diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md
index e42a925b72..0f888bcc93 100644
--- a/devices/surface/surface-enterprise-management-mode.md
+++ b/devices/surface/surface-enterprise-management-mode.md
@@ -154,7 +154,7 @@ Packages created with the Microsoft Surface UEFI Configurator tool are signed wi
* **Key Length** – 2048
* **Hash Algorithm** – SHA-256
* **Type** – SSL Server Authentication
-* **Key Usage** – Key Encipherment
+* **Key Usage** – Digital signature, Key Encipherment
* **Provider** – Microsoft Enhanced RSA and AES Cryptographic Provider
* **Expiration Date** – 15 Months from certificate creation
* **Key Export Policy** – Exportable
diff --git a/devices/surface/windows-autopilot-and-surface-devices.md b/devices/surface/windows-autopilot-and-surface-devices.md
index baef69db7c..2126074cb7 100644
--- a/devices/surface/windows-autopilot-and-surface-devices.md
+++ b/devices/surface/windows-autopilot-and-surface-devices.md
@@ -41,11 +41,16 @@ Support for broad deployments of Surface devices using Windows Autopilot, includ
### Surface device support
Surface devices with support for out-of-box deployment with Windows Autopilot, enrolled during the purchase process with a Surface partner, include the following devices, where the devices ship from the factory with Windows 10 Version 1709:
-* Surface Pro (Model 1796)
+
+* Surface Pro (5th gen)
+* Surface Laptop(1st gen)
+* Surface Studio (1st gen)
+* Surface Pro 6
* Surface Book 2
-* Surface Laptop
-* Surface Studio
+* Surface Laptop 2
+* Surface Studio 2
* Surface Go
+* Surface Go with LTE Advanced
## Surface partners enabled for Windows Autopilot
Enrolling Surface devices in Windows Autopilot at the time of purchase is a capability provided by select Surface partners that are enabled with the capability to identify individual Surface devices during the purchase process and perform enrollment on an organization’s behalf. Devices enrolled by a Surface partner at time of purchase can be shipped directly to users and configured entirely through the zero-touch process of Windows Autopilot, Azure Active Directory, and Mobile Device Management.
diff --git a/education/get-started/get-started-with-microsoft-education.md b/education/get-started/get-started-with-microsoft-education.md
index 6df81f8b27..c57aa58776 100644
--- a/education/get-started/get-started-with-microsoft-education.md
+++ b/education/get-started/get-started-with-microsoft-education.md
@@ -32,7 +32,7 @@ Hello, IT administrators! In this walkthrough, we'll show you how you can quickl
- **Microsoft Teams** to bring conversations, content, and apps together in one place and create collaborate classrooms, connect in professional learning communities, and communicate with school staff
- **Learning Tools** are moving beyond the OneNote desktop app and is now available in Office Lens, OneNote Online, Word Online, and Word desktop
- **Whiteboard** to create interactive lessons on the big screen, share and collaborate real-time by connecting to Class Notebook and Classroom
-- **Windows 10, version 1703 (Creators Update)** which brings 3D for everyone and other new and updated Windows features
+- **Windows 10, version 1703 or later** which brings 3D for everyone and other new and updated Windows features
- **Minecraft: Education Edition** which provides an open and immersive environment to promote creativity, collaboration, and problem-solving
With Microsoft Education, schools can:
@@ -60,11 +60,11 @@ Click the link to watch the video or follow the step-by-step guidance for each.
## Prerequisites
Complete these tasks before you start the walkthrough:
-- Make sure all the devices that you want to configure, such as student PCs, have the latest Windows 10, version 1703 image installed.
+- Make sure all the devices that you want to configure, such as student PCs, have Windows 10 (version 1703 or later) image installed.
- We recommend Windows 10, version 1703 to take advantage of all the new features and functionality that Windows supports. This version of Windows is also compatible with the latest version of the Set up School PCs app and the versions must match in order for Set up School PCs to provision the devices.
+ We recommend Windows 10, version 1703 or later, to take advantage of all the new features and functionality that Windows supports. This version of Windows is also compatible with the latest version of the Set up School PCs app and the versions must match in order for Set up School PCs to provision the devices.
- If you don't have Windows 10, version 1703 installed on your devices, we recommend upgrading. This process takes a while so start this task before proceeding with this walkthrough.
+ If you don't have Windows 10, version 1703 or later, installed on your devices, we recommend upgrading. This process takes a while so start this task before proceeding with this walkthrough.
- Have an education-verified tenant to qualify for an Office 365 for Education subscription. You also need to be education-verified to use School Data Sync and Intune for Education.
diff --git a/mdop/mbam-v25/planning-how-to-secure-the-mbam-websites.md b/mdop/mbam-v25/planning-how-to-secure-the-mbam-websites.md
index 500b84672e..2d7e4cedbf 100644
--- a/mdop/mbam-v25/planning-how-to-secure-the-mbam-websites.md
+++ b/mdop/mbam-v25/planning-how-to-secure-the-mbam-websites.md
@@ -311,7 +311,9 @@ If you already registered SPNs on the machine account rather than in an applicat
-
+## Required Request Filtering Settings
+
+ 'Allow unlisted file name extensions' is required for the application to operate as expected. This can be found by navigating to the 'Microsoft BitLocker Administration and Monitoring' -> Request Filtering -> Edit Feature Settings.
