99999| Windows Edition | +Supported? | +
|---|---|
| Home | +9 |
+
| Pro | +9 |
+
| Business | +9 |
+
| Enterprise | +9 |
+
| Education | +9 |
+
BIOSRead
This problem is indicated when an application cannot access the Device\PhysicalMemory object beyond the kernel-mode drivers, on any of the Windows Server® 2003 operating systems.
+This problem is indicated when an application cannot access the Device\PhysicalMemory object beyond the kernel-mode drivers, on any of the Windows Server® 2003 operating systems.
The fix enables OEM executable (.exe) files to use the GetSystemFirmwareTable function instead of the NtOpenSection function when the BIOS is queried for the \Device\Physical memory information..
ChangeFolderPathToXPStyle
This fix is required when an application cannot return shell folder paths when it uses the SHGetFolder API.
-The fix intercepts the SHGetFolder path request to the common appdata file path and returns the Windows® XP-style file path instead of the Windows Vista-style file path.
The fix intercepts the SHGetFolder path request to the common appdata file path and returns the Windows® XP-style file path instead of the Windows Vista-style file path.
ClearLastErrorStatusonIntializeCriticalSection
DirectXVersionLie
This problem occurs when an application fails because it does not find the correct version number for DirectX®.
+This problem occurs when an application fails because it does not find the correct version number for DirectX®.
The fix modifies the DXDIAGN GetProp function call to return the correct DirectX version.
You can control this fix further by typing the following command at the command prompt:
MAJORVERSION.MINORVERSION.LETTER
@@ -456,7 +457,7 @@ The following table lists the known compatibility fixes for all Windows operatinIgnoreMSOXMLMF
The problem is indicated by an error message that states that the operating system cannot locate the MSVCR80D.DLL file.
-The fix ignores the registered MSOXMLMF.DLL object, which Microsoft® Office 2007 loads into the operating system any time that you load an XML file, and then it fails the CoGetClassObject for its CLSID. This compatibility fix will just ignore the registered MSOXMLMF and fail the CoGetClassObject for its CLSID.
The fix ignores the registered MSOXMLMF.DLL object, which Microsoft® Office 2007 loads into the operating system any time that you load an XML file, and then it fails the CoGetClassObject for its CLSID. This compatibility fix will just ignore the registered MSOXMLMF and fail the CoGetClassObject for its CLSID.
IgnoreSetROP2
MIG_OFFLINE_PLATFORM_ARCH
32 or 64
While operating offline, this environment variable defines the architecture of the offline system, if the system does not match the WinPE and Scanstate.exe architecture. This environment variable enables the 32-bit ScanState application to gather data from a computer with 64-bit architecture, or the 64-bit ScanState application to gather data from a computer with 32-bit architecture. This is required when auto-detection of the offline architecture doesn’t function properly, for example, when the source system is running a 64-bit version of Windows XP. For example, to set this system environment variable for a 32-bit architecture, at a command prompt type the following:
+While operating offline, this environment variable defines the architecture of the offline system, if the system does not match the WinPE and Scanstate.exe architecture. This environment variable enables the 32-bit ScanState application to gather data from a computer with 64-bit architecture, or the 64-bit ScanState application to gather data from a computer with 32-bit architecture. This is required when auto-detection of the offline architecture doesn't function properly, for example, when the source system is running a 64-bit version of Windows XP. For example, to set this system environment variable for a 32-bit architecture, at a command prompt type the following:
Set MIG_OFFLINE_PLATFORM_ARCH=32You can either:
Specify up to three <role> elements within a <component> — one “Binaries” role element, one “Settings” role element and one “Data” role element. These parameters do not change the migration behavior — their only purpose is to help you categorize the settings that you are migrating. You can nest these <role> elements, but each nested element must be of the same role parameter.
Specify one “Container” <role> element within a <component> element. In this case, you cannot specify any child <rules> elements, only other <component> elements. And each child <component> element must have the same type as that of parent <component> element. For example:
Specify up to three <role> elements within a <component> — one "Binaries" role element, one "Settings" role element and one "Data" role element. These parameters do not change the migration behavior — their only purpose is to help you categorize the settings that you are migrating. You can nest these <role> elements, but each nested element must be of the same role parameter.
Specify one "Container" <role> element within a <component> element. In this case, you cannot specify any child <rules> elements, only other <component> elements. And each child <component> element must have the same type as that of parent <component> element. For example:
<component context="UserAndSystem" type="Application">
<displayName _locID="migapp.msoffice2003">Microsoft Office 2003</displayName>
@@ -3846,7 +3844,7 @@ See the last component in the MigUser.xml file for an example of this element.
~~~
**Example:**
-If GenerateUserPattens('File','%userprofile% \[\*.doc\]','FALSE') is called while USMT is processing user A, then this function will only generate patterns for users B and C. You can use this helper function to build complex rules. For example, to migrate all .doc files from the source computer — but if user X is not migrated, then do not migrate any of the .doc files from user X’s profile.
+If GenerateUserPattens('File','%userprofile% \[\*.doc\]','FALSE') is called while USMT is processing user A, then this function will only generate patterns for users B and C. You can use this helper function to build complex rules. For example, to migrate all .doc files from the source computer — but if user X is not migrated, then do not migrate any of the .doc files from user X's profile.
The following is example code for this scenario. The first <rules> element migrates all.doc files on the source computer with the exception of those inside C:\\Documents and Settings. The second <rules> elements will migrate all .doc files from C:\\Documents and Settings with the exception of the .doc files in the profiles of the other users. Because the second <rules> element will be processed in each migrated user context, the end result will be the desired behavior. The end result is the one we expected.
@@ -4103,12 +4101,12 @@ Syntax:
name
Yes
ID is a string value that is the name used to reference the environment variable. We recommend that ID start with the component’s name to avoid namespace collisions. For example, if your component’s name is MyComponent, and you want a variable that is your component’s install path, you could specify MyComponent.InstallPath.
ID is a string value that is the name used to reference the environment variable. We recommend that ID start with the component's name to avoid namespace collisions. For example, if your component's name is MyComponent, and you want a variable that is your component's install path, you could specify MyComponent.InstallPath.
remap
No, default = FALSE
Specifies whether to evaluate this environment variable as a remapping environment variable. Objects that are located in a path that is underneath this environment variable’s value are automatically moved to where the environment variable points on the destination computer.
Specifies whether to evaluate this environment variable as a remapping environment variable. Objects that are located in a path that is underneath this environment variable's value are automatically moved to where the environment variable points on the destination computer.
@@ -4227,27 +4225,27 @@ The following functions are for internal USMT use only. Do not use them in an .x
You can use the following version tags with various helper functions:
-- “CompanyName”
+- "CompanyName"
-- “FileDescription”
+- "FileDescription"
-- “FileVersion”
+- "FileVersion"
-- “InternalName”
+- "InternalName"
-- “LegalCopyright”
+- "LegalCopyright"
-- “OriginalFilename”
+- "OriginalFilename"
-- “ProductName”
+- "ProductName"
-- “ProductVersion”
+- "ProductVersion"
The following version tags contain values that can be compared:
-- “FileVersion”
+- "FileVersion"
-- “ProductVersion”
+- "ProductVersion"
## Related topics
diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md
index 5b4f53e98a..bc307dfc3a 100644
--- a/windows/deployment/vda-subscription-activation.md
+++ b/windows/deployment/vda-subscription-activation.md
@@ -7,6 +7,7 @@ ms.author: greglin
author: greg-lindsay
description: Learn how to configure virtual machines (VMs) to enable Windows 10 Subscription Activation in a Windows Virtual Desktop Access (VDA) scenario.
keywords: upgrade, update, task sequence, deploy
+ms.custom: seo-marvel-apr2020
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
index 893b4f6f7c..e9c419383d 100644
--- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
+++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
@@ -1,6 +1,7 @@
---
title: Activate using Active Directory-based activation (Windows 10)
-description: Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects.
+description: Learn how active directory-based activation is implemented as a role service that relies on AD DS to store activation objects.
+ms.custom: seo-marvel-apr2020
ms.assetid: 08cce6b7-7b5b-42cf-b100-66c363a846af
ms.reviewer:
manager: laurawi
diff --git a/windows/deployment/volume-activation/configure-client-computers-vamt.md b/windows/deployment/volume-activation/configure-client-computers-vamt.md
index f4e102124a..952db8ab4a 100644
--- a/windows/deployment/volume-activation/configure-client-computers-vamt.md
+++ b/windows/deployment/volume-activation/configure-client-computers-vamt.md
@@ -24,8 +24,8 @@ To enable the Volume Activation Management Tool (VAMT) to function correctly, ce
Organizations where the VAMT will be widely used may benefit from making these changes inside the master image for Windows.
-> [IMPORTANT]
-> This procedure only applies to clients running Windows Vista or later. For clients running Windows XP Service Pack 1, see [Connecting Through Windows Firewall](https://docs.microsoft.com/windows/win32/wmisdk/connecting-to-wmi-remotely-with-vbscript).
+> [IMPORTANT]
+> This procedure only applies to clients running Windows Vista or later. For clients running Windows XP Service Pack 1, see [Connecting Through Windows Firewall](https://docs.microsoft.com/windows/win32/wmisdk/connecting-to-wmi-remotely-with-vbscript).
## Configuring the Windows Firewall to allow VAMT access
diff --git a/windows/deployment/volume-activation/volume-activation-management-tool.md b/windows/deployment/volume-activation/volume-activation-management-tool.md
index c73cbc4546..23c0a83614 100644
--- a/windows/deployment/volume-activation/volume-activation-management-tool.md
+++ b/windows/deployment/volume-activation/volume-activation-management-tool.md
@@ -13,13 +13,14 @@ audience: itpro
author: greg-lindsay
ms.date: 04/25/2017
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# Volume Activation Management Tool (VAMT) Technical Reference
-The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process.
+The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process.
VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in that requires the Microsoft Management Console (MMC) 3.0. VAMT can be installed on any computer that has one of the following Windows operating systems:
-- Windows® 7 or above
+- Windows® 7 or above
- Windows Server 2008 R2 or above
@@ -28,7 +29,7 @@ VAMT is designed to manage volume activation for: Windows 7, Windows 8, Window
VAMT is only available in an EN-US (x86) package.
-## In this Section
+## In this section
|Topic |Description |
|------|------------|
diff --git a/windows/deployment/windows-10-deployment-tools-reference.md b/windows/deployment/windows-10-deployment-tools-reference.md
index 2321163bd1..9bb72ea7bb 100644
--- a/windows/deployment/windows-10-deployment-tools-reference.md
+++ b/windows/deployment/windows-10-deployment-tools-reference.md
@@ -26,5 +26,5 @@ Learn about the tools available to deploy Windows 10.
|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |
|[Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) |The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. |
|[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. |
-|[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. |
+|[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. |
|[User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) |The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals |
diff --git a/windows/deployment/windows-10-deployment-tools.md b/windows/deployment/windows-10-deployment-tools.md
index 33f7b49f5e..6a20248ebe 100644
--- a/windows/deployment/windows-10-deployment-tools.md
+++ b/windows/deployment/windows-10-deployment-tools.md
@@ -26,5 +26,5 @@ Learn about the tools available to deploy Windows 10.
|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |
|[Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) |The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. |
|[Deploy Windows To Go in your organization](deploy-windows-to-go.md) |This topic helps you to deploy Windows To Go in your organization. Before you begin deployment, make sure that you have reviewed the topics [Windows To Go: feature overview](planning/windows-to-go-overview.md) and [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) to ensure that you have the correct hardware and are prepared to complete the deployment. You can then use the steps in this topic to start your Windows To Go deployment. |
-|[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. |
+|[Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) |The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. |
|[User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) |The User State Migration Tool (USMT) 10.0 is included with the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10. USMT provides a highly customizable user-profile migration experience for IT professionals |
diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md
index c10e477cff..8e1f84c95e 100644
--- a/windows/deployment/windows-10-poc-mdt.md
+++ b/windows/deployment/windows-10-poc-mdt.md
@@ -1,6 +1,7 @@
---
title: Step by step - Deploy Windows 10 in a test lab using MDT
-description: Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit (MDT)
+description: In this article, you'll learn how to deploy Windows 10 in a test lab using Microsoft Deployment Toolkit (MDT).
+ms.custom: seo-marvel-apr2020
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md
index 1db27c1143..87baccf225 100644
--- a/windows/deployment/windows-10-poc-sc-config-mgr.md
+++ b/windows/deployment/windows-10-poc-sc-config-mgr.md
@@ -1,6 +1,6 @@
---
-title: Step by step - Deploy Windows 10 using Microsoft Endpoint Configuration Manager
-description: Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager
+title: Steps to deploy Windows 10 with Microsoft Endpoint Configuration Manager
+description: In this article, you'll learn how to deploy Windows 10 in a test lab using Microsoft endpoint configuration manager.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -14,6 +14,7 @@ ms.author: greglin
author: greg-lindsay
audience: itpro
ms.topic: article
+ms.custom: seo-marvel-apr2020
---
# Deploy Windows 10 in a test lab using Microsoft Endpoint Configuration Manager
diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index 6b3110a329..a956b7fa4b 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -1,11 +1,12 @@
---
title: Configure a test lab to deploy Windows 10
+description: In this article, you will learn about concepts and procedures for deploying Windows 10 in a proof of concept lab environment.
+ms.custom: seo-marvel-apr2020
ms.reviewer:
manager: laurawi
ms.audience: itpro
ms.author: greglin
author: greg-lindsay
-description: Concepts and procedures for deploying Windows 10 in a proof of concept lab environment.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index dba46b0368..fb1755d660 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -1,7 +1,8 @@
---
title: Windows 10 Subscription Activation
-description: How to dynamically enable Windows 10 Enterprise or Education subscriptions
+description: In this article, you will learn how to dynamically enable Windows 10 Enterprise or Education subscriptions.
keywords: upgrade, update, task sequence, deploy
+ms.custom: seo-marvel-apr2020
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
@@ -39,7 +40,7 @@ Organizations that have an Enterprise agreement can also benefit from the new se
Subscription Activation for Education works the same as the Enterprise version, but in order to use Subscription Activation for Education, you must have a device running Windows 10 Pro Education, version 1903 or later and an active subscription plan with a Windows 10 Enterprise license. For more information, see the [requirements](#windows-10-education-requirements) section.
-## In this article
+## Summary
- [Inherited Activation](#inherited-activation): Description of a new feature available in Windows 10, version 1803 and later.
- [The evolution of Windows 10 deployment](#the-evolution-of-deployment): A short history of Windows deployment.
@@ -60,7 +61,6 @@ To support Inherited Activation, both the host computer and the VM must be runni
## The evolution of deployment
-> [!NOTE]
> The original version of this section can be found at [Changing between Windows SKUs](https://blogs.technet.microsoft.com/mniehaus/2017/10/09/changing-between-windows-skus/).
The following figure illustrates how deploying Windows 10 has evolved with each release. With this release, deployment is automatic.
@@ -105,9 +105,9 @@ If the device is running Windows 10, version 1809 or later:
1. Windows 10, version 1809 must be updated with [KB4497934](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934). Later versions of Windows 10 automatically include this patch.
2. When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there is a problem. Click the notification and then click **Fix now** to step through the subscription activation process. See the example below:
- 
- 
- 
+
+
+
### Windows 10 Education requirements
@@ -116,8 +116,8 @@ If the device is running Windows 10, version 1809 or later:
3. The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription.
4. Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported.
-> [!IMPORTANT]
-> If Windows 10 Pro is converted to Windows 10 Pro Education [by using benefits available in Store for Education](https://docs.microsoft.com/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device by using a Windows 10 Pro Education edition.
+> If Windows 10 Pro is converted to Windows 10 Pro Education [using benefits available in Store for Education](https://docs.microsoft.com/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition.
+
## Benefits
@@ -154,10 +154,9 @@ Before Windows 10, version 1903:
After Windows 10, version 1903:
-> [!NOTE]
-> - A Windows 10 Pro Education device will only step up to Windows 10 Education edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019).
->
-> - A Windows 10 Pro device will only step up to Windows 10 Enterprise edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019).
+Note:
+1. A Windows 10 Pro Education device will only step up to Windows 10 Education edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019).
+2. A Windows 10 Pro device will only step up to Windows 10 Enterprise edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019).
### Scenarios
@@ -196,8 +195,7 @@ When you have the required Azure AD subscription, group-based licensing is the p
If you are running Windows 10, version 1803 or later, Subscription Activation will automatically pull the firmware-embedded Windows 10 activation key and activate the underlying Pro License. The license will then step-up to Windows 10 Enterprise using Subscription Activation. This automatically migrates your devices from KMS or MAK activated Enterprise to Subscription activated Enterprise.
-> [!CAUTION]
-> Firmware-embedded Windows 10 activation happens automatically only when we go through the Out-of-Box Experience (OOBE).
+Caution: Firmware-embedded Windows 10 activation happens automatically only when we go through OOBE(Out Of Box Experience)
If you are using Windows 10, version 1607, 1703, or 1709 and have already deployed Windows 10 Enterprise, but you want to move away from depending on KMS servers and MAK keys for Windows client machines, you can seamlessly transition as long as the computer has been activated with a firmware-embedded Windows 10 Pro product key.
diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
index f0a7008b37..6b57a9ab0d 100644
--- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
+++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
@@ -2,7 +2,7 @@
title: Demonstrate Autopilot deployment
ms.reviewer:
manager: laurawi
-description: Step-by-step instructions on how to set-up a Virtual Machine with a Windows Autopilot deployment
+description: In this article, find step-by-step instructions on how to set-up a Virtual Machine with a Windows Autopilot deployment.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune, upgrade
ms.prod: w10
ms.mktglfcycl: deploy
@@ -13,7 +13,9 @@ author: greg-lindsay
ms.author: greglin
ms.collection: M365-modern-desktop
ms.topic: article
-ms.custom: autopilot
+ms.custom:
+ - autopilot
+ - seo-marvel-apr2020
---
@@ -218,20 +220,20 @@ PS C:\autopilot>
Ensure the VM booted from the installation ISO, click **Next** then click **Install now** and complete the Windows installation process. See the following examples:
- 
- 
- 
- 
- 
- 
+ 
+ 
+ 
+ 
+ 
+ 
-After the VM restarts, during OOBE, it’s fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This will offer the fastest way to the desktop. For example:
+After the VM restarts, during OOBE, it's fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This will offer the fastest way to the desktop. For example:
- 
+ 
Once the installation is complete, sign in and verify that you are at the Windows 10 desktop, then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state. You will create multiple checkpoints throughout this lab, which can be used later to go through the process again.
- 
+ 
To create your first checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM) and run the following:
@@ -244,7 +246,7 @@ Click on the **WindowsAutopilot** VM in Hyper-V Manager and verify that you see
## Capture the hardware ID
> [!NOTE]
-> Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory. The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR). For purposes of this lab, you are acting as the OEM (capturing the 4K HH), but you’re not going to use the OA3 Tool to capture the full 4K HH for various reasons (you’d have to install the OA3 tool, your device couldn’t have a volume license version of Windows, it’s a more complicated process than using a PS script, etc.). Instead, you’ll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool.
+> Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory. The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR). For purposes of this lab, you are acting as the OEM (capturing the 4K HH), but you're not going to use the OA3 Tool to capture the full 4K HH for various reasons (you'd have to install the OA3 tool, your device couldn't have a volume license version of Windows, it's a more complicated process than using a PS script, etc.). Instead, you'll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool.
Follow these steps to run the PS script:
@@ -303,7 +305,7 @@ Verify that there is an **AutopilotHWID.csv** file in the **c:\HWID** directory
-You will need to upload this data into Intune to register your device for Autopilot, so it needs to be transferred to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM).
+You will need to upload this data into Intune to register your device for Autopilot, so it needs to be transferred to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you're using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM).
If you have trouble copying and pasting the file, just view the contents in Notepad on the VM and copy the text into Notepad outside the VM. Do not use another text editor to do this.
@@ -331,11 +333,11 @@ For this lab, you need an AAD Premium subscription. You can tell if you have a
-If the configuration blade shown above does not appear, it’s likely that you don’t have a **Premium** subscription. Auto-enrollment is a feature only available in AAD Premium.
+If the configuration blade shown above does not appear, it's likely that you don't have a **Premium** subscription. Auto-enrollment is a feature only available in AAD Premium.
To convert your Intune trial account to a free Premium trial account, navigate to **Azure Active Directory** > **Licenses** > **All products** > **Try / Buy** and select **Free trial** for Azure AD Premium, or EMS E5.
-
+
## Configure company branding
@@ -376,7 +378,7 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B
> [!NOTE]
> If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI. You might need to provide Intune configuration privileges in a challenge window that appeared.
-2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer. The file should contain the serial number and 4K HH of your VM (or device). It’s okay if other fields (Windows Product ID) are left blank.
+2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer. The file should contain the serial number and 4K HH of your VM (or device). It's okay if other fields (Windows Product ID) are left blank.
@@ -409,7 +411,7 @@ Select **Manage** from the top menu, then click the **Windows Autopilot Deployme
Click the **Add devices** link to upload your CSV file. A message will appear indicating your request is being processed. Wait a few moments before refreshing to see your new device has been added.
-
+
## Create and assign a Windows Autopilot deployment profile
@@ -425,7 +427,7 @@ Pick one:
> [!NOTE]
> Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list first:
-
+
> The example above lists both a physical device and a VM. Your list should only include only one of these.
@@ -473,7 +475,7 @@ To create a Group, open the Azure portal and select **Azure Active Directory** >
-Select New group from the Groups blade to open the new groups UI. Select the “Security” group type, name the group, and select the “Assigned” membership type:
+Select New group from the Groups blade to open the new groups UI. Select the "Security" group type, name the group, and select the "Assigned" membership type:
Before clicking **Create**, expand the **Members** panel, click your device's serial number (it will then appear under **Selected members**) and then click **Select** to add that device to this group.
@@ -495,9 +497,9 @@ Under **Manage**, click **Assignments**, and then with the **Include** tab highl
Click **Select** and then click **Save**.
-
+
-It’s also possible to assign specific users to a profile, but we will not cover this scenario in the lab. For more detailed information, see [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot).
+It's also possible to assign specific users to a profile, but we will not cover this scenario in the lab. For more detailed information, see [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot).
### Create a Windows Autopilot deployment profile using MSfB
@@ -517,15 +519,15 @@ To CREATE the profile:
Select your device from the **Devices** list:
-
+
On the Autopilot deployment dropdown menu, select **Create new profile**:
-
+
Name the profile, choose your desired settings, and then click **Create**:
-
+
The new profile is added to the Autopilot deployment list.
@@ -533,25 +535,25 @@ To ASSIGN the profile:
To assign (or reassign) the profile to a device, select the checkboxes next to the device you registered for this lab, then select the profile you want to assign from the **Autopilot deployment** dropdown menu as shown:
-
+
Confirm the profile was successfully assigned to the intended device by checking the contents of the **Profile** column:
-
+
> [!IMPORTANT]
> The new profile will only be applied if the device has not been started, and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device.
## See Windows Autopilot in action
-If you shut down your VM after the last reset, it’s time to start it back up again, so it can progress through the Autopilot OOBE experience but do not attempt to start your device again until the **PROFILE STATUS** for your device in Intune has changed from **Not assigned** to **Assigning** and finally **Assigned**:
+If you shut down your VM after the last reset, it's time to start it back up again, so it can progress through the Autopilot OOBE experience but do not attempt to start your device again until the **PROFILE STATUS** for your device in Intune has changed from **Not assigned** to **Assigning** and finally **Assigned**:
Also, make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding), otherwise these changes might not show up.
> [!TIP]
-> If you reset your device previously after collecting the 4K HH info, and then let it restart back to the first OOBE screen, then you might need to restart the device again to ensure the device is recognized as an Autopilot device and displays the Autopilot OOBE experience you’re expecting. If you do not see the Autopilot OOBE experience, then reset the device again (Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Click on Reset).
+> If you reset your device previously after collecting the 4K HH info, and then let it restart back to the first OOBE screen, then you might need to restart the device again to ensure the device is recognized as an Autopilot device and displays the Autopilot OOBE experience you're expecting. If you do not see the Autopilot OOBE experience, then reset the device again (Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Click on Reset).
- Ensure your device has an internet connection.
- Turn on the device
@@ -569,21 +571,21 @@ Windows Autopilot will now take over to automatically join your device into Azur
## Remove devices from Autopilot
-To use the device (or VM) for other purposes after completion of this lab, you will need to remove (deregister) it from Autopilot via either Intune or MSfB, and then reset it. Instructions for deregistering devices can be found [here](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [here](https://docs.microsoft.com/intune/devices-wipe#delete-devices-from-the-azure-active-directory-portal) and below.
+To use the device (or VM) for other purposes after completion of this lab, you will need to remove (deregister) it from Autopilot via either Intune or MSfB, and then reset it. Instructions for deregistering devices can be found at [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Remove devices by using wipe, retire, or manually unenrolling the device](https://docs.microsoft.com/intune/devices-wipe#delete-devices-from-the-azure-active-directory-portal) and below.
### Delete (deregister) Autopilot device
You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into your Intune Azure portal, then navigate to **Intune > Devices > All Devices**. Select the checkbox next to the device you want to delete, then click the Delete button along the top menu.
-
+
Click **X** when challenged to complete the operation:
-
+
This will remove the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this does not yet deregister the device from Autopilot, so the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**.
-
+
The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two completely separate datastores. The former (All devices) is the list of devices currently enrolled into Intune.
@@ -592,25 +594,25 @@ The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment
To remove the device from the Autopilot program, select the device and click Delete.
-
+
A warning message appears reminding you to first remove the device from Intune, which we previously did.
-
+
At this point, your device has been unenrolled from Intune and also deregistered from Autopilot. After several minutes, click the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program:
-
+
Once the device no longer appears, you are free to reuse it for other purposes.
If you also (optionally) want to remove your device from AAD, navigate to **Azure Active Directory > Devices > All Devices**, select your device, and click the delete button:
-
+
## Appendix A: Verify support for Hyper-V
-Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information.
+Starting with Windows 8, the host computer's microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information.
To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, scroll down, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example:
@@ -654,19 +656,19 @@ EPT * Supports Intel extended page tables (SLAT)
#### Prepare the app for Intune
-Before we can pull an application into Intune to make it part of our AP profile, we need to “package” the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool). After downloading the tool, gather the following three bits of information to use the tool:
+Before we can pull an application into Intune to make it part of our AP profile, we need to "package" the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool). After downloading the tool, gather the following three bits of information to use the tool:
1. The source folder for your application
2. The name of the setup executable file
3. The output folder for the new file
-For the purposes of this lab, we’ll use the Notepad++ tool as our Win32 app.
+For the purposes of this lab, we'll use the Notepad++ tool as our Win32 app.
Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available) and then copy the file to a known location, such as C:\Notepad++msi.
Run the IntuneWinAppUtil tool, supplying answers to the three questions, for example:
-
+
After the tool finishes running, you should have an .intunewin file in the Output folder, which you can now upload into Intune using the following steps.
