.md
+ - text: What's new in Windows 10, version 1809
+ url: whats-new-windows-10-version-1809.md
+ - text: What's new in Windows 10, version 1803
+ url: whats-new-windows-10-version-1803.md
+
+ # Card (optional)
+ - title: Learn more
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: Windows 10 release information
+ url: https://docs.microsoft.com/en-us/windows/release-health/release-information
+ - text: Windows 10 release health dashboard
+ url: https://docs.microsoft.com/windows/release-information/
+ - text: Windows 10 update history
+ url: https://support.microsoft.com/topic/windows-10-update-history-7dd3071a-3906-fa2c-c342-f7f86728a6e3
+ - text: Windows 10 features we’re no longer developing
+ url: https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features
+ - text: Features and functionality removed in Windows 10
+ url: https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features
+ - text: Compare Windows 10 Editions
+ url: https://go.microsoft.com/fwlink/p/?LinkId=690485
+
+ # Card (optional)
+ - title: See also
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: Windows 10 Enterprise LTSC
+ url: ltsc/index.md
+ - text: Edit an existing topic using the Edit link
+ url: contribute-to-a-topic.md
\ No newline at end of file
diff --git a/windows/whats-new/ltsc/TOC.md b/windows/whats-new/ltsc/TOC.md
index e49aee21fc..a16525cda0 100644
--- a/windows/whats-new/ltsc/TOC.md
+++ b/windows/whats-new/ltsc/TOC.md
@@ -1,4 +1,4 @@
# [Windows 10 Enterprise LTSC](index.md)
-## [What's new in Windows 10 Enterprise 2019 LTSC](whats-new-windows-10-2019.md)
-## [What's new in Windows 10 Enterprise 2016 LTSC](whats-new-windows-10-2016.md)
-## [What's new in Windows 10 Enterprise 2015 LTSC](whats-new-windows-10-2015.md)
+## [What's new in Windows 10 Enterprise LTSC 2019](whats-new-windows-10-2019.md)
+## [What's new in Windows 10 Enterprise LTSC 2016](whats-new-windows-10-2016.md)
+## [What's new in Windows 10 Enterprise LTSC 2015](whats-new-windows-10-2015.md)
diff --git a/windows/whats-new/ltsc/index.md b/windows/whats-new/ltsc/index.md
index b1464088fc..171020f940 100644
--- a/windows/whats-new/ltsc/index.md
+++ b/windows/whats-new/ltsc/index.md
@@ -22,31 +22,31 @@ ms.topic: article
This topic provides links to articles with information about what's new in each release of Windows 10 Enterprise LTSC, and includes a short description of this servicing channel.
-[What's New in Windows 10 Enterprise 2019 LTSC](whats-new-windows-10-2019.md)
-[What's New in Windows 10 Enterprise 2016 LTSC](whats-new-windows-10-2016.md)
-[What's New in Windows 10 Enterprise 2015 LTSC](whats-new-windows-10-2015.md)
+[What's New in Windows 10 Enterprise LTSC 2019](whats-new-windows-10-2019.md)
+[What's New in Windows 10 Enterprise LTSC 2016](whats-new-windows-10-2016.md)
+[What's New in Windows 10 Enterprise LTSC 2015](whats-new-windows-10-2015.md)
-## The Long Term Servicing Channel (LTSC)
+## The Long-Term Servicing Channel (LTSC)
The following table summarizes equivalent feature update versions of Windows 10 LTSC and semi-annual channel (SAC) releases.
| LTSC release | Equivalent SAC release | Availability date |
| --- | --- | --- |
-| Windows 10 Enterprise 2015 LTSC | Windows 10, Version 1507 | 7/29/2015 |
-| Windows 10 Enterprise 2016 LTSC | Windows 10, Version 1607 | 8/2/2016 |
-| Windows 10 Enterprise 2019 LTSC | Windows 10, Version 1809 | 11/13/2018 |
+| Windows 10 Enterprise LTSC 2015 | Windows 10, Version 1507 | 7/29/2015 |
+| Windows 10 Enterprise LTSC 2016 | Windows 10, Version 1607 | 8/2/2016 |
+| Windows 10 Enterprise LTSC 2019 | Windows 10, Version 1809 | 11/13/2018 |
>[!NOTE]
->The Long Term Servicing Channel was previously called the Long Term Servicing Branch (LTSB). All references to LTSB are changed in this article to LTSC for consistency, even though the name of previous versions might still be displayed as LTSB.
+>The Long-Term Servicing Channel was previously called the Long-Term Servicing Branch (LTSB). All references to LTSB are changed in this article to LTSC for consistency, even though the name of previous versions might still be displayed as LTSB.
With the LTSC servicing model, customers can delay receiving feature updates and instead only receive monthly quality updates on devices. Features from Windows 10 that could be updated with new functionality, including Cortana, Edge, and all in-box Universal Windows apps, are also not included. Feature updates are offered in new LTSC releases every 2–3 years instead of every 6 months, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle. Microsoft is committed to providing bug fixes and security patches for each LTSC release during this 10 year period.
>[!IMPORTANT]
->The Long Term Servicing Channel is not intended for deployment on most or all the PCs in an organization. The LTSC edition of Windows 10 provides customers with access to a deployment option for their special-purpose devices and environments. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. These devices are also typically not heavily dependent on support from external apps and tools. Since the feature set for LTSC does not change for the lifetime of the release, over time there might be some external tools that do not continue to provide legacy support. See [LTSC: What is it, and when it should be used](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181).
+>The Long-Term Servicing Channel is not intended for deployment on most or all the PCs in an organization. The LTSC edition of Windows 10 provides customers with access to a deployment option for their special-purpose devices and environments. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. These devices are also typically not heavily dependent on support from external apps and tools. Since the feature set for LTSC does not change for the lifetime of the release, over time there might be some external tools that do not continue to provide legacy support. See [LTSC: What is it, and when it should be used](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181).
For detailed information about Windows 10 servicing, see [Overview of Windows as a service](/windows/deployment/update/waas-overview).
## See Also
[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
-[Windows 10 - Release information](https://docs.microsoft.com/windows/windows-10/release-information): Windows 10 current versions by servicing option.
+[Windows 10 - Release information](https://docs.microsoft.com/windows/release-health/release-information): Windows 10 current versions by servicing option.
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md
index aace786788..d0408f77d6 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2015.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md
@@ -1,10 +1,10 @@
---
-title: What's new in Windows 10 Enterprise 2015 LTSC
+title: What's new in Windows 10 Enterprise LTSC 2015
ms.reviewer:
manager: laurawi
ms.author: greglin
-description: New and updated IT Pro content about new features in Windows 10 Enterprise 2015 LTSC (also known as Windows 10 Enterprise 2015 LTSB).
-keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2015 LTSC"]
+description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2015 (also known as Windows 10 Enterprise 2015 LTSB).
+keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise LTSC 2015"]
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -14,15 +14,15 @@ ms.localizationpriority: low
ms.topic: article
---
-# What's new in Windows 10 Enterprise 2015 LTSC
+# What's new in Windows 10 Enterprise LTSC 2015
**Applies to**
-- Windows 10 Enterprise 2015 LTSC
+- Windows 10 Enterprise LTSC 2015
-This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2015 LTSC (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md).
+This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2015 (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md).
>[!NOTE]
->Features in Windows 10 Enterprise 2015 LTSC are equivalent to [Windows 10, version 1507](../whats-new-windows-10-version-1507-and-1511.md).
+>Features in Windows 10 Enterprise LTSC 2015 are equivalent to [Windows 10, version 1507](../whats-new-windows-10-version-1507-and-1511.md).