## Related topics
diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md
index bfd84c39bb..afc9f144c2 100644
--- a/windows/deployment/deploy-enterprise-licenses.md
+++ b/windows/deployment/deploy-enterprise-licenses.md
@@ -181,6 +181,12 @@ You can verify the Windows 10 Enterprise E3 or E5 subscription in **Settings &g
If there are any problems with the Windows 10 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process.
+>[!NOTE]
+>If you use slmgr /dli or /dlv commands to retrieve the activation information for the Windows 10 E3 or E5 license, the license information displayed will be the following:
+>Name: Windows(R), Professional edition
+>Description: Windows(R) Operating System, RETAIL channel
+>Partial Product Key: 3V66T
+
## Virtual Desktop Access (VDA)
Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx).
diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md
index 67561a162b..b5d8733948 100644
--- a/windows/deployment/deploy-m365.md
+++ b/windows/deployment/deploy-m365.md
@@ -32,6 +32,14 @@ For Windows 10 deployment, Microsoft 365 includes a fantastic deployment advisor
## Free trial account
+**If you already have a Microsoft services subscription account and access to the Microsoft 365 Admin Center**
+
+From the [Microsoft 365 Admin Center](https://portal.office.com), go to Billing and then Purchase services.
+In the Enterprise Suites section of the service offerings, you will find Microsoft 365 E3 and Microsoft 365 E5 tiles.
+There are "Start Free Trial" options available for your selection by hovering your mouse over the tiles.
+
+**If you do not already have a Microsoft services subscription**
+
You can check out the Microsoft 365 deployment advisor and other resources for free! Just follow the steps below.
>[!NOTE]
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
index 1750d67101..da352844e5 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@@ -606,7 +606,7 @@ In these steps, you generate offline media from the MDT Production deployment sh
Offline media has its own rules, its own Bootstrap.ini and CustomSettings.ini files. These files are stored in the Control folder of the offline media; they also can be accessed via properties of the offline media in the Deployment Workbench.
-1. On MDT01, using File Explorer, copy the CustomSettings.ini file from the **E:\\MDTBuildLab\\Control** folder to **E:\\MDTOfflineMedia\\Content\\Deploy\\Control**. Overwrite the existing files.
+1. On MDT01, using File Explorer, copy the CustomSettings.ini file from the **E:\MDTProduction\Control** folder to **E:\\MDTOfflineMedia\\Content\\Deploy\\Control**. Overwrite the existing files.
2. Using Deployment Workbench, in the **MDT Production / Advanced Configuration / Media** node, right-click the **MEDIA001** media, and select **Properties**.
3. In the **General** tab, configure the following:
1. Clear the Generate x86 boot image check box.
diff --git a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md
index 5ecbefe38b..e1c1d22bc7 100644
--- a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md
+++ b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md
@@ -20,6 +20,7 @@ ms.topic: article
- Windows 8.1
- Windows 8
- Windows 7
+- Windows Server 2016
- Windows Server 2012
- Windows Server 2008 R2
@@ -29,10 +30,28 @@ After you deploy and store the customized databases on each of your local comput
## Command-Line Options for Deploying Customized Database Files
+Sample output from the command `Sdbinst.exe /?` in an elevated CMD window:
-The command-line options use the following conventions.
+```
+Microsoft Windows [Version 10.0.14393]
+(c) 2016 Microsoft Corporation. All rights reserved.
-Sdbinst.exe \[-q\] \[-?\] \[-u\] \[-g\] \[-p\] \[-u filepath\] \[-g *GUID*\] \[-n *"name"*\]
+C:\Windows\system32>Sdbinst.exe /?
+Usage: Sdbinst.exe [-?] [-q] [-u] [-g] [-p] [-n[:WIN32|WIN64]] myfile.sdb | {guid} | "name"
+
+ -? - print this help text.
+ -p - Allow SDBs containing patches.
+ -q - Quiet mode: prompts are auto-accepted.
+ -u - Uninstall.
+ -g {guid} - GUID of file (uninstall only).
+ -n "name" - Internal name of file (uninstall only).
+
+C:\Windows\system32>_
+```
+
+The command-line options use the following conventions:
+
+Sdbinst.exe \[-?\] \[-p\] \[-q\] \[-u\] \[-g\] \[-u filepath\] \[-g *GUID*\] \[-n *"name"*\]
The following table describes the available command-line options.
@@ -49,6 +68,18 @@ The following table describes the available command-line options.
+-? |
+Displays the Help for the Sdbinst.exe tool.
+For example,
+sdbinst.exe -?
|
+
+
+-p |
+Allows SDBs installation with Patches
+For example,
+sdbinst.exe -p C:\Windows\AppPatch\Myapp.sdb
|
+
+
-q |
Performs a silent installation with no visible window, status, or warning information. Fatal errors appear only in Event Viewer (Eventvwr.exe).
For example,
@@ -72,18 +103,6 @@ The following table describes the available command-line options.