@@ -676,19 +678,19 @@ Log into the Azure portal and select **Intune**.
Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
-
+
Under **App Type**, select **Windows app (Win32)**:
-
+
On the **App package file** blade, browse to the **npp.7.6.3.installer.x64.intunewin** file in your output folder, open it, then click **OK**:
-
+
On the **App Information Configure** blade, provide a friendly name, description, and publisher, such as:
-
+
On the **Program Configuration** blade, supply the install and uninstall commands:
@@ -698,29 +700,29 @@ Uninstall: msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q
> [!NOTE]
> Likely, you do not have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool) automatically generated them when it converted the .msi file into a .intunewin file.
-
+
-Simply using an install command like “notepad++.exe /S” will not actually install Notepad++; it will only launch the app. To actually install the program, we need to use the .msi file instead. Notepad++ doesn’t actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available).
+Simply using an install command like "notepad++.exe /S" will not actually install Notepad++; it will only launch the app. To actually install the program, we need to use the .msi file instead. Notepad++ doesn't actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available).
Click **OK** to save your input and activate the **Requirements** blade.
On the **Requirements Configuration** blade, specify the **OS architecture** and the **Minimum OS version**:
-
+
Next, configure the **Detection rules**. For our purposes, we will select manual format:
-
+
Click **Add** to define the rule properties. For **Rule type**, select **MSI**, which will automatically import the right MSI product code into the rule:
-
+
Click **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration.
**Return codes**: For our purposes, leave the return codes at their default values:
-
+
Click **OK** to exit.
@@ -730,11 +732,11 @@ Click the **Add** button to finalize and save your app package.
Once the indicator message says the addition has completed.
-
+
You will be able to find your app in your app list:
-
+
#### Assign the app to your Intune profile
@@ -743,7 +745,7 @@ You will be able to find your app in your app list:
In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade. Then click **Assignments** from the menu:
-
+
Select **Add Group** to open the **Add group** pane that is related to the app.
@@ -753,9 +755,9 @@ For our purposes, select **Required** from the **Assignment type** dropdown menu
Select **Included Groups** and assign the groups you previously created that will use this app:
-
+
-
+
In the **Select groups** pane, click the **Select** button.
@@ -765,7 +767,7 @@ In the **Add group** pane, select **OK**.
In the app **Assignments** pane, select **Save**.
-
+
At this point, you have completed steps to add a Win32 app to Intune.
@@ -779,15 +781,15 @@ Log into the Azure portal and select **Intune**.
Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
-
+
Under **App Type**, select **Office 365 Suite > Windows 10**:
-
+
Under the **Configure App Suite** pane, select the Office apps you want to install. For the purposes of this labe we have only selected Excel:
-
+
Click **OK**.
@@ -795,13 +797,13 @@ In the **App Suite Information** pane, enter a unique suite name, and a s
> Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal.
-
+
Click **OK**.
In the **App Suite Settings** pane, select **Monthly** for the **Update channel** (any selection would be fine for the purposes of this lab). Also select **Yes** for **Automatically accept the app end user license agreement**:
-
+
Click **OK** and then click **Add**.
@@ -812,7 +814,7 @@ Click **OK** and then click **Add**.
In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade. Then click **Assignments** from the menu:
-
+
Select **Add Group** to open the **Add group** pane that is related to the app.
@@ -822,9 +824,9 @@ For our purposes, select **Required** from the **Assignment type** dropdown menu
Select **Included Groups** and assign the groups you previously created that will use this app:
-
+
-
+
In the **Select groups** pane, click the **Select** button.
@@ -834,7 +836,7 @@ In the **Add group** pane, select **OK**.
In the app **Assignments** pane, select **Save**.
-
+
At this point, you have completed steps to add Office to Intune.
@@ -842,7 +844,7 @@ For more information on adding Office apps to Intune, see [Assign Office 365 app
If you installed both the win32 app (Notepad++) and Office (just Excel) per the instructions in this lab, your VM will show them in the apps list, although it could take several minutes to populate:
-
+
## Glossary
diff --git a/windows/hub/index.yml b/windows/hub/index.yml
index 289a9ff9e7..75355791f6 100644
--- a/windows/hub/index.yml
+++ b/windows/hub/index.yml
@@ -42,7 +42,7 @@ landingContent:
links:
- text: Configure Windows 10
url: /windows/configuration/index
- - text: Accesasibility information for IT Pros
+ - text: Accessibility information for IT Pros
url: /windows/configuration/windows-10-accessibility-for-itpros
- text: Configure access to Microsoft Store
url: /windows/configuration/stop-employees-from-using-microsoft-store
diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md
index fe1e8ae442..218ce9d25c 100644
--- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md
+++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
audience: ITPro
-ms.author: daniha
+ms.author: siosulli
author: DaniHalfin
manager: dansimp
ms.collection: M365-security-compliance
diff --git a/windows/privacy/data-processor-service-for-windows-enterprise-public-preview-terms.md b/windows/privacy/data-processor-service-for-windows-enterprise-public-preview-terms.md
index 11aacc5fb8..20b56e6e79 100644
--- a/windows/privacy/data-processor-service-for-windows-enterprise-public-preview-terms.md
+++ b/windows/privacy/data-processor-service-for-windows-enterprise-public-preview-terms.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.topic: article
f1.keywords:
- NOCSH
-ms.author: daniha
+ms.author: siosulli
author: DaniHalfin
manager: dansimp
audience: itpro
diff --git a/windows/privacy/deploy-data-processor-service-windows.md b/windows/privacy/deploy-data-processor-service-windows.md
index 66bb8268c7..76db1e584d 100644
--- a/windows/privacy/deploy-data-processor-service-windows.md
+++ b/windows/privacy/deploy-data-processor-service-windows.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.topic: article
f1.keywords:
- NOCSH
-ms.author: daniha
+ms.author: siosulli
author: DaniHalfin
manager: dansimp
audience: itpro
diff --git a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
index 41c5fa5a8a..4188fd5ad3 100644
--- a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
+++ b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
@@ -30,7 +30,7 @@ ms.reviewer:
Desktop Analytics reports are powered by diagnostic data not included in the Basic level.
-In Windows 10, version 1709, we introduced a new feature: "Limit Enhanced diagnostic data to the minimum required by Windows Analytics". When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to only those described below. Note that the Enhanced level also includes limited crash reports, which are not described below. For more information on the Enhanced level, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
+In Windows 10, version 1709, we introduced a new feature: "Limit Enhanced diagnostic data to the minimum required by Windows Analytics". When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to only the events described below. The Enhanced level also includes limited crash reports, which are not described below. For more information on the Enhanced level, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md).
With the retirement of Windows Analytics, this policy will continue to be supported by Desktop Analytics, but will not include Office related diagnostic data.
@@ -48,7 +48,7 @@ The following fields are available:
- **GhostCount_Sum:** Total number of instances where the application stopped responding
- **HandleCountAtExit_Sum:** Total handle count for a process when it exits
- **HangCount_Max:** Maximum number of hangs detected
-- **HangCount_Sum:** Total number of application hangs detected
+- **HangCount_Sum:** Total number of application hangs that are detected
- **HardFaultCountAtExit_Sum:** Total number of hard page faults detected for a process when it exits
- **HeartbeatCount:** Heartbeats logged for this summary
- **HeartbeatSuspendedCount:** Heartbeats logged for this summary where the process was suspended
@@ -68,7 +68,7 @@ The following fields are available:
- **WriteSizeInKBAtExit_Sum:** Total size of IO writes for a process when it exited
## Microsoft.Office.TelemetryEngine.IsPreLaunch
-Applicable for Office UWP applications. This event is fired when an office application is initiated for the first-time post upgrade/install from the store. This is part of basic diagnostic data, used to track whether a particular session is launch session or not.
+Applicable for Office UWP applications. This event is fired when an Office application is initiated for the first-time post upgrade/install from the store. It's part of basic diagnostic data. It's used to track whether a particular session is a launch session or not.
- **appVersionBuild:** Third part of the version *.*.XXXXX.*
- **appVersionMajor:** First part of the version X.*.*.*
@@ -77,10 +77,10 @@ Applicable for Office UWP applications. This event is fired when an office appli
- **SessionID:** ID of the session
## Microsoft.Office.SessionIdProvider.OfficeProcessSessionStart
-This event sends basic information upon the start of a new Office session. This is used to count the number of unique sessions seen on a given device. This is used as a heartbeat event to ensure that the application is running on a device or not. In addition, it serves as a critical signal for overall application reliability.
+This event sends basic information upon the start of a new Office session. It's used to count the number of unique sessions seen on a given device. The event is used as a heartbeat event to ensure that the application is running on a device. In addition, it serves as a critical signal for overall application reliability.
-- **AppSessionGuid:** ID of the session which maps to the process of the application
-- **processSessionId:** ID of the session which maps to the process of the application
+- **AppSessionGuid:** ID of the session that maps to the process of the application
+- **processSessionId:** ID of the session that maps to the process of the application
## Microsoft.Office.TelemetryEngine.SessionHandOff
Applicable to Win32 Office applications. This event helps us understand whether there was a new session created to handle a user-initiated file open event. It is a critical diagnostic information that is used to derive reliability signal and ensure that the application is working as expected.
@@ -89,7 +89,7 @@ Applicable to Win32 Office applications. This event helps us understand whether
- **appVersionMajor:** First part of the version X.*.*.*
- **appVersionMinor:** Second part of the version *.X.*.*
- **appVersionRev:** Fourth part of the version *.*.*.XXXXX
-- **childSessionID:** Id of the session that was created to handle the user initiated file open
+- **childSessionID:** ID of the session that was created to handle the user initiated file open
- **parentSessionId:** ID of the session that was already running
## Microsoft.Office.CorrelationMetadata.UTCCorrelationMetadata
@@ -102,15 +102,15 @@ Collects Office metadata through UTC to compare with equivalent data collected t
- **appVersionMajor:** First part of the version X.*.*.*
- **appVersionMinor:** Second part of the version *.X.*.*
- **appVersionRevision:** Fourth part of the version *.*.*.XXXXX
-- **audienceGroup:** Is this part of the insiders or production
+- **audienceGroup:** Is this group part of the insiders or production?
- **audienceId:** ID of the audience setting
- **channel:** Are you part of Semi annual channel or Semi annual channel-Targeted?
-- **deviceClass:** Is this a desktop or a mobile?
+- **deviceClass:** Is this device a desktop device or a mobile device?
- **impressionId:** What features were available to you in this session
- **languageTag:** Language of the app
- **officeUserID:** A unique identifier tied to the office installation on a particular device.
- **osArchitecture:** Is the machine 32 bit or 64 bit?
-- **osEnvironment:** Is this a win32 app or a UWP app?
+- **osEnvironment:** Is this app a win32 app or a UWP app?
- **osVersionString:** Version of the OS
- **sessionID:** ID of the session
@@ -131,7 +131,7 @@ This event is fired when the telemetry engine within an office application is re
- **appVersionMajor:** First part of the version X.*.*.*
- **appVersionMinor:** Second part of the version *.X.*.*
- **appVersionRev:** Fourth part of the version *.*.*.XXXXX
-- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user
- **SessionID:** ID of the session
## Microsoft.Office.TelemetryEngine.FirstProcessed
@@ -141,7 +141,7 @@ This event is fired when the telemetry engine within an office application has p
- **appVersionMajor:** First part of the version X.*.*.*
- **appVersionMinor:** Second part of the version *.X.*.*
- **appVersionRev:** Fourth part of the version *.*.*.XXXXX
-- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user
- **SessionID:** ID of the session
## Microsoft.Office.TelemetryEngine.FirstRuleRequest
@@ -151,7 +151,7 @@ This event is fired when the telemetry engine within an office application has r
- **appVersionMajor:** First part of the version X.*.*.*
- **appVersionMinor:** Second part of the version *.X.*.*
- **appVersionRev:** Fourth part of the version *.*.*.XXXXX
-- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user
- **SessionID:** ID of the session
## Microsoft.Office.TelemetryEngine.Init
@@ -161,18 +161,18 @@ This event is fired when the telemetry engine within an office application has b
- **appVersionMajor:** First part of the version X.*.*.*
- **appVersionMinor:** Second part of the version *.X.*.*
- **appVersionRev:** Fourth part of the version *.*.*.XXXXX
-- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user
- **SessionID:** ID of the session
## Microsoft.Office.TelemetryEngine.Resume
-This event is fired when the application resumes from sleep state. Used for understanding whether there are issues in the application life-cycle.
+This event is fired when the application resumes from sleep state. Used for understanding whether there are issues in the application life cycle.
- **appVersionBuild:** Third part of the version *.*.XXXXX.*
- **appVersionMajor:** First part of the version X.*.*.*
- **appVersionMinor:** Second part of the version *.X.*.*
- **appVersionRev:** Fourth part of the version *.*.*.XXXXX
- **maxSequenceIdSeen:** How many events from this session have seen so far?
-- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user
- **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed?
- **SessionID:** ID of the session
@@ -183,7 +183,7 @@ This event is fired when the telemetry engine within an office application fails
- **appVersionMajor:** First part of the version X.*.*.*
- **appVersionMinor:** Second part of the version *.X.*.*
- **appVersionRev:** Fourth part of the version *.*.*.XXXXX
-- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user
- **SessionID:** ID of the session
## Microsoft.Office.TelemetryEngine.RuleRequestFailedDueToClientOffline
@@ -193,7 +193,7 @@ This event is fired when the telemetry engine within an office application fails
- **appVersionMajor:** First part of the version X.*.*.*
- **appVersionMinor:** Second part of the version *.X.*.*
- **appVersionRev:** Fourth part of the version *.*.*.XXXXX
-- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user
- **SessionID:** ID of the session
## Microsoft.Office.TelemetryEngine.ShutdownComplete
@@ -204,7 +204,7 @@ This event is fired when the telemetry engine within an office application has p
- **appVersionMinor:** Second part of the version *.X.*.*
- **appVersionRev:** Fourth part of the version *.*.*.XXXXX
- **maxSequenceIdSeen:** How many events from this session have seen so far?
-- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user
- **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed?
- **SessionID:** ID of the session
@@ -215,7 +215,7 @@ This event is fired when the telemetry engine within an office application been
- **appVersionMajor:** First part of the version X.*.*.*
- **appVersionMinor:** Second part of the version *.X.*.*
- **appVersionRev:** Fourth part of the version *.*.*.XXXXX
-- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user
- **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed?
- **SessionID:** ID of the session
@@ -227,26 +227,26 @@ This event is fired when the telemetry engine within an office application has p
- **appVersionMinor:** Second part of the version *.X.*.*
- **appVersionRev:** Fourth part of the version *.*.*.XXXXX
- **maxSequenceIdSeen:** How many events from this session have seen so far?
-- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user
- **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed?
- **SessionID:** ID of the session
- **SuspendType:** Type of suspend
## Microsoft.Office.TelemetryEngine.SuspendStart
-This event is fired when the office application suspends as per app life-cycle change. Used for understanding whether there are issues in the application life-cycle.
+This event is fired when the office application suspends as per app life-cycle change. Used for understanding whether there are issues in the application life cycle.
- **appVersionBuild:** Third part of the version *.*.XXXXX.*
- **appVersionMajor:** First part of the version X.*.*.*
- **appVersionMinor:** Second part of the version *.X.*.*
- **appVersionRev:** Fourth part of the version *.*.*.XXXXX
- **maxSequenceIdSeen:** How many events from this session have seen so far?
-- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user
+- **officeUserID:** ID of the installation tied to the device. It does not map to a particular user
- **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed?
- **SessionID:** ID of the session
- **SuspendType:** Type of suspend
## Microsoft.OSG.OSS.CredProvFramework.ReportResultStop
-This event indicates the result of an attempt to authenticate a user with a credential provider. It helps Microsoft to improve logon reliability. Using this event with Desktop Analytics can help organizations monitor and improve logon success for different methods (for example, biometric) on managed devices.
+This event indicates the result of an attempt to authenticate a user with a credential provider. It helps Microsoft to improve sign-in reliability. Using this event with Desktop Analytics can help organizations monitor and improve sign-in success for different methods (for example, biometric) on managed devices.
The following fields are available:
@@ -262,11 +262,11 @@ The following fields are available:
- **ReturnCode:** Output of the ReportResult function
- **SessionId:** Session identifier
- **Sign-in error status:** The sign-in error status
-- **SubStatus:** Sign-in error sub-status
+- **SubStatus:** Sign-in error substatus
- **UserTag:** Count of the number of times a user has selected a provider
## Microsoft.Windows.Kernel.Power.OSStateChange
-This event denotes the transition between operating system states (e.g., On, Off, Sleep, etc.). By using this event with Desktop Analytics, organizations can use this to monitor reliability and performance of managed devices
+This event denotes the transition between operating system states (On, Off, Sleep, etc.). By using this event with Desktop Analytics, organizations can monitor reliability and performance of managed devices.
The following fields are available:
@@ -281,10 +281,10 @@ The following fields are available:
- **EnergyChangeV2Flags:** Flags for disambiguating EnergyChangeV2 context
- **EventSequence:** A sequential number used to evaluate the completeness of the data
- **LastStateTransition:** ID of the last operating system state transition
-- **LastStateTransitionSub:** ID of the last operating system sub-state transition
+- **LastStateTransitionSub:** ID of the last operating system substate transition
- **StateDurationMS:** Number of milliseconds spent in the last operating system state
- **StateTransition:** ID of the operating system state the system is transitioning to
-- **StateTransitionSub:** ID of the operating system sub-state the system is transitioning to
+- **StateTransitionSub:** ID of the operating system substate the system is transitioning to
- **TotalDurationMS:** Total time (in milliseconds) spent in all states since the last boot
- **TotalUptimeMS:** Total time (in milliseconds) the device was in Up or Running states since the last boot
- **TransitionsToOn:** Number of transitions to the Powered On state since the last boot
@@ -305,7 +305,7 @@ Sends details about any error codes detected during a failed sign-in.
The following fields are available:
- **ntsStatus:** The NTSTATUS error code status returned from an attempted sign-in
-- **ntsSubstatus:** The NTSTATUS error code sub-status returned from an attempted sign-in
+- **ntsSubstatus:** The NTSTATUS error code substatus returned from an attempted sign-in
## Microsoft.Windows.Security.Biometrics.Service.BioServiceActivityCapture
Indicates that a biometric capture was compared to known templates
@@ -327,7 +327,7 @@ The following field is available:
- **ticksSinceBoot:** Duration of boot event (milliseconds)
## Microsoft.Windows.Shell.Desktop.LogonFramework.AllLogonTasks
-This event summarizes the logon procedure to help Microsoft improve performance and reliability. By using this event with Desktop Analytics organizations can help identify logon problems on managed devices.
+This event summarizes the logon procedure to help Microsoft improve performance and reliability. By using this event with Desktop Analytics, organizations can help identify logon problems on managed devices.
The following fields are available:
@@ -341,7 +341,7 @@ The following fields are available:
- **wilActivity:** Indicates errors in the task to help Microsoft improve reliability.
## Microsoft.Windows.Shell.Desktop.LogonFramework.LogonTask
-This event describes system tasks which are part of the user logon sequence and helps Microsoft to improve reliability.
+This event describes system tasks that are part of the user logon sequence and helps Microsoft to improve reliability.
The following fields are available:
@@ -359,7 +359,7 @@ For a device subject to Windows Information Protection policy, learning events a
The following fields are available:
- **actiontype:** Indicates what type of resource access the app was attempting (for example, opening a local document vs. a network resource) when it encountered a policy boundary. Useful for Windows Information Protection administrators to tune policy rules.
-- **appIdType:** Based on the type of application, this indicates what type of app rule a Windows Information Protection administrator would need to create for this app.
+- **appIdType:** Based on the type of application, this field indicates what type of app rule a Windows Information Protection administrator would need to create for this app.
- **appname:** App that triggered the event
- **status:** Indicates whether errors occurred during WIP learning events
@@ -397,11 +397,11 @@ The following fields are available:
- **MonitorWidth:** Number of horizontal pixels in the application host monitor resolution
- **MouseInputSec:** Total number of seconds during which there was mouse input
- **NewProcessCount:** Number of new processes contributing to the aggregate
-- **PartATransform_AppSessionGuidToUserSid:** Flag which influences how other parts of the event are constructed
+- **PartATransform_AppSessionGuidToUserSid:** Flag that influences how other parts of the event are constructed
- **PenInputSec:** Total number of seconds during which there was pen input
- **SpeechRecognitionSec:** Total number of seconds of speech recognition
- **SummaryRound:** Incrementing number indicating the round (batch) being summarized
-- **TargetAsId:** Flag which influences how other parts of the event are constructed
+- **TargetAsId:** Flag that influences how other parts of the event are constructed
- **TotalUserOrDisplayActiveDurationMS:** Total time the user or the display was active (in milliseconds)
- **TouchInputSec:** Total number of seconds during which there was touch input
- **UserActiveDurationMS:** Total time that the user was active including all input methods
@@ -415,7 +415,7 @@ The following fields are available:
## Revisions
### PartA_UserSid removed
-A previous revision of this list stated that a field named PartA_UserSid was a member of the event Microsoft.Windows.LogonController.LogonAndUnlockSubmit. This was incorrect. The list has been updated to reflect that no such field is present in the event.
+A previous revision of this list stated that a field named PartA_UserSid was a member of the event Microsoft.Windows.LogonController.LogonAndUnlockSubmit. This statement was incorrect. The list has been updated to reflect that no such field is present in the event.
### Office events added
In Windows 10, version 1809 (also applies to versions 1709 and 1803 starting with [KB 4462932](https://support.microsoft.com/help/4462932/windows-10-update-kb4462932) and [KB 4462933](https://support.microsoft.com/help/4462933/windows-10-update-kb4462933) respectively), 16 events were added, describing Office app launch and availability. These events were added to improve the precision of Office data in Windows Analytics.
diff --git a/windows/privacy/windows-diagnostic-data-1703.md b/windows/privacy/windows-diagnostic-data-1703.md
index ef7ec52739..ffa7858d15 100644
--- a/windows/privacy/windows-diagnostic-data-1703.md
+++ b/windows/privacy/windows-diagnostic-data-1703.md
@@ -42,7 +42,7 @@ Most diagnostic events contain a header of common data:
| Category Name | Examples |
| - | - |
-| Common Data | Information that is added to most diagnostic events, if relevant and available:
- OS name, version, build, and [locale](https://msdn.microsoft.com/library/windows/desktop/dd318716.aspx)
- User ID -- a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic diagnostic data
- Xbox UserID
- Environment from which the event was logged -- Application ID of app or component that logged the event, Session GUID. Used to track events over a given period of time such the period an app is running or between boots of the OS.
- The diagnostic event name, Event ID, [ETW](https://msdn.microsoft.com/library/windows/desktop/bb968803.aspx) opcode, version, schema signature, keywords, and flags
- HTTP header information, including the IP address. This IP address is the source address that’s provided by the network packet header and received by the diagnostics ingestion service.
- Various IDs that are used to correlate and sequence related events together.
- Device ID. This is not the user provided device name, but an ID that is unique for that device.
- Device class -- Desktop, Server, or Mobile
- Event collection time
- Diagnostic level -- Basic or Full, Sample level -- for sampled data, what sample level is this device opted into
|
+| Common Data | Information that is added to most diagnostic events, if relevant and available:
- OS name, version, build, and [locale](https://msdn.microsoft.com/library/windows/desktop/dd318716.aspx)
- User ID - a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic diagnostic data
- Xbox UserID
- Environment from which the event was logged - Application ID of app or component that logged the event, Session GUID. Used to track events over a given period of time such the period an app is running or between boots of the OS.
- The diagnostic event name, Event ID, [ETW](https://msdn.microsoft.com/library/windows/desktop/bb968803.aspx) opcode, version, schema signature, keywords, and flags
- HTTP header information, including the IP address. This IP address is the source address that’s provided by the network packet header and received by the diagnostics ingestion service.
- Various IDs that are used to correlate and sequence related events together.
- Device ID. This ID is not the user provided device name, but an ID that is unique for that device.
- Device class - Desktop, Server, or Mobile
- Event collection time
- Diagnostic level - Basic or Full, Sample level - for sampled data, what sample level is this device opted into
|
## Device, Connectivity, and Configuration data
@@ -50,38 +50,38 @@ This type of data includes details about the device, its configuration and conne
| Category Name | Examples |
| - | - |
-| Device properties | Information about the OS and device hardware, such as:
- OS - version name, Edition
- Installation type, subscription status, and genuine OS status
- Processor architecture, speed, number of cores, manufacturer, and model
- OEM details --manufacturer, model, and serial number
- Device identifier and Xbox serial number
- Firmware/BIOS -- type, manufacturer, model, and version
- Memory -- total memory, video memory, speed, and how much memory is available after the device has reserved memory
- Storage -- total capacity and disk type
- Battery -- charge capacity and InstantOn support
- Hardware chassis type, color, and form factor
- Is this a virtual machine?
|
-| Device capabilities | Information about the specific device capabilities such as:
- Camera -- whether the device has a front facing, a rear facing camera, or both.
- Touch screen -- does the device include a touch screen? If so, how many hardware touch points are supported?
- Processor capabilities -- CompareExchange128, LahfSahf, NX, PrefetchW, and SSE2
- Trusted Platform Module (TPM) – whether present and what version
- Virtualization hardware -- whether an IOMMU is present, SLAT support, is virtualization enabled in the firmware
- Voice – whether voice interaction is supported and the number of active microphones
- Number of displays, resolutions, DPI
- Wireless capabilities
- OEM or platform face detection
- OEM or platform video stabilization and quality level set
- Advanced Camera Capture mode (HDR vs. LowLight), OEM vs. platform implementation, HDR probability, and Low Light probability
|
-| Device preferences and settings | Information about the device settings and user preferences such as:
- User Settings – System, Device, Network & Internet, Personalization, Cortana, Apps, Accounts, Time & Language, Gaming, Ease of Access, Privacy, Update & Security
- User-provided device name
- Whether device is domain-joined, or cloud-domain joined (i.e. part of a company-managed network)
- Hashed representation of the domain name
- MDM (mobile device management) enrollment settings and status
- BitLocker, Secure Boot, encryption settings, and status
- Windows Update settings and status
- Developer Unlock settings and status
- Default app choices
- Default browser choice
- Default language settings for app, input, keyboard, speech, and display
- App store update settings
- Enterprise OrganizationID, Commercial ID
|
-| Device peripherals | Information about the device peripherals such as:
- Peripheral name, device model, class, manufacturer and description
- Peripheral device state, install state, and checksum
- Driver name, package name, version, and manufacturer
- HWID - A hardware vendor defined ID to match a device to a driver [INF file](https://msdn.microsoft.com/windows/hardware/drivers/install/hardware-ids)
- Driver state, problem code, and checksum
- Whether driver is kernel mode, signed, and image size
|
-| Device network info | Information about the device network configuration such as:
- Network system capabilities
- Local or Internet connectivity status
- Proxy, gateway, DHCP, DNS details and addresses
- Paid or free network
- Wireless driver is emulated or not
- Access point mode capable
- Access point manufacturer, model, and MAC address
- WDI Version
- Name of networking driver service
- Wi-Fi Direct details
- Wi-Fi device hardware ID and manufacturer
- Wi-Fi scan attempt counts and item counts
- Mac randomization is supported/enabled or not
- Number of spatial streams and channel frequencies supported
- Manual or Auto Connect enabled
- Time and result of each connection attempt
- Airplane mode status and attempts
- Interface description provided by the manufacturer
- Data transfer rates
- Cipher algorithm
- Mobile Equipment ID (IMEI) and Mobile Country Code (MCCO)
- Mobile operator and service provider name
- Available SSIDs and BSSIDs
- IP Address type -- IPv4 or IPv6
- Signal Quality percentage and changes
- Hotspot presence detection and success rate
- TCP connection performance
- Miracast device names
- Hashed IP address
+| Device properties | Information about the OS and device hardware, such as:
- OS - version name, Edition
- Installation type, subscription status, and genuine OS status
- Processor architecture, speed, number of cores, manufacturer, and model
- OEM details - manufacturer, model, and serial number
- Device identifier and Xbox serial number
- Firmware/BIOS - type, manufacturer, model, and version
- Memory - total memory, video memory, speed, and how much memory is available after the device has reserved memory
- Storage - total capacity and disk type
- Battery - charge capacity and InstantOn support
- Hardware chassis type, color, and form factor
- Is this machine a virtual machine?
|
+| Device capabilities | Information about the specific device capabilities such as:
- Camera - whether the device has a front facing, a rear facing camera, or both.