## Deployment
@@ -280,7 +280,7 @@ By using [Group Policy Objects](https://go.microsoft.com/fwlink/p/?LinkId=699279
- **Peer-to-peer delivery**, which administrators can enable to make delivery of updates to branch offices and remote sites with limited bandwidth very efficient.
-- **Use with existing tools** such as Microsoft Endpoint Configuration Manager and the [Enterprise Mobility Suite](https://docs.microsoft.com/enterprise-mobility-security).
+- **Use with existing tools** such as Microsoft Endpoint Manager and the [Enterprise Mobility Suite](https://docs.microsoft.com/enterprise-mobility-security).
Together, these Windows Update for Business features help reduce device management costs, provide controls over update deployment, offer quicker access to security updates, as well as provide access to the latest innovations from Microsoft on an ongoing basis. Windows Update for Business is a free service for all Windows 10 Pro, Enterprise, and Education editions, and can be used independent of, or in conjunction with, existing device management solutions such as [Windows Server Update Services (WSUS)](https://technet.microsoft.com/library/hh852345.aspx) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr).
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md
index 37619d2d6f..3b3891912c 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2016.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md
@@ -1,10 +1,10 @@
---
-title: What's new in Windows 10 Enterprise 2016 LTSC
+title: What's new in Windows 10 Enterprise LTSC 2016
ms.reviewer:
manager: laurawi
ms.author: greglin
-description: New and updated IT Pro content about new features in Windows 10 Enterprise 2016 LTSC (also known as Windows 10 Enterprise 2016 LTSB).
-keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2016 LTSC"]
+description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2016 (also known as Windows 10 Enterprise 2016 LTSB).
+keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise LTSC 2016"]
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -14,15 +14,15 @@ ms.localizationpriority: low
ms.topic: article
---
-# What's new in Windows 10 Enterprise 2016 LTSC
+# What's new in Windows 10 Enterprise LTSC 2016
**Applies to**
-- Windows 10 Enterprise 2016 LTSC
+- Windows 10 Enterprise LTSC 2016
-This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2016 LTSC (LTSB), compared to Windows 10 Enterprise 2015 LTSC (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md).
+This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2016 (LTSB), compared to Windows 10 Enterprise LTSC 2015 (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md).
>[!NOTE]
->Features in Windows 10 Enterprise 2016 LTSC are equivalent to Windows 10, version 1607.
+>Features in Windows 10 Enterprise LTSC 2016 are equivalent to Windows 10, version 1607.
## Deployment
@@ -71,7 +71,7 @@ Isolated User Mode is now included with Hyper-V so you don't have to install it
When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name in this version of Windows 10. Customers who have already deployed Microsoft Passport for Work will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.
-Additional changes for Windows Hello in Windows 10 Enterprise 2016 LTSC:
+Additional changes for Windows Hello in Windows 10 Enterprise LTSC 2016:
- Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys.
- Group Policy settings for managing Windows Hello for Business are now available for both **User Configuration** and **Computer Configuration**.
@@ -124,11 +124,11 @@ Several new features and management options have been added to Windows Defender
- [Run a Windows Defender scan from the command line](/windows/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus).
- [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) during download and install times.
-### Windows Defender Advanced Threat Protection (ATP)
+### Microsoft Defender for Endpoint
-With the growing threat from more sophisticated targeted attacks, a new security solution is imperative in securing an increasingly complex network ecosystem. Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks.
+With the growing threat from more sophisticated targeted attacks, a new security solution is imperative in securing an increasingly complex network ecosystem. Microsoft Defender for Endpoint is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks.
-[Learn more about Windows Defender Advanced Threat Protection (ATP)](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection).
+[Learn more about Microsoft Defender for Endpoint](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection).
### VPN security
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index 591f85814f..62b6502a5e 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -1,10 +1,10 @@
---
-title: What's new in Windows 10 Enterprise 2019 LTSC
+title: What's new in Windows 10 Enterprise LTSC 2019
ms.reviewer:
manager: laurawi
ms.author: greglin
-description: New and updated IT Pro content about new features in Windows 10 Enterprise 2019 LTSC (also known as Windows 10 Enterprise 2019 LTSB).
-keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2019 LTSC"]
+description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2019 (also known as Windows 10 Enterprise 2019 LTSB).
+keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise LTSC 2019"]
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -13,15 +13,15 @@ ms.localizationpriority: low
ms.topic: article
---
-# What's new in Windows 10 Enterprise 2019 LTSC
+# What's new in Windows 10 Enterprise LTSC 2019
**Applies to**
-- Windows 10 Enterprise 2019 LTSC
+- Windows 10 Enterprise LTSC 2019
-This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2019 LTSC, compared to Windows 10 Enterprise 2016 LTSC (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md).
+This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2019, compared to Windows 10 Enterprise LTSC 2016 (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md).
>[!NOTE]
->Features in Windows 10 Enterprise 2019 LTSC are equivalent to Windows 10, version 1809.
+>Features in Windows 10 Enterprise LTSC 2019 are equivalent to Windows 10, version 1809.
Windows 10 Enterprise LTSC 2019 builds on Windows 10 Pro, version 1809 adding premium features designed to address the needs of large and mid-size organizations (including large academic institutions), such as:
- Advanced protection against modern security threats
@@ -36,7 +36,7 @@ The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC use
## Microsoft Intune
->Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. This includes support for features such as [Windows Autopilot](#windows-autopilot). However, note that Windows Update for Business (WUfB) does not currently support any LTSC releases, therefore you should use WSUS or Configuration Manager for patching.
+Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. This includes support for features such as [Windows Autopilot](#windows-autopilot). However, note that Windows Update for Business (WUfB) does not currently support any LTSC releases, therefore you should use WSUS or Configuration Manager for patching.
## Security
@@ -44,11 +44,11 @@ This version of Window 10 includes security improvements for threat protection,
### Threat protection
-#### Windows Defender ATP
+#### Microsoft Defender for Endpoint
-The Windows Defender Advanced Threat Protection ([Windows Defender ATP](/windows/security/threat-protection/index)) platform includes the security pillars shown in the following diagram. In this version of Windows, Windows Defender ATP includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management.
+The [Microsoft Defender for Endpoint](/windows/security/threat-protection/index) platform includes the security pillars shown in the following diagram. In this version of Windows, Defender for Endpoint includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management.
-
+
##### Attack surface reduction
@@ -72,9 +72,9 @@ But these protections can also be configured separately. And, unlike HVCI, code
### Endpoint detection and response
-Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Microsoft Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Windows Defender ATP portal.
+Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Microsoft Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Microsoft Defender for Endpoint portal.
- Windows Defender is now called Microsoft Defender Antivirus and now shares detection status between M365 services and interoperates with Windows Defender ATP. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus).
+ Windows Defender is now called Microsoft Defender Antivirus and now shares detection status between M365 services and interoperates with Microsoft Defender for Endpoint. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus).
We've also [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). The new library includes information on:
- [Deploying and enabling AV protection](/windows/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus)
@@ -85,7 +85,7 @@ Endpoint detection and response is improved. Enterprise customers can now take a
Some of the highlights of the new library include [Evaluation guide for Microsoft Defender AV](/windows/threat-protection/microsoft-defender-antivirus//evaluate-microsoft-defender-antivirus) and [Deployment guide for Microsoft Defender AV in a virtual desktop infrastructure environment](/windows/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus).
- New features for Microsoft Defender AV in Windows 10 Enterprise 2019 LTSC include:
+ New features for Microsoft Defender AV in Windows 10 Enterprise LTSC 2019 include:
- [Updates to how the Block at First Sight feature can be configured](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus)
- [The ability to specify the level of cloud-protection](/windows/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus)
- [Microsoft Defender Antivirus protection in the Windows Defender Security Center app](/windows/threat-protection/microsoft-defender-antivirus/windows-defender-security-center-antivirus)
@@ -100,24 +100,37 @@ Endpoint detection and response is improved. Enterprise customers can now take a
- Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed.