For example,
sdbinst.exe -n "My_Database"
|
-
--? |
-Displays the Help for the Sdbinst.exe tool.
-For example,
-sdbinst.exe -?
|
-
-
--p |
-Allows SDBs installation with Patches
-For example,
-sdbinst.exe -p C:\Windows\AppPatch\Myapp.sdb
|
-
diff --git a/windows/deployment/planning/windows-10-1803-removed-features.md b/windows/deployment/planning/windows-10-1803-removed-features.md
index 8afb576298..9a42ba6489 100644
--- a/windows/deployment/planning/windows-10-1803-removed-features.md
+++ b/windows/deployment/planning/windows-10-1803-removed-features.md
@@ -33,7 +33,7 @@ We've removed the following features and functionalities from the installed prod
|Language control in the Control Panel| Use the Settings app to change your language settings.|
|HomeGroup|We are removing [HomeGroup](https://support.microsoft.com/help/17145) but not your ability to share printers, files, and folders.
When you update to Windows 10, version 1803, you won't see HomeGroup in File Explorer, the Control Panel, or Troubleshoot (**Settings > Update & Security > Troubleshoot**). Any printers, files, and folders that you shared using HomeGroup **will continue to be shared**.
Instead of using HomeGroup, you can now share printers, files and folders by using features that are built into Windows 10:
- [Share your network printer](https://www.bing.com/search?q=share+printer+windows+10)
- [Share files in File Explorer](https://support.microsoft.com/help/4027674/windows-10-share-files-in-file-explorer) |
|**Connect to suggested open hotspots** option in Wi-Fi settings |We previously [disabled the **Connect to suggested open hotspots** option](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) and are now removing it from the Wi-Fi settings page. You can manually connect to free wireless hotspots with **Network & Internet** settings, from the taskbar or Control Panel, or by using Wi-Fi Settings (for mobile devices).|
-|XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. If you have XPS Viewer and you update to Windows 10, version 1803, there's no action required. You'll still have XPS Viewer.
However, if you install Windows 10, version 1803, on a new device (or as a clean installation), you may need to [install XPS Viewer from **Apps and Features** in the Settings app](https://docs.microsoft.com/windows/application-management/add-apps-and-features) or through [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.|
+|XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image.
However, if you install Windows 10, version 1803, you may need to [install XPS Viewer from **Apps and Features** in the Settings app](https://docs.microsoft.com/windows/application-management/add-apps-and-features) or through [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.|
## Features we’re no longer developing
diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
index 7a7dfcc5d0..37103745b0 100644
--- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
@@ -26,7 +26,7 @@ ms.topic: article
>
>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB, CBB and LTSB may still be displayed in some of our products.
-Semi-Annual Channel (Targeted) is the default servicing channel for all Windows 10 devices except those with the LTSB edition installed. The following table shows the servicing channels available to each edition of Windows 10.
+Semi-Annual Channel is the default servicing channel for all Windows 10 devices except those with the LTSB edition installed. The following table shows the servicing channels available to each Windows 10 edition.
| Windows 10 edition | Semi-Annual Channel (Targeted) | Semi-Annual Channel | Long-Term Servicing Channel | Insider Program |
| --- | --- | --- | --- | --- |
@@ -44,6 +44,9 @@ Semi-Annual Channel (Targeted) is the default servicing channel for all Windows
>[!NOTE]
>The LTSB edition of Windows 10 is only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
+>[!NOTE]
+>Semi-Annual Channel (Targeted) should be used only by the customers that are using [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb). For those, who don't use Windows Update for Business, Semi-Annual Channel (Targeted) would be the same as Semi-Annual Channel.
+
## Assign devices to Semi-Annual Channel
>[!IMPORTANT]
diff --git a/windows/deployment/update/windows-update-logs.md b/windows/deployment/update/windows-update-logs.md
index b65bcc0c93..df6c14cfbf 100644
--- a/windows/deployment/update/windows-update-logs.md
+++ b/windows/deployment/update/windows-update-logs.md
@@ -141,3 +141,5 @@ There are different identifiers for the same update in different contexts. It’
- Small integers (especially in Datastore) can be local IDs
+## Windows Setup log files analysis using SetupDiag tool
+SetupDiag is a diagnostic tool that can be used for analysis of logs related to installation of Windows Updates. For detailed information, see [SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag).
diff --git a/windows/deployment/volume-activation/volume-activation-management-tool.md b/windows/deployment/volume-activation/volume-activation-management-tool.md
index 172989517e..1880d0e682 100644
--- a/windows/deployment/volume-activation/volume-activation-management-tool.md
+++ b/windows/deployment/volume-activation/volume-activation-management-tool.md
@@ -15,17 +15,12 @@ ms.topic: article
The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process.
VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in that requires the Microsoft Management Console (MMC) 3.0. VAMT can be installed on any computer that has one of the following Windows operating systems:
-- Windows® 7
-- Windows 8
-- Windows 8.1
-- Windows 10
-- Windows Server 2008 R2
-- Windows Server® 2012
-- Windows Server 2012 R2
+- Windows® 7 or above
+- Windows Server 2008 R2 or above
+
**Important**
-VAMT is designed to manage volume activation for: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Microsoft Office 2010, and Microsoft Office 2013. Computers installed with volume editions of
-**Windows XP** or **Windows Server 2003** cannot be managed using VAMT. However, Office 2010 and Office 2013 products installed on these two operating systems can still be managed.