- Touch screen - does the device include a touch screen? If so, how many hardware touch points are supported?
- Processor capabilities - CompareExchange128, LahfSahf, NX, PrefetchW, and SSE2
- Trusted Platform Module (TPM) – whether present and what version
- Virtualization hardware - whether an IOMMU is present, SLAT support, is virtualization enabled in the firmware
- Voice – whether voice interaction is supported and the number of active microphones
- Number of displays, resolutions, DPI
- Wireless capabilities
- OEM or platform face detection
- OEM or platform video stabilization and quality level set
- Advanced Camera Capture mode (HDR vs. LowLight), OEM vs. platform implementation, HDR probability, and Low Light probability
|
+| Device preferences and settings | Information about the device settings and user preferences such as:
- User Settings – System, Device, Network & Internet, Personalization, Cortana, Apps, Accounts, Time & Language, Gaming, Ease of Access, Privacy, Update & Security
- User-provided device name
- Whether device is domain-joined, or cloud-domain joined (that is, part of a company-managed network)
- Hashed representation of the domain name
- MDM (mobile device management) enrollment settings and status
- BitLocker, Secure Boot, encryption settings, and status
- Windows Update settings and status
- Developer Unlock settings and status
- Default app choices
- Default browser choice
- Default language settings for app, input, keyboard, speech, and display
- App store update settings
- Enterprise OrganizationID, Commercial ID
|
+| Device peripherals | Information about the device peripherals such as:
- Peripheral name, device model, class, manufacturer, and description
- Peripheral device state, install state, and checksum
- Driver name, package name, version, and manufacturer
- HWID - A hardware vendor defined ID to match a device to a driver [INF file](https://msdn.microsoft.com/windows/hardware/drivers/install/hardware-ids)
- Driver state, problem code, and checksum
- Whether driver is kernel mode, signed, and image size
|
+| Device network info | Information about the device network configuration such as:
- Network system capabilities
- Local or Internet connectivity status
- Proxy, gateway, DHCP, DNS details, and addresses
- Paid or free network
- Wireless driver is emulated or not
- Access point mode capable
- Access point manufacturer, model, and MAC address
- WDI Version
- Name of networking driver service
- Wi-Fi Direct details
- Wi-Fi device hardware ID and manufacturer
- Wi-Fi scan attempt counts and item counts
- Mac randomization is supported/enabled or not
- Number of spatial streams and channel frequencies supported
- Manual or Auto Connect enabled
- Time and result of each connection attempt
- Airplane mode status and attempts
- Interface description provided by the manufacturer
- Data transfer rates
- Cipher algorithm
- Mobile Equipment ID (IMEI) and Mobile Country Code (MCCO)
- Mobile operator and service provider name
- Available SSIDs and BSSIDs
- IP Address type - IPv4 or IPv6
- Signal Quality percentage and changes
- Hotspot presence detection and success rate
- TCP connection performance
- Miracast device names
- Hashed IP address
## Product and Service Usage data
-This type of data includes details about the usage of the device, operating system, applications and services.
+This type of data includes details about the usage of the device, operating system, applications, and services.
| Category Name | Examples |
| - | - |
-| App usage | Information about Windows and application usage such as:- OS component and app feature usage
- User navigation and interaction with app and Windows features. This could potentially include user input, such as name of a new alarm set, user menu choices, or user favorites.
- Time of and count of app/component launches, duration of use, session GUID, and process ID
- App time in various states – running foreground or background, sleeping, or receiving active user interaction
- User interaction method and duration – whether and length of time user used the keyboard, mouse, pen, touch, speech, or game controller
- Cortana launch entry point/reason
- Notification delivery requests and status
- Apps used to edit images and videos
- SMS, MMS, VCard, and broadcast message usage statistics on primary or secondary line
- Incoming and Outgoing calls and Voicemail usage statistics on primary or secondary line
- Emergency alerts are received or displayed statistics
- Content searches within an app
- Reading activity -- bookmarking used, print used, layout changed
|
-| App or product state | Information about Windows and application state such as:- Start Menu and Taskbar pins
- Online/Offline status
- App launch state –- with deep-link such as Groove launched with an audio track to play, or share contract such as MMS launched to share a picture.
- Personalization impressions delivered
- Whether the user clicked or hovered on UI controls or hotspots
- User feedback Like or Dislike or rating was provided
- Caret location or position within documents and media files -- how much of a book has been read in a single session or how much of a song has been listened to.
|
+| App usage | Information about Windows and application usage such as:- OS component and app feature usage
- User navigation and interaction with app and Windows features. This information could include user input, such as the name of a new alarm set, user menu choices, or user favorites.
- Time of and count of app/component launches, duration of use, session GUID, and process ID
- App time in various states – running foreground or background, sleeping, or receiving active user interaction
- User interaction method and duration – whether and length of time user used the keyboard, mouse, pen, touch, speech, or game controller
- Cortana launch entry point/reason
- Notification delivery requests and status
- Apps used to edit images and videos
- SMS, MMS, VCard, and broadcast message usage statistics on primary or secondary line
- Incoming and Outgoing calls and Voicemail usage statistics on primary or secondary line
- Emergency alerts are received or displayed statistics
- Content searches within an app
- Reading activity - bookmarking used, print used, layout changed
|
+| App or product state | Information about Windows and application state such as:- Start Menu and Taskbar pins
- Online/Offline status
- App launch state –- with deep-link such as Groove launched with an audio track to play, or share contract such as MMS launched to share a picture.
- Personalization impressions delivered
- Whether the user clicked or hovered on UI controls or hotspots
- User feedback Like or Dislike or rating was provided
- Caret location or position within documents and media files - how much of a book has been read in a single session or how much of a song has been listened to.
|
| Login properties | - Login success or failure
- Login sessions and state
|
## Product and Service Performance data
-This type of data includes details about the health of the device, operating system, apps and drivers.
+This type of data includes details about the health of the device, operating system, apps, and drivers.
| Category Name | Description and Examples |
| - | - |
-|Device health and crash data | Information about the device and software health such as:
- Error codes and error messages, name and ID of the app, and process reporting the error
- DLL library predicted to be the source of the error -- xyz.dll
- System generated files -- app or product logs and trace files to help diagnose a crash or hang
- System settings such as registry keys
- User generated files – .doc, .ppt, .csv files where they are indicated as a potential cause for a crash or hang
- Details and counts of abnormal shutdowns, hangs, and crashes
- Crash failure data – OS, OS component, driver, device, 1st and 3rd party app data
- Crash and Hang dumps
- The recorded state of the working memory at the point of the crash.
- Memory in use by the kernel at the point of the crash.
- Memory in use by the application at the point of the crash.
- All the physical memory used by Windows at the point of the crash.
- Class and function name within the module that failed.
|
-|Device performance and reliability data | Information about the device and software performance such as:
- User Interface interaction durations -- Start Menu display times, browser tab switch times, app launch and switch times, and Cortana and search performance and reliability.
- Device on/off performance -- Device boot, shutdown, power on/off, lock/unlock times, and user authentication times (fingerprint and face recognition durations).
- In-app responsiveness -- time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Microsoft Store transaction.
- User input responsiveness – onscreen keyboard invocation times for different languages, time to show auto-complete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score.
- UI and media performance and glitches/smoothness -- video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance
- Disk footprint -- Free disk space, out of memory conditions, and disk score.
- Excessive resource utilization – components impacting performance or battery life through high CPU usage during different screen and power states
- Background task performance -- download times, Windows Update scan duration, Microsoft Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results
- Peripheral and devices -- USB device connection times, time to connect to a wireless display, printing times, network availability and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP etc.), smart card authentication times, automatic brightness environmental response times
- Device setup -- first setup experience times (time to install updates, install apps, connect to network etc.), time to recognize connected devices (printer and monitor), and time to setup Microsoft Account.
- Power and Battery life – power draw by component (Process/CPU/GPU/Display), hours of screen off time, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use during screen off, auto-brightness details, time device is plugged into AC vs. battery, battery state transitions
- Service responsiveness - Service URI, operation, latency, service success/error codes, and protocol.
- Diagnostic heartbeat – regular signal to validate the health of the diagnostics system
|
-|Movies|Information about movie consumption functionality on the device. This isn't intended to capture user viewing, listening or habits.
- Video Width, height, color pallet, encoding (compression) type, and encryption type
- Instructions for how to stream content for the user -- the smooth streaming manifest of chunks of content files that must be pieced together to stream the content based on screen resolution and bandwidth
- URL for a specific two second chunk of content if there is an error
- Full screen viewing mode details|
-|Music & TV|Information about music and TV consumption on the device. This isn't intended to capture user viewing, listening or habits.
- Service URL for song being downloaded from the music service – collected when an error occurs to facilitate restoration of service
- Content type (video, audio, surround audio)
- Local media library collection statistics -- number of purchased tracks, number of playlists
- Region mismatch -- User OS Region, and Xbox Live region
|
-|Reading|Information about reading consumption functionality on the device. This isn't intended to capture user viewing, listening or habits.
- App accessing content and status and options used to open a Microsoft Store book
- Language of the book
- Time spent reading content
- Content type and size details
|
-|Photos App|Information about photos usage on the device. This isn't intended to capture user viewing, listening or habits.
- File source data -- local, SD card, network device, and OneDrive
- Image & video resolution, video length, file sizes types and encoding
- Collection view or full screen viewer use and duration of view
|
-|On-device file query | Information about local search activity on the device such as: - Kind of query issued and index type (ConstraintIndex, SystemIndex)
- Number of items requested and retrieved
- File extension of search result user interacted with
- Launched item kind, file extension, index of origin, and the App ID of the opening app.
- Name of process calling the indexer and time to service the query.
- A hash of the search scope (file, Outlook, OneNote, IE history)
- The state of the indices (fully optimized, partially optimized, being built)
|
-|Purchasing| Information about purchases made on the device such as:
- Product ID, edition ID and product URI
- Offer details -- price
- Order requested date/time
- Store client type -- web or native client
- Purchase quantity and price
- Payment type -- credit card type and PayPal
|
-|Entitlements | Information about entitlements on the device such as:
- Service subscription status and errors
- DRM and license rights details -- Groove subscription or OS volume license
- Entitlement ID, lease ID, and package ID of the install package
- Entitlement revocation
- License type (trial, offline vs online) and duration
- License usage session
|
+|Device health and crash data | Information about the device and software health such as:
- Error codes and error messages, name and ID of the app, and process reporting the error
- DLL library predicted to be the source of the error - xyz.dll
- System-generated files - app or product logs and trace files to help diagnose a crash or hang
- System settings such as registry keys
- User-generated files – .doc, .ppt, .csv files where they are indicated as a potential cause for a crash or hang
- Details and counts of abnormal shutdowns, hangs, and crashes
- Crash failure data – OS, OS component, driver, device, 1st and 3rd party app data
- Crash and Hang dumps
- The recorded state of the working memory at the point of the crash.
- Memory in use by the kernel at the point of the crash.
- Memory in use by the application at the point of the crash.
- All the physical memory used by Windows at the point of the crash.
- Class and function name within the module that failed.
|
+|Device performance and reliability data | Information about the device and software performance such as:
- User Interface interaction durations - Start Menu display times, browser tab switch times, app launch and switch times, and Cortana and search performance and reliability.
- Device on/off performance - Device boot, shutdown, power on/off, lock/unlock times, and user authentication times (fingerprint and face recognition durations).
- In-app responsiveness - time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Microsoft Store transaction.
- User input responsiveness – onscreen keyboard invocation times for different languages, time to show autocomplete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score.
- UI and media performance and glitches/smoothness - video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance
- Disk footprint - Free disk space, out of memory conditions, and disk score.
- Excessive resource utilization – components impacting performance or battery life through high CPU usage during different screen and power states
- Background task performance - download times, Windows Update scan duration, Microsoft Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results
- Peripheral and devices - USB device connection times, time to connect to a wireless display, printing times, network availability, and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP, and so on), smart card authentication times, automatic brightness environmental response times
- Device setup - first setup experience times (time to install updates, install apps, connect to network etc.), time to recognize connected devices (printer and monitor), and time to setup Microsoft Account.
- Power and Battery life – power draw by component (Process/CPU/GPU/Display), hours of screen off time, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use during screen off, autobrightness details, time device is plugged into AC vs. battery, battery state transitions
- Service responsiveness - Service URI, operation, latency, service success/error codes, and protocol.
- Diagnostic heartbeat – regular signal to validate the health of the diagnostics system
|
+|Movies|Information about movie consumption functionality on the device. This information isn't intended to capture user viewing, listening, or habits.
- Video Width, height, color pallet, encoding (compression) type, and encryption type
- Instructions for how to stream content for the user - the smooth streaming manifest of chunks of content files that must be pieced together to stream the content based on screen resolution and bandwidth
- URL for a specific two-second chunk of content if there is an error
- Full screen viewing mode details|
+|Music & TV|Information about music and TV consumption on the device. This information isn't intended to capture user viewing, listening, or habits.
- Service URL for song being downloaded from the music service – collected when an error occurs to facilitate restoration of service
- Content type (video, audio, surround audio)
- Local media library collection statistics - number of purchased tracks, number of playlists
- Region mismatch - User OS Region, and Xbox Live region
|
+|Reading|Information about reading consumption functionality on the device. This information isn't intended to capture user viewing, listening, or habits.
- App accessing content and status and options used to open a Microsoft Store book
- Language of the book
- Time spent reading content
- Content type and size details
|
+|Photos App|Information about photos usage on the device. This information isn't intended to capture user viewing, listening, or habits.
- File source data - local, SD card, network device, and OneDrive
- Image & video resolution, video length, file sizes types and encoding
- Collection view or full screen viewer use and duration of view
|
+|On-device file query | Information about local search activity on the device such as: - Type of query issued and index type (ConstraintIndex, SystemIndex)
- Number of items requested and retrieved
- File extension of search result user interacted with
- Launched item kind, file extension, index of origin, and the App ID of the opening app.
- Name of process calling the indexer and time to service the query.
- A hash of the search scope (file, Outlook, OneNote, IE history)
- The state of the indices (fully optimized, partially optimized, being built)
|
+|Purchasing| Information about purchases made on the device such as:
- Product ID, edition ID, and product URI
- Offer details - price
- Order requested date/time
- Store client type - web or native client
- Purchase quantity and price
- Payment type - credit card type and PayPal
|
+|Entitlements | Information about entitlements on the device such as:
- Service subscription status and errors
- DRM and license rights details - Groove subscription or OS volume license
- Entitlement ID, lease ID, and package ID of the install package
- Entitlement revocation
- License type (trial, offline versus online) and duration
- License usage session
|
## Software Setup and Inventory data
@@ -90,7 +90,7 @@ This type of data includes software installation and update information on the d
| Category Name | Data Examples |
| - | - |
| Installed Applications and Install History | Information about apps, drivers, update packages, or OS components installed on the device such as:
- App, driver, update package, or component’s Name, ID, or Package Family Name
- Product, SKU, availability, catalog, content, and Bundle IDs
- OS component, app or driver publisher, language, version and type (Win32 or UWP)
- Install date, method, and install directory, count of install attempts
- MSI package code and product code
- Original OS version at install time
- User or administrator or mandatory installation/update
- Installation type – clean install, repair, restore, OEM, retail, upgrade, and update
|
-| Device update information | Information about Windows Update such as:
- Update Readiness analysis of device hardware, OS components, apps, and drivers (progress, status, and results)
- Number of applicable updates, importance, type
- Update download size and source -- CDN or LAN peers
- Delay upgrade status and configuration
- OS uninstall and rollback status and count
- Windows Update server and service URL
- Windows Update machine ID
- Windows Insider build details
+| Device update information | Information about Windows Update such as:
- Update Readiness analysis of device hardware, OS components, apps, and drivers (progress, status, and results)
- Number of applicable updates, importance, type
- Update download size and source - CDN or LAN peers
- Delay upgrade status and configuration
- OS uninstall and rollback status and count
- Windows Update server and service URL
- Windows Update machine ID
- Windows Insider build details
## Browsing History data
@@ -98,7 +98,7 @@ This type of data includes details about web browsing in the Microsoft browsers.
| Category Name | Description and Examples |
| - | - |
-| Microsoft browser data | Information about Address bar and search box performance on the device such as:- Text typed in address bar and search box
- Text selected for Ask Cortana search
- Service response time
- Auto-completed text if there was an auto-complete
- Navigation suggestions provided based on local history and favorites
- Browser ID
- URLs (which may include search terms)
- Page title
|
+| Microsoft browser data | Information about Address bar and search box performance on the device such as:- Text typed in address bar and search box
- Text selected for Ask Cortana search
- Service response time
- Autocompleted text if there was an autocomplete
- Navigation suggestions provided based on local history and favorites
- Browser ID
- URLs (which may include search terms)
- Page title
|
## Inking Typing and Speech Utterance data
@@ -107,4 +107,4 @@ This type of data gathers details about the voice, inking, and typing input feat
| Category Name | Description and Examples |
| - | - |
-| Voice, inking, and typing | Information about voice, inking and typing features such as:
- Type of pen used (highlighter, ball point, pencil), pen color, stroke height and width, and how long it is used
- Pen gestures (click, double click, pan, zoom, rotate)
- Palm Touch x,y coordinates
- Input latency, missed pen signals, number of frames, strokes, first frame commit time, sample rate
- Ink strokes written, text before and after the ink insertion point, recognized text entered, Input language - processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values) which could be used to reconstruct the original content or associate the input to the user.
- Text input from Windows Mobile on-screen keyboards except from password fields and private sessions - processed to remove identifiers, sequencing information, and other data (such as email addresses, and numeric values) which could be used to reconstruct the original content or associate the input to the user.
- Text of speech recognition results -- result codes and recognized text
- Language and model of the recognizer, System Speech language
- App ID using speech features
- Whether user is known to be a child
- Confidence and Success/Failure of speech recognition
|
+| Voice, inking, and typing | Information about voice, inking, and typing features such as:
- Type of pen used (highlighter, ball point, pencil), pen color, stroke height and width, and how long it is used
- Pen gestures (click, double-click, pan, zoom, rotate)
- Palm Touch x,y coordinates
- Input latency, missed pen signals, number of frames, strokes, first frame commit time, sample rate
- Ink strokes written, text before and after the ink insertion point, recognized text entered, Input language - processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values) which could be used to reconstruct the original content or associate the input to the user.
- Text input from Windows Mobile on-screen keyboards except from password fields and private sessions - processed to remove identifiers, sequencing information, and other data (such as email addresses, and numeric values) which could be used to reconstruct the original content or associate the input to the user.
- Text of speech recognition results - result codes and recognized text
- Language and model of the recognizer, System Speech language
- App ID using speech features
- Whether user is known to be a child
- Confidence and Success/Failure of speech recognition
|
diff --git a/windows/privacy/windows-diagnostic-data.md b/windows/privacy/windows-diagnostic-data.md
index 150b4905bd..2fc94568eb 100644
--- a/windows/privacy/windows-diagnostic-data.md
+++ b/windows/privacy/windows-diagnostic-data.md
@@ -28,7 +28,7 @@ Applies to:
Microsoft uses Windows diagnostic data to keep Windows secure and up-to-date, troubleshoot problems, and make product improvements. For users who have turned on "Tailored experiences", it can also be used to offer you personalized tips, ads, and recommendations to enhance Microsoft products and services for your needs. This article describes all types of diagnostic data collected by Windows at the Full level (inclusive of data collected at Basic), with comprehensive examples of data we collect per each type. For additional, detailed technical descriptions of Basic data items, see [Windows 10, version 20H2 required diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields).
-In addition, this article provides references to equivalent definitions for the data types and examples from [ISO/IEC 19944:2017 Information technology -- Cloud computing -- Cloud services and devices: Data flow, data categories and data use](https://www.iso.org/standard/66674.html). Each data type also has a Data Use statement, for diagnostics and for Tailored experiences on the device, using the terms as defined by the standard. These Data Use statements define the purposes for which Microsoft processes each type of Windows diagnostic data, using a uniform set of definitions referenced at the end of this document and based on the ISO standard. Reference to the ISO standard provides additional clarity about the information collected, and allows easy comparison with other services or guidance that also references the standard.
+In addition, this article provides references to equivalent definitions for the data types and examples from [ISO/IEC 19944:2017 Information technology - Cloud computing - Cloud services and devices: Data flow, data categories, and data use](https://www.iso.org/standard/66674.html). Each data type also has a Data Use statement, for diagnostics and for Tailored experiences on the device, using the terms as defined by the standard. These Data Use statements define the purposes for which Microsoft processes each type of Windows diagnostic data, using a uniform set of definitions referenced at the end of this document and based on the ISO standard. Reference to the ISO standard provides additional clarity about the information collected, and allows easy comparison with other services or guidance that also references the standard.
The data covered in this article is grouped into the following types:
@@ -52,21 +52,21 @@ Header data supports the use of data associated with all diagnostic events. Ther
Information that is added to most diagnostic events, if relevant and available:
-- Diagnostic level -- Basic or Full, Sample level -- for sampled data, what sample level is this device opted into (8.2.3.2.4 Observed Usage of the Service Capability)
+- Diagnostic level - Basic or Full, Sample level - for sampled data, what sample level is this device opted into (8.2.3.2.4 Observed Usage of the Service Capability)
- Operating system name, version, build, and locale (8.2.3.2.2 Telemetry data)
- Event collection time (8.2.3.2.2 Telemetry data)
-- User ID -- a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic - diagnostic data (8.2.5 Account data)
+- User ID - a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic - diagnostic data (8.2.5 Account data)
- Xbox UserID (8.2.5 Account data)
-- Device ID -- This is not the user provided device name, but an ID that is unique for that device. (8.2.3.2.3 Connectivity data)
-- Device class -- Desktop, Server, or Mobile (8.2.3.2.3 Connectivity data)
-- Environment from which the event was logged -- Application ID of app or component that logged the event, Session GUID. Used to track events over a given period of time, such as the amount of time an app is running or between boots of the operating system (8.2.4 Cloud service provider data)
+- Device ID - This ID is not the user provided device name, but an ID that is unique for that device. (8.2.3.2.3 Connectivity data)
+- Device class - Desktop, Server, or Mobile (8.2.3.2.3 Connectivity data)
+- Environment from which the event was logged - Application ID of app or component that logged the event, Session GUID. Used to track events over a given period of time, such as the amount of time an app is running or between boots of the operating system (8.2.4 Cloud service provider data)
- Diagnostic event name, Event ID, ETW opcode, version, schema signature, keywords, and flags (8.2.4 Cloud service provider data)
- HTTP header information, including the IP address. This IP address is the source address that’s provided by the network packet header and received by the diagnostics ingestion service (8.2.4 Cloud service provider data)
- Various IDs that are used to correlate and sequence related events together (8.2.4 Cloud service provider data)
## Device, Connectivity, and Configuration data
-This type of data includes details about the device, its configuration and connectivity capabilities, and status. Device, Connectivity, and Configuration Data is equivalent to ISO/IEC 19944:2017, 8.2.3.2.3 Connectivity data.
+This type of data includes details about the device, its configuration and connectivity capabilities, and status. Device, Connectivity, and Configuration data is equivalent to ISO/IEC 19944:2017, 8.2.3.2.3 Connectivity data.
### Data Use for Device, Connectivity, and Configuration data
@@ -88,41 +88,41 @@ If a user has enabled Tailored experiences on the device, [Pseudonymized](#pseud
- Data about device properties and capabilities is used to provide tips about how to use or configure the device to get the best performance and user experience.
-- Data about device capabilities, such as whether the device is pen-enabled, is used to recommend (Microsoft and third-party) apps that are appropriate for the device. These may be free or paid apps.
+- Data about device capabilities, such as whether the device is pen-enabled, is used to recommend (Microsoft and third-party) apps that are appropriate for the device. These apps might be free or paid.
### Data Description for Device, Connectivity, and Configuration data type
-**Device properties sub-type:** Information about the operating system and device hardware
+**Device properties subtype:** Information about the operating system and device hardware
- Operating system - version name, edition
- Installation type, subscription status, and genuine operating system status
- Processor architecture, speed, number of cores, manufacturer, and model
-- OEM details --manufacturer, model, and serial number
+- OEM details - manufacturer, model, and serial number
- Device identifier and Xbox serial number
-- Firmware/BIOS operating system -- type, manufacturer, model, and version
-- Memory -- total memory, video memory, speed, and how much memory is available after the device has reserved memory
-- Storage -- total capacity and disk type
-- Battery -- charge capacity and InstantOn support
+- Firmware/BIOS operating system - type, manufacturer, model, and version
+- Memory - total memory, video memory, speed, and how much memory is available after the device has reserved memory
+- Storage - total capacity and disk type
+- Battery - charge capacity and InstantOn support
- Hardware chassis type, color, and form factor
-- Is this a virtual machine?
+- Is this machine a virtual machine?
-**Device capabilities sub-type:** Information about the capabilities of the device
+**Device capabilities subtype:** Information about the capabilities of the device
-- Camera -- whether the device has a front facing camera, a rear facing camera, or both.
-- Touch screen -- Whether the device has a touch screen? If yes, how many hardware touch points are supported?
-- Processor capabilities -- CompareExchange128, LahfSahf, NX, PrefetchW, and SSE2
-- Trusted Platform Module (TPM) -- whether a TPM exists and if yes, what version
-- Virtualization hardware -- whether an IOMMU exists, whether it includes SLAT support, and whether virtualization is enabled in the firmware
-- Voice -- whether voice interaction is supported and the number of active microphones
+- Camera - whether the device has a front facing camera, a rear facing camera, or both.