**Threat response** is improved when an attack is detected, enabling immediate action by security teams to contain a breach:
-- [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package.
+ - [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package.
- [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file.
Additional capabilities have been added to help you gain a holistic view on **investigations** include:
-- [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics) - Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats.
-- [Query data using Advanced hunting in Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)
+
+- [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics) - Threat Analytics is a set of interactive reports published by the Microsoft Defender for Endpoint research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats.
+
+- [Query data using Advanced hunting in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)
+
- [Use Automated investigations to investigate and remediate threats](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)
+
- [Investigate a user account](/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials.
+
- [Alert process tree](/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time.
-- [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Windows Defender ATP.
+
+- [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Microsoft Defender for Endpoint.
Other enhanced security features include:
-- [Check sensor health state](/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection) - Check an endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service and fix known issues.
-- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection) - Windows Defender ATP adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools.
-- [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center) - Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers.
-- [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration) - Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines.
-- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019) - Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines.
-- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection) - Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor.
+
+- [Check sensor health state](/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection) - Check an endpoint's ability to provide sensor data and communicate with the Microsoft Defender for Endpoint service and fix known issues.
+
+- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection) - Microsoft Defender for Endpoint adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools.
+
+- [Integration with Azure Defender](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center) - Microsoft Defender for Endpoint integrates with Azure Defender to provide a comprehensive server protection solution. With this integration Azure Defender can leverage the power of Defender for Endpoint to provide improved threat detection for Windows Servers.
+
+- [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration) - Microsoft Cloud App Security leverages Microsoft Defender for Endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Defender for Endpoint monitored machines.
+
+- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019) - Microsoft Defender for Endpoint now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines.
+
+- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection) - Onboard supported versions of Windows machines so that they can send sensor data to the Microsoft Defender for Endpoint sensor.
+
- [Enable conditional access to better protect users, devices, and data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection)
We've also added a new assessment for the Windows time service to the **Device performance & health** section. If we detect that your device’s time is not properly synced with our time servers and the time-syncing service is disabled, we’ll provide the option for you to turn it back on.
@@ -127,15 +140,15 @@ We’re continuing to work on how other security apps you’ve installed show up
This also means you’ll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you’ll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks).
You can read more about ransomware mitigations and detection capability at:
-- [Averting ransomware epidemics in corporate networks with Windows Defender ATP](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/)
+- [Averting ransomware epidemics in corporate networks with Microsoft Defender for Endpoint](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/)
- [Ransomware security intelligence](https://docs.microsoft.com/windows/security/threat-protection/intelligence/ransomware-malware)
- [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/)
-Also see [New capabilities of Windows Defender ATP further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97)
+Also see [New capabilities of Microsoft Defender for Endpoint further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97)
-Get a quick, but in-depth overview of Windows Defender ATP for Windows 10: [Windows Defender Advanced Threat Protection](/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection).
+Get a quick, but in-depth overview of Microsoft Defender for Endpoint for Windows 10: [Defender for Endpoint](/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection).
-For more information about features of Windows Defender ATP available in different editions of Windows 10, see the [Windows 10 commercial edition comparison](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf).
+For more information about features of Microsoft Defender for Endpoint available in different editions of Windows 10, see the [Windows 10 commercial edition comparison](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf).
### Information protection
@@ -172,10 +185,16 @@ For example, you can choose the XTS-AES 256 encryption algorithm, and have it ap
To achieve this:
1. Configure the [encryption method settings](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm.
+
2. [Assign the policy](https://docs.microsoft.com/intune/device-profile-assign) to your Autopilot device group.
- - **IMPORTANT**: The encryption policy must be assigned to **devices** in the group, not users.
+
+ > [!IMPORTANT]
+ > The encryption policy must be assigned to **devices** in the group, not users.
+
3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices.
- - **IMPORTANT**: If the ESP is not enabled, the policy will not apply before encryption starts.
+
+ > [!IMPORTANT]
+ > If the ESP is not enabled, the policy will not apply before encryption starts.
### Identity protection
@@ -186,16 +205,25 @@ Improvements have been added are to Windows Hello for Business and Credential Gu
New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you are not present.
New features in [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification.md) include:
+
- You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune).
+
- For Windows Phone devices, an administrator is able to initiate a remote PIN reset through the Intune portal.
+
- For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-features#pin-reset).
-[Windows Hello](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in the [Kiosk configuration](#kiosk-configuration) section.
+[Windows Hello](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in [Kiosk configuration](#kiosk-configuration).
+
- Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/).
+
- Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions.
+
- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off.
+
- You can set up Windows Hello from lock screen for MSA accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options.
+
- New [public API](https://docs.microsoft.com/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider.
+
- It is easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: phone Bluetooth is off).
For more information, see: [Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/#OdKBg3pwJQcEKCbJ.97)
@@ -204,7 +232,10 @@ For more information, see: [Windows Hello and FIDO2 Security Keys enable secure
Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It is designed to protect against well-known threats such as Pass-the-Hash and credential harvesting.
-Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns this functionality on by default when the machine has been Azure Active Directory joined. This provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode. Please note that Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions.
+Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns this functionality on by default when the machine has been Azure Active Directory joined. This provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode.
+
+> [!NOTE]
+> Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions.
For more information, see [Credential Guard Security Considerations](/windows/access-protection/credential-guard/credential-guard-requirements#security-considerations).
@@ -232,26 +263,26 @@ The WSC service now requires antivirus products to run as a protected process to
WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**.
-
+
#### Group Policy Security Options
The security setting [**Interactive logon: Display user information when the session is locked**](/windows/device-security/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**.
A new security policy setting
-[**Interactive logon: Don't display username at sign-in**](/windows/device-security/security-policy-settings/interactive-logon-dont-display-username-at-sign-in) has been introduced in Windows 10 Enterprise 2019 LTSC. This security policy setting determines whether the username is displayed during sign in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile.
+[**Interactive logon: Don't display username at sign-in**](/windows/device-security/security-policy-settings/interactive-logon-dont-display-username-at-sign-in) has been introduced in Windows 10 Enterprise LTSC 2019. This security policy setting determines whether the username is displayed during sign in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile.
#### Windows 10 in S mode
We’ve continued to work on the **Current threats** area in [Virus & threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen:
-
+
## Deployment
### Windows Autopilot
-[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) is a deployment tool introduced with Windows 10, version 1709 and is also available for Windows 10 Enterprise 2019 LTSC (and later versions). Windows Autopilot provides a modern device lifecycle management service powered by the cloud to deliver a zero touch experience for deploying Windows 10.
+[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) is a deployment tool introduced with Windows 10, version 1709 and is also available for Windows 10 Enterprise LTSC 2019 (and later versions). Windows Autopilot provides a modern device lifecycle management service powered by the cloud to deliver a zero touch experience for deploying Windows 10.
Windows Autopilot is currently available with Surface, Dell, HP, and Lenovo. Other OEM partners such as Panasonic, and Acer will support Autopilot soon. Check the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog) or this article for updated information.
@@ -265,7 +296,7 @@ IT Pros can use Autopilot Reset to quickly remove personal files, apps, and sett
### MBR2GPT.EXE
-MBR2GPT.EXE is a new command-line tool introduced with Windows 10, version 1703 and also available in Windows 10 Enterprise 2019 LTSC (and later versions). MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS).
+MBR2GPT.EXE is a new command-line tool introduced with Windows 10, version 1703 and also available in Windows 10 Enterprise LTSC 2019 (and later versions). MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS).
The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports additional partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk.
@@ -277,14 +308,17 @@ For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt).