+VAMT is designed to manage volume activation for: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 (or obove), Microsoft Office 2010 (or above).
VAMT is only available in an EN-US (x86) package.
@@ -42,4 +37,4 @@ VAMT is only available in an EN-US (x86) package.
|[Manage VAMT Data](manage-vamt-data.md) |Describes how to save, import, export, and merge a Computer Information List (CILX) file using VAMT. |
|[VAMT Step-by-Step Scenarios](vamt-step-by-step.md) |Provides step-by-step instructions for using VAMT in typical environments. |
|[VAMT Known Issues](vamt-known-issues.md) |Lists known issues in VAMT. |
-
\ No newline at end of file
+
diff --git a/windows/deployment/windows-10-enterprise-subscription-activation.md b/windows/deployment/windows-10-enterprise-subscription-activation.md
index 767a8c0724..a8baa55101 100644
--- a/windows/deployment/windows-10-enterprise-subscription-activation.md
+++ b/windows/deployment/windows-10-enterprise-subscription-activation.md
@@ -63,7 +63,7 @@ The following figure illustrates how deploying Windows 10 has evolved with each
For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following:
-- Windows 10 (Pro or Enterprise) version 1703 or later installed and **activated** on the devices to be upgraded.
+- Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded.
- Azure Active Directory (Azure AD) available for identity management.
- Devices must be Azure AD-joined or Active Directory joined with Azure AD Connect. Workgroup-joined devices are not supported.
diff --git a/windows/deployment/windows-autopilot/user-driven-hybrid.md b/windows/deployment/windows-autopilot/user-driven-hybrid.md
index c084916d3e..d69c5869ba 100644
--- a/windows/deployment/windows-autopilot/user-driven-hybrid.md
+++ b/windows/deployment/windows-autopilot/user-driven-hybrid.md
@@ -32,7 +32,7 @@ To perform a user-driven hybrid AAD joined deployment using Windows Autopilot:
- The device must be connected to the Internet and have access to an Active Directory domain controller.
- The Intune Connector for Active Directory must be installed.
- Note: The Intune Connector will perform an on-prem AD join, therefore users do not need on-prem AD-join permission, assuming the Connector is [configured to perform this action](https://docs.microsoft.com/intune/windows-autopilot-hybrid#increase-the-computer-account-limit-in-the-organizational-unit) on the user's behalf.
-- If using Proxy, WDAP Proxy settings option must be enabled and configured.
+- If using Proxy, WPAD Proxy settings option must be enabled and configured.
**AAD device join**: The hybrid AAD join process uses the system context to perform device AAD join, therefore it is not affected by user based AAD join permission settings. In addition, all users are enabled to join devices to AAD by default.
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md b/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md
index 30fb733eb0..7e67c7eca1 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md
@@ -21,7 +21,7 @@ ms.topic: article
When performing a remote Windows Autopilot Reset, an MDM service such an Microsoft Intune can be used to initiate the reset process, avoiding the need for IT staff or other administrators to visit each machine to initiate the process.
-To enable a device for a remote Windows Autopilot Reset, the device must be MDM managed, joined to Azure AD, and configured to use the [enrollment status page](enrollment-status.md).
+To enable a device for a remote Windows Autopilot Reset, the device must be MDM managed, joined to Azure AD, and configured to use the [enrollment status page](enrollment-status.md). This feature is not supported on devices that were enrolled using [Autopilot self deploying mode](self-deploying.md).
## Triggering a remote Windows Autopilot Reset
@@ -34,5 +34,8 @@ To trigger a remote Windows Autopilot Reset via Intune, follow these steps:
>[!NOTE]
>The Autopilot Reset option will not be enabled in Microsoft Intune for devices not running Windows 10 build 17672 or higher.
+>[!IMPORTANT]
+>The feature for Autopilot Reset (preview) will stay grayed out, **unless** you reset the device using Autopilot (either using Fresh Reset or manually sysprep the device).
+
Once the reset is complete, the device is again ready for use.
-
\ No newline at end of file
+
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset.md b/windows/deployment/windows-autopilot/windows-autopilot-reset.md
index 1a5c9e982d..78eca0eb39 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-reset.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-reset.md
@@ -33,6 +33,9 @@ Windows Autopilot Reset will block the user from accessing the desktop until thi
>[!IMPORTANT]
>To reestablish Wi-Fi connectivity after reset, make sure the **Connect automatically** box is checked for the device's wireless network connection.
+>[!NOTE]
+>The Autopilot Reset does not support Hybrid Azure AD joined devices.