+- Touch screen - Does the device have a touch screen? If yes, how many hardware touch points are supported?
+- Processor capabilities - CompareExchange128, LahfSahf, NX, PrefetchW, and SSE2
+- Trusted Platform Module (TPM) - whether a TPM exists and if yes, what version
+- Virtualization hardware - whether an IOMMU exists, whether it includes SLAT support, and whether virtualization is enabled in the firmware
+- Voice - whether voice interaction is supported and the number of active microphones
- Number of displays, resolutions, and DPI
- Wireless capabilities
- OEM or platform face detection
- OEM or platform video stabilization and quality-level set
- Advanced Camera Capture mode (HDR versus Low Light), OEM versus platform implementation, HDR probability, and Low Light probability
-**Device preferences and settings sub-type:** Information about the device settings and user preferences
+**Device preferences and settings subtype:** Information about the device settings and user preferences
-- User Settings -- System, Device, Network & Internet, Personalization, Cortana, Apps, Accounts, Time & Language, Gaming, Ease of Access, Privacy, Update & Security
+- User Settings - System, Device, Network & Internet, Personalization, Cortana, Apps, Accounts, Time & Language, Gaming, Ease of Access, Privacy, Update & Security
- User-provided device name
- Whether device is domain-joined, or cloud-domain joined (for example, part of a company-managed network)
- Hashed representation of the domain name
@@ -136,7 +136,7 @@ If a user has enabled Tailored experiences on the device, [Pseudonymized](#pseud
- App store update settings
- Enterprise OrganizationID, Commercial ID
-**Device peripherals sub-type:** Information about the peripherals of the device
+**Device peripherals subtype:** Information about the peripherals of the device
- Peripheral name, device model, class, manufacturer, and description
- Peripheral device state, install state, and checksum
@@ -145,7 +145,7 @@ If a user has enabled Tailored experiences on the device, [Pseudonymized](#pseud
- Driver state, problem code, and checksum
- Whether driver is kernel mode, signed, and image size
-**Device network info sub-type:** Information about the device network configuration
+**Device network info subtype:** Information about the device network configuration
- Network system capabilities
- Local or Internet connectivity status
@@ -170,7 +170,7 @@ If a user has enabled Tailored experiences on the device, [Pseudonymized](#pseud
- Mobile Equipment ID (IMEI) and Mobile Country Code (MCCO)
- Mobile operator and service provider name
- Available SSIDs and BSSIDs
-- IP Address type -- IPv4 or IPv6
+- IP Address type - IPv4 or IPv6
- Signal Quality percentage and changes
- Hotspot presence detection and success rate
- TCP connection performance
@@ -178,7 +178,7 @@ If a user has enabled Tailored experiences on the device, [Pseudonymized](#pseud
- Hashed IP address
## Product and Service Usage data
-This type of data includes details about the usage of the device, operating system, applications and services. Product and Service Usage data is equivalent to ISO/IEC 19944:2017, 8.2.3.2.4 Observed Usage of the Service Capability.
+This type of data includes details about the usage of the device, operating system, applications, and services. Product and Service Usage data is equivalent to ISO/IEC 19944:2017, 8.2.3.2.4 Observed Usage of the Service Capability.
### Data Use for Product and Service Usage data
@@ -195,16 +195,16 @@ This type of data includes details about the usage of the device, operating syst
**With (optional) Tailored experiences:**
If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Usage data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Usage data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example:
-- If data shows that a user has not used a particular feature of Windows, we may recommend that the user try that feature.
-- Data about which apps are most-used on a device is used to provide recommendations for similar or complementary (Microsoft or third-party) apps. These may be free or paid apps.
+- If data shows that a user has not used a particular feature of Windows, we might recommend that the user try that feature.
+- Data about which apps are most-used on a device is used to provide recommendations for similar or complementary (Microsoft or third-party) apps. These apps might be free or paid.
### Data Description for Product and Service Usage data type
-**App usage sub-type:** Information about Windows and application usage
+**App usage subtype:** Information about Windows and application usage
- Operating system component and app feature usage
-- User navigation and interaction with app and Windows features. This could potentially include user input, such as name of a new alarm set, user menu choices, or user favorites
+- User navigation and interaction with app and Windows features. This information could include user input, such as the name of a new alarm set, user menu choices, or user favorites
- Time of and count of app and component launches, duration of use, session GUID, and process ID
- App time in various states –- running in the foreground or background, sleeping, or receiving active user interaction
- User interaction method and duration –- whether the user used a keyboard, mouse, pen, touch, speech, or game controller, and for how long
@@ -215,9 +215,9 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
- Incoming and outgoing calls and voicemail usage statistics on primary or secondary lines
- Emergency alerts are received or displayed statistics
- Content searches within an app
-- Reading activity -- bookmarked, printed, or had the layout changed
+- Reading activity - bookmarked, printed, or had the layout changed
-**App or product state sub-type:** Information about Windows and application state
+**App or product state subtype:** Information about Windows and application state
- Start Menu and Taskbar pins
- Online and offline status
@@ -225,18 +225,18 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
- Personalization impressions delivered
- Whether the user clicked on, or hovered over, UI controls or hotspots
- User provided feedback, such as Like, Dislike or a rating
-- Caret location or position within documents and media files -- how much has been read in a book in a single session, or how much of a song has been listened to.
+- Caret location or position within documents and media files - how much has been read in a book in a single session, or how much of a song has been listened to.
-**Purchasing sub-type:** Information about purchases made on the device
+**Purchasing subtype:** Information about purchases made on the device
-- Product ID, edition ID and product URI
-- Offer details -- price
+- Product ID, edition ID, and product URI
+- Offer details - price
- Date and time an order was requested
-- Microsoft Store client type -- web or native client
+- Microsoft Store client type - web or native client
- Purchase quantity and price
-- Payment type -- credit card type and PayPal
+- Payment type - credit card type and PayPal
-**Login properties sub-type:** Information about logins on the device
+**Login properties subtype:** Information about logins on the device
- Login success or failure
- Login sessions and state
@@ -259,21 +259,21 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
- Data about battery performance on a device may be used to recommend settings changes that can improve battery performance.
- If data shows a device is running low on file storage, we may recommend Windows-compatible cloud storage solutions to free up space.
-- If data shows the device is experiencing performance issues, we may provide recommendations for Windows apps that can help diagnose or resolve these issues. These may be free or paid apps.
+- If data shows the device is experiencing performance issues, we may provide recommendations for Windows apps that can help diagnose or resolve these issues. These apps might be free or paid.
**Microsoft doesn't use crash and hang dump data to [personalize](#personalize), [recommend](#recommend), [offer](#offer), or [promote](#promote) any product or service.**
### Data Description for Product and Service Performance data type
-**Device health and crash data sub-type:** Information about the device and software health
+**Device health and crash data subtype:** Information about the device and software health
- Error codes and error messages, name and ID of the app, and process reporting the error
-- DLL library predicted to be the source of the error -- for example, xyz.dll
-- System generated files -- app or product logs and trace files to help diagnose a crash or hang
+- DLL library predicted to be the source of the error - for example, xyz.dll
+- System-generated files - app or product logs and trace files to help diagnose a crash or hang
- System settings, such as registry keys
-- User generated files -- files that are indicated as a potential cause for a crash or hang. For example, .doc, .ppt, .csv files
+- User-generated files - files that are indicated as a potential cause for a crash or hang. For example, .doc, .ppt, .csv files
- Details and counts of abnormal shutdowns, hangs, and crashes
-- Crash failure data -- operating system, operating system component, driver, device, and 1st and 3rd-party app data
+- Crash failure data - operating system, operating system component, driver, device, and first-party and third-party app data
- Crash and hang dumps, including:
- The recorded state of the working memory at the point of the crash
- Memory in-use by the kernel at the point of the crash.
@@ -281,43 +281,43 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
- All the physical memory used by Windows at the point of the crash
- Class and function name within the module that failed.
-**Device performance and reliability data sub-type:** Information about the device and software performance
+**Device performance and reliability data subtype:** Information about the device and software performance
-- User interface interaction durations -- Start menu display times, browser tab switch times, app launch and switch times, and Cortana and Search performance and reliability
-- Device on and off performance -- Device boot, shutdown, power on and off, lock and unlock times, and user authentication times (fingerprint and face recognition durations)
-- In-app responsiveness -- time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Microsoft Store transaction
-- User input responsiveness -- onscreen keyboard invocation times for different languages, time to show auto-complete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score
-- UI and media performance and glitches versus smoothness -- video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance
-- Disk footprint -- Free disk space, out of memory conditions, and disk score
-- Excessive resource utilization -- components impacting performance or battery life through high CPU usage during different screen and power states
-- Background task performance -- download times, Windows Update scan duration, Microsoft Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results
-- Peripheral and devices -- USB device connection times, time to connect to a wireless display, printing times, network availability and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP etc.), smart card authentication times, automatic brightness, and environmental response times
-- Device setup -- first setup experience times (time to install updates, install apps, connect to network, and so on), time to recognize connected devices (printer and monitor), and time to set up a Microsoft Account
-- Power and Battery life -- power draw by component (Process/CPU/GPU/Display), hours of time the screen is off, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use while the screen is off, auto-brightness details, time device is plugged into AC versus battery, and battery state transitions
-- Service responsiveness -- Service URI, operation, latency, service success and error codes, and protocol
-- Diagnostic heartbeat -- regular signal used to validate the health of the diagnostics system
+- User interface interaction durations - Start menu display times, browser tab switch times, app launch and switch times, and Cortana and Search performance and reliability
+- Device on and off performance - Device boot, shutdown, power on and off, lock and unlock times, and user authentication times (fingerprint and face recognition durations)
+- In-app responsiveness - time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Microsoft Store transaction
+- User input responsiveness - onscreen keyboard invocation times for different languages, time to show autocomplete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score
+- UI and media performance and glitches versus smoothness - video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance
+- Disk footprint - Free disk space, out of memory conditions, and disk score
+- Excessive resource utilization - components impacting performance or battery life through high CPU usage during different screen and power states
+- Background task performance - download times, Windows Update scan duration, Microsoft Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results
+- Peripheral and devices - USB device connection times, time to connect to a wireless display, printing times, network availability and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP etc.), smart card authentication times, automatic brightness, and environmental response times
+- Device setup - first setup experience times (time to install updates, install apps, connect to network, and so on), time to recognize connected devices (printer and monitor), and time to set up a Microsoft Account
+- Power and Battery life - power draw by component (Process/CPU/GPU/Display), hours of time the screen is off, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use while the screen is off, autobrightness details, time device is plugged into AC versus battery, and battery state transitions
+- Service responsiveness - Service URI, operation, latency, service success and error codes, and protocol
+- Diagnostic heartbeat - regular signal used to validate the health of the diagnostics system
-**Movies sub-type:** Information about movie consumption functionality on the device
+**Movies subtype:** Information about movie consumption functionality on the device
> [!NOTE]
> This isn't intended to capture user viewing, listening, or habits.
- Video Width, height, color palette, encoding (compression) type, and encryption type
-- Instructions about how to stream content for the user -- the smooth streaming manifest of content file chunks that must be pieced together to stream the content based on screen resolution and bandwidth
+- Instructions about how to stream content for the user - the smooth streaming manifest of content file chunks that must be pieced together to stream the content based on screen resolution and bandwidth
- URL for a specific two-second chunk of content if there is an error
- Full-screen viewing mode details
-**Music & TV sub-type:** Information about music and TV consumption on the device
+**Music & TV subtype:** Information about music and TV consumption on the device
> [!NOTE]
> This isn't intended to capture user viewing, listening, or habits.
-- Service URL for song being downloaded from the music service -- collected when an error occurs to facilitate restoration of service
+- Service URL for song being downloaded from the music service - collected when an error occurs to facilitate restoration of service
- Content type (video, audio, or surround audio)
-- Local media library collection statistics -- number of purchased tracks and number of playlists
-- Region mismatch -- User's operating system region and Xbox Live region
+- Local media library collection statistics - number of purchased tracks and number of playlists
+- Region mismatch - User's operating system region and Xbox Live region
-**Reading sub-type:** Information about reading consumption functionality on the device
+**Reading subtype:** Information about reading consumption functionality on the device
> [!NOTE]
> This isn't intended to capture user viewing, listening, or habits.
@@ -327,42 +327,42 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
- Time spent reading content
- Content type and size details
-**Photos app sub-type:** Information about photos usage on the device
+**Photos app subtype:** Information about photos usage on the device
> [!NOTE]
> This isn't intended to capture user viewing, listening, or habits.
-- File source data -- local, SD card, network device, and OneDrive
+- File source data - local, SD card, network device, and OneDrive
- Image and video resolution, video length, file sizes types, and encoding
- Collection view or full screen viewer use and duration of view
-**On-device file query sub-type:** Information about local search activity on the device
+**On-device file query subtype:** Information about local search activity on the device
-- Kind of query issued and index type (ConstraintIndex or SystemIndex)
+- Type of query issued and index type (ConstraintIndex or SystemIndex)
- Number of items requested and retrieved
- File extension of search result with which the user interacted
- Launched item type, file extension, index of origin, and the App ID of the opening app
- Name of process calling the indexer and the amount of time to service the query
- A hash of the search scope (file, Outlook, OneNote, or IE history). The state of the indices (fully optimized, partially optimized, or being built)
-**Entitlements sub-type:** Information about entitlements on the device
+**Entitlements subtype:** Information about entitlements on the device
- Service subscription status and errors
-- DRM and license rights details -- Groove subscription or operating system volume license
+- DRM and license rights details - Groove subscription or operating system volume license
- Entitlement ID, lease ID, and package ID of the install package
- Entitlement revocation
- License type (trial, offline versus online) and duration
- License usage session
## Software Setup and Inventory data
-This type of data includes software installation and update information on the device. Software Setup and Inventory Data is a sub-type of ISO/IEC 19944:2017 8.2.3.2.4 Observed Usage of the Service Capability.
+This type of data includes software installation and update information on the device. Software Setup and Inventory Data is a subtype of ISO/IEC 19944:2017 8.2.3.2.4 Observed Usage of the Service Capability.
### Data Use for Software Setup and Inventory data
**For Diagnostics:**
[Pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example:
-- Data about the specific drivers that are installed on a device is used to understand whether there are any hardware or driver compatibility issues which should block or delay a Windows update.
+- Data about the specific drivers that are installed on a device is used to understand whether there are any hardware or driver compatibility issues that should block or delay a Windows update.
- Data about when a download starts and finishes on a device is used to understand and address download problems.
- Data about the specific Microsoft Store apps that are installed on a device is used to determine which app updates to provide to the device.
- Data about the antimalware installed on a device is used to understand malware transmissions vectors.
@@ -374,7 +374,7 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
### Data Description for Software Setup and Inventory data type
-**Installed applications and install history sub-type:** Information about apps, drivers, update packages, or operating system components installed on the device
+**Installed applications and install history subtype:** Information about apps, drivers, update packages, or operating system components installed on the device
- App, driver, update package, or component’s Name, ID, or Package Family Name
- Product, SKU, availability, catalog, content, and Bundle IDs
@@ -383,13 +383,13 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
- MSI package and product code
- Original operating system version at install time
- User, administrator, or mandatory installation or update
-- Installation type -- clean install, repair, restore, OEM, retail, upgrade, or update
+- Installation type - clean install, repair, restore, OEM, retail, upgrade, or update
-**Device update information sub-type:** Information about apps, drivers, update packages, or operating system components installed on the device
+**Device update information subtype:** Information about apps, drivers, update packages, or operating system components installed on the device
- Update Readiness analysis of device hardware, operating system components, apps, and drivers (progress, status, and results)
- Number of applicable updates, importance, and type
-- Update download size and source -- CDN or LAN peers
+- Update download size and source - CDN or LAN peers
- Delay upgrade status and configuration
- Operating system uninstall and rollback status and count
- Windows Update server and service URL
@@ -397,7 +397,7 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud
- Windows Insider build details
## Browsing History data
-This type of data includes details about web browsing in the Microsoft browsers. Browsing History data is equivalent to ISO/IEC 19944:2017 8.2.3.2.8 Client side browsing history.
+This type of data includes details about web browsing in the Microsoft browsers. Browsing History data is equivalent to ISO/IEC 19944:2017 8.2.3.2.8 Client-side browsing history.
### Data Use for Browsing History data
@@ -413,23 +413,23 @@ This type of data includes details about web browsing in the Microsoft browsers.
**With (optional) Tailored experiences:**
If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Browsing History data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Browsing History data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example:
-- We may recommend that a user download a compatible app from the Microsoft Store if they have browsed to the related website. For example, if a user uses the Facebook website, we may recommend the Facebook app.
+- We might recommend that a user download a compatible app from the Microsoft Store if they have browsed to the related website. For example, if a user uses the Facebook website, we may recommend the Facebook app.
### Data Description for Browsing History data type
-**Microsoft browser data sub-type:** Information about **Address** bar and **Search** box performance on the device
+**Microsoft browser data subtype:** Information about **Address** bar and **Search** box performance on the device
- Text typed in **Address** bar and **Search** box
- Text selected for an Ask Cortana search
- Service response time
-- Auto-completed text, if there was an auto-complete
+- Autocompleted text, if there was an autocomplete
- Navigation suggestions provided based on local history and favorites
- Browser ID
- URLs (may include search terms)
- Page title
## Inking Typing and Speech Utterance data
-This type of data gathers details about the voice, inking, and typing input features on the device. Inking, Typing and Speech Utterance data is a sub-type of ISO/IEC 19944:2017 8.2.3.2.1 End User Identifiable information.
+This type of data gathers details about the voice, inking, and typing input features on the device. Inking, Typing, and Speech Utterance data is a subtype of ISO/IEC 19944:2017 8.2.3.2.1 End User Identifiable information.
### Data Use for Inking, Typing, and Speech Utterance data
@@ -438,7 +438,7 @@ This type of data gathers details about the voice, inking, and typing input feat
- Data about words marked as spelling mistakes and replaced with another word from the context menu is used to improve the spelling feature.
- Data about alternate words shown and selected by the user after right-clicking is used to improve the word recommendation feature.
-- Data about auto-corrected words that were restored back to the original word by the user is used to improve the auto-correct feature.
+- Data about autocorrected words that were restored back to the original word by the user is used to improve the autocorrect feature.
- Data about whether Narrator detected and recognized a touch gesture is used to improve touch gesture recognition.
- Data about handwriting samples sent from the Handwriting Panel is used to help Microsoft improve handwriting recognition.
@@ -448,15 +448,15 @@ This type of data gathers details about the voice, inking, and typing input feat
### Data Description for Inking, Typing, and Speech Utterance data type
-**Voice, inking, and typing sub-type:** Information about voice, inking and typing features
+**Voice, inking, and typing subtype:** Information about voice, inking, and typing features
- Type of pen used (highlighter, ball point, or pencil), pen color, stroke height and width, and how long it is used
- Pen gestures (click, double click, pan, zoom, or rotate)
- Palm Touch x,y coordinates
- Input latency, missed pen signals, number of frames, strokes, first frame commit time, and sample rate
-- Ink strokes written, text before and after the ink insertion point, recognized text entered, input language -- processed to remove identifiers, sequencing information, and other data (such as email addresses and - numeric values), which could be used to reconstruct the original content or associate the input to the user
-- Text input from Windows 10 Mobile on-screen keyboards, except from password fields and private sessions -- processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values), which could be used to reconstruct the original content or associate the input to the user
-- Text of speech recognition results -- result codes and recognized text
+- Ink strokes written, text before and after the ink insertion point, recognized text entered, input language - processed to remove identifiers, sequencing information, and other data (such as email addresses and - numeric values), which could be used to reconstruct the original content or associate the input to the user
+- Text input from Windows 10 Mobile on-screen keyboards, except from password fields and private sessions - processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values), which could be used to reconstruct the original content or associate the input to the user
+- Text of speech recognition results - result codes and recognized text
- Language and model of the recognizer and the System Speech language
- App ID using speech features
- Whether user is known to be a child
@@ -496,9 +496,9 @@ Use of the specified data categories give recommendations about Microsoft produc
ISO/IEC 19944:2017 Reference: **9.3.5 Offer upgrades or upsell**
-Implies the source of the data is Microsoft products and services, and the upgrades offered come from Microsoft products and services that are relevant to the context of the current capability. The target audience for the offer is Microsoft customers.
+Implies that the source of the data is Microsoft products and services, and the upgrades offered come from Microsoft products and services that are relevant to the context of the current capability. The target audience for the offer is Microsoft customers.
-Specifically, use of the specified data categories to make an offer or upsell new capability or capacity of a Microsoft product or service which is (i) contextually relevant to the product or service in which it appears; (ii) likely to result in additional future revenue for Microsoft from end user; and (iii) Microsoft receives no consideration for placement.
+Specifically, use of the specified data categories to make an offer or upsell new capability or capacity of a Microsoft product or service that is (i) contextually relevant to the product or service in which it appears; (ii) likely to result in additional future revenue for Microsoft from end user; and (iii) Microsoft receives no consideration for placement.
### Promote
@@ -508,7 +508,7 @@ Use of the specified data categories to promote a product or service in or on a
### Data identification qualifiers
-Here are the list of data identification qualifiers and the ISO/IEC 19944:2017 reference:
+Here are the data identification qualifiers and the ISO/IEC 19944:2017 reference:
- **Pseudonymized Data** 8.3.3 Pseudonymized data. Microsoft usage notes are as defined.
- **Anonymized Data** 8.3.5 Anonymized data. Microsoft usage notes are as defined.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
index 73e002c7c2..5a790c046a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
@@ -57,9 +57,6 @@ The remainder of the provisioning includes Windows Hello for Business requesting
> **This synchronization latency delays the user's ability to authenticate and use on-premises resources until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources.
> Read [Azure AD Connect sync: Scheduler](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization.
-> [!NOTE]
-> Microsoft is actively investigating ways to reduce the synchronization latency and delays.
-
diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
index 4bf706bbbc..824c20a5f1 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
@@ -26,9 +26,9 @@ Debugging and tracing smart card issues requires a variety of tools and approach
- [Certutil](#certutil)
-- [Debugging and tracing using WPP](#debugging-and-tracing-using-wpp)
+- [Debugging and tracing using Windows software trace preprocessor (WPP)](#debugging-and-tracing-using-wpp)
-- [Kerberos protocol, KDC, and NTLM debugging and tracing](#kerberos-protocol-kdc-and-ntlm-debugging-and-tracing)
+- [Kerberos protocol, Key Distribution Center (KDC), and NTLM debugging and tracing](#kerberos-protocol-kdc-and-ntlm-debugging-and-tracing)
- [Smart Card service](#smart-card-service)
@@ -42,22 +42,22 @@ For a complete description of Certutil including examples that show how to use i
### List certificates available on the smart card
-To list certificates that are available on the smart card, type certutil -scinfo.
+To list certificates that are available on the smart card, type `certutil -scinfo`.
> [!NOTE]
> Entering a PIN is not required for this operation. You can press ESC if you are prompted for a PIN.
### Delete certificates on the smart card
-Each certificate is enclosed in a container. When you delete a certificate on the smart card, you are deleting the container for the certificate.
+Each certificate is enclosed in a container. When you delete a certificate on the smart card, you're deleting the container for the certificate.
-To find the container value, type certutil -scinfo.
+To find the container value, type `certutil -scinfo`.
To delete a container, type **certutil -delkey -csp "Microsoft Base Smart Card Crypto Provider"** "<*ContainerValue*>".
## Debugging and tracing using WPP
-Windows software trace preprocessor (WPP) simplifies tracing the operation of the trace provider. It provides a mechanism for the trace provider to log real-time binary messages. Logged messages can be converted to a human-readable trace of the operation. For more information, see [Diagnostics with WPP - The NDIS blog](https://blogs.msdn.com/b/ndis/archive/2011/04/06/diagnostics-with-wpp.aspx).
+WPP simplifies tracing the operation of the trace provider. It provides a mechanism for the trace provider to log real-time binary messages. Logged messages can be converted to a human-readable trace of the operation. For more information, see [Diagnostics with WPP - The NDIS blog](https://blogs.msdn.com/b/ndis/archive/2011/04/06/diagnostics-with-wpp.aspx).
### Enable the trace
@@ -65,21 +65,21 @@ Using WPP, use one of the following commands to enable tracing:
- **tracelog.exe -kd -rt -start** <*FriendlyName*> **-guid \#**<*GUID*> **-f .\\**<*LogFileName*>**.etl -flags** <*flags*> **-ft 1**
-- **logman start** <*FriendlyName*> **-ets -p {**<*GUID*>**} -**<*Flags*> **-ft 1 -rt -o .\\**<*LogFileName*>**.etl -mode 0x00080000*
+- **logman start** <*FriendlyName*> **-ets -p {**<*GUID*>**} -**<*Flags*> **-ft 1 -rt -o .\\**<*LogFileName*>**.etl -mode 0x00080000**
You can use the parameters in the following table.
| Friendly name | GUID | Flags |
|-------------------|--------------------------------------|-----------|
-| scardsvr | 13038e47-ffec-425d-bc69-5707708075fe | 0xffff |
-| winscard | 3fce7c5f-fb3b-4bce-a9d8-55cc0ce1cf01 | 0xffff |
-| basecsp | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7 |
-| scksp | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7 |
-| msclmd | fb36caf4-582b-4604-8841-9263574c4f2c | 0x7 |
-| credprov | dba0e0e0-505a-4ab6-aa3f-22f6f743b480 | 0xffff |
-| certprop | 30eae751-411f-414c-988b-a8bfa8913f49 | 0xffff |
-| scfilter | eed7f3c9-62ba-400e-a001-658869df9a91 | 0xffff |
-| wudfusbccid | a3c09ba3-2f62-4be5-a50f-8278a646ac9d | 0xffff |
+| `scardsvr` | 13038e47-ffec-425d-bc69-5707708075fe | 0xffff |
+| `winscard` | 3fce7c5f-fb3b-4bce-a9d8-55cc0ce1cf01 | 0xffff |
+| `basecsp` | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7 |
+| `scksp` | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7 |
+| `msclmd` | fb36caf4-582b-4604-8841-9263574c4f2c | 0x7 |
+| `credprov` | dba0e0e0-505a-4ab6-aa3f-22f6f743b480 | 0xffff |
+| `certprop` | 30eae751-411f-414c-988b-a8bfa8913f49 | 0xffff |
+| `scfilter` | eed7f3c9-62ba-400e-a001-658869df9a91 | 0xffff |
+| `wudfusbccid` | a3c09ba3-2f62-4be5-a50f-8278a646ac9d | 0xffff |
Examples
@@ -109,7 +109,7 @@ To stop a trace:
- **logman -stop scardsvr -ets**
-## Kerberos protocol, KDC and NTLM debugging and tracing
+## Kerberos protocol, KDC, and NTLM debugging and tracing
@@ -119,11 +119,11 @@ You can use these resources to troubleshoot these protocols and the KDC:
- [Windows Driver Kit (WDK) and Debugging Tools for Windows (WinDbg)](https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit). You can use the trace log tool in this SDK to debug Kerberos authentication failures.