The following new DISM commands have been added to manage feature updates:
- DISM /Online /Initiate-OSUninstall
- – Initiates a OS uninstall to take the computer back to the previous installation of windows.
- DISM /Online /Remove-OSUninstall
- – Removes the OS uninstall capability from the computer.
- DISM /Online /Get-OSUninstallWindow
- – Displays the number of days after upgrade during which uninstall can be performed.
- DISM /Online /Set-OSUninstallWindow
- – Sets the number of days after upgrade during which uninstall can be performed.
+- **DISM /Online /Initiate-OSUninstall**
+ - Initiates an OS uninstall to take the computer back to the previous installation of windows.
+
+- **DISM /Online /Remove-OSUninstall**
+ - Removes the OS uninstall capability from the computer.
+
+- **DISM /Online /Get-OSUninstallWindow**
+ - Displays the number of days after upgrade during which uninstall can be performed.
+
+- **DISM /Online /Set-OSUninstallWindow**
+ - Sets the number of days after upgrade during which uninstall can be performed.
For more information, see [DISM operating system uninstall command-line options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options).
@@ -293,27 +327,29 @@ For more information, see [DISM operating system uninstall command-line options]
You can now run your own custom actions or scripts in parallel with Windows Setup. Setup will also migrate your scripts to next feature release, so you only need to add them once.
Prerequisites:
-- Windows 10, version 1803 or Windows 10 Enterprise 2019 LTSC, or later.
+- Windows 10, version 1803 or Windows 10 Enterprise LTSC 2019, or later.
- Windows 10 Enterprise or Pro
For more information, see [Run custom actions during feature update](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions).
It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option.
- /PostRollback
Enhancements to the detection capabilities include:
- [Use the threat intelligence API to create custom alerts](/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization.
@@ -107,12 +107,12 @@ New features in Windows Defender Advanced Threat Protection (ATP) for Windows 10
- Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed
- **Investigation**
- Enterprise customers can now take advantage of the entire Windows security stack with Microsoft Defender Antivirus detections and Device Guard blocks being surfaced in the Windows Defender ATP portal. Other capabilities have been added to help you gain a holistic view on investigations.
+ Enterprise customers can now take advantage of the entire Windows security stack with Microsoft Defender Antivirus detections and Device Guard blocks being surfaced in the Microsoft Defender for Endpoint portal. Other capabilities have been added to help you gain a holistic view on investigations.
Other investigation enhancements include:
- [Investigate a user account](/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials.
- [Alert process tree](/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time.
- - [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Windows Defender ATP.
+ - [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Microsoft Defender for Endpoint.
- **Response**
When detecting an attack, security response teams can now take immediate action to contain a breach:
@@ -121,11 +121,11 @@ New features in Windows Defender Advanced Threat Protection (ATP) for Windows 10
- **Other features**
- - [Check sensor health state](/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection) - Check an endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service and fix known issues.
+ - [Check sensor health state](/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection) - Check an endpoint's ability to provide sensor data and communicate with the Microsoft Defender for Endpoint service and fix known issues.
-You can read more about ransomware mitigations and detection capability in Windows Defender Advanced Threat Protection in the blog: [Averting ransomware epidemics in corporate networks with Windows Defender ATP](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/).
+You can read more about ransomware mitigations and detection capability in Microsoft Defender for Endpoint in the blog: [Averting ransomware epidemics in corporate networks with Microsoft Defender for Endpoint](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/).
-Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703 see [Windows Defender ATP for Windows 10 Creators Update](https://technet.microsoft.com/windows/mt782787).
+Get a quick, but in-depth overview of Microsoft Defender for Endpoint for Windows 10 and the new capabilities in Windows 10, version 1703 see [Microsoft Defender for Endpoint for Windows 10 Creators Update](https://technet.microsoft.com/windows/mt782787).
### Microsoft Defender Antivirus
Windows Defender is now called Microsoft Defender Antivirus, and we've [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10).
@@ -186,7 +186,7 @@ You can also now collect your audit event logs by using the Reporting configurat
The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates).
-Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details.
+Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferral periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details.
### Windows Insider for Business
@@ -252,13 +252,13 @@ For more info, see [Implement server-side support for mobile application managem
In Windows 10, version 1703, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](https://www.microsoft.com/download/details.aspx?id=44226) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost.
### Application Virtualization for Windows (App-V)
-Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart.
+Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically clean up your unpublished packages after a device restart.
For more info, see the following topics:
- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-provision-a-vm)
- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-sequencing)
- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-updating)
-- [Automatically cleanup unpublished packages on the App-V client](/windows/application-management/app-v/appv-auto-clean-unpublished-packages)
+- [Automatically clean up unpublished packages on the App-V client](/windows/application-management/app-v/appv-auto-clean-unpublished-packages)
### Windows diagnostic data
@@ -294,7 +294,7 @@ Windows 10 Mobile, version 1703 also includes the following enhancements:
- OTC update tool
- Continuum display management
- Individually turn off the monitor or phone screen when not in use
- - Indiviudally adjust screen time-out settings
+ - individually adjust screen time-out settings
- Continuum docking solutions
- Set Ethernet port properties
- Set proxy properties for the Ethernet port
diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md
index 468c6ddce9..b33762e67f 100644
--- a/windows/whats-new/whats-new-windows-10-version-1709.md
+++ b/windows/whats-new/whats-new-windows-10-version-1709.md
@@ -85,9 +85,9 @@ The AssignedAccess CSP has been expanded to make it easy for administrators to c
**Windows security baselines** have been updated for Windows 10. A [security baseline](https://docs.microsoft.com/windows/device-security/windows-security-baselines) is a group of Microsoft-recommended configuration settings and explains their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](https://docs.microsoft.com/windows/device-security/security-compliance-toolkit-10).
-### Windows Defender ATP
+### Microsoft Defender for Endpoint
-Windows Defender ATP has been expanded with powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. For more information, see [View the Windows Defender Advanced Threat Protection Security analytics dashboard](https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection).
+Microsoft Defender for Endpoint has been expanded with powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. For more information, see [View the Microsoft Defender for Endpoint Security analytics dashboard](https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection).
### Windows Defender Application Guard
@@ -149,7 +149,7 @@ Several network stack enhancements are available in this release. Some of these
[Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features.
[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
[What's new in Windows 10, version 1709](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
-[Windows 10 Fall Creators Update Next Generation Security](https://www.youtube.com/watch?v=JDGMNFwyUg8): YouTube video about Windows Defender ATP in Windows 10, version 1709.
+[Windows 10 Fall Creators Update Next Generation Security](https://www.youtube.com/watch?v=JDGMNFwyUg8): YouTube video about Microsoft Defender for Endpoint in Windows 10, version 1709.
[Threat protection on Windows 10](https://docs.microsoft.com/windows/security/threat-protection/):Detects advanced attacks and data breaches, automates security incidents and improves security posture.
diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md
index 93bcfb411b..f18ad34787 100644
--- a/windows/whats-new/whats-new-windows-10-version-1803.md
+++ b/windows/whats-new/whats-new-windows-10-version-1803.md
@@ -173,7 +173,7 @@ The new [security baseline for Windows 10 version 1803](https://docs.microsoft.c
### Microsoft Defender Antivirus
-Microsoft Defender Antivirus now shares detection status between M365 services and interoperates with Windows Defender ATP. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus).
+Microsoft Defender Antivirus now shares detection status between M365 services and interoperates with Microsoft Defender for Endpoint. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus).