+
## Scenarios
Windows Autopilot Reset supports two scenarios:
diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md
index 0b2f989db7..3b7f39ee7e 100644
--- a/windows/security/identity-protection/access-control/active-directory-security-groups.md
+++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md
@@ -258,279 +258,286 @@ The following tables provide descriptions of the default groups that are located
Yes |
+[Device Owners](#bkmk-device-owners) |
+Yes |
+Yes |
+Yes |
+Yes |
+
+
[Distributed COM Users](#bkmk-distributedcomusers) |
Yes |
Yes |
Yes |
Yes |
-
+
[DnsUpdateProxy](#bkmk-dnsupdateproxy) |
Yes |
Yes |
Yes |
Yes |
-
+
[DnsAdmins](#bkmk-dnsadmins) |
Yes |
Yes |
Yes |
Yes |
-
+
[Domain Admins](#bkmk-domainadmins) |
Yes |
Yes |
Yes |
Yes |
-
+
[Domain Computers](#bkmk-domaincomputers) |
Yes |
Yes |
Yes |
Yes |
-
+
[Domain Controllers](#bkmk-domaincontrollers) |
Yes |
Yes |
Yes |
Yes |
-
+
[Domain Guests](#bkmk-domainguests) |
Yes |
Yes |
Yes |
Yes |
-
+
[Domain Users](#bkmk-domainusers) |
Yes |
Yes |
Yes |
Yes |
-
+
[Enterprise Admins](#bkmk-entadmins) |
Yes |
Yes |
Yes |
Yes |
-
-[Enterprise Key Admins](#bkmk-enterprise-key-admins) |
+
+[Enterprise Key Admins](#enterprise-key-admins) |
Yes |
|
|
|
-
+
[Enterprise Read-only Domain Controllers](#bkmk-entrodc) |
Yes |
Yes |
Yes |
Yes |
-
+
[Event Log Readers](#bkmk-eventlogreaders) |
Yes |
Yes |
Yes |
Yes |
-
+
[Group Policy Creator Owners](#bkmk-gpcreatorsowners) |
Yes |
Yes |
Yes |
Yes |
-
+
[Guests](#bkmk-guests) |
Yes |
Yes |
Yes |
Yes |
-
+
[Hyper-V Administrators](#bkmk-hypervadministrators) |
Yes |
Yes |
Yes |
|
-
+
[IIS_IUSRS](#bkmk-iis-iusrs) |
Yes |
Yes |
Yes |
Yes |
-
+
[Incoming Forest Trust Builders](#bkmk-inforesttrustbldrs) |
Yes |
Yes |
Yes |
Yes |
-
+
[Key Admins](#key-admins) |
Yes |
|
|
|
-
+
[Network Configuration Operators](#bkmk-networkcfgoperators) |
Yes |
Yes |
Yes |
Yes |
-
+
[Performance Log Users](#bkmk-perflogusers) |
Yes |
Yes |
Yes |
Yes |
-
+
[Performance Monitor Users](#bkmk-perfmonitorusers) |
Yes |
Yes |
Yes |
Yes |
-
+
[Pre–Windows 2000 Compatible Access](#bkmk-pre-ws2kcompataccess) |
Yes |
Yes |
Yes |
Yes |
-
+
[Print Operators](#bkmk-printoperators) |
Yes |
Yes |
Yes |
Yes |
-
+
[Protected Users](#bkmk-protectedusers) |
Yes |
Yes |
|
|
-
+
[RAS and IAS Servers](#bkmk-rasandias) |
Yes |
Yes |
Yes |
Yes |
-
+
[RDS Endpoint Servers](#bkmk-rdsendpointservers) |
Yes |
Yes |
Yes |
|
-
+
[RDS Management Servers](#bkmk-rdsmanagementservers) |
Yes |
Yes |
Yes |
|
-
+
[RDS Remote Access Servers](#bkmk-rdsremoteaccessservers) |
Yes |
Yes |
Yes |
|
-
+
[Read-only Domain Controllers](#bkmk-rodc) |
Yes |
Yes |
Yes |
Yes |
-
+
[Remote Desktop Users](#bkmk-remotedesktopusers) |
Yes |
Yes |
Yes |
Yes |
-
+
[Remote Management Users](#bkmk-remotemanagementusers) |
Yes |
Yes |
Yes |
|
-
+
[Replicator](#bkmk-replicator) |
Yes |
Yes |
Yes |
Yes |
-
+
[Schema Admins](#bkmk-schemaadmins) |
Yes |
Yes |
Yes |
Yes |
-
+
[Server Operators](#bkmk-serveroperators) |
Yes |
Yes |
Yes |
Yes |
-
+
[Storage Replica Administrators](#storage-replica-administrators) |
Yes |
|
|
|
-
+
[System Managed Accounts Group](#system-managed-accounts-group) |
Yes |
|
|
|
-
+
[Terminal Server License Servers](#bkmk-terminalserverlic) |
Yes |
Yes |
Yes |
Yes |
-
+
[Users](#bkmk-users) |
Yes |
Yes |
Yes |
Yes |
-
+
[Windows Authorization Access Group](#bkmk-winauthaccess) |
Yes |
Yes |
Yes |
Yes |
-
+
[WinRMRemoteWMIUsers_](#bkmk-winrmremotewmiusers-) |
|
Yes |
@@ -1208,6 +1215,68 @@ This security group includes the following changes since Windows Server 2008:
+### Device Owners
+This group is not currently used in Windows.