-To begin tracing, you can use Tracelog. Different components use different control GUIDs as explained in these examples. For more information, see [Tracelog](https://msdn.microsoft.com/library/windows/hardware/ff552994.aspx).
+To begin tracing, you can use `Tracelog`. Different components use different control GUIDs as explained in these examples. For more information, see [`Tracelog`](https://msdn.microsoft.com/library/windows/hardware/ff552994.aspx).
### NTLM
-To enable tracing for NTLM authentication, run the following at the command line:
+To enable tracing for NTLM authentication, run the following command on the command line:
- **tracelog.exe -kd -rt -start ntlm -guid \#5BBB6C18-AA45-49b1-A15F-085F7ED0AA90 -f .\\ntlm.etl -flags 0x15003 -ft 1**
@@ -143,11 +143,11 @@ To stop tracing for Kerberos authentication, run this command:
### KDC
-To enable tracing for the Key Distribution Center (KDC), run the following at the command line:
+To enable tracing for the KDC, run the following command on the command line:
- **tracelog.exe -kd -rt -start kdc -guid \#1BBA8B19-7F31-43c0-9643-6E911F79A06B -f .\\kdc.etl -flags 0x803 -ft 1**
-To stop tracing for the KDC, run the following at the command line:
+To stop tracing for the KDC, run the following command on the command line:
- **tracelog.exe -stop kdc**
@@ -166,7 +166,7 @@ You can also configure tracing by editing the Kerberos registry values shown in
| Kerberos | HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos
Value name: LogToFile
Value type: DWORD
Value data: 00000001
HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters
Value name: KerbDebugLevel
Value type: DWORD
Value data: c0000043
HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters
Value name: LogToFile
Value type: DWORD
Value data: 00000001 |
| KDC | HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Kdc
Value name: KdcDebugLevel
Value type: DWORD
Value data: c0000803 |
-If you used Tracelog, look for the following log file in your current directory: kerb.etl/kdc.etl/ntlm.etl.
+If you used `Tracelog`, look for the following log file in your current directory: kerb.etl/kdc.etl/ntlm.etl.
If you used the registry key settings shown in the previous table, look for the trace log files in the following locations:
@@ -176,7 +176,7 @@ If you used the registry key settings shown in the previous table, look for the
- KDC: %systemroot%\\tracing\\kdcsvc
-To decode event trace files, you can use Tracefmt (tracefmt.exe). Tracefmt is a command-line tool that formats and displays trace messages from an event trace log file (.etl) or a real-time trace session. Tracefmt can display the messages in the Command Prompt window or save them in a text file. It is located in the \\tools\\tracing subdirectory of the Windows Driver Kit (WDK). For more information, see [Tracefmt](https://msdn.microsoft.com/library/ff552974.aspx).
+To decode event trace files, you can use `Tracefmt` (tracefmt.exe). `Tracefmt` is a command-line tool that formats and displays trace messages from an event trace log file (.etl) or a real-time trace session. `Tracefmt` can display the messages in the Command Prompt window or save them in a text file. It is located in the \\tools\\tracing subdirectory of the Windows Driver Kit (WDK). For more information, see [`Tracefmt`](https://msdn.microsoft.com/library/ff552974.aspx).
## Smart Card service
@@ -184,11 +184,11 @@ The smart card resource manager service runs in the context of a local service.
**To check if Smart Card service is running**
-1. Press CTRL+ALT+DEL, and then click **Start Task Manager**.
+1. Press CTRL+ALT+DEL, and then select **Start Task Manager**.
-2. In the **Windows Task Manager** dialog box, click the **Services** tab.
+2. In the **Windows Task Manager** dialog box, select the **Services** tab.
-3. Click the **Name** column to sort the list alphabetically, and then type **s**.
+3. Select the **Name** column to sort the list alphabetically, and then type **s**.
4. In the **Name** column, look for **SCardSvr**, and then look under the **Status** column to see if the service is running or stopped.
@@ -196,15 +196,15 @@ The smart card resource manager service runs in the context of a local service.
1. Run as administrator at the command prompt.
-2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
+2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
-3. At the command prompt, type **net stop SCardSvr**.
+3. At the command prompt, type `net stop SCardSvr`.
-4. At the command prompt, type **net start SCardSvr**.
+4. At the command prompt, type `net start SCardSvr`.
-You can use the following command at the command prompt to check whether the service is running: **sc queryex scardsvr**.
+You can use the following command at the command prompt to check whether the service is running: `sc queryex scardsvr`.
-This is an example output from this command:
+The following code sample is an example output from this command:
```console
SERVICE_NAME: scardsvr
@@ -228,14 +228,14 @@ As with any device connected to a computer, Device Manager can be used to view p
1. Navigate to **Computer**.
-2. Right-click **Computer**, and then click **Properties**.
+2. Right-click **Computer**, and then select **Properties**.
-3. Under **Tasks**, click **Device Manager**.
+3. Under **Tasks**, select **Device Manager**.
-4. In Device Manager, expand **Smart card readers**, select the name of the smart card reader you want to check, and then click **Properties**.
+4. In Device Manager, expand **Smart card readers**, select the name of the smart card reader you want to check, and then select **Properties**.
> [!NOTE]
-> If the smart card reader is not listed in Device Manager, in the **Action** menu, click **Scan for hardware changes**.
+> If the smart card reader is not listed in Device Manager, in the **Action** menu, select **Scan for hardware changes**.
## CryptoAPI 2.0 Diagnostics
diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md
index 19df534358..29b5df1daf 100644
--- a/windows/security/identity-protection/vpn/vpn-profile-options.md
+++ b/windows/security/identity-protection/vpn/vpn-profile-options.md
@@ -316,7 +316,7 @@ After you configure the settings that you want using ProfileXML, you can apply i
## Learn more
-- [Learn how to configure VPN connections in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/vpn-connections-in-microsoft-intune)
+- [Create VPN profiles to connect to VPN servers in Intune](https://docs.microsoft.com/mem/intune/configuration/vpn-settings-configure)
- [VPNv2 configuration service provider (CSP) reference](https://go.microsoft.com/fwlink/p/?LinkId=617588)
- [How to Create VPN Profiles in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=618028)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md
index d6bad09f03..c248a61b46 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.md
@@ -29,16 +29,16 @@ ms.custom: bitlocker
Stored information | Description
-------------------|------------
Hash of the TPM owner password | Beginning with Windows 10, the password hash is not stored in AD DS by default. The password hash can be stored only if the TPM is owned and the ownership was taken by using components of Windows 8.1 or earlier, such as the BitLocker Setup Wizard or the TPM snap-in.
-BitLocker recovery password | The recovery password allows you to unlock and access the drive in the event of a recovery incident. Domain administrators can view the BitLocker recovery password by using the BitLocker Recovery Password Viewer. For more information about this tool, see [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md).
-BitLocker key package | The key package helps to repair damage to the hard disk that would otherwise prevent standard recovery. Using the key package for recovery requires the BitLocker Repair Tool, Repair-bde.
+BitLocker recovery password | The recovery password allows you to unlock and access the drive after a recovery incident. Domain administrators can view the BitLocker recovery password by using the BitLocker Recovery Password Viewer. For more information about this tool, see [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md).
+BitLocker key package | The key package helps to repair damage to the hard disk that would otherwise prevent standard recovery. Using the key package for recovery requires the BitLocker Repair Tool, `Repair-bde`.
## What if BitLocker is enabled on a computer before the computer has joined the domain?
-If BitLocker is enabled on a drive before Group Policy has been applied to enforce backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, you can use the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered** and **Choose how BitLocker-protected removable drives can be recovered** Group Policy settings to require that the computer be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in your organization is backed up to AD DS.
+If BitLocker is enabled on a drive before Group Policy has been applied to enforce a backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, you can use the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered**, and **Choose how BitLocker-protected removable drives can be recovered** Group Policy settings to require the computer to be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in your organization is backed up to AD DS.
For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
-The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The manage-bde command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the `$env:SystemDrive` to AD DS, you would use the following command script from an elevated command prompt:
+The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information; however, BitLocker does not automatically manage this process. The `manage-bde` command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the `$env:SystemDrive` to AD DS, you would use the following command script from an elevated command prompt:
```PowerShell
$BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive
@@ -61,13 +61,13 @@ Ultimately, determining whether a legitimate backup exists in AD DS requires qu
No. By design, BitLocker recovery password entries do not get deleted from AD DS; therefore, you might see multiple passwords for each drive. To identify the latest password, check the date on the object.
-## What happens if the backup initially fails? Will BitLocker retry the backup?
+## What happens if the backup initially fails? Will BitLocker retry it?
If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker does not try again to back up the recovery information to AD DS.
-When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, **Choose how BitLocker-protected removable data drives can be recovered** policy settings, this prevents users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker cannot be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization.
+When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, and **Choose how BitLocker-protected removable data drives can be recovered** policy settings, users can't enable BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker cannot be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization.
For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
-When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a script for the backup, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain) to capture the information after connectivity is restored.
+When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker will not automatically retry the backup if it fails. Instead, administrators can create a backup script, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain) to capture the information after connectivity is restored.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
index dc0d879c78..8ad995065c 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
@@ -1,6 +1,6 @@
---
title: BitLocker basic deployment (Windows 10)
-description: This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.
+description: This article for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.
ms.assetid: 97c646cb-9e53-4236-9678-354af41151c4
ms.reviewer:
ms.prod: w10
@@ -24,7 +24,7 @@ ms.custom: bitlocker
- Windows 10
-This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.
+This article for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.
## Using BitLocker to encrypt volumes
@@ -39,12 +39,12 @@ BitLocker encryption can be done using the following methods:
- BitLocker control panel
- Windows Explorer
-- manage-bde command line interface
+- manage-bde command-line interface
- BitLocker Windows PowerShell cmdlets
### Encrypting volumes using the BitLocker control panel
-Encrypting volumes with the BitLocker control panel (click **Start**, type **bitlocker**, click **Manage BitLocker**) is how many users will utilize BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet.
+Encrypting volumes with the BitLocker control panel (select **Start**, type *bitlocker*, select **Manage BitLocker**) is how many users will utilize BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data, and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet.
To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the BitLocker Drive Encryption Wizard. BitLocker Drive Encryption Wizard options vary based on volume type (operating system volume or data volume).
### Operating system volume
@@ -54,7 +54,7 @@ Upon launch, the BitLocker Drive Encryption Wizard verifies the computer meets t
|Requirement|Description|
|--- |--- |
|Hardware configuration|The computer must meet the minimum requirements for the supported Windows versions.|
-|Operating system|BitLocker is an optional feature which can be installed by Server Manager on Windows Server 2012 and later.|
+|Operating system|BitLocker is an optional feature that can be installed by Server Manager on Windows Server 2012 and later.|
|Hardware TPM|TPM version 1.2 or 2.0. A TPM is not required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.|
|BIOS configuration|
A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The boot order must be set to start first from the hard disk, and not the USB or CD drives. The firmware must be able to read from a USB flash drive during startup. |
|File system|For computers that boot natively with UEFI firmware, at least one FAT32 partition for the system drive and one NTFS partition for the operating system drive.
For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive.
For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.|
@@ -75,11 +75,11 @@ It is recommended that drives with little to no data utilize the **used disk spa
> [!NOTE]
> Deleted files appear as free space to the file system, which is not encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools.
-Selecting an encryption type and choosing **Next** will give the user the option of running a BitLocker system check (selected by default) which will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. It is recommended to run this system check before starting the encryption process. If the system check is not run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows.
+Selecting an encryption type and choosing **Next** will give the user the option of running a BitLocker system check (selected by default) which will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. We recommend running this system check before starting the encryption process. If the system check is not run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows.
After completing the system check (if selected), the BitLocker Drive Encryption Wizard will restart the computer to begin encryption. Upon reboot, users are required to enter the password chosen to boot into the operating system volume. Users can check encryption status by checking the system notification area or the BitLocker control panel.
-Until encryption is completed, the only available options for managing BitLocker involve manipulation of the password protecting the operating system volume, backing up the recovery key, and turning BitLocker off.
+Until encryption is completed, the only available options for managing BitLocker involve manipulation of the password protecting the operating system volume, backing up the recovery key, and turning off BitLocker.
### Data volume
@@ -97,12 +97,12 @@ Encryption status displays in the notification area or within the BitLocker cont
There is a new option for storing the BitLocker recovery key using the OneDrive. This option requires that computers are not members of a domain and that the user is using a Microsoft Account. Local accounts do not give the option to utilize OneDrive. Using the OneDrive option is the default, recommended recovery key storage method for computers that are not joined to a domain.
-Users can verify the recovery key was saved properly by checking their OneDrive for the BitLocker folder which is created automatically during the save process. The folder will contain two files, a readme.txt and the recovery key. For users storing more than one recovery password on their OneDrive,
+Users can verify the recovery key was saved properly by checking their OneDrive for the BitLocker folder that is created automatically during the save process. The folder will contain two files, a readme.txt and the recovery key. For users storing more than one recovery password on their OneDrive,
they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name.
### Using BitLocker within Windows Explorer
-Windows Explorer allows users to launch the BitLocker Drive Encryption wizard by right clicking on a volume and selecting **Turn On BitLocker**. This option is available on client computers by default. On servers, you must first install the BitLocker and Desktop-Experience features for this option to be available. After selecting **Turn on BitLocker**, the wizard works exactly as it does when launched using the BitLocker control panel.
+Windows Explorer allows users to launch the BitLocker Drive Encryption wizard by right-clicking a volume and selecting **Turn On BitLocker**. This option is available on client computers by default. On servers, you must first install the BitLocker and Desktop-Experience features for this option to be available. After selecting **Turn on BitLocker**, the wizard works exactly as it does when launched using the BitLocker control panel.
## Down-level compatibility
@@ -118,13 +118,13 @@ Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Window
|Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A|
|Partially encrypted volume from Windows 7|Windows 10 and Windows 8.1 will complete encryption regardless of policy|Windows 8 will complete encryption regardless of policy|N/A|
-## Encrypting volumes using the manage-bde command line interface
+## Encrypting volumes using the manage-bde command-line interface
Manage-bde is a command-line utility that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the options, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
-Manage-bde offers a multitude of wider options for configuring BitLocker. This means that using the command syntax may require care and possibly later customization by the user. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected.
+Manage-bde offers a multitude of wider options for configuring BitLocker. So using the command syntax may require care and possibly later customization by the user. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected.
-Command line users need to determine the appropriate syntax for a given situation. The following section covers general encryption for operating system volumes and data volumes.
+Command-line users need to determine the appropriate syntax for a given situation. The following section covers general encryption for operating system volumes and data volumes.
### Operating system volume
@@ -136,7 +136,7 @@ A good practice when using manage-bde is to determine the volume status on the t
`manage-bde -status`
-This command returns the volumes on the target, current encryption status and volume type (operating system or data) for each volume. Using this information, users can determine the best encryption method for their environment.
+This command returns the volumes on the target, current encryption status, and volume type (operating system or data) for each volume. Using this information, users can determine the best encryption method for their environment.
**Enabling BitLocker without a TPM**
@@ -149,29 +149,29 @@ manage-bde -on C:
**Enabling BitLocker with a TPM only**
-It is possible to encrypt the operating system volume without any defined protectors using manage-bde. The command to do this is:
+It is possible to encrypt the operating system volume without any defined protectors by using manage-bde. Use this command:
`manage-bde -on C:`
-This will encrypt the drive using the TPM as the protector. If a user is unsure of the protector for a volume, they can use the -protectors option in manage-bde to list this information with the command:
+This command will encrypt the drive using the TPM as the protector. If a user is unsure of the protector for a volume, they can use the -protectors option in manage-bde to list this information with the command:
`manage-bde -protectors -get `
**Provisioning BitLocker with two protectors**
-Another example is a user on non-TPM hardware who wishes to add a password and SID-based protector to the operating system volume. In this instance, the user adds the protectors first. This is done with the command:
+Another example is a user on non-TPM hardware who wishes to add a password and SID-based protector to the operating system volume. In this instance, the user adds the protectors first. Use this command:
`manage-bde -protectors -add C: -pw -sid `
-This command will require the user to enter and then confirm the password protector before adding them to the volume. With the protectors enabled on the volume, the user just needs to turn BitLocker on.
+This command will require the user to enter and then confirm the password protector before adding them to the volume. With the protectors enabled on the volume, the user just needs to turn on BitLocker.
### Data volume
-Data volumes use the same syntax for encryption as operating system volumes but they do not require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde -on ` or users can choose to add protectors to the volume. It is recommended that at least one primary protector and a recovery protector be added to a data volume.
+Data volumes use the same syntax for encryption as operating system volumes but they do not require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde -on ` or users can choose to add protectors to the volume. We recommend that you add at least one primary protector and a recovery protector to a data volume.
**Enabling BitLocker with a password**
-A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn BitLocker on.
+A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn on BitLocker.
```powershell
manage-bde -protectors -add -pw C:
@@ -322,7 +322,7 @@ Occasionally, all protectors may not be shown when using **Get-BitLockerVolume**
Get-BitLockerVolume C: | fl
```
-If you wanted to remove the existing protectors prior to provisioning BitLocker on the volume, you can utilize the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed.
+If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you can utilize the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this task requires the GUID associated with the protector to be removed.
A simple script can pipe the values of each **Get-BitLockerVolume** return out to another variable as seen below:
```powershell
@@ -330,7 +330,7 @@ $vol = Get-BitLockerVolume
$keyprotectors = $vol.KeyProtector
```
-Using this, we can display the information in the **$keyprotectors** variable to determine the GUID for each protector.
+Using this script, we can display the information in the **$keyprotectors** variable to determine the GUID for each protector.
Using this information, we can then remove the key protector for a specific volume using the command:
```powershell
@@ -343,7 +343,8 @@ Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}"
### Operating system volume
Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users a lot of flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them using the BitLocker cmdlets for Windows PowerShell.
-To enable BitLocker with just the TPM protector. This can be done using the command:
+
+To enable BitLocker with just the TPM protector, use this command:
```powershell
Enable-BitLocker C:
@@ -357,7 +358,7 @@ Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTes
### Data volume
-Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user defined password. Last, encryption begins.
+Data volume encryption using Windows PowerShell is the same as for operating system volumes. Add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user-defined password. Last, encryption begins.
```powershell
$pw = Read-Host -AsSecureString
@@ -365,14 +366,14 @@ $pw = Read-Host -AsSecureString
Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw
```
-### Using a SID based protector in Windows PowerShell
+### Using a SID-based protector in Windows PowerShell
-The ADAccountOrGroup protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover and be unlocked to any member computer of the cluster.
+The ADAccountOrGroup protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly fail over and be unlocked to any member computer of the cluster.
> [!WARNING]
> The SID-based protector requires the use of an additional protector (such as TPM, PIN, recovery key, etc.) when used on operating system volumes.
-To add an ADAccountOrGroup protector to a volume requires either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G.
+To add an ADAccountOrGroup protector to a volume, you need either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G.
```powershell
Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator
@@ -389,7 +390,7 @@ Get-ADUser -filter {samaccountname -eq "administrator"}
>
> **Tip:** In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features.
-In the example below, the user wishes to add a domain SID based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command:
+In the example below, the user wishes to add a domain SID-based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command:
```powershell
Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup ""
@@ -400,7 +401,7 @@ Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup "
## Checking BitLocker status
-To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, manage-bde command line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. We will look at each of the available methods in the following section.
+To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, manage-bde command-line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. We will look at each of the available methods in the following section.
### Checking BitLocker status with the control panel
@@ -421,7 +422,7 @@ Once BitLocker protector activation is completed, the completion notice is displ
### Checking BitLocker status with manage-bde
-Administrators who prefer a command line interface can utilize manage-bde to check volume status. Manage-bde is capable of returning more information about the volume than the graphical user interface tools in the control panel. For example, manage-bde can display the BitLocker version in use, the encryption type, and the protectors associated with a volume.
+Administrators who prefer a command-line interface can utilize manage-bde to check volume status. Manage-bde is capable of returning more information about the volume than the graphical user interface tools in the control panel. For example, manage-bde can display the BitLocker version in use, the encryption type, and the protectors associated with a volume.
To check the status of a volume using manage-bde, use the following command:
@@ -446,7 +447,7 @@ This command will display information about the encryption method, volume type,
### Provisioning BitLocker during operating system deployment
-Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation Environment. This is done with a randomly generated clear key protector applied to the formatted volume and encrypting the volume prior to running the Windows setup process. If the encryption uses the Used Disk Space Only option described later in this document, this step takes only a few seconds and incorporates well into regular deployment processes.
+Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation Environment. This task is done with a randomly generated clear key protector applied to the formatted volume and encrypting the volume prior to running the Windows setup process. If the encryption uses the Used Disk Space Only option described later in this document, this step takes only a few seconds and incorporates well into regular deployment processes.
### Decrypting BitLocker volumes
@@ -461,9 +462,9 @@ The control panel does not report decryption progress but displays it in the not
Once decryption is complete, the drive will update its status in the control panel and is available for encryption.
-### Decrypting volumes using the manage-bde command line interface
+### Decrypting volumes using the manage-bde command-line interface
-Decrypting volumes using manage-bde is very straightforward. Decryption with manage-bde offers the advantage of not requiring user confirmation to start the process. Manage-bde uses the -off command to start the decryption process. A sample command for decryption is:
+Decrypting volumes using manage-bde is straightforward. Decryption with manage-bde offers the advantage of not requiring user confirmation to start the process. Manage-bde uses the -off command to start the decryption process. A sample command for decryption is:
```powershell
manage-bde -off C:
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md
index ea8ab3bf7a..064a82cf8e 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.md
@@ -37,7 +37,7 @@ Generally it imposes a single-digit percentage performance overhead.
## How long will initial encryption take when BitLocker is turned on?
-Although BitLocker encryption occurs in the background while you continue to work, and the system remains usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If you are encrypting very large drives, you may want to set encryption to occur during times when you will not be using the drive.
+Although BitLocker encryption occurs in the background while you continue to work, and the system remains usable, encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If you are encrypting large drives, you may want to set encryption to occur during times when you will not be using the drive.
You can also choose whether or not BitLocker should encrypt the entire drive or just the used space on the drive when you turn on BitLocker. On a new hard drive, encrypting just the used spaced can be considerably faster than encrypting the entire drive. When this encryption option is selected, BitLocker automatically encrypts data as it is saved, ensuring that no data is stored unencrypted.
@@ -82,11 +82,11 @@ The TPM is not involved in any recovery scenarios, so recovery is still possible
## What can prevent BitLocker from binding to PCR 7?
-This happens if a non-Windows OS booted prior to Windows, or if Secure Boot is not available to the device, either because it has been disabled or the hardware does not support it.
+BitLocker can be prevented from binding to PCR 7 if a non-Windows OS booted prior to Windows, or if Secure Boot is not available to the device, either because it has been disabled or the hardware does not support it.
## Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive?
-Yes, you can swap multiple hard disks on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and operating system drive, so if you want to prepare a backup operating system or data drive for use in case of disk failure, you need to make sure that they were matched with the correct TPM. You can also configure different hard drives for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts.
+Yes, you can swap multiple hard disks on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and operating system drive. So if you want to prepare a backup operating system or data drive in case a disk fails, make sure that they were matched with the correct TPM. You can also configure different hard drives for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts.
## Can I access my BitLocker-protected drive if I insert the hard disk into a different computer?
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
index f31dcd8374..4f3681db63 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
@@ -1,6 +1,6 @@
---
title: BitLocker recovery guide (Windows 10)
-description: This topic for IT professionals describes how to recover BitLocker keys from AD DS.
+description: This article for IT professionals describes how to recover BitLocker keys from AD DS.
ms.assetid: d0f722e9-1773-40bf-8456-63ee7a95ea14
ms.reviewer:
ms.prod: w10
@@ -24,7 +24,7 @@ ms.custom: bitlocker
- Windows 10
-This topic for IT professionals describes how to recover BitLocker keys from AD DS.
+This article for IT professionals describes how to recover BitLocker keys from AD DS.
Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. Creating a recovery model for BitLocker while you are planning your BitLocker deployment is recommended.
@@ -46,11 +46,11 @@ BitLocker recovery is the process by which you can restore access to a BitLocker
The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive:
-- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality Administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor, or use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/microsoft-intune)), to limit the number of failed password attempts before the device goes into Device Lockout.
+- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality, administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor. Or they can use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/microsoft-intune)), to limit the number of failed password attempts before the device goes into Device Lockout.
- On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. However, devices with TPM 2.0 do not start BitLocker recovery in this case. TPM 2.0 does not consider a firmware change of boot device order as a security threat because the OS Boot Loader is not compromised.
- Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD.
- Failing to boot from a network drive before booting from the hard drive.
-- Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock BitLocker. This means that if a portable computer is connected to its docking station when BitLocker is turned on, then it might also need to be connected to the docking station when it is unlocked. Conversely, if a portable computer is not connected to its docking station when BitLocker is turned on, then it might need to be disconnected from the docking station when it is unlocked.
+- Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock BitLocker. So if a portable computer is connected to its docking station when BitLocker is turned on, then it might also need to be connected to the docking station when it is unlocked. Conversely, if a portable computer is not connected to its docking station when BitLocker is turned on, then it might need to be disconnected from the docking station when it is unlocked.
- Changes to the NTFS partition table on the disk including creating, deleting, or resizing a primary partition.
- Entering the personal identification number (PIN) incorrectly too many times so that the anti-hammering logic of the TPM is activated. Anti-hammering logic is software or hardware methods that increase the difficulty and cost of a brute force attack on a PIN by not accepting PIN entries until after a certain amount of time has passed.
- Turning off the support for reading the USB device in the pre-boot environment from the BIOS or UEFI firmware if you are using USB-based keys instead of a TPM.
@@ -64,7 +64,7 @@ The following list provides examples of specific events that will cause BitLocke
- Changes to the master boot record on the disk.
- Changes to the boot manager on the disk.
- Hiding the TPM from the operating system. Some BIOS or UEFI settings can be used to prevent the enumeration of the TPM to the operating system. When implemented, this option can make the TPM hidden from the operating system. When the TPM is hidden, BIOS and UEFI secure startup are disabled, and the TPM does not respond to commands from any software.
-- Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. This can prevent the entry of enhanced PINs.
+- Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. This problem can prevent the entry of enhanced PINs.
- Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including **PCR\[1\]** would result in BitLocker measuring most changes to BIOS settings, causing BitLocker to enter recovery mode even when non-boot critical BIOS settings change.
> [!NOTE]
@@ -93,25 +93,25 @@ For planned scenarios, such as a known hardware or firmware upgrades, you can av
> [!NOTE]
> If suspended BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command line tool.
-If software maintenance requires the computer be restarted and you are using two-factor authentication, you can enable BitLocker Network Unlock to provide the secondary authentication factor when the computers do not have an on-premises user to provide the additional authentication method.
+If software maintenance requires the computer to be restarted and you are using two-factor authentication, you can enable BitLocker Network Unlock to provide the secondary authentication factor when the computers do not have an on-premises user to provide the additional authentication method.