### Windows Defender Exploit Guard
@@ -181,15 +181,15 @@ Windows Defender Exploit Guard enhanced attack surface area reduction, extended
For more information, see [Reduce attack surfaces](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction)
-### Windows Defender ATP
+### Microsoft Defender for Endpoint
-[Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) has been enhanced with many new capabilities. For more information, see the following topics:
+[Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) has been enhanced with many new capabilities. For more information, see the following topics:
-- [Query data using Advanced hunting in Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)
+- [Query data using Advanced hunting in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)
- [Use Automated investigations to investigate and remediate threats](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)
- [Enable conditional access to better protect users, devices, and data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection)
-Also see [New capabilities of Windows Defender ATP further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97)
+Also see [New capabilities of Microsoft Defender for Endpoint further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97)
### Windows Defender Application Guard
@@ -233,5 +233,5 @@ Support in [Windows Defender Application Guard](#windows-defender-application-gu
- [Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features.
- [What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
- [What's new in Windows 10, version 1709](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
-- [Windows 10 Fall Creators Update Next Generation Security](https://www.youtube.com/watch?v=JDGMNFwyUg8): YouTube video about Windows Defender ATP in Windows 10, version 1709.
+- [Windows 10 Fall Creators Update Next Generation Security](https://www.youtube.com/watch?v=JDGMNFwyUg8): YouTube video about Microsoft Defender for Endpoint in Windows 10, version 1709.
diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md
index 309ce421df..f748bb87cf 100644
--- a/windows/whats-new/whats-new-windows-10-version-1809.md
+++ b/windows/whats-new/whats-new-windows-10-version-1809.md
@@ -133,32 +133,32 @@ Windows Defender Credential Guard has always been an optional feature, but Windo
A network connection is now required to set up a new device. As a result, we removed the “skip for now” option in the network setup page in Out Of Box Experience (OOBE).
-### Windows Defender ATP
+### Microsoft Defender for Endpoint
-[Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) has been enhanced with many new capabilities. For more information, see the following topics:
+[Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) has been enhanced with many new capabilities. For more information, see the following topics:
- [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics)
-Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats.
+Threat Analytics is a set of interactive reports published by the Microsoft Defender for Endpoint research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats.
- [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections)
With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules.
- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection)
-Windows Defender ATP adds support for this scenario by providing MSSP integration.
+Microsoft Defender for Endpoint adds support for this scenario by providing MSSP integration.
The integration will allow MSSPs to take the following actions:
Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools.
-- [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center)
-Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers.
+- [Integration with Azure Defender](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center)
+Microsoft Defender for Endpoint integrates with Azure Defender to provide a comprehensive server protection solution. With this integration Azure Defender can leverage the power of Microsoft Defender for Endpoint to provide improved threat detection for Windows Servers.
- [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration)
-Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines.
+Microsoft Cloud App Security leverages Microsoft Defender for Endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Microsoft Defender for Endpoint monitored machines.
- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019)
-Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines.
+Microsoft Defender for Endpoint now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines.
- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection)
-Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor
+Onboard supported versions of Windows machines so that they can send sensor data to the Microsoft Defender for Endpoint sensor
## Cloud Clipboard
diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md
index aed8001e95..fbe745b3a6 100644
--- a/windows/whats-new/whats-new-windows-10-version-1903.md
+++ b/windows/whats-new/whats-new-windows-10-version-1903.md
@@ -53,7 +53,7 @@ SetupDiag is a command-line tool that can help diagnose why a Windows 10 update
## Servicing
-- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates, and Intune content, with Microsoft Endpoint Configuration Manager content coming soon!
+- [**Delivery Optimization**](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization): Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates, and Intune content, with Microsoft Endpoint Manager content coming soon!
- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically logon as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally.
@@ -66,7 +66,7 @@ SetupDiag is a command-line tool that can help diagnose why a Windows 10 update
### Windows Information Protection
-With this release, Windows Defender ATP extends discovery and protection of sensitive information with [Auto Labeling](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels#how-wip-protects-automatically-classified-files).
+With this release, Microsoft Defender for Endpoint extends discovery and protection of sensitive information with [Auto Labeling](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels#how-wip-protects-automatically-classified-files).
### Security configuration framework
@@ -80,15 +80,15 @@ The draft release of the [security configuration baseline settings](https://blog
[Intune Security Baselines](https://docs.microsoft.com/intune/security-baselines) (Preview): Now includes many settings supported by Intune that you can use to help secure and protect your users and devices. You can automatically set these settings to values recommended by security teams.
-### Microsoft Defender Advanced Threat Protection (ATP):
+### Microsoft Defender for Endpoint
- [Attack surface area reduction](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allow and deny lists for specific URL’s and IP addresses.
- [Next generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage.
- Integrity enforcement capabilities – Enable remote runtime attestation of Windows 10 platform.
- - Tamper-proofing capabilities – Uses virtualization-based security to isolate critical ATP security capabilities away from the OS and attackers.
-- [Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) – In addition to Windows 10, Windows Defender ATP’s functionality has been extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities.
+ - Tamper-proofing capabilities – Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers.
+- [Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) – In addition to Windows 10, Microsoft Defender for Endpoint’s functionality has been extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities.
-### Microsoft Defender ATP next-gen protection technologies:
+### Microsoft Defender for Endpoint next-gen protection technologies:
- **Advanced machine learning**: Improved with advanced machine learning and AI models that enable it to protect against apex attackers using innovative vulnerability exploit techniques, tools and malware.
- **Emergency outbreak protection**: Provides emergency outbreak protection which will automatically update devices with new intelligence when a new outbreak has been detected.
diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md
index 314e4d3826..7b71eef3d5 100644
--- a/windows/whats-new/whats-new-windows-10-version-1909.md
+++ b/windows/whats-new/whats-new-windows-10-version-1909.md
@@ -32,7 +32,7 @@ If you are updating from an older version of Windows 10 (version 1809 or earlier
### Windows Server Update Services (WSUS)
-Pre-release Windows 10 feature updates are now available to IT administrators using WSUS. Microsoft Endpoint Configuration Manager version 1906 or later is required. For more information, see [Publishing pre-release Windows 10 feature updates to WSUS](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Publishing-pre-release-Windows-10-feature-updates-to-WSUS/ba-p/845054).
+Pre-release Windows 10 feature updates are now available to IT administrators using WSUS. Microsoft Endpoint Manager version 1906 or later is required. For more information, see [Publishing pre-release Windows 10 feature updates to WSUS](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Publishing-pre-release-Windows-10-feature-updates-to-WSUS/ba-p/845054).
The Windows 10, version 1909 enablement package will be available on WSUS as [KB4517245](https://support.microsoft.com/kb/4517245), which can be deployed on existing deployments of Windows 10, version 1903.
diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md
index 8c86914b6b..6e7a63e0fe 100644
--- a/windows/whats-new/whats-new-windows-10-version-2004.md
+++ b/windows/whats-new/whats-new-windows-10-version-2004.md
@@ -18,7 +18,7 @@ ms.topic: article
**Applies to**
- Windows 10, version 2004
-This article lists new and updated features and content that are of interest to IT Pros for Windows 10, version 2004, also known as the Windows 10 May 2020 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1909.
+This article lists new and updated features and content that are of interest to IT Pros for Windows 10, version 2004, also known as the Windows 10 May 2020 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1909.
To download and install Windows 10, version 2004, use Windows Update (**Settings > Update & Security > Windows Update**). For more information, see this [video](https://aka.ms/Windows-10-May-2020-Update).
@@ -30,8 +30,11 @@ To download and install Windows 10, version 2004, use Windows Update (**Settings
### Windows Hello
- Windows Hello is now supported as Fast Identity Online 2 (FIDO2) authenticator across all major browsers including Chrome and Firefox.
+
- You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN.
-- Windows Hello PIN sign-in support is [added to Safe mode](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#windows-hello-pin-in-safe-mode-build-18995).
+
+- Windows Hello PIN sign-in support is [added to Safe mode](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#windows-hello-pin-in-safe-mode-build-18995).