+
+Microsoft does not recommend changing the default configuration where this security group has zero members. Changing the default configuration could hinder future scenarios that rely on this group.
+
+The Device Owners group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
+
+
+
+
+
+
+
+
+
+
+
+Well-Known SID/RID |
+S-1-5-32-583 |
+
+
+Type |
+BuiltIn Local |
+
+
+Default container |
+CN=BuiltIn, DC=<domain>, DC= |
+
+
+Default members |
+None |
+
+
+Default member of |
+None |
+
+
+Protected by ADMINSDHOLDER? |
+No |
+
+
+Safe to move out of default container? |
+Can be moved out but it is not recommended |
+
+
+Safe to delegate management of this group to non-Service admins? |
+No |
+
+
+Default User Rights |
+[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight
+[Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight
+[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege
+[Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege
+ |
+
+
+
+
### Distributed COM Users
@@ -3692,6 +3761,7 @@ This security group was introduced in Windows Server 2012, and it has not chang
+
## See also
- [Security Principals](security-principals.md)
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
index 0e10a79093..a588960870 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
@@ -22,8 +22,6 @@ ms.date: 08/17/2017
- Windows Server 2016
-Prefer video? See [Windows Defender Credential Guard Design](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474) in the **Deep Dive into Windows Defender Credential Guard** video series.
-
Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment.
@@ -46,4 +44,4 @@ Here's a high-level overview on how the LSA is isolated by using virtualization-
[Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=1CoELLJyC_6704300474)
-[Credentials protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
\ No newline at end of file
+[Credentials protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index 626de0ca3e..b315be80ea 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -21,10 +21,9 @@ ms.date: 03/01/2019
- Windows 10
- Windows Server 2016
-Prefer video? See [Windows Defender Credential Guard Deployment](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474) in the Deep Dive into Windows Defender Credential Guard video series.
## Enable Windows Defender Credential Guard
-Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-credential-guard-by-using-group-policy), the [registry](#enable-credential-guard-by-using-the-registry), or the Windows Defender Device Guard and Windows Defender Credential Guard [hardware readiness tool](#hardware-readiness-tool). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
+Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the Windows Defender Device Guard and Windows Defender Credential Guard [hardware readiness tool](#hardware-readiness-tool). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines.
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
index 01d5a2d5a7..efceecd400 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
@@ -21,9 +21,6 @@ ms.date: 01/12/2018
- Windows 10
- Windows Server 2016
-Prefer video? See
-[Windows Defender Credential Guard Deployment](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474)
-in the Deep Dive into Windows Defender Credential Guard video series.
For Windows Defender Credential Guard to provide protection, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Windows Defender Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations).
diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
index a7abd09380..d82576afc9 100644
--- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
+++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
@@ -71,7 +71,7 @@ To allow fingerprint matching, you must have devices with fingerprint sensors an
### Facial recognition sensors
To allow facial recognition, you must have devices with integrated special infrared (IR) sensors and software. Facial recognition sensors use special cameras that see in IR light, letting them tell the difference between a photo and a living person while scanning an employee’s facial features. These sensors, like the fingerprint sensors, must also include anti-spoofing measures (required) and a way to configure them (optional).
-- False Accept Rate (FAR): <0.001
+- False Accept Rate (FAR): <0.001%
- False Reject Rate (FRR) without Anti-spoofing or liveness detection: <5%
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
index 7eeaa651d5..ef8b59ba42 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
@@ -28,6 +28,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
[Azure AD joined provisioning in a Federated environment](#azure-ad-joined-provisioning-in-a-federated-environment)
[Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed environment](#hybrid-azure-ad-joined-provisioning-in-a-key-trust-deployment-in-a-managed-environment)
[Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Managed environment](#hybrid-azure-ad-joined-provisioning-in-a-certificate-trust-deployment-in-a-managed-environment)
+[Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Federated environment](#hybrid-azure-ad-joined-provisioning-in-a-certificate-trust-deployment-in-a-federated-environment)
[Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environment](#hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-managed-environment)
[Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment](#hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-federated-environment)
[Domain joined provisioning in an On-premises Key Trust deployment](#domain-joined-provisioning-in-an-on-premises-key-trust-deployment)
@@ -56,7 +57,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
|C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns key ID to the application which signals the end of user provisioning and the application exits.|
[Return to top](#windows-hello-for-business-provisioning)
-## Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed envrionment
+## Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed environment
| Phase | Description |
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
index ac6315a04d..6b4a465a9c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
@@ -71,7 +71,7 @@ The minimum required enterprise certificate authority that can be used with Wind
## Directory Synchronization ##
The two directories used in hybrid deployments must be synchronized. You need Azure Active Directory Connect to synchronize user accounts in the on-premises Active Directory with Azure Active Directory.
-Organizations using older directory synchronization technology, such as DirSync or Azure AD sync need to upgrade to Azure AD Connect
+Organizations using older directory synchronization technology, such as DirSync or Azure AD sync, need to upgrade to Azure AD Connect. In case the schema of your local AD DS was changed since the last directory synchronization, you may need to [refresh directory schema](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-installation-wizard#refresh-directory-schema).