Recovery has been described within the context of unplanned or undesired behavior, but you can also cause recovery as an intended production scenario, in order to manage access control. For example, when you redeploy desktop or laptop computers to other departments or employees in your enterprise, you can force BitLocker into recovery before the computer is given to a new user.
## Testing recovery
-Before you create a thorough BitLocker recovery process, we recommend that you test how the recovery process works for both end users (people who call your helpdesk for the recovery password) and administrators (people who help the end user get the recovery password). The –forcerecovery command of manage-bde is an easy way for you to step through the recovery process before your users encounter a recovery situation.
+Before you create a thorough BitLocker recovery process, we recommend that you test how the recovery process works for both end users (people who call your helpdesk for the recovery password) and administrators (people who help the end user get the recovery password). The -forcerecovery command of manage-bde is an easy way for you to step through the recovery process before your users encounter a recovery situation.
**To force a recovery for the local computer:**
-1. Click the **Start** button, type **cmd** in the **Start Search** box, right-click **cmd.exe**, and then click **Run as administrator**.
-2. At the command prompt, type the following command and then press ENTER:
+1. Select the **Start** button, type *cmd* in the **Start Search** box, right-click **cmd.exe**, and then select **Run as administrator**.
+2. At the command prompt, type the following command and then press **Enter**:
`manage-bde -forcerecovery `
**To force recovery for a remote computer:**
-1. On the Start screen, type **cmd.exe**, and then click **Run as administrator**.
+1. On the Start screen, type **cmd.exe**, and then select **Run as administrator**.
2. At the command prompt, type the following command and then press ENTER:
`manage-bde -ComputerName -forcerecovery `
@@ -125,7 +125,7 @@ When planning the BitLocker recovery process, first consult your organization's
Organizations that rely on BitLocker Drive Encryption and BitLocker To Go to protect data on a large number of computers and removable drives running the Windows 10, Windows 8, or Windows 7 operating systems and Windows to Go should consider using the Microsoft BitLocker Administration and Monitoring (MBAM) Tool version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance. MBAM makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives, making recovery easier to manage. MBAM can be used as part of a Microsoft System Center deployment or as a stand-alone solution. For more info, see [Microsoft BitLocker Administration and Monitoring](/microsoft-desktop-optimization-pack/mbam-v25/).
-After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. You must consider both self-recovery and recovery password retrieval methods for your organization.
+After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. Consider both self-recovery and recovery password retrieval methods for your organization.
When you determine your recovery process, you should:
@@ -141,12 +141,12 @@ When you determine your recovery process, you should:
### Self-recovery
-In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. We recommend that your organization create a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, the users should be warned not to store the USB flash drive in the same place as the PC, especially during travel, for example if both the PC and the recovery items are in the same bag it would be very easy for access to be gained to the PC by an unauthorized user. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified.
+In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. We recommend that your organization create a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, the users should be warned not to store the USB flash drive in the same place as the PC, especially during travel, for example if both the PC and the recovery items are in the same bag, then it's easy for an unauthorized user to access the PC. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified.
### Recovery password retrieval
-If the user does not have a recovery password in a printout or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain the recovery password can be backed up to AD DS. However, this does not happen by default, you must have configured the appropriate Group Policy settings before BitLocker was enabled on the PC. BitLocker Group Policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used.
+If the user does not have a recovery password in a printout or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain, the recovery password can be backed up to AD DS. However, this does not happen by default. You must have configured the appropriate Group Policy settings before BitLocker was enabled on the PC. BitLocker Group Policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption**. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used.
- **Choose how BitLocker-protected operating system drives can be recovered**
- **Choose how BitLocker-protected fixed drives can be recovered**
@@ -176,7 +176,7 @@ You can use the name of the user's computer to locate the recovery password in A
### Verify the user's identity
-You should verify that the person that is asking for the recovery password is truly the authorized user of that computer. You may also wish to verify that the computer with the name the user provided belongs to the user.
+Verify that the person that is asking for the recovery password is truly the authorized user of that computer. You might also want to verify that the computer with the name the user provided belongs to the user.
### Locate the recovery password in AD DS
@@ -200,7 +200,7 @@ Before you give the user the recovery password, you should gather any informatio
### Give the user the recovery password
-Because the recovery password is 48 digits long the user may need to record the password by writing it down or typing it on a different computer. If you are using MBAM, the recovery password will be regenerated after it is recovered from the MBAM database to avoid the security risks associated with an uncontrolled password.
+Because the recovery password is 48 digits long, the user might need to record the password by writing it down or typing it on a different computer. If you are using MBAM, the recovery password will be regenerated after it is recovered from the MBAM database to avoid the security risks associated with an uncontrolled password.
> [!NOTE]
> Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors.
@@ -228,11 +228,11 @@ Review and answer the following questions for your organization:
1. What BitLocker protection mode is in effect (TPM, TPM + PIN, TPM + startup key, startup key only)? Which PCR profile is in use on the PC?
2. Did the user merely forget the PIN or lose the startup key? If a token was lost, where might the token be?
3. If TPM mode was in effect, was recovery caused by a boot file change?
-4. If recovery was caused by a boot file change, is this due to an intended user action (for example, BIOS upgrade), or to malicious software?
+4. If recovery was caused by a boot file change, was the change an intended user action (for example, BIOS upgrade), or was it caused by malicious software?
5. When was the user last able to start the computer successfully, and what might have happened to the computer since then?
6. Might the user have encountered malicious software or left the computer unattended since the last successful startup?
-To help you answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode (for example, **manage-bde -status**). Scan the event log to find events that help indicate why recovery was initiated (for example, if boot file change occurred). Both of these capabilities can be performed remotely.
+To help you answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode (for example, **manage-bde -status**). Scan the event log to find events that help indicate why recovery was initiated (for example, if the boot file changed). Both of these capabilities can be performed remotely.
### Resolve the root cause
@@ -257,9 +257,9 @@ If a user has forgotten the PIN, you must reset the PIN while you are logged on
1. Unlock the computer using the recovery password.
2. Reset the PIN:
- 1. Right-click the drive and then click **Change PIN**.
- 2. In the BitLocker Drive Encryption dialog, click **Reset a forgotten PIN**. If you are not logged in with an administrator account you must provide administrative credentials at this time.
- 3. In the PIN reset dialog, provide and confirm the new PIN to use and then click **Finish**.
+ 1. Right-click the drive and then select **Change PIN**.
+ 2. In the BitLocker Drive Encryption dialog, select **Reset a forgotten PIN**. If you are not logged in with an administrator account, provide administrative credentials at this time.
+ 3. In the PIN reset dialog, provide and confirm the new PIN to use and then select **Finish**.
3. You will use the new PIN the next time you unlock the drive.
@@ -271,17 +271,17 @@ If you have lost the USB flash drive that contains the startup key, then you mus
1. Log on as an administrator to the computer that has the lost startup key.
2. Open Manage BitLocker.
-3. Click **Duplicate start up key**, insert the clean USB drive on which you are going to write the key and then click **Save**.
+3. Select **Duplicate start up key**, insert the clean USB drive on which you are going to write the key and then select **Save**.
### Changes to boot files
-This error might occur if you updated the firmware. As a best practice you should suspend BitLocker before making changes to the firmware and then resume protection after the update has completed. This prevents the computer from going into recovery mode. However if changes were made when BitLocker protection was on you can simply log on to the computer using the recovery password and the platform validation profile will be updated so that recovery will not occur the next time.
+This error might occur if you updated the firmware. As a best practice, you should suspend BitLocker before making changes to the firmware and then resume protection after the update has completed. This action prevents the computer from going into recovery mode. However if changes were made when BitLocker protection was on, then log on to the computer using the recovery password, and the platform validation profile will be updated so that recovery will not occur the next time.
## Windows RE and BitLocker Device Encryption
-Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives.
+Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair can't run automatically from the PC and instead Windows RE is manually started from a repair disk, then the BitLocker recovery key must be provided to unlock the BitLocker–protected drives.
## BitLocker recovery screen
@@ -307,7 +307,7 @@ Example of customized recovery screen:
### BitLocker recovery key hints
-BitLocker metadata has been enhanced in Windows 10, version 1903 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed in both the modern (blue) and legacy (black) recovery screen. This applies to both the boot manager recovery screen and the WinRE unlock screen.
+BitLocker metadata has been enhanced in Windows 10, version 1903 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed on both the modern (blue) and legacy (black) recovery screen. This applies to both the boot manager recovery screen and the WinRE unlock screen.
@@ -337,7 +337,7 @@ There are rules governing which hint is shown during the recovery (in order of p
| Printed | No |
| Saved to file | No |
-**Result:** The hint for the Microsoft Account and custom URL are displayed.
+**Result:** The hint for the Microsoft Account and the custom URL are displayed.
@@ -378,7 +378,7 @@ There are rules governing which hint is shown during the recovery (in order of p
|----------------------|-----------------|
| Saved to Microsoft Account | No |
| Saved to Azure AD | No |
-| Saved to Acive Directory | No |
+| Saved to Active Directory | No |
| Printed | No |
| Saved to file | Yes |
| Creation time | **1PM** |
@@ -444,17 +444,17 @@ If the recovery methods discussed earlier in this document do not unlock the vol
> [!NOTE]
> You must use the BitLocker Repair tool **repair-bde** to use the BitLocker key package.
-The BitLocker key package is not saved by default. To save the package along with the recovery password in AD DS you must select the **Backup recovery password and key package** option in the Group Policy settings that control the recovery method. You can also export the key package from a working volume. For more details on how to export key packages, see [Retrieving the BitLocker Key Package](#bkmk-appendixc).
+The BitLocker key package is not saved by default. To save the package along with the recovery password in AD DS, you must select the **Backup recovery password and key package** option in the Group Policy settings that control the recovery method. You can also export the key package from a working volume. For more details about how to export key packages, see [Retrieving the BitLocker Key Package](#bkmk-appendixc).
## Resetting recovery passwords
-You should invalidate a recovery password after it has been provided and used. It should also be done when you intentionally want to invalidate an existing recovery password for any reason.
+Invalidate a recovery password after it has been provided and used. It should also be done when you intentionally want to invalidate an existing recovery password for any reason.
You can reset the recovery password in two ways:
-- **Use manage-bde** You can use manage-bde to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method.
-- **Run a script** You can run a script to reset the password without decrypting the volume. The sample script in the procedure illustrates this functionality. The sample script creates a new recovery password and invalidates all other passwords.
+- **Use manage-bde**: You can use manage-bde to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method.
+- **Run a script**: You can run a script to reset the password without decrypting the volume. The sample script in the procedure illustrates this functionality. The sample script creates a new recovery password and invalidates all other passwords.
**To reset a recovery password using manage-bde:**
@@ -470,13 +470,13 @@ You can reset the recovery password in two ways:
Manage-bde –protectors –add C: -RecoveryPassword
```
-3. Get the ID of the new recovery password. From the screen copy the ID of the recovery password.
+3. Get the ID of the new recovery password. From the screen, copy the ID of the recovery password.
```powershell
Manage-bde –protectors –get C: -Type RecoveryPassword
```
-4. Backup the new recovery password to AD DS
+4. Back up the new recovery password to AD DS.
```powershell
Manage-bde –protectors –adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692}
@@ -488,7 +488,7 @@ You can reset the recovery password in two ways:
**To run the sample recovery password script:**
1. Save the following sample script in a VBScript file. For example: ResetPassword.vbs.
-2. At the command prompt, type a command similar to the following:
+2. At the command prompt, type a command similar to the following sample script:
**cscript ResetPassword.vbs**
@@ -576,15 +576,15 @@ WScript.Echo "A new recovery password has been added. Old passwords have been re
You can use two methods to retrieve the key package, as described in [Using Additional Recovery Information](#bkmk-usingaddrecovery):
-- **Export a previously-saved key package from AD DS.** You must have Read access to BitLocker recovery passwords that are stored in AD DS.
+- **Export a previously saved key package from AD DS.** You must have Read access to BitLocker recovery passwords that are stored in AD DS.
- **Export a new key package from an unlocked, BitLocker-protected volume.** You must have local administrator access to the working volume, before any damage has occurred.
-The following sample script exports all previously-saved key packages from AD DS.
+The following sample script exports all previously saved key packages from AD DS.
**To run the sample key package retrieval script:**
1. Save the following sample script in a VBScript file. For example: GetBitLockerKeyPackageADDS.vbs.
-2. At the command prompt, type a command similar to the following:
+2. At the command prompt, type a command similar to the following sample script:
**cscript GetBitLockerKeyPackageADDS.vbs -?**
@@ -733,7 +733,7 @@ The following sample script exports a new key package from an unlocked, encrypte
**To run the sample key package retrieval script:**
1. Save the following sample script in a VBScript file. For example: GetBitLockerKeyPackage.vbs
-2. Open an administrator command prompt, type a command similar to the following:
+2. Open an administrator command prompt, and then type a command similar to the following sample script:
**cscript GetBitLockerKeyPackage.vbs -?**
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md
index f06b11a197..9ed6f0f984 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
-ms.localizationpriority: #medium
+ms.localizationpriority: medium
ms.author: v-maave
author: martyav
manager: dansimp
diff --git a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md
index c34ddf46f1..871f49b5a8 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.md
@@ -1,6 +1,6 @@
---
title: BitLocker To Go FAQ (Windows 10)
-description: Learn more about BitLocker To Go — BitLocker drive encryption for removable drives.
+description: "Learn more about BitLocker To Go: BitLocker drive encryption for removable drives."
ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee
ms.reviewer:
ms.author: dansimp
@@ -25,7 +25,14 @@ ms.custom: bitlocker
## What is BitLocker To Go?
-BitLocker To Go is BitLocker Drive Encryption on removable data drives. This includes the encryption of USB flash drives, SD cards, external hard disk drives, and other drives formatted by using the NTFS, FAT16, FAT32, or exFAT file systems. Drive partitioning must meet the [BitLocker Drive Encryption Partitioning Requirements](https://docs.microsoft.com/windows-hardware/manufacture/desktop/bitlocker-drive-encryption#bitlocker-drive-encryption-partitioning-requirements).
+BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of:
-As with BitLocker, drives that are encrypted using BitLocker To Go can be opened with a password or smart card on another computer by using **BitLocker Drive Encryption** in Control Panel.
+- USB flash drives
+- SD cards
+- External hard disk drives
+- Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system.
+
+Drive partitioning must meet the [BitLocker Drive Encryption Partitioning Requirements](https://docs.microsoft.com/windows-hardware/manufacture/desktop/bitlocker-drive-encryption#bitlocker-drive-encryption-partitioning-requirements).
+
+As with BitLocker, you can open drives that are encrypted by BitLocker To Go by using a password or smart card on another computer. In Control Panel, use **BitLocker Drive Encryption**.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
index bf20c5efdd..793722ef06 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
@@ -1,6 +1,6 @@
---
title: BitLocker Use BitLocker Drive Encryption Tools to manage BitLocker (Windows 10)
-description: This topic for the IT professional describes how to use tools to manage BitLocker.
+description: This article for the IT professional describes how to use tools to manage BitLocker.
ms.assetid: e869db9c-e906-437b-8c70-741dd61b5ea6
ms.reviewer:
ms.prod: w10
@@ -23,9 +23,9 @@ ms.custom: bitlocker
**Applies to**
- Windows 10
-This topic for the IT professional describes how to use tools to manage BitLocker.
+This article for the IT professional describes how to use tools to manage BitLocker.
-BitLocker Drive Encryption Tools include the command line tools manage-bde and repair-bde and the BitLocker cmdlets for Windows PowerShell.
+BitLocker Drive Encryption Tools include the command-line tools manage-bde and repair-bde and the BitLocker cmdlets for Windows PowerShell.
Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the BitLocker control panel and are appropriate to use for automated deployments and other scripting scenarios.
@@ -39,11 +39,11 @@ Repair-bde is a special circumstance tool that is provided for disaster recovery
Manage-bde is a command-line tool that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the manage-bde options, see the [Manage-bde](https://technet.microsoft.com/library/ff829849.aspx) command-line reference.
-Manage-bde includes less default settings and requires greater customization for configuring BitLocker. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected. The following sections provide examples of common usage scenarios for manage-bde.
+Manage-bde includes fewer default settings and requires greater customization for configuring BitLocker. For example, using just the `manage-bde -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected. The following sections provide examples of common usage scenarios for manage-bde.
### Using manage-bde with operating system volumes
-Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde -on ` command will encrypt the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key. It is recommended that at least one primary protector and a recovery protector be added to an operating system volume.
+Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde -on ` command will encrypt the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key. We recommend that you add at least one primary protector and a recovery protector to an operating system volume.
A good practice when using manage-bde is to determine the volume status on the target system. Use the following command to determine volume status:
@@ -54,7 +54,7 @@ This command returns the volumes on the target, current encryption status, encry
-The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process you must create the startup key needed for BitLocker and save it to the USB drive. When BitLocker is enabled for the operating system volume, the BitLocker will need to access the USB flash drive to obtain the encryption key (in this example, the drive letter E represents the USB drive). You will be prompted to reboot to complete the encryption process.
+The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process, you must create the startup key needed for BitLocker and save it to the USB drive. When BitLocker is enabled for the operating system volume, the BitLocker will need to access the USB flash drive to obtain the encryption key (in this example, the drive letter E represents the USB drive). You will be prompted to reboot to complete the encryption process.
```powershell
manage-bde –protectors -add C: -startupkey E:
@@ -63,30 +63,30 @@ manage-bde -on C:
>**Note:** After the encryption is completed, the USB startup key must be inserted before the operating system can be started.
-An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, you would add the protectors first. This is done with the command:
+An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, you would add the protectors first. To add them, use this command:
```powershell
manage-bde -protectors -add C: -pw -sid
```
-This command will require you to enter and then confirm the password protector before adding them to the volume. With the protectors enabled on the volume, you can then turn BitLocker on.
+This command will require you to enter and then confirm the password protector before adding them to the volume. With the protectors enabled on the volume, you can then turn on BitLocker.
-On computers with a TPM it is possible to encrypt the operating system volume without any defined protectors using manage-bde. The command to do this is:
+On computers with a TPM, it is possible to encrypt the operating system volume without any defined protectors using manage-bde. Use this command:
```powershell
manage-bde -on C:
```
-This will encrypt the drive using the TPM as the default protector. If you are not sure if a TPM protector is available, to list the protectors available for a volume, run the following command:
+This command encrypts the drive using the TPM as the default protector. If you are not sure if a TPM protector is available, to list the protectors available for a volume, run the following command:
```powershell
manage-bde -protectors -get
```
### Using manage-bde with data volumes
-Data volumes use the same syntax for encryption as operating system volumes but they do not require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde -on ` or you can choose to add additional protectors to the volume first. It is recommended that at least one primary protector and a recovery protector be added to a data volume.
+Data volumes use the same syntax for encryption as operating system volumes but they do not require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde -on ` or you can choose to add additional protectors to the volume first. We recommend that you add at least one primary protector and a recovery protector to a data volume.
-A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn BitLocker on.
+A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn on BitLocker.
```powershell
manage-bde -protectors -add -pw C:
@@ -101,11 +101,11 @@ The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a
>**Tip:** If you are not backing up recovery information to AD DS or if you want to save key packages alternatively, you can use the command `manage-bde -KeyPackage` to generate a key package for a volume.
-The Repair-bde command-line tool is intended for use when the operating system does not start or when you cannot start the BitLocker Recovery Console. You should use Repair-bde if the following conditions are true:
+The Repair-bde command-line tool is intended for use when the operating system does not start or when you cannot start the BitLocker Recovery Console. Use Repair-bde if the following conditions are true:
-1. You have encrypted the drive by using BitLocker Drive Encryption.
-2. Windows does not start, or you cannot start the BitLocker recovery console.
-3. You do not have a copy of the data that is contained on the encrypted drive.
+- You have encrypted the drive by using BitLocker Drive Encryption.
+- Windows does not start, or you cannot start the BitLocker recovery console.
+- You do not have a copy of the data that is contained on the encrypted drive.
>**Note:** Damage to the drive may not be related to BitLocker. Therefore, we recommend that you try other tools to help diagnose and resolve the problem with the drive before you use the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers.
@@ -249,7 +249,7 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work
Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets.
A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the Get-BitLockerVolume cmdlet.
-The Get-BitLockerVolume cmdlet output gives information on the volume type, protectors, protection status and other details.
+The Get-BitLockerVolume cmdlet output gives information on the volume type, protectors, protection status, and other details.
>**Tip:** Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a full listing of the protectors.
`Get-BitLockerVolume C: | fl`
@@ -263,9 +263,9 @@ $vol = Get-BitLockerVolume
$keyprotectors = $vol.KeyProtector
```
-Using this, you can display the information in the $keyprotectors variable to determine the GUID for each protector.
+By using this script, you can display the information in the $keyprotectors variable to determine the GUID for each protector.
-Using this information, you can then remove the key protector for a specific volume using the command:
+By using this information, you can then remove the key protector for a specific volume using the command:
```powershell
Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}"
@@ -291,8 +291,8 @@ Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTes
### Using the BitLocker Windows PowerShell cmdlets with data volumes
-Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a
-SecureString value to store the user defined password.
+Data volume encryption using Windows PowerShell is the same as for operating system volumes. Add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a
+SecureString value to store the user-defined password.
```powershell
$pw = Read-Host -AsSecureString
@@ -301,11 +301,11 @@ Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw
```
### Using an AD Account or Group protector in Windows PowerShell
-The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2012, is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover to and be unlocked by any member computer of the cluster.
+The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2012, is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it does not unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly fail over to and be unlocked by any member computer of the cluster.
>**Warning:** The **ADAccountOrGroup** protector requires the use of an additional protector for use (such as TPM, PIN, or recovery key) when used on operating system volumes
-To add an **ADAccountOrGroup** protector to a volume requires either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G.
+To add an **ADAccountOrGroup** protector to a volume, use either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G.
```powershell
Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator
diff --git a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md
index ac4286c885..e71fba3cbd 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.md
@@ -37,7 +37,7 @@ BitLocker has a storage driver stack that ensures memory dumps are encrypted whe
## Can BitLocker support smart cards for pre-boot authentication?
-BitLocker does not support smart cards for pre-boot authentication. There is no single industry standard for smart card support in the firmware, and most computers either do not implement firmware support for smart cards, or only support specific smart cards and readers. This lack of standardization makes supporting them very difficult.
+BitLocker does not support smart cards for pre-boot authentication. There is no single industry standard for smart card support in the firmware, and most computers either do not implement firmware support for smart cards, or only support specific smart cards and readers. This lack of standardization makes supporting them difficult.
## Can I use a non-Microsoft TPM driver?
@@ -69,7 +69,7 @@ The **Save to USB** option is not shown by default for removable drives. If the
## Why am I unable to automatically unlock my drive?
-Automatic unlocking for fixed data drives requires that the operating system drive also be protected by BitLocker. If you are using a computer that does not have a BitLocker-protected operating system drive, the drive cannot be automatically unlocked. For removable data drives, you can add automatic unlocking by right-clicking the drive in Windows Explorer and clicking **Manage BitLocker**. You will still be able to use the password or smart card credentials you supplied when you turned on BitLocker to unlock the removable drive on other computers.
+Automatic unlocking for fixed data drives requires the operating system drive to also be protected by BitLocker. If you are using a computer that does not have a BitLocker-protected operating system drive, the drive cannot be automatically unlocked. For removable data drives, you can add automatic unlocking by right-clicking the drive in Windows Explorer and clicking **Manage BitLocker**. You will still be able to use the password or smart card credentials you supplied when you turned on BitLocker to unlock the removable drive on other computers.
## Can I use BitLocker in Safe Mode?
@@ -95,8 +95,8 @@ Yes. However, shadow copies made prior to enabling BitLocker will be automatical
## Does BitLocker support virtual hard disks (VHDs)?
BitLocker should work like any specific physical machine within its hardware limitations as long as the environment (physical or virtual) meets Windows Operating System requirements to run.
-- With TPM - Yes it is supported
-- Without TPM - Yes it is supported (with password protector)
+- With TPM: Yes, it is supported.
+- Without TPM: Yes, it is supported (with password protector).
BitLocker is also supported on data volume VHDs, such as those used by clusters, if you are running Windows 10, Windows 8.1, Windows 8, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012.
diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
index ac7c00f8b6..01a07590a5 100644
--- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
@@ -1,6 +1,6 @@
---
title: Protecting cluster shared volumes and storage area networks with BitLocker (Windows 10)
-description: This topic for IT pros describes how to protect CSVs and SANs with BitLocker.
+description: This article for IT pros describes how to protect CSVs and SANs with BitLocker.
ms.assetid: ecd25a10-42c7-4d31-8a7e-ea52c8ebc092
ms.reviewer:
ms.prod: w10
@@ -23,7 +23,7 @@ ms.custom: bitlocker
**Applies to**
- Windows Server 2016
-This topic for IT pros describes how to protect CSVs and SANs with BitLocker.
+This article for IT pros describes how to protect CSVs and SANs with BitLocker.
BitLocker can protect both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes allows for an additional layer of protection for administrators wishing to protect sensitive, highly available data. By adding additional protectors to the clustered volume, administrators can also add an additional barrier of security to resources within an organization by allowing only certain user accounts access to unlock the BitLocker volume.
@@ -38,15 +38,15 @@ BitLocker on volumes within a cluster are managed based on how the cluster servi
Alternatively, the volume can be a cluster-shared volume, a shared namespace, within the cluster. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. When using BitLocker with volumes designated for a cluster, the volume will need to turn on
BitLocker before its addition to the storage pool within cluster or put the resource into maintenance mode before BitLocker operations will complete.
-Windows PowerShell or the manage-bde command line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points do not require the use of a drive letter. Volumes that lack drive letters do not appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources is not available in the Control Panel item.
+Windows PowerShell or the manage-bde command-line interface is the preferred method to manage BitLocker on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points do not require the use of a drive letter. Volumes that lack drive letters do not appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources is not available in the Control Panel item.
>**Note:** Mount points can be used to support remote mount points on SMB based network shares. This type of share is not supported for BitLocker encryption.
-For thinly provisioned storage, such as a Dynamic Virtual Hard Disk (VHD), BitLocker runs in Used Disk Space Only encryption mode. You cannot use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on these types of volumes. This is blocked in order to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space.
+For thinly provisioned storage, such as a Dynamic Virtual Hard Disk (VHD), BitLocker runs in Used Disk Space Only encryption mode. You cannot use the **manage-bde -WipeFreeSpace** command to transition the volume to full-volume encryption on these types of volumes. This action is blocked in order to avoid expanding thinly provisioned volumes to occupy the entire backing store while wiping the unoccupied (free) space.
