Merging changes synced from https://github.com/MicrosoftDocs/windows-docs-pr (branch live)

This commit is contained in:
officedocspr
2020-02-03 18:50:33 +00:00
9 changed files with 305 additions and 79 deletions


@ -16,9 +16,11 @@
## [Install localized version of HoloLens (1st gen)](hololens1-install-localized.md) ## [Install localized version of HoloLens (1st gen)](hololens1-install-localized.md)
## [Getting around HoloLens (1st gen)](hololens1-basic-usage.md) ## [Getting around HoloLens (1st gen)](hololens1-basic-usage.md)
# HoloLens in commercial environments # Deploying HoloLens and Mixed Reality Apps in Commercial Environments
## [Commercial feature overview](hololens-commercial-features.md)
## [Deployment planning](hololens-requirements.md) ## [Deployment planning](hololens-requirements.md)
## [Commercial feature overview](hololens-commercial-features.md)
## [Lincense Requriements](hololens-licenses-requirements.md)
## [Commercial Infrastructure Guidance](hololens-commercial-infrastructure.md)
## [Unlock Windows Holographic for Business features](hololens1-upgrade-enterprise.md) ## [Unlock Windows Holographic for Business features](hololens1-upgrade-enterprise.md)
## [Configure HoloLens using a provisioning package](hololens-provisioning.md) ## [Configure HoloLens using a provisioning package](hololens-provisioning.md)
## [Enroll HoloLens in MDM](hololens-enroll-mdm.md) ## [Enroll HoloLens in MDM](hololens-enroll-mdm.md)
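Review bot: the new TOC entry `## [Lincense Requriements](hololens-licenses-requirements.md)` misspells both words of its link text; it should read `## [License Requirements](hololens-licenses-requirements.md)`, matching the title of the page it links to ("Licenses Required for Mixed Reality Deployment"). The new entries also use Title Case ("Commercial Infrastructure Guidance") while the neighbouring entries use sentence case ("Commercial feature overview", "Deployment planning"), so "License requirements" and "Commercial infrastructure guidance" would keep the TOC consistent.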


@ -0,0 +1,113 @@
---
title: Infrastructure Guidelines for HoloLens
description:
ms.prod: hololens
ms.sitesec: library
author: pawinfie
ms.author: pawinfie
audience: ITPro
ms.topic: article
ms.localizationpriority: high
ms.date: 1/23/2020
ms.reviewer:
manager: bradke
appliesto:
- HoloLens (1st gen)
- HoloLens 2
---
# Configure Your Network
This portion of the document will require the following people:
1. Network Admin with permissions to make changes to the proxy/firewall
2. Azure Active Directory Admin
3. Mobile Device Manager Admin
4. Teams admin for Remote Assist only
## Infrastructure Requirements
### HoloLens Specific Network Requirements
Make sure that these ports and URLs are allowed on your network firewall. This will enable HoloLens to function properly. The latest list can be found [here](hololens-offline.md).
### Remote Assist Specific Network Requirements
1. The recommended bandwidth for optimal performance of Remote Assist is 1.5Mbps. Detailed network requirements and additional information can be found [here](https://docs.microsoft.com/MicrosoftTeams/prepare-network).
**Please note, if you dont network have network speeds of at least 1.5Mbps, Remote Assist will still work. However, quality may suffer.**
1. Make sure that these ports and URLs are allowed on your network firewall. This will enable Microsoft Teams to function. The latest list can be found [here](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges#skype-for-business-online-and-microsoft-teams).
### Guides Specific Network Requirements
Guides only require network access to download and use the app.
## Azure Active Directory Guidance
This step is only necessary if your company plans on managing the HoloLens and mixed reality apps.
### 1. Ensure that you have an Azure AD License.
Please [HoloLens Licenses Requirements](hololens-licenses-requirements.md)for additional information.
### 2. Ensure that your companys users are in Azure Active Directory (Azure AD).
Instructions for adding users can be found [here](https://docs.microsoft.com/azure/active-directory/fundamentals/add-users-azure-active-directory).
### 3. We suggest that users who will be need similar licenses are added to a group.
1. [Create a Group](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal)
2. [Add users to groups](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-members-azure-portal)
### 4. Ensure that your companys users (or group of users) are assigned the necessary licenses.
Directions for assigning licenses can be found [here](https://docs.microsoft.com/azure/active-directory/fundamentals/license-users-groups).
### 5. **IMPORTANT:** Only do this step if users are expected to enroll their HoloLens/Mobile device onto the network.
These steps ensure that your companys users (or a group of users) can add devices.
1. Option 1: Give all users permission to join devices to Azure AD.
**Sign in to the Azure portal as an administrator** > **Azure Active Directory** > **Devices** > **Device Settings** >
**Set Users may join devices to Azure AD to *All***
1. Option 2: Give selected users/groups permission to join devices to Azure AD
**Sign in to the Azure portal as an administrator** > **Azure Active Directory** > **Devices** > **Device Settings** >
**Set Users may join devices to Azure AD to *Selected***
![Image that shows Configuration of Azure AD Joined Devices](images/azure-ad-image.png)
1. Option 3: You can block all users from joining their devices to the domain. This means that all devices will need to be manually enrolled by your IT department.
## Mobile Device Manager Admin Steps
### Scenario 1: Kiosk Mode
As a note, auto-launching an app does not currently work for HoloLens.
How to Set Up Kiosk Mode Using Microsoft Intune.
#### 1. Sync Microsoft Store to Intune ([Here](https://docs.microsoft.com/intune/apps/windows-store-for-business))
#### 2. Check your app settings
1. Log into your Microsoft Store Business account
1. **Manage** > **Products and Services** > **Apps and Software** > **Select the app you want to sync** > **Private Store Availability** > **Select “Everyone” or “Specific Groups”**
1. If you do not see your apps in **Intune** > **Client Apps** > **Apps** , you may have to [sync your apps](https://docs.microsoft.com/intune/apps/windows-store-for-business#synchronize-apps) again.
#### 3. Configuring Kiosk Mode using MDM
Information on configuring Kiosk Mode in Intune can be found [here](https://docs.microsoft.com/hololens/hololens-kiosk#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803)
>[!NOTE]
>You can configure different users to have different Kiosk Mode experiences by using “Azure AD” as the “User logon type”. However, this option is only available in Multi-App kiosk mode. Multi-App kiosk mode will work with only one app as well as multiple apps.
![Image that shows Configuration of Kiosk Mode in Intune](images/aad-kioskmode.png)
If you are configuring Kiosk Mode on an MDM other than Intune, please check your MDM provider's documentation.
## Additional Intune Quick Links
1. [Create Profiles:](https://docs.microsoft.com/intune/configuration/device-profile-create) Profiles allow you to add and configure settings that will be pushed to the devices in your organization.
1. [CSPs (Configuration Service Providers)](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices) allows you to create and deploy management settings for the devices on your network. Some CSPs are supported by HoloLens devices. (See the list of CSPs for HoloLens [here](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices).
1. [Create Compliance Policy](https://docs.microsoft.com/intune/protect/create-compliance-policy)
1. Conditional Access allows/denies mobile devices and mobile applications from accessing company resources. Two documents you may find helpful are [Plan your CA Deployment](https://docs.microsoft.com/azure/active-directory/conditional-access/plan-conditional-access) and [Best Practices](https://docs.microsoft.com/azure/active-directory/conditional-access/best-practices).
## Certificates and Authentication
### MDM Certificate Distribution
If your company requires certificates, Intune supports PKCS, PFX, and SCEP. It is important to understand which certificate is right for your company. Please visit [here](https://docs.microsoft.com/intune/protect/certificates-configure) to determine which cert is best for you. If you plan to use certs for HoloLens Authentication, PFX or SCEP may be right for you.
Steps for SCEP can be found [here](https://docs.microsoft.com/intune/protect/certificates-profile-scep).
### Device Certificates
Certificates can also be added to the HoloLens through package provisioning. Please see [HoloLens Provisioning](hololens-provisioning.md) for additional information.
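Review bot: the front matter of this new page has an empty `description:` field, and several sentences in the body need a pass before publishing. The bandwidth note under "Remote Assist Specific Network Requirements" is garbled ("if you dont network have network speeds of at least 1.5Mbps") and should read "if you don't have network speeds of at least 1.5 Mbps"; "Please [HoloLens Licenses Requirements](hololens-licenses-requirements.md)for additional information" is missing the verb "see" and a space before "for"; "users who will be need similar licenses" should be "users who need similar licenses"; and "companys" (three occurrences) needs its apostrophe. In the Intune quick links, the CSP item opens a parenthesis "(See the list of CSPs for HoloLens [here](...)" that is never closed, and both links in that item point at the same `#csps-supported-in-hololens-devices` anchor. In step 5 of the Azure AD guidance, Option 1 sets "Users may join devices to Azure AD" to *All*; since the page frames this for MDM-managed fleets, it would help readers to state that Option 2 (selected users/groups) is the narrower setting and that Option 1 is the broadest, so the choice is made deliberately rather than by reading the options top down.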


@ -0,0 +1,50 @@
---
title: Licenses for Mixed Reality Deployment
description:
ms.prod: hololens
ms.sitesec: library
author: pawinfie
ms.author: pawinfie
audience: ITPro
ms.topic: article
ms.localizationpriority: high
ms.date: 1/23/2020
ms.reviewer:
manager: bradke
appliesto:
- HoloLens (1st gen)
- HoloLens 2
---
# Licenses Required for Mixed Reality Deployment
If you plan on using a Mobile Device Management system (MDM) to manage your HoloLens, please review the MDM License Guidance section.
## Mobile Device Management (MDM) Licenses Guidance
If you plan on using an MDM other than Intune, an [Azure Active Directory Licenses](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) is required.
If you plan on using Intune as your MDM, you can acquire an [Enterprise Mobility + Security (EMS) suite (E3 or E5) licenses](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/compare-plans-and-pricing). **Please note that Azure AD is included in both suites.**
## Identify the licenses needed for your scenario and products
### Remote Assist License Requirements
Make sure you have the required licensing and device. Updated licensing and product requirements can be found [here](https://docs.microsoft.com/dynamics365/mixed-reality/remote-assist/requirements).
1. [Remote Assist License](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis)
1. [Teams Freemium/Teams](https://products.office.com/microsoft-teams/free)
1. [Azure Active Directory (Azure AD) License](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis)
### Guides License Requirements
Updated licensing and device requirements can be found [here](https://docs.microsoft.com/dynamics365/mixed-reality/guides/requirements).
1. [Azure Active Directory (Azure AD) License](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis)
1. [Power BI](https://powerbi.microsoft.com/desktop/)
1. [Guides](https://docs.microsoft.com/dynamics365/mixed-reality/guides/setup)
### Scenario 1: Kiosk Mode
If you are not planning to use an MDM to manage your device and you are planning to use a local account or an MSA as the login identity, you will not need any additional licenses. Kiosk mode can be accomplished using a provisioning packages.
1. If you are **not** planning to use an MDM to manage your device and you are planning to use a local account or an MSA as the login identity, you will not need any additional licenses. Kiosk mode can be accomplished using a provisioning packages.
1. If you are planning to use an MDM other than Intune, your MDM provider will have steps on configuring Kiosk mode.
1. If you are planning to use **Intune** as your MDM, implementation directions can be found in [Configuring your Network for HoloLens]().
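Review bot: the "Remote Assist License" list item under "Remote Assist License Requirements" links to `https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis`, the same Azure AD overview URL used by the "Azure Active Directory (Azure AD) License" item two lines below, so readers looking for Remote Assist licensing land on the wrong page; it should point at Remote Assist licensing (at minimum the `dynamics365/mixed-reality/remote-assist/requirements` page already linked in the sentence above). Under "Scenario 1: Kiosk Mode" the introductory paragraph is repeated verbatim as the first numbered item; drop one copy, and fix "a provisioning packages" to "a provisioning package". The last item has an empty link target, `[Configuring your Network for HoloLens]()`, presumably meant to be the `hololens-commercial-infrastructure.md` page added in this same commit. Also, `description:` in the front matter is empty, and "an Azure Active Directory Licenses is required" should read "an Azure Active Directory license is required".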


@ -17,6 +17,8 @@ appliesto:
- HoloLens 2 - HoloLens 2
--- ---
# Manage connection endpoints for HoloLens
Some HoloLens components, apps, and related services transfer data to Microsoft network endpoints. This article lists different endpoints and URLs that need to be whitelisted in your network configuratiion (e.g. proxy or firewall) for those components to be functional. Some HoloLens components, apps, and related services transfer data to Microsoft network endpoints. This article lists different endpoints and URLs that need to be whitelisted in your network configuratiion (e.g. proxy or firewall) for those components to be functional.
## Near-offline setup ## Near-offline setup
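Review bot: the unchanged context line in this hunk still carries the typo "configuratiion" (should be "configuration"); since the hunk already touches this paragraph's surroundings, it is worth folding the fix in. "whitelisted" could also be changed to "allowed" to match the wording used by the new hololens-commercial-infrastructure.md page ("Make sure that these ports and URLs are allowed on your network firewall").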
@ -59,7 +61,7 @@ In addition to the list above, to take full advantage of HoloLens functionality,
| Certificates | activation-v2.sls.microsoft.com/* | | | | | Certificates | activation-v2.sls.microsoft.com/* | | | |
| | crl.microsoft.com/pki/crl/* | | | | | | crl.microsoft.com/pki/crl/* | | | |
| | ocsp.digicert.com/* | | | | | | ocsp.digicert.com/* | | | |
| | www.microsoft.com/pkiops/* | | | | | | https://www.microsoft.com/pkiops/* | | | |
| Cortana and Search | store-images.*microsoft.com | | | | | Cortana and Search | store-images.*microsoft.com | | | |
| | www.bing.com/client | | | | | | www.bing.com/client | | | |
| | www.bing.com | | | | | | www.bing.com | | | |
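Review bot: adding `https://` to the `www.microsoft.com/pkiops/*` row makes it the only entry in the Certificates group with a scheme; `crl.microsoft.com/pki/crl/*` and `ocsp.digicert.com/*` directly above it stay scheme-less, so readers copying rows into a proxy or firewall allowlist end up with inconsistent patterns. More importantly, `/pkiops/` is a certificate-revocation distribution path, and CRL/AIA fetches are conventionally made over plain HTTP from the URL embedded in the certificate, so an allow rule scoped to `https://www.microsoft.com/pkiops/*` would not match the requests this row exists to permit. Suggest keeping the row as `www.microsoft.com/pkiops/*` like its neighbours, or listing both schemes if the intent is to document that the host is also reachable over TLS.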
@ -76,7 +78,7 @@ In addition to the list above, to take full advantage of HoloLens functionality,
| | location-inference-westus.cloudapp.net | | | | | | location-inference-westus.cloudapp.net | | | |
| Diagnostic Data | v10.events.data.microsoft.com | | | | | Diagnostic Data | v10.events.data.microsoft.com | | | |
| | v10.vortex-win.data.microsoft.com/collect/v1 | | | | | | v10.vortex-win.data.microsoft.com/collect/v1 | | | |
| | www.microsoft.com | | | | | | https://www.microsoft.com | | | |
| | co4.telecommand.telemetry.microsoft.com | | | | | | co4.telecommand.telemetry.microsoft.com | | | |
| | cs11.wpc.v0cdn.net | | | | | | cs11.wpc.v0cdn.net | | | |
| | cs1137.wpc.gammacdn.net | | | | | | cs1137.wpc.gammacdn.net | | | |
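Review bot: `https://www.microsoft.com` is now the only scheme-qualified row in the Diagnostic Data group; `v10.events.data.microsoft.com`, `co4.telecommand.telemetry.microsoft.com` and the CDN hosts around it remain bare hostnames. Keep the row as `www.microsoft.com` so the table stays a uniform host/path allowlist, or state in the column header that entries are full URLs.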
@ -106,7 +108,7 @@ In addition to the list above, to take full advantage of HoloLens functionality,
| | officeclient.microsoft.com | | | | | | officeclient.microsoft.com | | | |
| | outlook.office365.com | | | | | | outlook.office365.com | | | |
| | client-office365-tas.msedge.net | | | | | | client-office365-tas.msedge.net | | | |
| | www.office.com | | | | | | https://www.office.com | | | |
| | onecollector.cloudapp.aria | | | | | | onecollector.cloudapp.aria | | | |
| | v10.events.data.microsoft.com/onecollector/1.0/ | | | | | | v10.events.data.microsoft.com/onecollector/1.0/ | | | |
| | self.events.data.microsoft.com | | | | | | self.events.data.microsoft.com | | | |
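Review bot: the same inconsistency as in the other hunks of this file: `https://www.office.com` sits among scheme-less rows (`outlook.office365.com`, `officeclient.microsoft.com`, `self.events.data.microsoft.com`). Allowlists built from this table are host/path based, so the scheme prefix should be dropped from this row too, or applied to every row with the column header updated to say so.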

Binary file not shown.


Binary file not shown.



@ -23,15 +23,15 @@ ms.date: 08/30/2016
### Microsoft Desktop Optimization Pack resources ### Microsoft Desktop Optimization Pack resources
- [Microsoft Desktop Optimization Pack (MDOP) for Software Assurance TechCenter](https://go.microsoft.com/fwlink/?LinkID=159870) (http://www.microsoft.com/technet/mdop): Links to MDOP videos and resources. - [Microsoft Desktop Optimization Pack (MDOP) for Software Assurance TechCenter](https://go.microsoft.com/fwlink/?LinkID=159870) (https://www.microsoft.com/technet/mdop): Links to MDOP videos and resources.
- [Enterprise products: MDOP](https://go.microsoft.com/fwlink/?LinkID=160297): Overviews and information about the benefits of applications in MDOP. - [Enterprise products: MDOP](https://go.microsoft.com/fwlink/?LinkID=160297): Overviews and information about the benefits of applications in MDOP.
### Group Policy resources ### Group Policy resources
- [Group Policy TechCenter](https://go.microsoft.com/fwlink/?LinkID=145531) (http://www.microsoft.com/grouppolicy): Links to Group Policy documentation, tools, and downloads. - [Group Policy TechCenter](https://go.microsoft.com/fwlink/?LinkID=145531) (https://www.microsoft.com/grouppolicy): Links to Group Policy documentation, tools, and downloads.
- [Group Policy Team Blog](https://go.microsoft.com/fwlink/?LinkID=75192) (http://blogs.technet.com/GroupPolicy): Stay current on the latest news about Group Policy with articles by the Group Policy Team and other experts. - [Group Policy Team Blog](https://go.microsoft.com/fwlink/?LinkID=75192) (https://blogs.technet.com/GroupPolicy): Stay current on the latest news about Group Policy with articles by the Group Policy Team and other experts.
- [Group Policy Forum](https://go.microsoft.com/fwlink/?LinkID=145532): Do you have questions about Group Policy or AGPM? You can post your questions to the forum, and receive answers from the experts. - [Group Policy Forum](https://go.microsoft.com/fwlink/?LinkID=145532): Do you have questions about Group Policy or AGPM? You can post your questions to the forum, and receive answers from the experts.


@ -480,7 +480,7 @@ Each default local account in Active Directory has a number of account settings
<td><p>Use DES encryption types for this account</p></td> <td><p>Use DES encryption types for this account</p></td>
<td><p>Provides support for the Data Encryption Standard (DES). DES supports multiple levels of encryption, including Microsoft Point-to-Point Encryption (MPPE) Standard (40-bit and 56-bit), MPPE standard (56-bit), MPPE Strong (128-bit), Internet Protocol security (IPSec) DES (40-bit), IPSec 56-bit DES, and IPSec Triple DES (3DES).</p> <td><p>Provides support for the Data Encryption Standard (DES). DES supports multiple levels of encryption, including Microsoft Point-to-Point Encryption (MPPE) Standard (40-bit and 56-bit), MPPE standard (56-bit), MPPE Strong (128-bit), Internet Protocol security (IPSec) DES (40-bit), IPSec 56-bit DES, and IPSec Triple DES (3DES).</p>
<div class="alert"> <div class="alert">
<strong>Note</strong><br/><p>DES is not enabled by default in Windows Server operating systems starting with Windows Server 2008 R2, nor in Windows client operating systems starting with Windows 7. For these operating systems, computers will not use DES-CBC-MD5 or DES-CBC-CRC cipher suites by default. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see <a href="http://blogs.technet.com/b/askds/archive/2010/10/19/hunting-down-des-in-order-to-securely-deploy-kerberos.aspx" data-raw-source="[Hunting down DES in order to securely deploy Kerberos](http://blogs.technet.com/b/askds/archive/2010/10/19/hunting-down-des-in-order-to-securely-deploy-kerberos.aspx)">Hunting down DES in order to securely deploy Kerberos</a>.</p> <strong>Note</strong><br/><p>DES is not enabled by default in Windows Server operating systems starting with Windows Server 2008 R2, nor in Windows client operating systems starting with Windows 7. For these operating systems, computers will not use DES-CBC-MD5 or DES-CBC-CRC cipher suites by default. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see <a href="https://blogs.technet.com/b/askds/archive/2010/10/19/hunting-down-des-in-order-to-securely-deploy-kerberos.aspx" data-raw-source="[Hunting down DES in order to securely deploy Kerberos](https://blogs.technet.com/b/askds/archive/2010/10/19/hunting-down-des-in-order-to-securely-deploy-kerberos.aspx)">Hunting down DES in order to securely deploy Kerberos</a>.</p>
</div> </div>
<div> <div>


@ -1,6 +1,6 @@
--- ---
title: Windows Defender Antivirus VDI deployment guide title: Windows Defender Antivirus Virtual Desktop Infrastructure deployment guide
description: Learn how to deploy Windows Defender Antivirus in a VDI environment for the best balance between protection and performance. description: Learn how to deploy Windows Defender Antivirus in a virtual desktop environment for the best balance between protection and performance.
keywords: vdi, hyper-v, vm, virtual machine, windows defender, antivirus, av, virtual desktop, rds, remote desktop keywords: vdi, hyper-v, vm, virtual machine, windows defender, antivirus, av, virtual desktop, rds, remote desktop
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh
ms.pagetype: security ms.pagetype: security
@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: denisebmsft author: denisebmsft
ms.author: deniseb ms.author: deniseb
ms.custom: nextgen ms.custom: nextgen
ms.date: 09/03/2018 ms.date: 01/31/2020
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
--- ---
@ -25,13 +25,13 @@ manager: dansimp
In addition to standard on-premises or hardware configurations, you can also use Windows Defender Antivirus in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment. In addition to standard on-premises or hardware configurations, you can also use Windows Defender Antivirus in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment.
See the [Microsoft Desktop virtualization site](https://www.microsoft.com/server-cloud/products/virtual-desktop-infrastructure/) for more details on Microsoft Remote Desktop Services and VDI support. See [Windows Virtual Desktop Documentation](https://docs.microsoft.com/azure/virtual-desktop) for more details on Microsoft Remote Desktop Services and VDI support.
For Azure-based virtual machines, you can also review the [Install Endpoint Protection in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection) topic. For Azure-based virtual machines, you can also review the [Install Endpoint Protection in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection) topic.
With the ability to easily deploy updates to VMs running in VDIs, we've shortened this guide to focus on how you can get updates on your machines quickly and easily. You no longer need to create and seal golden images on a periodic basis, as updates are expanded into their component bits on the host server and then downloaded directly to the VM when it's turned on. With the ability to easily deploy updates to VMs running in VDIs, we've shortened this guide to focus on how you can get updates on your machines quickly and easily. You no longer need to create and seal golden images on a periodic basis, as updates are expanded into their component bits on the host server and then downloaded directly to the VM when it's turned on.
This guide will show you how to configure your VMs for optimal protection and performance, including how to: This guide describes how to configure your VMs for optimal protection and performance, including how to:
- [Set up a dedicated VDI file share for security intelligence updates](#set-up-a-dedicated-vdi-file-share) - [Set up a dedicated VDI file share for security intelligence updates](#set-up-a-dedicated-vdi-file-share)
- [Randomize scheduled scans](#randomize-scheduled-scans) - [Randomize scheduled scans](#randomize-scheduled-scans)
@ -41,64 +41,93 @@ This guide will show you how to configure your VMs for optimal protection and pe
- [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline) - [Scan out-of-date machines or machines that have been offline for a while](#scan-vms-that-have-been-offline)
- [Apply exclusions](#exclusions) - [Apply exclusions](#exclusions)
You can also download the whitepaper [Windows Defender Antivirus on Virtual Desktop Infrastructure](https://demo.wd.microsoft.com/Content/wdav-testing-vdi-ssu.pdf) which looks at the new shared security intelligence update feature, alongside performance testing and guidance on how you can test antivirus performance on your own VDI. You can also download the whitepaper [Windows Defender Antivirus on Virtual Desktop Infrastructure](https://demo.wd.microsoft.com/Content/wdav-testing-vdi-ssu.pdf), which looks at the new shared security intelligence update feature, alongside performance testing and guidance on how you can test antivirus performance on your own VDI.
> [!IMPORTANT] > [!IMPORTANT]
> While the VDI can be hosted on Windows Server 2012 or Windows Server 2016, the virtual machines (VMs) should be running Windows 10, 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows. > Although the VDI can be hosted on Windows Server 2012 or Windows Server 2016, the virtual machines (VMs) should be running Windows 10, 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows.<br/>There are performance and feature improvements to the way in which Windows Defender AV operates on virtual machines in Windows 10 Insider Preview, build 18323 (and later). We'll identify in this guide if you need to be using an Insider Preview build; if it isn't specified, then the minimum required version for the best protection and performance is Windows 10 1607.
> [!NOTE]
> There are performance and feature improvements to the way in which Windows Defender AV operates on virtual machines in Windows 10 Insider Preview, build 18323 (and later). We'll identify in this guide if you need to be using an Insider Preview build; if it isn't specified, then the minimum required version for the best protection and performance is Windows 10 1607.
### Set up a dedicated VDI file share ### Set up a dedicated VDI file share
In Windows 10, version 1903, we introduced the shared security intelligence feature. This offloads the unpackaging of downloaded security intelligence updates onto a host machine - thus saving previous CPU, disk, and memory resources on individual machines. In Windows 10, version 1903, we introduced the shared security intelligence feature. This offloads the unpackaging of downloaded security intelligence updates onto a host machine - thus saving previous CPU, disk, and memory resources on individual machines. You can set this feature with [Intune](https://docs.microsoft.com/intune/fundamentals/what-is-intune), Group Policy, or PowerShell.
You can set this feature with Intune, Group Policy, or PowerShell. > [!TIP]
> If you don't already have Intune, [try it for free](https://docs.microsoft.com/intune/fundamentals/free-trial-sign-up)!
Open the Intune management portal either by searching for Intune on https://portal.azure.com or going to https://devicemanagement.microsoft.com and logging in. Open the Intune Management Portal either by searching for Intune on [https://portal.azure.com](https://portal.azure.com) or going to [https://devicemanagement.microsoft.com](https://devicemanagement.microsoft.com) and logging in.
1. To create a group with only the devices or users you specify: #### To create a group with only the devices or users you specify
1. Go to **Groups**. Click **New group**. Use the following values:
1. Group type: **Security**
2. Group name: **VDI test VMs**
3. Group description: *Optional*
4. Membership type: **Assigned**
1. Add the devices or users you want to be a part of this test and then click **Create** to save the group. Its a good idea to create a couple of groups, one with VMs running the latest Insider Preview build and with the shared security intelligence update feature enabled, and another with VMs that are running Windows 10 1809 or earlier versions. This will help when you create dashboards to test the performance changes. 1. Go to **Groups** > **New group**.
1. To create a group that will include any machine in your tenant that is a VM, even when they are newly created: 2. Specify the following values:
- Group type: **Security**
- Group name: **VDI test VMs**
- Group description: *Optional*
- Membership type: **Assigned**
3. Add the devices or users you want to be a part of this test and then click **Create** to save the group.
Its a good idea to create a couple of groups, one with VMs running the latest Insider Preview build and with the shared security intelligence update feature enabled, and another with VMs that are running Windows 10 1809 or earlier versions. This will help when you create dashboards to test the performance changes.
#### To create a group that will include any machine in your tenant that is a VM, even when they are newly created
1. Go to **Groups** > **New group**.
2. Specify the following values:
- Group type: **Security**
- Group name: **VDI test VMs**
- Group description: *Optional*
- Membership type: **Dynamic Device**
3. Click **Simple rule**, and select **deviceModel**, **Equals**, and enter **Virtual Machine**.
4. Click **Add query** and then **Create** to save the group.
5. Go to **Device configuration**, then **Profiles**. You can modify an existing custom profile or create a new one.
#### Create a new device configuration profile
In this example, we create a new device configuration profile by clicking **Create profile**.
1. Go to **Groups**. Click **New group**. Use the following values:
1. Group type: **Security**
2. Group name: **VDI test VMs**
3. Group description: *Optional*
4. Membership type: **Dynamic Device**
1. Click **Simple rule**, and select **deviceModel**, **Equals**, and enter **Virtual Machine**. Click **Add query** and then **Create** to save the group.
1. Go to **Device configuration**, then **Profiles**. You can modify an existing custom profile or create a new one. In this demo Im going to create a new one by clicking **Create profile**.
1. Name it, choose **Windows 10 and later** as the Platform and most importantly select **Custom** as the profile type. 1. Name it, choose **Windows 10 and later** as the Platform and most importantly select **Custom** as the profile type.
1. The **Custom OMA-URI Settings** blade is opened automatically. Click **Add** then enter the following values:
1. Name: **VDI shared sig location** 2. The **Custom OMA-URI Settings** blade is opened automatically. Click **Add** then enter the following values:
1. Description: *Optional* - Name: **VDI shared sig location**
1. OMA-URI: **./Vendor/MSFT/Defender/SharedSignatureRoot** - Description: *Optional*
1. Data type: **String** - OMA-URI: **./Vendor/MSFT/Defender/SharedSignatureRoot**
1. Value: **\\<sharedlocation\>\wdav-update\** (see the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what this will be) - Data type: **String**
1. Click **Ok** to close the details blade, then **OK** again to close the **Custom OMA-URI Settings** blade. Click **Create** to save the new profile. The profile details page now appears. - `\\<sharedlocation\>\wdav-update\` (see the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what this will be)
1. Click **Assignments**. The **Include** tab is automatically selected. In the drop-down menu, select **Selected Groups**, then click **Select groups to include**. Click the **VDI test VMs** group and then **Select**.
1. Click **Evaluate** to see how many users/devices will be impacted. If the number makes sense, click **Save**. If the number doesnt make sense, go back to the groups blade and confirm the group contains the right users or devices. 3. Click **Ok** to close the details blade, then **OK** again to close the **Custom OMA-URI Settings** blade.
1. The profile will now be deployed to the impacted devices. Note that this may take some time.
4. Click **Create** to save the new profile. The profile details page now appears.
5. Click **Assignments**. The **Include** tab is automatically selected. In the drop-down menu, select **Selected Groups**, then click **Select groups to include**. Click the **VDI test VMs** group and then **Select**.
6. Click **Evaluate** to see how many users/devices will be impacted. If the number makes sense, click **Save**. If the number doesnt make sense, go back to the groups blade and confirm the group contains the right users or devices.
The profile will now be deployed to the impacted devices. This may take some time.
#### Use Group Policy to enable the shared security intelligence feature: #### Use Group Policy to enable the shared security intelligence feature:
1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.
1. In the **Group Policy Management Editor** go to **Computer configuration**.
1. Click **Administrative templates**.
1. Expand the tree to **Windows components > Windows Defender Antivirus > Security Intelligence Updates**
1. Double-click Define security intelligence location for VDI clients and set the option to Enabled. A field automatically appears, enter *\\<sharedlocation\>\wdav-update *(see the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what this will be). Click **OK**.
1. Deploy the GPO to the VMs you want to test.
#### Use PowerShell to enable the shared security intelligence feature: 1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure, and then click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration**.
3. Click **Administrative templates**.
4. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Security Intelligence Updates**.
5. Double-click **Define security intelligence location for VDI clients**, and then set the option to **Enabled**. A field automatically appears.
6. Enter `\\<sharedlocation\>\wdav-update` (see the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what this will be).
7. Click **OK**.
8. Deploy the GPO to the VMs you want to test.
#### Use PowerShell to enable the shared security intelligence feature
Use the following cmdlet to enable the feature. Youll need to then push this as you normally would push PowerShell-based configuration policies onto the VMs: Use the following cmdlet to enable the feature. Youll need to then push this as you normally would push PowerShell-based configuration policies onto the VMs:
```PowerShell ```PowerShell
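Review bot: all three ways of pointing Defender at the share in this hunk (the Intune OMA-URI value `\\<sharedlocation\>\wdav-update\`, the GPO setting **Define security intelligence location for VDI clients**, and `Set-MpPreference -SharedSignaturesPath`) give no guidance on who may write to that share, even though every VM will load its engine and definition files from it. Suggest adding a sentence that the share is read-only to the VM computer accounts (or to the group used for the **VDI test VMs** assignment) and writable only by the account that runs the unpack step on the management machine. Also, the OMA-URI value carries a trailing backslash (`wdav-update\`) while the GPO and PowerShell steps use `wdav-update` without it; pick one form so the three paths match.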
@ -108,6 +137,7 @@ Set-MpPreference -SharedSignaturesPath \\<shared location>\wdav-update
See the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what the \<shared location\> will be. See the [Download and unpackage](#download-and-unpackage-the-latest-updates) section for what the \<shared location\> will be.
### Download and unpackage the latest updates ### Download and unpackage the latest updates
Now you can get started on downloading and installing new updates. Weve created a sample PowerShell script for you below. This script is the easiest way to download new updates and get them ready for your VMs. You should then set the script to run at a certain time on the management machine by using a scheduled task (or, if youre familiar with using PowerShell scripts in Azure, Intune, or SCCM, you could also use those). Now you can get started on downloading and installing new updates. Weve created a sample PowerShell script for you below. This script is the easiest way to download new updates and get them ready for your VMs. You should then set the script to run at a certain time on the management machine by using a scheduled task (or, if youre familiar with using PowerShell scripts in Azure, Intune, or SCCM, you could also use those).
```PowerShell ```PowerShell
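Review bot: the cmdlet line `Set-MpPreference -SharedSignaturesPath \\<shared location>\wdav-update` in this hunk's header will not run as shown once a reader substitutes a path containing a space, and the literal `<` is a reserved operator in PowerShell; quote the value, for example `Set-MpPreference -SharedSignaturesPath "\\server\wdav-update"`, and use the same placeholder spelling as the Intune and GPO steps (`<sharedlocation>` there, `<shared location>` here).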
@ -126,26 +156,38 @@ cmd /c "cd $vdmpath & c: & mpam-fe.exe /x"
You can set a scheduled task to run once a day so that whenever the package is downloaded and unpacked then the VMs will receive the new update. You can set a scheduled task to run once a day so that whenever the package is downloaded and unpacked then the VMs will receive the new update.
We suggest starting with once a day but you should experiment with increasing or decreasing the frequency to understand the impact. We suggest starting with once a day but you should experiment with increasing or decreasing the frequency to understand the impact.
Note that security intelligence packages are typically published once every three to four hours, so setting a frequency shorter than four hours isnt advised as it will increase the network overhead on your management machine for no benefit.
Security intelligence packages are typically published once every three to four hours. Setting a frequency shorter than four hours isnt advised because it will increase the network overhead on your management machine for no benefit.
#### Set a scheduled task to run the powershell script #### Set a scheduled task to run the powershell script
1. On the management machine, open the Start menu and type **Task Scheduler**. Open it and select **Create task…** on the side panel. 1. On the management machine, open the Start menu and type **Task Scheduler**. Open it and select **Create task…** on the side panel.
1. Enter the name as **Security intelligence unpacker**. Go to the **Trigger** tab. Click **New…** Select **Daily** and click **OK**.
1. Go to the **Actions** tab. Click **New…** Enter **PowerShell** in the **Program/Script** field. Enter
*-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1* 2. Enter the name as **Security intelligence unpacker**. Go to the **Trigger** tab. Click **New…** Select **Daily** and click **OK**.
in the **Add arguments** field. Click **OK**. You can choose to configure additional settings if you wish. Click OK to save the scheduled task. 3. Go to the **Actions** tab. Click **New…** Enter **PowerShell** in the **Program/Script** field. Enter `-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1` in the **Add arguments** field. Click **OK**.
4. You can choose to configure additional settings if you wish.
5. Click **OK** to save the scheduled task.
You can initiate the update manually by right-clicking on the task and clicking **Run**. You can initiate the update manually by right-clicking on the task and clicking **Run**.
#### Download and unpackage manually #### Download and unpackage manually
If you would prefer to do everything manually, this what you would need to do to replicate the scripts behavior: If you would prefer to do everything manually, this what you would need to do to replicate the scripts behavior:
1. Create a new folder on the system root called *wdav_update* to store intelligence updates, for example, create the folder *c:\wdav_update*
1. Create a subfolder under *wdav_update* with a GUID name, such as *{00000000-0000-0000-0000-000000000000}*; for example *c:\wdav_update\{00000000-0000-0000-0000-000000000000}* (note, in the script we set it so the last 12 digits of the GUID are the year, month, day, and time when the file was downloaded so that a new folder is created each time. You can change this so that the file is downloaded to the same folder each time) 1. Create a new folder on the system root called `wdav_update` to store intelligence updates, for example, create the folder `c:\wdav_update`.
1. Download a security intelligence package from https://www.microsoft.com/wdsi/definitions into the GUID folder. The file should be named *mpam-fe.exe*.
1. Open a cmd prompt window and navigate to the GUID folder you created. Use the **/X** extraction command to extract the files, for example **mpam-fe.exe /X**. 2. Create a subfolder under *wdav_update* with a GUID name, such as `{00000000-0000-0000-0000-000000000000}`; for example `c:\wdav_update\{00000000-0000-0000-0000-000000000000}`.
Note: In the script we set it so the last 12 digits of the GUID are the year, month, day, and time when the file was downloaded so that a new folder is created each time. You can change this so that the file is downloaded to the same folder each time.
3. Download a security intelligence package from [https://www.microsoft.com/wdsi/definitions](https://www.microsoft.com/wdsi/definitions) into the GUID folder. The file should be named `mpam-fe.exe`.
4. Open a cmd prompt window and navigate to the GUID folder you created. Use the **/X** extraction command to extract the files, for example `mpam-fe.exe /X`.
Note: The VMs will pick up the updated package whenever a new GUID folder is created with an extracted update package or whenever an existing folder is updated with a new extracted package. Note: The VMs will pick up the updated package whenever a new GUID folder is created with an extracted update package or whenever an existing folder is updated with a new extracted package.
### Randomize scheduled scans ### Randomize scheduled scans
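Review bot: the scheduled task in this hunk runs `-ExecutionPolicy Bypass c:\wdav-update\vdmdlunpack.ps1` unattended, but the steps never say which account the task runs under or that `c:\wdav-update` must not be writable by standard users; the task executes whatever is at that path and every VM then consumes the output, so both points belong in the **Set a scheduled task** steps. The folder name is also inconsistent: the task points at `c:\wdav-update` while the manual steps create `c:\wdav_update` (underscore), so a reader following both ends up with two folders. Finally, the manual steps download `mpam-fe.exe` and run `mpam-fe.exe /X` with no integrity check; suggest adding `Get-AuthenticodeSignature .\mpam-fe.exe` before extraction and proceeding only when the status is `Valid`.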
@ -161,17 +203,23 @@ See [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) for
You can specify the type of scan that should be performed during a scheduled scan. You can specify the type of scan that should be performed during a scheduled scan.
Quick scans are the preferred approach as they are designed to look in all places where malware needs to reside to be active. Quick scans are the preferred approach as they are designed to look in all places where malware needs to reside to be active.
1. Expand the tree to **Windows components > Windows Defender > Scan** and configure the following setting: 1. Expand the tree to **Windows components > Windows Defender > Scan**.
- Double-click **Specify the scan type to use for a scheduled scan** and set the option to **Enabled** and **Quick scan**. Click **OK**. 2. Double-click **Specify the scan type to use for a scheduled scan** and set the option to **Enabled** and **Quick scan**.
3. Click **OK**.
### Prevent notifications ### Prevent notifications
Sometimes, Windows Defender Antivirus notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can use the lock down the Windows Defender Antivirus user interface. Sometimes, Windows Defender Antivirus notifications may be sent to or persist across multiple sessions. In order to minimize this problem, you can use the lock down the Windows Defender Antivirus user interface.
1. Expand the tree to **Windows components > Windows Defender > Client Interface** and configure the following settings: 1. Expand the tree to **Windows components > Windows Defender > Client Interface**.
- Double-click **Suppress all notifications** and set the option to **Enabled**. Click **OK**. This prevents notifications from Windows Defender AV appearing in the action center on Windows 10 when scans or remediation is performed. 2. Double-click **Suppress all notifications** and set the option to **Enabled**.
3. Click **OK**.
This prevents notifications from Windows Defender AV appearing in the action center on Windows 10 when scans or remediation is performed.
### Disable scans after an update ### Disable scans after an update
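Review bot: the sentence "you can use the lock down the Windows Defender Antivirus user interface" under **Prevent notifications** is broken in both the old and the new text; it should read "you can lock down the Windows Defender Antivirus user interface". The policy paths in this hunk (**Windows components > Windows Defender > Scan** and **> Client Interface**) also use a different node name from the earlier **Windows components > Windows Defender Antivirus > Security Intelligence Updates**; the node name depends on which ADMX templates are installed, so the doc should use one name throughout and say which templates it assumes.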
@ -180,25 +228,36 @@ This setting will prevent a scan from occurring after receiving an update. You c
> [!IMPORTANT] > [!IMPORTANT]
> Running scans after an update will help ensure your VMs are protected with the latest Security intelligence updates. Disabling this option will reduce the protection level of your VMs and should only be used when first creating or deploying the base image. > Running scans after an update will help ensure your VMs are protected with the latest Security intelligence updates. Disabling this option will reduce the protection level of your VMs and should only be used when first creating or deploying the base image.
1. Expand the tree to **Windows components > Windows Defender > Signature Updates** and configure the following setting: 1. Expand the tree to **Windows components > Windows Defender > Signature Updates**.
- Double-click **Turn on scan after signature update** and set the option to **Disabled**. Click **OK**. This prevents a scan from running immediately after an update. 2. Double-click **Turn on scan after signature update** and set the option to **Disabled**.
3. Click **OK**.
This prevents a scan from running immediately after an update.
### Scan VMs that have been offline ### Scan VMs that have been offline
1. Expand the tree to **Windows components > Windows Defender > Scan** and configure the following setting: 1. Expand the tree to **Windows components > Windows Defender > Scan**.
1. Double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**. Click **OK**. This forces a scan if the VM has missed two or more consecutive scheduled scans. 2. Double-click the **Turn on catch-up quick scan** setting and set the option to **Enabled**.
3. Click **OK**.
This forces a scan if the VM has missed two or more consecutive scheduled scans.
### Enable headless UI mode ### Enable headless UI mode
- Double-click **Enable headless UI mode** and set the option to **Enabled**. Click **OK**. This hides the entire Windows Defender AV user interface from users.
1. Double-click **Enable headless UI mode** and set the option to **Enabled**.
2. Click **OK**.
This hides the entire Windows Defender AV user interface from users.
### Exclusions ### Exclusions
On Windows Server 2016, Windows Defender Antivirus will automatically deliver the right exclusions for servers running a VDI environment. However, if you are running an older Windows server version, you can refer to the exclusions that are applied on this page:
- [Configure Windows Defender Antivirus exclusions on Windows Server](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus) On Windows Server 2016, Windows Defender Antivirus will automatically deliver the right exclusions for servers running a VDI environment. However, if you are running an older Windows server version, see [Configure Windows Defender Antivirus exclusions on Windows Server](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus).
## Additional resources ## Additional resources
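Review bot: the **Enable headless UI mode** steps in this hunk begin at "Double-click **Enable headless UI mode**" with no "Expand the tree to ..." line, unlike every other subsection; the preceding **Scan VMs that have been offline** section leaves the reader in **Windows components > Windows Defender > Scan**, while this setting lives under **Client Interface** (the node used in **Prevent notifications**), so add the navigation step. The hunk also names the node **Signature Updates** where the earlier GPO section says **Security Intelligence Updates**; align the two. On **Turn on scan after signature update** set to **Disabled**, the IMPORTANT box correctly scopes this to base-image creation; consider adding the explicit step of setting it back to **Enabled** before the image goes into production, since nothing in the procedure currently reverts it.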