+
- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (MSA). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894).
### Windows Defender System Guard
@@ -52,7 +55,7 @@ Note: [Application Guard for Office](https://support.office.com/article/applicat
### Windows Setup
-Windows Setup [answer files](https://docs.microsoft.com/windows-hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs) (unattend.xml) have [improved language ](https://oofhours.com/2020/06/01/new-in-windows-10-2004-better-language-handling/).
+Windows Setup [answer files](https://docs.microsoft.com/windows-hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs) (unattend.xml) have [improved language handling](https://oofhours.com/2020/06/01/new-in-windows-10-2004-better-language-handling/).
Improvements in Windows Setup with this release also include:
- Reduced offline time during feature updates
@@ -84,7 +87,7 @@ Also see [What's new in Microsoft Intune](https://docs.microsoft.com/mem/intune/
### Windows Assessment and Deployment Toolkit (ADK)
-Download the Windows ADK and Windows PE add-on for Windows 10, version 2004 [here](https://docs.microsoft.com/windows-hardware/get-started/adk-install).
+Download the Windows ADK and Windows PE add-on for Windows 10, version 2004 here: [Download and install the Windows ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install).
For information about what's new in the ADK, see [What's new in the Windows ADK for Windows 10, version 2004](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-2004).
@@ -105,34 +108,37 @@ Windows PowerShell cmdlets have been improved:
- **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to assist in troubleshooting.
Additional improvements:
-- Enterprise network [throttling is enhanced](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling.
+- Enterprise network [throttling is enhanced](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling.
- Automatic cloud-based congestion detection is available for PCs with cloud service support.
The following [Delivery Optimization](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization) policies are removed in this release:
- Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth)
- - Reason: Replaced with separate policies for foreground and background
+ - Reason: Replaced with separate policies for foreground and background.
- Max Upload Bandwidth (DOMaxUploadBandwidth)
- - Reason: impacts uploads to internet peers only, which isn't used in Enterprises.
+ - Reason: Impacts uploads to internet peers only, which isn't used in enterprises.
- Absolute max throttle (DOMaxDownloadBandwidth)
- - Reason: separated to foreground and background
+ - Reason: Separated to foreground and background.
### Windows Update for Business
[Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb) enhancements in this release include:
+
- Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy.
+
- Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds.
+
- Update less: Last year, we [changed update installation policies](https://blogs.windows.com/windowsexperience/2019/04/04/improving-the-windows-10-update-experience-with-control-quality-and-transparency/#l2jH7KMkOkfcWdBs.97) for Windows 10 to only target devices running a feature update version that is nearing end of service. As a result, many devices are only updating once a year. To enable all devices to make the most of this policy change, and to prevent confusion, we have removed deferrals from the Windows Update settings **Advanced Options** page starting on Windows 10, version 2004. If you wish to continue leveraging deferrals, you can use local Group Policy (**Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview builds and Feature Updates are received** or **Select when Quality Updates are received**). For more information about this change, see [Simplified Windows Update settings for end users](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplified-windows-update-settings-for-end-users/ba-p/1497215).
## Networking
### Wi-Fi 6 and WPA3
-Windows now supports the latest Wi-Fi standards with [Wi-Fi 6 and WPA3](https://support.microsoft.com/help/4562575/windows-10-faster-more-secure-wifi). Wi-Fi 6 gives you better wireless coverage and performance with added security. WPA3 provides improved Wi-Fi security and secures open networks.
+Windows now supports the latest Wi-Fi standards with [Wi-Fi 6 and WPA3](https://support.microsoft.com/help/4562575/windows-10-faster-more-secure-wifi). Wi-Fi 6 gives you better wireless coverage and performance with added security. WPA3 provides improved Wi-Fi security and secures open networks.
### TEAP
-In this release, Tunnel Extensible Authentication Protocol (TEAP) has been added as an authentication method to allow chaining together multiple credentials into a single EAP transaction. TEAP networks can be configured by [enterprise policy](https://docs.microsoft.com/openspecs/windows_protocols/ms-gpwl/94cf6896-c28e-4865-b12a-d83ee38cd3ea).
+In this release, Tunnel Extensible Authentication Protocol (TEAP) has been added as an authentication method to allow chaining together multiple credentials into a single EAP transaction. TEAP networks can be configured by [enterprise policy](https://docs.microsoft.com/openspecs/windows_protocols/ms-gpwl/94cf6896-c28e-4865-b12a-d83ee38cd3ea).
## Virtualization
@@ -176,7 +182,7 @@ Also see information about the exciting new Edge browser [here](https://blogs.wi
## Application settings
-This release enables explicit [control over when Windows automatically restarts apps](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#control-over-restarting-apps-at-sign-in-build-18965) that were open when you restart your PC.
+This release enables explicit [Control over restarting apps at sign-in (Build 18965)](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#control-over-restarting-apps-at-sign-in-build-18965) that were open when you restart your PC.
## Windows Shell
@@ -185,9 +191,13 @@ Several enhancements to the Windows 10 user interface are implemented in this re
### Cortana
[Cortana](https://www.microsoft.com/cortana) has been updated and enhanced in Windows 10, version 2004:
+
- Productivity: chat-based UI gives you the ability to [interact with Cortana using typed or spoken natural language queries](https://support.microsoft.com/help/4557165) to easily get information across Microsoft 365 and stay on track. Productivity focused capabilities such as finding people profiles, checking schedules, joining meetings, and adding to lists in Microsoft To Do are currently available to English speakers in the US.
- - In the coming months, with regular app updates through the Microsoft Store, we’ll enhance this experience to support wake word invocation and enable listening when you say “Cortana,” offer more productivity capabilities such as surfacing relevant emails and documents to help you prepare for meetings, and expand supported capabilities for international users.
+
+ - In the coming months, with regular app updates through the Microsoft Store, we’ll enhance this experience to support wake word invocation and enable listening when you say “Cortana,” offer more productivity capabilities such as surfacing relevant emails and documents to help you prepare for meetings, and expand supported capabilities for international users.
+
- Security: tightened access to Cortana so that you must be securely logged in with your work or school account or your Microsoft account before using Cortana. Because of this tightened access, some consumer skills including music, connected home, and third-party skills will no longer be available. Additionally, users [get cloud-based assistance services that meet Office 365’s enterprise-level privacy, security, and compliance promises](https://docs.microsoft.com/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide) as set out in the Online Services Terms.
+
- Move the Cortana window: drag the Cortana window to a more convenient location on your desktop.
For updated information, see the [Microsoft 365 blog](https://aka.ms/CortanaUpdatesMay2020).
@@ -198,21 +208,21 @@ Windows Search is improved in several ways. For more information, see [Superchar
### Virtual Desktops
-You can now [rename your virtual desktops](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#renaming-your-virtual-desktops-build-18975), instead of getting stuck with the system-issued names like Desktop 1.
+There is a new [Update on Virtual Desktop renaming (Build 18975)](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#update-on-virtual-desktop-renaming-build-18975), where, instead of getting stuck with the system-issued names like Desktop 1, you can now rename your virtual desktops more freely.
### Bluetooth pairing
-Pairing Bluetooth devices with your computer will occur through notifications, so you won't need to go to the Settings app to finish pairing. Other improvements include faster pairing and device name display. For more information, see [Improving your Bluetooth pairing experience](https://docs.microsoft.com/windows-insider/at-home/Whats-new-wip-at-home-20h1#improving-your-bluetooth-pairing-experience-build-18985).
+Pairing Bluetooth devices with your computer will occur through notifications, so you won't need to go to the Settings app to finish pairing. Other improvements include faster pairing and device name display. For more information, see [Improving your Bluetooth pairing experience](https://docs.microsoft.com/windows-insider/archive/new-in-20h1#improving-your-bluetooth-pairing-experience-build-18985).