### Active Directory-based protector
-You can also use an Active Directory Domain Services (AD DS) protector for protecting clustered volumes held within your AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account or group. When an unlock request is made for a protected volume, the BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request. BitLocker will unlock protected volumes without user intervention by attempting protectors in the following order:
+You can also use an Active Directory Domain Services (AD DS) protector for protecting clustered volumes held within your AD DS infrastructure. The **ADAccountOrGroup** protector is a domain security identifier (SID)-based protector that can be bound to a user account, machine account, or group. When an unlock request is made for a protected volume, the BitLocker service interrupts the request and uses the BitLocker protect/unprotect APIs to unlock or deny the request. BitLocker will unlock protected volumes without user intervention by attempting protectors in the following order:
1. Clear key
2. Driver-based auto-unlock key
@@ -61,7 +61,7 @@ You can also use an Active Directory Domain Services (AD DS) protector for prote
### Turning on BitLocker before adding disks to a cluster using Windows PowerShell
-BitLocker encryption is available for disks before or after addition to a cluster storage pool. The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource does not require suspending the resource to complete the operation. To turn on BitLocker for a disk before adding it to a cluster, do the following:
+BitLocker encryption is available for disks before or after addition to a cluster storage pool. The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource does not require suspending the resource to complete the operation. To turn on BitLocker for a disk before adding it to a cluster:
1. Install the BitLocker Drive Encryption feature if it is not already installed.
2. Ensure the disk is formatted NTFS and has a drive letter assigned to it.
@@ -84,7 +84,7 @@ BitLocker encryption is available for disks before or after addition to a cluste
### Turning on BitLocker for a clustered disk using Windows PowerShell
-When the cluster service owns a disk resource already, it needs to be set into maintenance mode before BitLocker can be enabled. Use the following steps for turning BitLocker on for a clustered disk:
+When the cluster service owns a disk resource already, it needs to be set into maintenance mode before BitLocker can be enabled. Use the following steps for turning on BitLocker for a clustered disk:
1. Install the BitLocker Drive Encryption feature if it is not already installed.
2. Check the status of the cluster disk using Windows PowerShell.
@@ -122,11 +122,11 @@ When the cluster service owns a disk resource already, it needs to be set into m
### Adding BitLocker encrypted volumes to a cluster using manage-bde
-You can also use manage-bde to enable BitLocker on clustered volumes. The steps needed to add a physical disk resource or CSV2.0 volume to an existing cluster includes the following:
+You can also use manage-bde to enable BitLocker on clustered volumes. Follow these steps to add a physical disk resource or CSV2.0 volume to an existing cluster:
1. Verify the BitLocker Drive Encryption feature is installed on the computer.
2. Ensure new storage is formatted as NTFS.
-3. Encrypt the volume, add a recovery key and add the cluster administrator as a protector key using the manage-bde command line interface (see example):
+3. Encrypt the volume, add a recovery key, and add the cluster administrator as a protector key by using the manage-bde command-line interface (see example):
- `Manage-bde -on -used -RP -sid domain\CNO$ -sync`
@@ -135,16 +135,17 @@ You can also use manage-bde to enable BitLocker on clustered volumes. The steps
4. Open the Failover Cluster Manager snap-in or cluster PowerShell cmdlets to enable the disk to be clustered
- - Once the disk is clustered it can also be enabled for CSV.
+ - Once the disk is clustered, it can also be enabled for CSV.
5. During the resource online operation, cluster will check to see if the disk is BitLocker encrypted.
1. If the volume is not BitLocker enabled, traditional cluster online operations occur.
2. If the volume is BitLocker enabled, the following check occurs:
- - If volume is **locked**, BitLocker will impersonate the CNO and unlock the volume using the CNO protector. If this operation fails an event will be logged that the volume could not be unlocked and the online operation will fail.
+ - If volume is **locked**, BitLocker will impersonate the CNO and unlock the volume using the CNO protector. If this operation fails, an event will be logged that the volume could not be unlocked and the online operation will fail.
+
+6. Once the disk is online in the storage pool, it can be added to a CSV by right-clicking the disk resource and choosing **Add to cluster shared volumes**.
-6. Once the disk is online in the storage pool, it can be added to a CSV by right clicking on the disk resource and choosing "**Add to cluster shared volumes**".
CSVs can include both encrypted and unencrypted volumes. To check the status of a particular volume for BitLocker encryption, administrators can utilize the manage-bde -status command with a path to the volume inside the CSV namespace as seen in the example command line below.
```powershell
@@ -153,11 +154,11 @@ manage-bde -status "C:\ClusterStorage\volume1"
### Physical Disk Resources
-Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. This means that operations such as encrypting, decrypting, locking or unlocking volumes require context to perform. For example, you cannot unlock or decrypt a physical disk resource if you are not administering the cluster node that owns the disk resource because the disk resource is not available.
+Unlike CSV2.0 volumes, physical disk resources can only be accessed by one cluster node at a time. So operations such as encrypting, decrypting, locking, or unlocking volumes require context to perform. For example, you cannot unlock or decrypt a physical disk resource if you are not administering the cluster node that owns the disk resource because the disk resource is not available.
### Restrictions on BitLocker actions with cluster volumes
-The following table contains information about both Physical Disk Resources (i.e. traditional failover cluster volumes) and Cluster Shared Volumes (CSV) and the actions that are allowed by BitLocker in each situation.
+The following table contains information about both Physical Disk Resources (that is, traditional failover cluster volumes) and Cluster Shared Volumes (CSV) and the actions that are allowed by BitLocker in each situation.
@@ -268,7 +269,7 @@ In the case where a physical disk resource experiences a failover event during c
### Other considerations when using BitLocker on CSV2.0
-Some other considerations to take into account for BitLocker on clustered storage include the following:
+Also take these considerations into account for BitLocker on clustered storage:
- BitLocker volumes have to be initialized and beginning encryption before they are available to add to a CSV2.0 volume.
- If an administrator needs to decrypt a CSV volume, remove the volume from the cluster or put into disk maintenance mode. You can add the CSV back to the cluster while waiting for decryption to complete.
- If an administrator needs to start encrypting a CSV volume, remove the volume from the cluster or put it in maintenance mode.
diff --git a/windows/security/information-protection/index.md b/windows/security/information-protection/index.md
index 84ea720232..e72f8d6c68 100644
--- a/windows/security/information-protection/index.md
+++ b/windows/security/information-protection/index.md
@@ -1,6 +1,6 @@
---
title: Information protection (Windows 10)
-description: Learn more about how to protect sesnsitive data across your ogranization.
+description: Learn more about how to protect sensitive data across your organization.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index c2913b23a2..1d2ce21e5e 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -65,6 +65,7 @@
##### [Remediate vulnerabilities](microsoft-defender-atp/tvm-remediation.md)
##### [Exceptions for security recommendations](microsoft-defender-atp/tvm-exception.md)
##### [Plan for end-of-support software](microsoft-defender-atp/tvm-end-of-support-software.md)
+##### [Mitigate zero-day vulnerabilities](microsoft-defender-atp/tvm-zero-day-vulnerabilities.md)
#### [Understand vulnerabilities on your devices]()
##### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md)
##### [Vulnerabilities in my organization](microsoft-defender-atp/tvm-weaknesses.md)
diff --git a/windows/security/threat-protection/auditing/audit-user-device-claims.md b/windows/security/threat-protection/auditing/audit-user-device-claims.md
index 74c7755cb8..bea0be45b0 100644
--- a/windows/security/threat-protection/auditing/audit-user-device-claims.md
+++ b/windows/security/threat-protection/auditing/audit-user-device-claims.md
@@ -1,6 +1,6 @@
---
title: Audit User/Device Claims (Windows 10)
-description: Audit User/Device Claims is an audit policy setting which enables you to audit security events that are generated by user and device claims.
+description: Audit User/Device Claims is an audit policy setting that enables you to audit security events that are generated by user and device claims.
ms.assetid: D3D2BFAF-F2C0-462A-9377-673DB49D5486
ms.reviewer:
manager: dansimp
@@ -25,7 +25,7 @@ Audit User/Device Claims allows you to audit user and device claims information
For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.
-***Important***: [Audit Logon](audit-logon.md) subcategory must also be enabled in order to get events from this subcategory.
+***Important***: Enable the [Audit Logon](audit-logon.md) subcategory in order to get events from this subcategory.
**Event volume**:
diff --git a/windows/security/threat-protection/auditing/event-1105.md b/windows/security/threat-protection/auditing/event-1105.md
index e00e49b666..bd4e2bb72a 100644
--- a/windows/security/threat-protection/auditing/event-1105.md
+++ b/windows/security/threat-protection/auditing/event-1105.md
@@ -13,7 +13,7 @@ manager: dansimp
ms.author: dansimp
---
-# 1105(S): Event log automatic backup.
+# 1105(S): Event log automatic backup
**Applies to**
- Windows 10
@@ -71,7 +71,7 @@ This event generates, for example, if the maximum size of Security Event Log fil
***Field Descriptions:***
-**Log** \[Type = UnicodeString\]: the name of the log which was archived (new event log file was created and previous event log was archived). Always “**Security”** for Security Event Logs.
+**Log** \[Type = UnicodeString\]: the name of the log that was archived (new event log file was created and previous event log was archived). Always “**Security”** for Security Event Logs.
**File**: \[Type = FILETIME\]: full path and filename of archived log file.
diff --git a/windows/security/threat-protection/auditing/event-4618.md b/windows/security/threat-protection/auditing/event-4618.md
index 9dcc575df1..4155868172 100644
--- a/windows/security/threat-protection/auditing/event-4618.md
+++ b/windows/security/threat-protection/auditing/event-4618.md
@@ -32,7 +32,7 @@ Account must have **SeAuditPrivilege** (Generate security audits) to be able to
- Only **OrgEventID**, **ComputerName**, and **EventCount** are required—others are optional. Fields not specified appear with “**-**“ in the event description field.
-- If a field doesn’t match the expected data type, the event is not generated. (i.e., if **EventCount** = “XYZ” then no event is generated.)
+- If a field doesn’t match the expected data type, the event is not generated. That is, if **EventCount** = “XYZ”, then no event is generated.
- **UserSid**, **UserName**, and **UserDomain** are not related to each other (think **SubjectUser** fields, where they are)
@@ -98,5 +98,5 @@ Account must have **SeAuditPrivilege** (Generate security audits) to be able to
For 4618(S): A monitored security event pattern has occurred.
-- This event can be invoked only manually/intentionally, it is up to you how interpret this event depends on information you put inside of it.
+- This event can be invoked only manually/intentionally, it is up to you how to interpret this event depends on information you put inside of it.
diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md
index 220876b84a..293e52c57f 100644
--- a/windows/security/threat-protection/auditing/event-4625.md
+++ b/windows/security/threat-protection/auditing/event-4625.md
@@ -99,7 +99,7 @@ This event generates on domain controllers, member servers, and workstations.
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about logon failure.
-- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
+- **Account Domain** \[Type = UnicodeString\]**:** subject's domain or computer name. Here are some examples of formats:
- Domain NETBIOS name example: CONTOSO
@@ -111,7 +111,7 @@ This event generates on domain controllers, member servers, and workstations.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-- **Logon Type** \[Type = UInt32\]**:** the type of logon which was performed. “Table 11. Windows Logon Types” contains the list of possible values for this field.
+- **Logon Type** \[Type = UInt32\]**:** the type of logon that was performed. “Table 11. Windows Logon Types” contains the list of possible values for this field.
**Table 11: Windows Logon Types**
@@ -138,7 +138,7 @@ This event generates on domain controllers, member servers, and workstations.
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that was specified in the logon attempt.
-- **Account Domain** \[Type = UnicodeString\]**:** domain or computer name. Formats vary, and include the following:
+- **Account Domain** \[Type = UnicodeString\]**:** domain or computer name. Here are some examples of formats:
- Domain NETBIOS name example: CONTOSO
@@ -154,9 +154,9 @@ This event generates on domain controllers, member servers, and workstations.
**Failure Information:**
-- **Failure Reason** \[Type = UnicodeString\]**:** textual explanation of **Status** field value. For this event it typically has “**Account locked out**” value.
+- **Failure Reason** \[Type = UnicodeString\]**:** textual explanation of **Status** field value. For this event, it typically has “**Account locked out**” value.
-- **Status** \[Type = HexInt32\]**:** the reason why logon failed. For this event it typically has “**0xC0000234**” value. The most common status codes are listed in Table 12. Windows logon status codes.
+- **Status** \[Type = HexInt32\]**:** the reason why logon failed. For this event, it typically has “**0xC0000234**” value. The most common status codes are listed in Table 12. Windows logon status codes.
**Table 12: Windows logon status codes.**
@@ -165,7 +165,7 @@ This event generates on domain controllers, member servers, and workstations.
| 0XC000005E | There are currently no logon servers available to service the logon request. |
| 0xC0000064 | User logon with misspelled or bad user account |
| 0xC000006A | User logon with misspelled or bad password |
- | 0XC000006D | This is either due to a bad username or authentication information |
+ | 0XC000006D | The cause is either a bad username or authentication information |
| 0XC000006E | Indicates a referenced user name and authentication information are valid, but some user account restriction has prevented successful authentication (such as time-of-day restrictions). |
| 0xC000006F | User logon outside authorized hours |
| 0xC0000070 | User logon from unauthorized workstation |
@@ -173,23 +173,23 @@ This event generates on domain controllers, member servers, and workstations.
| 0xC0000072 | User logon to account disabled by administrator |
| 0XC00000DC | Indicates the Sam Server was in the wrong state to perform the desired operation. |
| 0XC0000133 | Clocks between DC and other computer too far out of sync |
- | 0XC000015B | The user has not been granted the requested logon type (aka logon right) at this machine |
+ | 0XC000015B | The user has not been granted the requested logon type (also called the *logon right*) at this machine |
| 0XC000018C | The logon request failed because the trust relationship between the primary domain and the trusted domain failed. |
- | 0XC0000192 | An attempt was made to logon, but the N**etlogon** service was not started. |
+ | 0XC0000192 | An attempt was made to logon, but the **Netlogon** service was not started. |
| 0xC0000193 | User logon with expired account |
| 0XC0000224 | User is required to change password at next logon |
| 0XC0000225 | Evidently a bug in Windows and not a risk |
| 0xC0000234 | User logon with account locked |
| 0XC00002EE | Failure Reason: An Error occurred during Logon |
- | 0XC0000413 | Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine. |
+ | 0XC0000413 | Logon Failure: The machine you are logging on to is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine. |
| 0x0 | Status OK. |
> [!NOTE]
-> To see the meaning of other status\\sub-status codes you may also check for status code in the Window header file ntstatus.h in Windows SDK.
+> To see the meaning of other status or substatus codes, you might also check for status code in the Window header file ntstatus.h in Windows SDK.
More information:
-- **Sub Status** \[Type = HexInt32\]**:** additional information about logon failure. The most common sub-status codes listed in the “Table 12. Windows logon status codes.”.
+- **Sub Status** \[Type = HexInt32\]**:** additional information about logon failure. The most common substatus codes listed in the “Table 12. Windows logon status codes.”.
**Process Information:**
@@ -213,7 +213,7 @@ More information:
- ::1 or 127.0.0.1 means localhost.
-- **Source Port** \[Type = UnicodeString\]: source port which was used for logon attempt from remote machine.
+- **Source Port** \[Type = UnicodeString\]: source port that was used for logon attempt from remote machine.
- 0 for interactive logons.
@@ -221,7 +221,7 @@ More information:
- **Logon Process** \[Type = UnicodeString\]**:** the name of the trusted logon process that was used for the logon attempt. See event “[4611](event-4611.md): A trusted logon process has been registered with the Local Security Authority” description for more information.
-- **Authentication Package** \[Type = UnicodeString\]**:** The name of the authentication package which was used for the logon authentication process. Default packages loaded on LSA startup are located in “HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig” registry key. Other packages can be loaded at runtime. When a new package is loaded a “[4610](event-4610.md): An authentication package has been loaded by the Local Security Authority” (typically for NTLM) or “[4622](event-4622.md): A security package has been loaded by the Local Security Authority” (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. The most common authentication packages are:
+- **Authentication Package** \[Type = UnicodeString\]**:** The name of the authentication package that was used for the logon authentication process. Default packages loaded on LSA startup are located in “HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig” registry key. Other packages can be loaded at runtime. When a new package is loaded a “[4610](event-4610.md): An authentication package has been loaded by the Local Security Authority” (typically for NTLM) or “[4622](event-4622.md): A security package has been loaded by the Local Security Authority” (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. The most common authentication packages are:
- **NTLM** – NTLM-family Authentication
@@ -231,7 +231,7 @@ More information:
- **Transited Services** \[Type = UnicodeString\] \[Kerberos-only\]**:** the list of transmitted services. Transmitted services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user – most commonly done by a front-end website to access an internal resource on behalf of a user. For more information about S4U, see
-- **Package Name (NTLM only)** \[Type = UnicodeString\]**:** The name of the LAN Manager sub-package ([NTLM-family](https://msdn.microsoft.com/library/cc236627.aspx) protocol name) that was used during the logon attempt. Possible values are:
+- **Package Name (NTLM only)** \[Type = UnicodeString\]**:** The name of the LAN Manager subpackage ([NTLM-family](https://msdn.microsoft.com/library/cc236627.aspx) protocol name) that was used during the logon attempt. Possible values are:
- “NTLM V1”
@@ -241,7 +241,7 @@ More information:
Only populated if “**Authentication Package” = “NTLM”**.
-- **Key Length** \[Type = UInt32\]**:** the length of [NTLM Session Security](https://msdn.microsoft.com/library/cc236650.aspx) key. Typically it has 128 bit or 56 bit length. This parameter is always 0 if “**Authentication Package” = “Kerberos”**, because it is not applicable for Kerberos protocol. This field will also have “0” value if Kerberos was negotiated using **Negotiate** authentication package.
+- **Key Length** \[Type = UInt32\]**:** the length of [NTLM Session Security](https://msdn.microsoft.com/library/cc236650.aspx) key. Typically, it has a length of 128 bits or 56 bits. This parameter is always 0 if **"Authentication Package" = "Kerberos"**, because it is not applicable for Kerberos protocol. This field will also have “0” value if Kerberos was negotiated using **Negotiate** authentication package.
## Security Monitoring Recommendations
@@ -264,9 +264,9 @@ For 4625(F): An account failed to log on.
- If you have a high-value domain or local account for which you need to monitor every lockout, monitor all [4625](event-4625.md) events with the **“Subject\\Security ID”** that corresponds to the account.
-- We recommend monitoring all [4625](event-4625.md) events for local accounts, because these accounts typically should not be locked out. This is especially relevant for critical servers, administrative workstations, and other high value assets.
+- We recommend monitoring all [4625](event-4625.md) events for local accounts, because these accounts typically should not be locked out. Monitoring is especially relevant for critical servers, administrative workstations, and other high-value assets.
-- We recommend monitoring all [4625](event-4625.md) events for service accounts, because these accounts should not be locked out or prevented from functioning. This is especially relevant for critical servers, administrative workstations, and other high value assets.
+- We recommend monitoring all [4625](event-4625.md) events for service accounts, because these accounts should not be locked out or prevented from functioning. Monitoring is especially relevant for critical servers, administrative workstations, and other high value assets.
- If your organization restricts logons in the following ways, you can use this event to monitor accordingly:
@@ -286,15 +286,15 @@ For 4625(F): An account failed to log on.
| Field | Value to monitor for |
|----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
- | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000005E – “There are currently no logon servers available to service the logon request.”
This is typically not a security issue but it can be an infrastructure or availability issue. |
- | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000064 – “User logon with misspelled or bad user account”.
Especially if you get a number of these in a row, it can be a sign of user enumeration attack. |
+ | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000005E – “There are currently no logon servers available to service the logon request.”
This issue is typically not a security issue, but it can be an infrastructure or availability issue. |
+ | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000064 – “User logon with misspelled or bad user account”.
Especially if you get several of these events in a row, it can be a sign of a user enumeration attack. |
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC000006A – “User logon with misspelled or bad password” for critical accounts or service accounts.
Especially watch for a number of such events in a row. |
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000006D – “This is either due to a bad username or authentication information” for critical accounts or service accounts.
Especially watch for a number of such events in a row. |
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC000006F – “User logon outside authorized hours”. |
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000070 – “User logon from unauthorized workstation”. |
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000072 – “User logon to account disabled by administrator”. |
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000015B – “The user has not been granted the requested logon type (aka logon right) at this machine”. |
- | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000192 – “An attempt was made to logon, but the Netlogon service was not started”.
This is typically not a security issue but it can be an infrastructure or availability issue. |
+ | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000192 – “An attempt was made to logon, but the Netlogon service was not started”.
This issue is typically not a security issue but it can be an infrastructure or availability issue. |
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000193 – “User logon with expired account”. |
| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. |
diff --git a/windows/security/threat-protection/auditing/event-4692.md b/windows/security/threat-protection/auditing/event-4692.md
index 15199dbda5..dc84c4c3d6 100644
--- a/windows/security/threat-protection/auditing/event-4692.md
+++ b/windows/security/threat-protection/auditing/event-4692.md
@@ -30,7 +30,7 @@ This event generates every time that a backup is attempted for the [DPAPI](https
When a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. When a Master Key is generated, DPAPI communicates with a domain controller. Domain controllers have a domain-wide public/private key pair, associated solely with DPAPI. The local DPAPI client gets the domain controller public key from a domain controller by using a mutually authenticated and privacy protected RPC call. The client encrypts the Master Key with the domain controller public key. It then stores this backup Master Key along with the Master Key protected by the user's password.
-Periodically, a domain-joined machine will try to send an RPC request to a domain controller to back up the user’s master key so that the user can recover secrets in case his or her password has to be reset. Although the user's keys are stored in the user profile, a domain controller must be contacted to encrypt the master key with a domain recovery key.
+Periodically, a domain-joined machine tries to send an RPC request to a domain controller to back up the user’s master key so that the user can recover secrets in case their password has to be reset. Although the user's keys are stored in the user profile, a domain controller must be contacted to encrypt the master key with a domain recovery key.
This event also generates every time a new DPAPI Master Key is generated, for example.
@@ -91,7 +91,7 @@ Failure event generates when a Master Key backup operation fails for some reason
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested backup operation.
-- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following:
+- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Here are some examples of formats:
- Domain NETBIOS name example: CONTOSO
@@ -107,17 +107,17 @@ Failure event generates when a Master Key backup operation fails for some reason
**Key Information:**
-- **Key Identifier** \[Type = UnicodeString\]: unique identifier of a master key which backup was created. The Master Key is used, with some additional data, to generate an actual symmetric session key to encrypt\\decrypt the data using DPAPI. All of user's Master Keys are located in user profile -> %APPDATA%\\Roaming\\Microsoft\\Windows\\Protect\\%SID% folder. The name of every Master Key file is it’s ID.
+- **Key Identifier** \[Type = UnicodeString\]: unique identifier of a master key which backup was created. The Master Key is used, with some additional data, to generate an actual symmetric session key to encrypt\\decrypt the data using DPAPI. All of user's Master Keys are located in user profile -> %APPDATA%\\Roaming\\Microsoft\\Windows\\Protect\\%SID% folder. The name of every Master Key file is its ID.
- **Recovery Server** \[Type = UnicodeString\]: the name (typically – DNS name) of the computer that you contacted to back up your Master Key. For domain joined machines, it’s typically a name of a domain controller. This parameter might not be captured in the event, and in that case will be empty.
-- **Recovery Key ID** \[Type = UnicodeString\]**:** unique identifier of a recovery key. The recovery key is generated when a user chooses to create a Password Reset Disk (PRD) from the user's Control Panel or when first Master Key is generated. First, DPAPI generates a RSA public/private key pair, which is the recovery key. In this field you will see unique Recovery key ID which was used for Master key backup operation.
+- **Recovery Key ID** \[Type = UnicodeString\]**:** unique identifier of a recovery key. The recovery key is generated when a user chooses to create a Password Reset Disk (PRD) from the user's Control Panel or when first Master Key is generated. First, DPAPI generates an RSA public/private key pair, which is the recovery key. In this field, you will see unique Recovery key ID that was used for Master key backup operation.
- For Failure events this field is typically empty.
+ For Failure events, this field is typically empty.
**Status Information:**
-- **Status Code** \[Type = HexInt32\]**:** hexadecimal unique status code of performed operation. For Success events this field is typically “**0x0**”. To see the meaning of status code you need to convert it to decimal value and us “**net helpmsg STATUS\_CODE**” command to see the description for specific STATUS\_CODE. Here is an example of “net helpmsg” command output for status code 0x3A:
+- **Status Code** \[Type = HexInt32\]**:** hexadecimal unique status code of performed operation. For Success events, this field is typically “**0x0**”. To see the meaning of status code you need to convert it to decimal value and us “**net helpmsg STATUS\_CODE**” command to see the description for specific STATUS\_CODE. Here is an example of “net helpmsg” command output for status code 0x3A:
> \[Net helpmsg 58 illustration](..images/net-helpmsg-58.png)
diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md
index af44f02711..9c6cb7f55a 100644
--- a/windows/security/threat-protection/auditing/event-4771.md
+++ b/windows/security/threat-protection/auditing/event-4771.md
@@ -26,7 +26,7 @@ ms.author: dansimp
***Event Description:***
-This event generates every time the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). This can occur when a domain controller doesn’t have a certificate installed for smart card authentication (for example, with a “Domain Controller” or “Domain Controller Authentication” template), the user’s password has expired, or the wrong password was provided.
+This event generates every time the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). This problem can occur when a domain controller doesn’t have a certificate installed for smart card authentication (for example, with a “Domain Controller” or “Domain Controller Authentication” template), the user’s password has expired, or the wrong password was provided.
This event generates only on domain controllers.
@@ -103,7 +103,7 @@ This event is not generated if “Do not require Kerberos preauthentication” o
**Network Information:**
-- **Client Address** \[Type = UnicodeString\]**:** IP address of the computer from which the TGT request was received. Formats vary, and include the following:
+- **Client Address** \[Type = UnicodeString\]**:** IP address of the computer from which the TGT request was received. Here are some examples of formats:
- **IPv6** or **IPv4** address.
@@ -117,7 +117,7 @@ This event is not generated if “Do not require Kerberos preauthentication” o
**Additional Information:**
-- **Ticket Options**: \[Type = HexInt32\]: this is a set of different Ticket Flags in hexadecimal format.
+- **Ticket Options**: \[Type = HexInt32\]: this set of different Ticket Flags is in hexadecimal format.
Example:
@@ -125,7 +125,7 @@ This event is not generated if “Do not require Kerberos preauthentication” o
- Binary view: 01000000100000010000000000010000
- - Using **MSB 0** bit numbering we have bit 1, 8, 15 and 27 set = Forwardable, Renewable, Canonicalize, Renewable-ok.
+ - Using **MSB 0**-bit numbering, we have bit 1, 8, 15 and 27 set = Forwardable, Renewable, Canonicalize, Renewable-ok.
> **Note** In the table below **“MSB 0”** bit numbering is used, because RFC documents use this style. In “MSB 0” style bit numbering begins from left.