### Section Review
> [!div class="checklist"]
diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md
index 6574cf15e2..bb80483994 100644
--- a/windows/security/information-protection/windows-information-protection/wip-learning.md
+++ b/windows/security/information-protection/windows-information-protection/wip-learning.md
@@ -24,7 +24,7 @@ ms.date: 02/26/2019
- Windows 10, version 1703 and later
- Windows 10 Mobile, version 1703 and later
-With WIP Learning, you can intelligently tune which apps and websites are included in your WIP policy to help reduce disruptive prompts and keep it accurate and relevant. WIP Learning generates two reports: The **App learning report** and the **Website learning report**. Both reports are accessed from Microsoft Azure Intune, and you can alternately access the App learning report from Microsoft Operations Management Suite (OMS).
+With WIP Learning, you can intelligently tune which apps and websites are included in your WIP policy to help reduce disruptive prompts and keep it accurate and relevant. WIP Learning generates two reports: The **App learning report** and the **Website learning report**. Both reports can be accessed from Microsoft Azure Intune.
The **App learning report** monitors your apps, not in policy, that attempt to access work data. You can identify these apps using the report and add them to your WIP policies to avoid productivity disruption before fully enforcing WIP with [“Block”](protect-enterprise-data-using-wip.md#bkmk-modes) mode. Frequent monitoring of the report will help you continuously identify access attempts so you can update your policy accordingly.
@@ -44,59 +44,42 @@ In the **Website learning report**, you can view a summary of the devices that h
-Once you have the apps and websites showing up in the WIP Learning logging reports, you can decide whether to add them to your app protection policies. Next, we'll look at how to do that in Operations Management Suite (OMS).
+Once you have the apps and websites showing up in the WIP Learning logging reports, you can decide whether to add them to your app protection policies.
-## View the WIP app learning report in Microsoft Operations Management Suite
+## Use the WIP section of Device Health
-From Intune, you can open OMS by choosing **WIP in the OMS console**. Then you can view the WIP App learning blade to monitor access events per app, and devices that have reported WIP access events:
+You can use Device Health to adjust your WIP protection policy. See [Using Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-using#windows-information-protection) to learn more.
-
-
-If you don't have OMS linked to your Microsoft Azure Account, and want to configure your environment for Windows Analytics: Device Health, see [Get Started with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-get-started) for more information.
-
->[!NOTE]
->Intune has a 14 day data retention capacity, while OMS offers better querying capabilities and longer data retention.
+If you want to configure your environment for Windows Analytics: Device Health, see [Get Started with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-get-started) for more information.
Once you have WIP policies in place, by using the WIP section of Device Health, you can:
- Reduce disruptive prompts by adding rules to allow data sharing from approved apps.
- Tune WIP rules by confirming that certain apps are allowed or denied by current policy.
-
+## Use Device Health and Intune to adjust WIP protection policy
-The **APP LEARNING** tile shows details of app statistics that you can use to evaluate each incident and update app policies by using WIP AppIDs.
+The information needed for the following steps can be found using Device Health, which you will first have to set up. Learn more about how you can [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor).
-
+1. In **Device Health** click the app you want to add to your policy and copy the publisher information.
-In this chart view, you can see apps that have been used on connected devices which, when clicked on, will open additional details on the app, including details you need to adjust your WIP Policy:
-
-
+2. In Intune, click **App protection policies** and then choose the app policy you want to add an application to.
-Here, you can copy the **WipAppid** and use it to adjust your WIP protection policies.
+3. Click **Protected apps**, and then click **Add Apps**.
-## Use OMS and Intune to adjust WIP protection policy
-
-1. Click the **APP LEARNING** tile in OMS, as described above, to determine which apps are being used for work so you can add those you choose to your WIP policy.
-
-2. Click the app you want to add to your policy and copy the publisher information from the app details screen.
-
-3. Back in Intune, click **App protection policies** and then choose the app policy you want to add an application to.
-
-4. Click **Protected apps**, and then click **Add Apps**.
-
-5. In the **Recommended apps** drop down menu, choose either **Store apps** or **Desktop apps**, depending on the app you've chosen (for example, an executable (EXE) is a desktop app).
+4. In the **Recommended apps** drop down menu, choose either **Store apps** or **Desktop apps**, depending on the app you've chosen (for example, an executable (EXE) is a desktop app).
-6. In **NAME** (optional), type the name of the app, and then in **PUBLISHER** (required), paste the publisher information that you copied in step 2 above.
+5. In **NAME** (optional), type the name of the app, and then in **PUBLISHER** (required), paste the publisher information that you copied in step 1 above.
-7. Type the name of the product in **PRODUCT NAME** (required) (this will probably be the same as what you typed for **NAME**).
+6. Type the name of the product in **PRODUCT NAME** (required) (this will probably be the same as what you typed for **NAME**).
-8. Back in OMS, copy the name of the executable (for example, snippingtool.exe) and then go back to Intune and paste it in **FILE** (required).
+7. Copy the name of the executable (for example, snippingtool.exe) and paste it in **FILE** (required).