### Reset this PC
-The 'reset this PC' recovery function now includes a [cloud download](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-reset-this-pc-option-cloud-download-build-18970) option.
+The 'reset this PC' recovery function now includes a [cloud download](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#reset-your-pc-from-the-cloud-build-18970) option.
### Task Manager
The following items are added to Task Manager in this release:
- GPU Temperature is available on the Performance tab for devices with a dedicated GPU card.
-- Disk type is now [listed for each disk on the Performance tab](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#disk-type-visible-in-task-manager-performance-tab-build-18898).
+- Disk type is now [listed for each disk on the Performance tab](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#disk-type-now-visible-in-task-manager-performance-tab-build-18898).
## Graphics & display
@@ -222,7 +232,7 @@ The following items are added to Task Manager in this release:
### 2-in-1 PCs
-A [new tablet experience](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-tablet-experience-for-2-in-1-convertible-pcs-build-18970) for two-in-one convertible PCs is available. The screen will be optimized for touch when you detach your two-in-one's keyboard, but you'll still keep the familiar look of your desktop without interruption.
+See [Introducing a new tablet experience for 2-in-1 convertible PCs! (Build 18970)](https://docs.microsoft.com/windows-insider/archive/new-in-20H1#introducing-a-new-tablet-experience-for-2-in-1-convertible-pcs-build-18970) for details on a new tablet experience for two-in-one convertible PCs that is now available. The screen will be optimized for touch when you detach your two-in-one's keyboard, but you'll still keep the familiar look of your desktop without interruption.
### Specialized displays
@@ -235,24 +245,24 @@ Examples include:
- Dedicated video monitoring
- Monitor panel testing and validation
- Independent Hardware Vendor (IHV) driver testing and validation
-
+
To prevent Windows from using a display, choose Settings > Display and click Advanced display settings. Select a display to view or change, and then set the Remove display from desktop setting to On. The display will now be available for a specialized use.
## Desktop Analytics
-[Desktop Analytics](https://docs.microsoft.com/configmgr/desktop-analytics/overview) is a cloud-connected service, integrated with Configuration Manager that provides data-driven insights to the management of Windows endpoints in your organization. Desktop Analytics requires a Windows E3 or E5 license, or a Microsoft 365 E3 or E5 license.
+[Desktop Analytics](https://docs.microsoft.com/configmgr/desktop-analytics/overview) is a cloud-connected service, integrated with Configuration Manager that provides data-driven insights to the management of Windows endpoints in your organization. Desktop Analytics requires a Windows E3 or E5 license, or a Microsoft 365 E3 or E5 license.
For information about Desktop Analytics and this release of Windows 10, see [What's new in Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/whats-new).
## See Also
-[What’s new for IT pros in Windows 10, version 2004](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-s-new-for-it-pros-in-windows-10-version-2004/ba-p/1419764): Windows IT Pro blog.
-[What’s new in the Windows 10 May 2020 Update](https://blogs.windows.com/windowsexperience/2020/05/27/whats-new-in-the-windows-10-may-2020-update/): Windows Insider blog.
-[What's New in Windows Server](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.
-[Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.
-[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
-[Start developing on Windows 10, version 2004 today](https://blogs.windows.com/windowsdeveloper/2020/05/12/start-developing-on-windows-10-version-2004-today/): New and updated features in Windows 10 that are of interest to developers.
-[What's new for business in Windows 10 Insider Preview Builds](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new): A preview of new features for businesses.
-[What's new in Windows 10, version 2004 - Windows Insiders](https://docs.microsoft.com/windows-insider/at-home/whats-new-wip-at-home-20h1): This list also includes consumer focused new features.
-[Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features): Removed features.
-[Windows 10 features we’re no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.
+- [What’s new for IT pros in Windows 10, version 2004](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-s-new-for-it-pros-in-windows-10-version-2004/ba-p/1419764): Windows IT Pro blog.
+- [What’s new in the Windows 10 May 2020 Update](https://blogs.windows.com/windowsexperience/2020/05/27/whats-new-in-the-windows-10-may-2020-update/): Windows Insider blog.
+- [What's New in Windows Server](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.
+- [Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.
+- [What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
+- [Start developing on Windows 10, version 2004 today](https://blogs.windows.com/windowsdeveloper/2020/05/12/start-developing-on-windows-10-version-2004-today/): New and updated features in Windows 10 that are of interest to developers.
+- [What's new for business in Windows 10 Insider Preview Builds](https://docs.microsoft.com/windows-insider/Active-Dev-Branch): A preview of new features for businesses.
+- [What's new in Windows 10, version 2004 - Windows Insiders](https://docs.microsoft.com/windows-insider/at-home/whats-new-wip-at-home-20h1): This list also includes consumer focused new features.
+- [Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features): Removed features.
+- [Windows 10 features we’re no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.
diff --git a/windows/whats-new/whats-new-windows-10-version-20H2.md b/windows/whats-new/whats-new-windows-10-version-20H2.md
new file mode 100644
index 0000000000..ec7ffb671e
--- /dev/null
+++ b/windows/whats-new/whats-new-windows-10-version-20H2.md
@@ -0,0 +1,152 @@
+---
+title: What's new in Windows 10, version 20H2
+description: New and updated features in Windows 10, version 20H2 (also known as the Windows 10 October 2020 Update).
+keywords: ["What's new in Windows 10", "Windows 10", "October 2020 Update"]
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.author: greglin
+manager: laurawi
+ms.localizationpriority: high
+ms.topic: article
+---
+
+# What's new in Windows 10, version 20H2 for IT Pros
+
+**Applies to**
+- Windows 10, version 20H2
+
+This article lists new and updated features and content that is of interest to IT Pros for Windows 10, version 20H2, also known as the Windows 10 October 2020 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 2004.
+
+> [!NOTE]
+> With this release and future releases, the Windows 10 release nomenclature is changing from a year and month pattern (YYMM) to a year and half-year pattern (YYH1, YYH2).
+
+As with previous fall releases, Windows 10, version 20H2 is a scoped set of features for select performance improvements, enterprise features, and quality enhancements. As an [H2-targeted release](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet), 20H2 is serviced for 30 months from the release date for devices running Windows 10 Enterprise or Windows 10 Education editions.
+
+To download and install Windows 10, version 20H2, use Windows Update (**Settings > Update & Security > Windows Update**). For more information, including a video, see [How to get the Windows 10 October 2020 Update](https://community.windows.com/videos/how-to-get-the-windows-10-october-2020-update/7c7_mWN0wi8).
+
+## Microsoft Edge
+
+This release automatically includes the new Chromium-based [Microsoft Edge](https://www.microsoft.com/edge/business) browser instead of the legacy version of Edge. For more information, see the [Microsoft Edge documentation](https://docs.microsoft.com/microsoft-edge/).
+
+## Servicing
+
+### Windows Update
+
+There are several changes that help improve the security of devices that scan Windows Server Update Services (WSUS) for updates. For more information, see [Changes to improve security for Windows devices scanning WSUS](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/changes-to-improve-security-for-windows-devices-scanning-wsus/ba-p/1645547).
+
+Starting with Windows 10, version 20H2, LCUs and SSUs have been combined into a single cumulative monthly update, available via Microsoft Catalog or Windows Server Update Services. For more information, see [Simplifying on-premises deployment of servicing stack updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-on-premises-deployment-of-servicing-stack-updates/ba-p/1646039).
+
+## Deployment
+
+New guidance is available to help prepare a [servicing strategy](https://docs.microsoft.com/windows/deployment/update/waas-servicing-strategy-windows-10-updates) and move your devices to the latest version of Windows 10 quickly and as seamlessly as possible.
+
+Activities are grouped into the following phases: **Plan** > **Prepare** > **Deploy**:
+
+**Plan** your deployment by evaluating and understanding essential activities:
+- Create a [phased deployment plan](https://docs.microsoft.com/windows/deployment/update/create-deployment-plan)
+- Assign [roles and responsibilities](https://docs.microsoft.com/windows/deployment/update/plan-define-readiness#process-manager) within your organization
+- Set [criteria](https://docs.microsoft.com/windows/deployment/update/plan-define-readiness#set-criteria-for-rating-apps) to establish readiness for the upgrade process
+- Evaluate your [infrastructure and tools](https://docs.microsoft.com/windows/deployment/update/eval-infra-tools)
+- Determine [readiness](https://docs.microsoft.com/windows/deployment/update/plan-determine-app-readiness) for your business applications
+- Create an effective, schedule-based [servicing strategy](https://docs.microsoft.com/windows/deployment/update/plan-define-strategy)
+
+**Prepare** your devices and environment for deployment by performing necessary actions:
+- Update [infrastructure and tools](https://docs.microsoft.com/windows/deployment/update/prepare-deploy-windows#prepare-infrastructure-and-environment)
+- Ensure the needed [services](https://docs.microsoft.com/windows/deployment/update/prepare-deploy-windows#prepare-applications-and-devices) are available
+- Resolve issues with [unhealthy devices](https://docs.microsoft.com/windows/deployment/update/prepare-deploy-windows#address-unhealthy-devices)
+- Ensure that [users are ready](https://docs.microsoft.com/windows/deployment/update/prepare-deploy-windows) for updates
+
+**Deploy** and manage Windows 10 strategically in your organization:
+- Use [Windows Autopilot](https://docs.microsoft.com/mem/autopilot/windows-autopilot) to streamline the set up, configuration, and delivery of new devices
+- Use [Configuration Manager](https://docs.microsoft.com/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager) or [MDT](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt) to deploy new devices and update existing devices
+- Use [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb) with Group Policy to [customize update settings](https://docs.microsoft.com/windows/deployment/update/waas-wufb-group-policy) for your devices
+- [Deploy Windows updates](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wsus) with Windows Server Update Services (WSUS)
+- Manage bandwidth for updates with [Delivery Optimization](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization)
+- [Monitor Windows Updates](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor) with Update Compliance
+
+### Windows Autopilot
+
+Enhancements to Windows Autopilot since the last release of Windows 10 include:
+- [Windows Autopilot for HoloLens](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-autopilot-for-hololens-2/ba-p/1371494): Set up HoloLens 2 devices with Windows Autopilot for HoloLens 2 self-deploying mode.
+- [Windows Autopilot with co-management](https://docs.microsoft.com/mem/configmgr/comanage/quickstart-autopilot): Co-management and Autopilot together can help you reduce cost and improve the end user experience.
+- Enhancements to Windows Autopilot deployment reporting are in preview. From the Microsoft Endpoint Manager admin center (endpoint.microsoft.com), select **Devices** > **Monitor** and scroll down to the **Enrollment** section. Click **Autopilot deployment (preview)**.
+
+### Windows Assessment and Deployment Toolkit (ADK)
+
+There is no new ADK for Windows 10, version 20H2. The ADK for Windows 10, version 2004 will also work with Windows 10, version 20H2. For more information, see [Download and install the Windows ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install).
+
+## Device management
+
+Modern Device Management (MDM) policy is extended with new [Local Users and Groups settings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-localusersandgroups) that match the options available for devices managed through Group Policy.
+
+For more information about what's new in MDM, see [What's new in mobile device enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management)
+
+## Security
+
+### Microsoft Defender for Endpoint
+
+This release includes improved support for non-ASCII file paths for Microsoft Defender Advanced Threat Protection (ATP) Auto Incident Response (IR).
+
+The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) parameter is deprecated in this release.
+
+### Microsoft Defender Application Guard for Office
+
+Microsoft Defender Application Guard now supports Office: With [Microsoft Defender Application Guard for Office](https://docs.microsoft.com/microsoft-365/security/office-365-security/install-app-guard), you can launch untrusted Office documents (from outside the Enterprise) in an isolated container to prevent potentially malicious content from compromising your device.
+
+### Windows Hello
+
+With specialized hardware and software components available on devices shipping with Windows 10, version 20H2 configured out of factory, Windows Hello now offers added support for virtualization-based security with supporting fingerprint and face sensors. This feature isolates and secures a user's biometric authentication data.
+
+## Virtualization
+
+### Windows Sandbox
+
+New policies for [Windows Sandbox](https://docs.microsoft.com/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview) are available in this release. For more information, see [Policy CSP - WindowsSandbox](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowssandbox).
+
+### Windows Virtual Desktop (WVD)
+
+> **Note**: WVD is not tied directly to a Windows 10 release, but it is included here as an evolving capability of Windows.
+
+New capabilities in WVD were announced at Ignite 2020. For more information, see [Announcing new management, security, and monitoring capabilities in Windows Virtual Desktop](https://aka.ms/wvd-ignite2020-blogpost).
+
+In addition, [Windows Virtual Desktop is now generally available in the Azure Government cloud](https://azure.microsoft.com/updates/windows-virtual-desktop-is-now-generally-available-in-the-azure-government-cloud/).
+
+## Windows Shell
+
+Some enhancements to the Windows 10 user interface are implemented in this release:
+
+- With this release, the solid color behind tiles on the Start menu is replaced with a partially transparent background. Tiles are also theme-aware.
+- Icons on the Start menu no longer have a square outline around each icon.
+- Notifications are slightly updated in appearance.
+- You can now change the monitor refresh rate on advanced display settings.
+- Alt+Tab now shows Edge browser tabs by default. You can edit this setting under **Settings** > **System** > **Multitasking**: **Alt+Tab**.
+- The System control panel under System and Security has been updated to the Settings > About page. Links to Device Manager, Remote desktop, System protection, Advanced system settings, and Rename this PC are moved to the About page.
+
+### 2-in-1 PCs
+
+On a 2-in-1 device, Windows will now automatically switch to tablet mode when you detach the screen.
+
+## Surface
+
+Windows 10 Pro and Enterprise are now [available on Surface Hub 2](https://techcommunity.microsoft.com/t5/surface-it-pro-blog/announcing-the-availability-of-windows-10-pro-and-enterprise-on/ba-p/1624107). For more information, see [What's new in Surface Hub 2S for IT admins](https://docs.microsoft.com/surface-hub/surface-hub-2s-whats-new).
+
+## Desktop Analytics
+
+[Desktop Analytics](https://docs.microsoft.com/configmgr/desktop-analytics/overview) is a cloud-connected service, integrated with Configuration Manager that provides data-driven insights to the management of Windows endpoints in your organization. Desktop Analytics requires a Windows E3 or E5 license, or a Microsoft 365 E3 or E5 license.
+
+For information about Desktop Analytics and this release of Windows 10, see [What's new in Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/whats-new).
+
+## See Also
+
+[What’s new for IT pros in Windows 10, version 20H2](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-s-new-for-it-pros-in-windows-10-version-20h2/ba-p/1800132)
+[Get started with the October 2020 update to Windows 10](https://www.linkedin.com/learning/windows-10-october-2020-update-new-features-2/get-started-with-the-october-2020-update-to-windows-10)
+[Learn Windows 10 with the October 2020 Update](https://www.linkedin.com/learning/windows-10-october-2020-update-essential-training/learn-windows-10-with-the-october-2020-update)
+[What's New in Windows Server](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.
+[Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.
+[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
+[Announcing more ways we’re making app development easier on Windows](https://blogs.windows.com/windowsdeveloper/2020/09/22/kevin-gallo-microsoft-ignite-2020/): Simplifying app development in Windows.
+[Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features): Removed features.
+[Windows 10 features we’re no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.