-9. Go back to OMS one more time and note the version number of the app and type it in **MIN VERSION** in Intune (alternately, you can specify the max version, but one or the other is required), and then select the **ACTION**: **Allow** or **Deny**
+8. Type the version number of the app into **MIN VERSION** in Intune (alternately, you can specify the max version, but one or the other is required), and then select the **ACTION**: **Allow** or **Deny**
When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes)
diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md
index ea200b936f..4387af7e0b 100644
--- a/windows/security/threat-protection/auditing/event-4769.md
+++ b/windows/security/threat-protection/auditing/event-4769.md
@@ -224,7 +224,7 @@ The most common values:
| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid | The wrong password was provided.
This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. |
| 0x19 | KDC\_ERR\_PREAUTH\_REQUIRED | Additional pre-authentication required | This error often occurs in UNIX interoperability scenarios. MIT-Kerberos clients do not request pre-authentication when they send a KRB\_AS\_REQ message. If pre-authentication is required (the default), Windows systems will send this error. Most MIT-Kerberos clients will respond to this error by giving the pre-authentication, in which case the error can be ignored, but some clients might not respond in this way. |
| 0x1A | KDC\_ERR\_SERVER\_NOMATCH | KDC does not know about the requested server | No information. |
-| 0x1B | KDC\_ERR\_SVC\_UNAVAILABLE | KDC is unavailable | No information. |
+| 0x1B | KDC\_ERR\_MUST\_USE\_USER2USER | Server principal valid for user2user only | This error occurs because the service is missing an SPN. |
| 0x1F | KRB\_AP\_ERR\_BAD\_INTEGRITY | Integrity check on decrypted field failed | The authenticator was encrypted with something other than the session key. The result is that the client cannot decrypt the resulting message. The modification of the message could be the result of an attack or it could be because of network noise. |
| 0x20 | KRB\_AP\_ERR\_TKT\_EXPIRED | The ticket has expired | The smaller the value for the “Maximum lifetime for user ticket” Kerberos policy setting, the more likely it is that this error will occur. Because ticket renewal is automatic, you should not have to do anything if you get this message. |
| 0x21 | KRB\_AP\_ERR\_TKT\_NYV | The ticket is not yet valid | The ticket presented to the server is not yet valid (in relationship to the server time). The most probable cause is that the clocks on the KDC and the client are not synchronized.
If cross-realm Kerberos authentication is being attempted, then you should verify time synchronization between the KDC in the target realm and the KDC in the client realm, as well. |
diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
index 37859694d9..3d7368b36a 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md
@@ -20,9 +20,9 @@ ms.date: 10/02/2018
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can identify and block PUAs from downloading and installing on endpoints in your network.
+The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can detect and block PUAs on endpoints in your network.
-These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to have a poor reputation.
+These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to have poor reputation.
Typical PUA behavior includes:
@@ -37,25 +37,17 @@ These applications can increase the risk of your network being infected with mal
## How it works
-PUAs are blocked when a user attempts to download or install the detected file, and if the file meets one of the following conditions:
+Windows Defender Antivirus blocks detected PUA files and attempts to download, move, run, or install them. Blocked PUA files are then moved to quarantined.
-- The file is being scanned from the browser
-- The file is in a folder with "**downloads**" in the path
-- The file is in a folder with "**temp**" in the path
-- The file is on the user's desktop
-- The file does not meet one of these conditions and is not under *%programfiles%*, *%appdata%*, or *%windows%*
-
-The file is placed in the quarantine section so it won't run.
-
-When a PUA is detected on an endpoint, the endpoint will present a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as normal threat detections (prefaced with "PUA:").
+When a PUA is detected on an endpoint, Windows Defender Antivirus presents a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as normal threat detections (prefaced with "PUA:").
They will also appear in the usual [quarantine list in the Windows Security app](windows-defender-security-center-antivirus.md#detection-history).
## View PUA events
-PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager or Intune.
+PUA events are reported in the Windows Event Viewer, but not in System Center Configuration Manager or Intune.
-Hoever, PUA detections will be reported if you have set up email notifications for detections.
+You can turn on email notifications for PUA detections.
See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for details on viewing Windows Defender Antivirus events. PUA events are recorded under event ID 1160.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
index 5d82fb8254..1c4e998102 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
@@ -27,7 +27,9 @@ You might want to do this when testing how the features will work in your organi
While the features will not block or prevent apps, scripts, or files from being modified, the Windows Event Log will record events as if the features were fully enabled. This means you can enable audit mode and then review the event log to see what impact the feature would have had were it enabled.
-You can use Windows Defender Advanced Threat Protection to get greater deatils for each event, especially for investigating attack surface reduction rules. Using the Windows Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
+To find the audited entries, go to **Applications and Services** > **Microsoft** > **Windows** > **Windows Defender** > **Operational**.
+
+You can use Windows Defender Advanced Threat Protection to get greater details for each event, especially for investigating attack surface reduction rules. Using the Windows Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).
This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
index 93e5640492..707aa20197 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
@@ -9,8 +9,8 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
-author: andreabichsel
-ms.author: v-anbic
+author: Justinha
+ms.author: justinha
ms.date: 04/02/2019
---