@@ -146,15 +146,15 @@ The most common values:
| 4 | Proxy | Indicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket. |
| 5 | Allow-postdate | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). |
| 6 | Postdated | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). |
-| 7 | Invalid | This flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets which have this flag set. |
+| 7 | Invalid | This flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets that have this flag set. |
| 8 | Renewable | Used in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically. |
| 9 | Initial | Indicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT. |
| 10 | Pre-authent | Indicates that the client was authenticated by the KDC before a ticket was issued. This flag usually indicates the presence of an authenticator in the ticket. It can also flag the presence of credentials taken from a smart card logon. |
| 11 | Opt-hardware-auth | This flag was originally intended to indicate that hardware-supported authentication was used during pre-authentication. This flag is no longer recommended in the Kerberos V5 protocol. KDCs MUST NOT issue a ticket with this flag set. KDCs SHOULD NOT preserve this flag if it is set by another KDC. |
| 12 | Transited-policy-checked | KILE MUST NOT check for transited domains on servers or a KDC. Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag. |
| 13 | Ok-as-delegate | The KDC MUST set the OK-AS-DELEGATE flag if the service account is trusted for delegation. |
-| 14 | Request-anonymous | KILE not use this flag. |
-| 15 | Name-canonicalize | In order to request referrals the Kerberos client MUST explicitly request the "canonicalize" KDC option for the AS-REQ or TGS-REQ. |
+| 14 | Request-anonymous | KILE does not use this flag. |
+| 15 | Name-canonicalize | To request referrals, the Kerberos client MUST explicitly request the "canonicalize" KDC option for the AS-REQ or TGS-REQ. |
| 16-25 | Unused | - |
| 26 | Disable-transited-check | By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honor
the DISABLE-TRANSITED-CHECK option.
Should not be in use, because Transited-policy-checked flag is not supported by KILE. |
| 27 | Renewable-ok | The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server. |
@@ -169,11 +169,11 @@ The most common values:
| Code | Code Name | Description | Possible causes |
|------|--------------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.
It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). |
+| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.
It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). |
| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset | The user’s password has expired. |
| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid | The wrong password was provided. |
-- **Pre-Authentication Type** \[Type = UnicodeString\]: the code of [pre-Authentication](https://technet.microsoft.com/library/cc772815(v=ws.10).aspx) type which was used in TGT request.
+- **Pre-Authentication Type** \[Type = UnicodeString\]: the code of [pre-Authentication](https://technet.microsoft.com/library/cc772815(v=ws.10).aspx) type that was used in TGT request.
## Table 5. Kerberos Pre-Authentication types.
@@ -181,7 +181,7 @@ The most common values:
| Type | Type Name | Description |
|------|------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 0 | - | Logon without Pre-Authentication. |
-| 2 | PA-ENC-TIMESTAMP | This is a normal type for standard password authentication. |
+| 2 | PA-ENC-TIMESTAMP | This type is normal for standard password authentication. |
| 11 | PA-ETYPE-INFO | The ETYPE-INFO pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.
Never saw this Pre-Authentication Type in Microsoft Active Directory environment. |
| 15 | PA-PK-AS-REP\_OLD | Used for Smart Card logon authentication. |
| 16 | PA-PK-AS-REQ | Request sent to KDC in Smart Card authentication scenarios.|
@@ -193,7 +193,7 @@ The most common values:
**Certificate Information:**
-- **Certificate Issuer Name** \[Type = UnicodeString\]**:** the name of Certification Authority which issued smart card certificate. Populated in **Issued by** field in certificate. Always empty for [4771](event-4771.md) events.
+- **Certificate Issuer Name** \[Type = UnicodeString\]**:** the name of Certification Authority that issued smart card certificate. Populated in **Issued by** field in certificate. Always empty for [4771](event-4771.md) events.
- **Certificate Serial Number** \[Type = UnicodeString\]**:** smart card certificate’s serial number. Can be found in **Serial number** field in the certificate. Always empty for [4771](event-4771.md) events.
@@ -208,14 +208,14 @@ For 4771(F): Kerberos pre-authentication failed.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Security ID”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Security ID”** that corresponds to the accounts that should never be used. |
-| **Account whitelist**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Security ID”** for accounts that are outside the allow list. |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Security ID”** for accounts that are outside the allow list. |
| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that don’t comply with naming conventions. |
- You can track all [4771](event-4771.md) events where the **Client Address** is not from your internal IP range or not from private IP ranges.
- If you know that **Account Name** should be used only from known list of IP addresses, track all **Client Address** values for this **Account Name** in [4771](event-4771.md) events. If **Client Address** is not from the allow list, generate the alert.
-- All **Client Address** = ::1 means local authentication. If you know the list of accounts which should log on to the domain controllers, then you need to monitor for all possible violations, where **Client Address** = ::1 and **Account Name** is not allowed to log on to any domain controller.
+- All **Client Address** = ::1 means local authentication. If you know the list of accounts that should log on to the domain controllers, then you need to monitor for all possible violations, where **Client Address** = ::1 and **Account Name** is not allowed to log on to any domain controller.
- All [4771](event-4771.md) events with **Client Port** field value > 0 and < 1024 should be examined, because a well-known port was used for outbound connection.
@@ -227,5 +227,5 @@ For 4771(F): Kerberos pre-authentication failed.
| **Pre-Authentication Type** | Value is **not 2** when only standard password authentication is in use in the organization. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types). |
| **Pre-Authentication Type** | Value is **not 138** when Kerberos Armoring is enabled for all Kerberos communications in the organization. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types). |
| **Failure Code** | **0x10** (KDC has no support for PADATA type (pre-authentication data)). This error can help you to more quickly identify smart-card related problems with Kerberos authentication. |
-| **Failure Code** | **0x18** ((Pre-authentication information was invalid), if you see, for example N events in last N minutes. This can be an indicator of brute-force attack on the account password, especially for highly critical accounts. |
+| **Failure Code** | **0x18** ((Pre-authentication information was invalid), if you see, for example N events in last N minutes. This issue can indicate a brute-force attack on the account password, especially for highly critical accounts. |
diff --git a/windows/security/threat-protection/auditing/event-4947.md b/windows/security/threat-protection/auditing/event-4947.md
index deffae0186..a4906d1dbc 100644
--- a/windows/security/threat-protection/auditing/event-4947.md
+++ b/windows/security/threat-protection/auditing/event-4947.md
@@ -90,11 +90,11 @@ This event doesn't generate when Firewall rule was modified via Group Policy.
- **Rule ID** \[Type = UnicodeString\]: the unique identifier for modified firewall rule.
- To see the unique ID of the rule you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters:
+ To see the unique ID of the rule, navigate to the“**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters:
-- **Rule Name** \[Type = UnicodeString\]: the name of the rule which was modified. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
+- **Rule Name** \[Type = UnicodeString\]: the name of the rule that was modified. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
@@ -102,5 +102,5 @@ This event doesn't generate when Firewall rule was modified via Group Policy.
For 4947(S): A change has been made to Windows Firewall exception list. A rule was modified.
-- This event can be helpful in case you want to monitor all Firewall rules modifications which were done locally.
+- This event can be helpful in case you want to monitor all Firewall rules modifications that were done locally.
diff --git a/windows/security/threat-protection/auditing/event-4953.md b/windows/security/threat-protection/auditing/event-4953.md
index 0c705ce6cc..1e9dcd7898 100644
--- a/windows/security/threat-protection/auditing/event-4953.md
+++ b/windows/security/threat-protection/auditing/event-4953.md
@@ -93,11 +93,11 @@ It can happen if Windows Firewall rule registry entry was corrupted.
- **ID** \[Type = UnicodeString\]: the unique identifier for ignored firewall rule.
- To see the unique ID of the rule you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters:
+ To see the unique ID of the rule, navigate to the “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters:
-- **Name** \[Type = UnicodeString\]: the name of the rule which was ignored. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
+- **Name** \[Type = UnicodeString\]: the name of the rule that was ignored. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column:
diff --git a/windows/security/threat-protection/auditing/event-5056.md b/windows/security/threat-protection/auditing/event-5056.md
index a675d79c58..96e278db56 100644
--- a/windows/security/threat-protection/auditing/event-5056.md
+++ b/windows/security/threat-protection/auditing/event-5056.md
@@ -20,7 +20,7 @@ ms.author: dansimp
- Windows Server 2016
-This event generates in CNG Self-Test function. This is a Cryptographic Next Generation (CNG) function.
+This event generates in CNG Self-Test function. This function is a Cryptographic Next Generation (CNG) function.
For more information about Cryptographic Next Generation (CNG) visit these pages:
@@ -32,7 +32,7 @@ For more information about Cryptographic Next Generation (CNG) visit these pages
-
-This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting.
+This event is mainly used for CNG troubleshooting.
There is no example of this event in this document.
@@ -40,7 +40,7 @@ There is no example of this event in this document.
***Event Schema:***
-*A cryptographic self test was performed.*
+*A cryptographic self-test was performed.*
*Subject:*
diff --git a/windows/security/threat-protection/auditing/event-5060.md b/windows/security/threat-protection/auditing/event-5060.md
index 96344c475f..e24e71d924 100644
--- a/windows/security/threat-protection/auditing/event-5060.md
+++ b/windows/security/threat-protection/auditing/event-5060.md
@@ -1,6 +1,6 @@
---
title: 5060(F) Verification operation failed. (Windows 10)
-description: Describes security event 5060(F) Verification operation failed. This event is generated in case of CNG verification operation failure.
+description: Describes security event 5060(F) Verification operation failed. This event is generated when the CNG verification operation fails.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
@@ -20,9 +20,9 @@ ms.author: dansimp
- Windows Server 2016
-This event generates in case of CNG verification operation failure.
+This event generates when the Cryptographic Next Generation (CNG) verification operation fails.
-For more information about Cryptographic Next Generation (CNG) visit these pages:
+For more information about CNG, visit these pages:
-
@@ -32,7 +32,7 @@ For more information about Cryptographic Next Generation (CNG) visit these pages
-
-This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting.
+This event is mainly used for CNG troubleshooting.
There is no example of this event in this document.
diff --git a/windows/security/threat-protection/auditing/event-5152.md b/windows/security/threat-protection/auditing/event-5152.md
index a13a14a7de..ece1e4566d 100644
--- a/windows/security/threat-protection/auditing/event-5152.md
+++ b/windows/security/threat-protection/auditing/event-5152.md
@@ -128,9 +128,9 @@ This event is generated for every received network packet.
- 127.0.0.1 , ::1 - localhost
-- **Destination Port** \[Type = UnicodeString\]**:** port number which was used from remote machine to send the packet.
+- **Destination Port** \[Type = UnicodeString\]**:** port number that was used from remote machine to send the packet.
-- **Protocol** \[Type = UInt32\]: number of protocol which was used.
+- **Protocol** \[Type = UInt32\]**:** number of the protocol that was used.
| Service | Protocol Number |
|----------------------------------------------------|-----------------|
@@ -152,15 +152,15 @@ This event is generated for every received network packet.
**Filter Information:**
-- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which blocked the packet.
+- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that blocked the packet.
- To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As result of this command **filters.xml** file will be generated. You need to open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
+ To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
-- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
+- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command **wfpstate.xml** file will be generated. Open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
@@ -168,7 +168,7 @@ This event is generated for every received network packet.
For 5152(F): The Windows Filtering Platform blocked a packet.
-- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
+- If you have a pre-defined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
@@ -178,13 +178,13 @@ For 5152(F): The Windows Filtering Platform blocked a packet.
- If the computer or device should not have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5152](event-5152.md) events where **Destination Address** is an IP address from the Internet (not from private IP ranges).
-- If you know that the computer should never contact or be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.”
+- If you know that the computer should never contact or should never be contacted by certain network IP addresses, monitor for these addresses in **Destination Address**.
-- If you have an allow list of IP addresses that the computer or device is expected to contact or be contacted by, monitor for IP addresses in **“Destination Address”** that are not in the allow list.
+- If you have an allow list of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in **“Destination Address”** that are not in the allow list.
- If you need to monitor all inbound connections to a specific local port, monitor for [5152](event-5152.md) events with that “**Source Port**.**”**
-- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or compter, for example, anything other than 1, 6, or 17.
+- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or computer, for example, anything other than 1, 6, or 17.
- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
diff --git a/windows/security/threat-protection/auditing/event-5154.md b/windows/security/threat-protection/auditing/event-5154.md
index f66366168d..b464c877d6 100644
--- a/windows/security/threat-protection/auditing/event-5154.md
+++ b/windows/security/threat-protection/auditing/event-5154.md
@@ -75,7 +75,7 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
**Application Information**:
-- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which was permitted to listen on the port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
+- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that was permitted to listen on the port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
@@ -103,7 +103,7 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
- 127.0.0.1 , ::1 - localhost
-- **Source Port** \[Type = UnicodeString\]: source TCP\\UDP port number which was requested for listening by application.
+- **Source Port** \[Type = UnicodeString\]: source TCP\\UDP port number that was requested for listening by application.
- **Protocol** \[Type = UInt32\]: protocol number. For example:
@@ -115,15 +115,15 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
**Filter Information:**
-- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which allows application to listen on the specific port. By default Windows firewall won't prevent a port from being listened by an application and if this application doesn’t match any filters you will get value **0** in this field.
+- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that allows application to listen on the specific port. By default Windows firewall won't prevent a port from being listened by an application and if this application doesn’t match any filters you will get value **0** in this field.
- To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As result of this command **filters.xml** file will be generated. You need to open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
+ To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
-- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
+- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command, the **wfpstate.xml** file will be generated. Open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
@@ -131,7 +131,7 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
For 5154(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
-- If you have a “whitelist” of applications that are associated with certain operating systems or server roles, and that are expected to listen on specific ports, monitor this event for **“Application Name”** and other relevant information.
+- If you have an “allow list” of applications that are associated with certain operating systems or server roles, and that are expected to listen on specific ports, monitor this event for **“Application Name”** and other relevant information.
- If a certain application is allowed to listen only on specific port numbers, monitor this event for **“Application Name”** and **“Network Information\\Source Port**.**”**
@@ -139,7 +139,7 @@ For 5154(S): The Windows Filtering Platform has permitted an application or serv
- If a certain application is allowed to use only TCP or UDP protocols, monitor this event for **“Application Name”** and the protocol number in **“Network Information\\Protocol**.**”**
-- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
+- If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
diff --git a/windows/security/threat-protection/auditing/event-5156.md b/windows/security/threat-protection/auditing/event-5156.md
index 6a97371b47..d44b9a921f 100644
--- a/windows/security/threat-protection/auditing/event-5156.md
+++ b/windows/security/threat-protection/auditing/event-5156.md
@@ -80,7 +80,7 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co
**Application Information**:
-- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which received the connection. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
+- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that received the connection. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
@@ -130,7 +130,7 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co
- **Destination Port** \[Type = UnicodeString\]**:** port number where the connection was received.
-- **Protocol** \[Type = UInt32\]: number of protocol which was used.
+- **Protocol** \[Type = UInt32\]: number of the protocol that was used.
| Service | Protocol Number |
|----------------------------------------------------|-----------------|
@@ -152,15 +152,15 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co
**Filter Information:**
-- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which allowed the connection.
+- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that allowed the connection.
- To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As result of this command **filters.xml** file will be generated. You need to open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
+ To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
-- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
+- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command, the **wfpstate.xml** file will be generated. Open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
@@ -168,7 +168,7 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co
For 5156(S): The Windows Filtering Platform has permitted a connection.
-- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
+- If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
@@ -178,9 +178,9 @@ For 5156(S): The Windows Filtering Platform has permitted a connection.
- If the computer or device should not have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5156](event-5156.md) events where “**Destination Address”** is an IP address from the Internet (not from private IP ranges).
-- If you know that the computer should never contact or be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.**”**
+- If you know that the computer should never contact or should never be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.**”**
-- If you have an allow list of IP addresses that the computer or device is expected to contact or be contacted by, monitor for IP addresses in “**Destination Address”** that are not in the allow list.
+- If you have an allow list of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in “**Destination Address”** that are not in the allow list.
- If you need to monitor all inbound connections to a specific local port, monitor for [5156](event-5156.md) events with that “**Source Port**.**”**
diff --git a/windows/security/threat-protection/auditing/event-5157.md b/windows/security/threat-protection/auditing/event-5157.md
index f35e1cf804..88bc5b1315 100644
--- a/windows/security/threat-protection/auditing/event-5157.md
+++ b/windows/security/threat-protection/auditing/event-5157.md
@@ -128,9 +128,9 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co
- 127.0.0.1 , ::1 - localhost
-- **Destination Port** \[Type = UnicodeString\]**:** port number which was used from remote machine to initiate connection.
+- **Destination Port** \[Type = UnicodeString\]**:** port number that was used from remote machine to initiate connection.
-- **Protocol** \[Type = UInt32\]: number of protocol which was used.
+- **Protocol** \[Type = UInt32\]: number of the protocol that was used.
| Service | Protocol Number |
|----------------------------------------------------|-----------------|
@@ -152,15 +152,15 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co
**Filter Information:**
-- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which blocked the connection.
+- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that blocked the connection.
- To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As result of this command **filters.xml** file will be generated. You need to open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
+ To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
-- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
+- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command, the **wfpstate.xml** file will be generated. Open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
@@ -168,7 +168,7 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co
For 5157(F): The Windows Filtering Platform has blocked a connection.
-- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
+- If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
@@ -178,13 +178,13 @@ For 5157(F): The Windows Filtering Platform has blocked a connection.
- If the\` computer or device should not have access to the Internet, or contains only applications that don’t connect to the Internet, monitor for [5157](event-5157.md) events where “**Destination Address”** is an IP address from the Internet (not from private IP ranges).
-- If you know that the computer should never contact or be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.**”**
+- If you know that the computer should never contact or should never be contacted by certain network IP addresses, monitor for these addresses in “**Destination Address**.**”**
-- If you have an allow list of IP addresses that the computer or device is expected to contact or be contacted by, monitor for IP addresses in “**Destination Address”** that are not in the allow list.
+- If you have an allow list of IP addresses that the computer or device is expected to contact or to be contacted by, monitor for IP addresses in “**Destination Address”** that are not in the allow list.
- If you need to monitor all inbound connections to a specific local port, monitor for [5157](event-5157.md) events with that “**Source Port**.**”**
-- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or compter, for example, anything other than 1, 6, or 17.
+- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or computer, for example, anything other than 1, 6, or 17.
- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
diff --git a/windows/security/threat-protection/auditing/event-5158.md b/windows/security/threat-protection/auditing/event-5158.md
index 55dd4c04da..76bb82efef 100644
--- a/windows/security/threat-protection/auditing/event-5158.md
+++ b/windows/security/threat-protection/auditing/event-5158.md
@@ -75,7 +75,7 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
**Application Information**:
-- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which was permitted to bind to the local port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
+- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that was permitted to bind to the local port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
@@ -107,7 +107,7 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
- **Source Port** \[Type = UnicodeString\]**:** port number which application was bind.
-- **Protocol** \[Type = UInt32\]: number of protocol which was used.
+- **Protocol** \[Type = UInt32\]: number of the protocol that was used.
| Service | Protocol Number |
|----------------------------------------------------|-----------------|
@@ -129,15 +129,15 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
**Filter Information:**
-- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which allows application to bind the port. By default Windows firewall won't prevent a port from being binded by an application and if this application doesn’t match any filters you will get value 0 in this field.
+- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that allows the application to bind the port. By default, Windows firewall won't prevent a port from being bound by an application. If this application doesn’t match any filters, you will get value 0 in this field.
- To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As result of this command **filters.xml** file will be generated. You need to open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
+ To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find specific substring with required filter ID (**<filterId>**)**,** for example:
- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
-- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
+- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command, the **wfpstate.xml** file will be generated. Open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
@@ -145,7 +145,7 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros
For 5158(S): The Windows Filtering Platform has permitted a bind to a local port.
-- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
+- If you have a predefined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application.
- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
@@ -155,7 +155,7 @@ For 5158(S): The Windows Filtering Platform has permitted a bind to a local port
- If you need to monitor all actions with a specific local port, monitor for [5158](event-5158.md) events with that “**Source Port.”**
-- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or compter, for example, anything other than 6 or 17.
+- Monitor for all connections with a “**Protocol Number”** that is not typical for this device or computer, for example, anything other than 6 or 17.
- If the computer’s communication with “**Destination Address”** should always use a specific “**Destination Port**,**”** monitor for any other “**Destination Port**.”
diff --git a/windows/security/threat-protection/auditing/event-5159.md b/windows/security/threat-protection/auditing/event-5159.md
index 998321eae5..460e244dd8 100644
--- a/windows/security/threat-protection/auditing/event-5159.md
+++ b/windows/security/threat-protection/auditing/event-5159.md
@@ -73,7 +73,7 @@ This event is logged if the Windows Filtering Platform has blocked a bind to a l
**Application Information**:
-- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which was permitted to bind to the local port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
+- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that was permitted to bind to the local port. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
@@ -127,15 +127,15 @@ This event is logged if the Windows Filtering Platform has blocked a bind to a l
**Filter Information:**
-- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID which blocks the application from binding to the port. By default, Windows firewall won't prevent a port from binding by an application, and if this application doesn’t match any filters, you will get value 0 in this field.
+- **Filter Run-Time ID** \[Type = UInt64\]: unique filter ID that blocks the application from binding to the port. By default, Windows firewall won't prevent a port from binding by an application, and if this application doesn’t match any filters, you will get value 0 in this field.
- To find specific Windows Filtering Platform filter by ID you need to execute the following command: **netsh wfp show filters**. As a result of this command, **filters.xml** file will be generated. You need to open this file and find the specific substring with the required filter ID (**<filterId>**)**,** for example:
+ To find a specific Windows Filtering Platform filter by ID, run the following command: **netsh wfp show filters**. As a result of this command, the **filters.xml** file will be generated. Open this file and find the specific substring with the required filter ID (**<filterId>**)**,** for example:
- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name.
-- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example:
+- **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find a specific Windows Filtering Platform layer ID, run the following command: **netsh wfp show state**. As a result of this command, the **wfpstate.xml** file will be generated. Open this file and find the specific substring with the required layer ID (**<layerId>**)**,** for example:
diff --git a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md
index 0762f04322..58bd7574f2 100644
--- a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md
+++ b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md
@@ -1,6 +1,6 @@
---
title: How to get a list of XML data name elements in (Windows 10)
-description: This reference topic for the IT professional explains how to use PowerShell to get a list of XML data name elements that can appear in .
+description: This reference article for the IT professional explains how to use PowerShell to get a list of XML data name elements that can appear in .
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -20,15 +20,15 @@ ms.author: dansimp
The Security log uses a manifest where you can get all of the event schema.
-Run the following from an elevated PowerShell prompt:
+Run the following command from an elevated PowerShell prompt:
```powershell
$secEvents = get-winevent -listprovider "microsoft-windows-security-auditing"
```
-The .events property is a collection of all of the events listed in the manifest on the local machine.
+The `.events` property is a collection of all of the events listed in the manifest on the local machine.
-For each event, there is a .Template property for the XML template used for the event properties (if there are any).
+For each event, there is a `.Template` property for the XML template used for the event properties (if there are any).
For example:
@@ -90,7 +90,7 @@ PS C:\WINDOWS\system32> $SecEvents.events[100].Template
You can use the <Template> and <Description> to map the data name elements that appear in XML view to the names that appear in the event description.
-The <Description> is just the format string (if you’re used to Console.Writeline or sprintf statements) and the <Template> is the source of the input parameters for the <Description>.
+The <Description> is just the format string (if you’re used to `Console.Writeline` or `sprintf` statements), and the <Template> is the source of the input parameters for the <Description>.
Using Security event 4734 as an example:
@@ -124,9 +124,9 @@ Description : A security-enabled local group was deleted.
```
-For the **Subject: Security Id:** text element, it will use the fourth element in the Template, **SubjectUserSid**.
+For the **Subject: Security ID:** text element, it will use the fourth element in the Template, **SubjectUserSid**.
-For **Additional Information Privileges:**, it would use the eighth element **PrivilegeList**.
+For **Additional Information Privileges:**, it would use the eighth element, **PrivilegeList**.
-A caveat to this is an oft-overlooked property of events called Version (in the <SYSTEM> element) that indicates the revision of the event schema and description. Most events have 1 version (all events have Version =0 like the Security/4734 example) but a few events like Security/4624 or Security/4688 have at least 3 versions (versions 0, 1, 2) depending on the OS version where the event is generated. Only the latest version is used for generating events in the Security log. In any case, the Event Version where the Template is taken from should use the same Event Version for the Description.
+A caveat to this principle is an often overlooked property of events called Version (in the <SYSTEM> element) that indicates the revision of the event schema and description. Most events have one version (all events have Version =0 like the Security/4734 example) but a few events like Security/4624 or Security/4688 have at least three versions (versions 0, 1, 2) depending on the OS version where the event is generated. Only the latest version is used for generating events in the Security log. In any case, the Event Version where the Template is taken from should use the same Event Version for the Description.
diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md
index 9b911ac29f..867aadf0d5 100644
--- a/windows/security/threat-protection/fips-140-validation.md
+++ b/windows/security/threat-protection/fips-140-validation.md
@@ -72,7 +72,7 @@ This caveat identifies required configuration and security rules that must be fo
### What is the relationship between FIPS 140-2 and Common Criteria?
-These are two separate security standards with different, but complementary, purposes. FIPS 140-2 is designed specifically for validating software and hardware cryptographic modules, while Common Criteria are designed to evaluate security functions in IT software and hardware products. Common Criteria evaluations often rely on FIPS 140-2 validations to provide assurance that basic cryptographic functionality is implemented properly.
+These are two separate security standards with different, but complementary, purposes. FIPS 140-2 is designed specifically for validating software and hardware cryptographic modules, while Common Criteria is designed to evaluate security functions in IT software and hardware products. Common Criteria evaluations often rely on FIPS 140-2 validations to provide assurance that basic cryptographic functionality is implemented properly.
### How does FIPS 140 relate to Suite B?
diff --git a/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md b/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md
index df44f6142a..bd1b4f57e7 100644
--- a/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md
+++ b/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md
@@ -17,22 +17,22 @@ search.appverid: met150
---
# Troubleshooting malware submission errors caused by administrator block
-In some instances, an administrator block might cause submission issues when you try to submit a potentially infected file to the [Microsoft Security intelligence website](https://www.microsoft.com/wdsi) for analysis. The following process shows how to resolve this.
+In some instances, an administrator block might cause submission issues when you try to submit a potentially infected file to the [Microsoft Security intelligence website](https://www.microsoft.com/wdsi) for analysis. The following process shows how to resolve this problem.
## Review your settings
Open your Azure [Enterprise application settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/). Under **Enterprise Applications** > **Users can consent to apps accessing company data on their behalf**, check whether Yes or No is selected.
-- If this is set to **No**, an AAD administrator for the customer tenant will need to provide consent for the organization. Depending on the configuration with AAD, users might be able to submit a request right from the same dialog box. If there’s no option to ask for admin consent, users need to request for these permissions to be added to their AAD admin. Go to the following section for more information.
+- If **No** is selected, an Azure AD administrator for the customer tenant will need to provide consent for the organization. Depending on the configuration with Azure AD, users might be able to submit a request right from the same dialog box. If there’s no option to ask for admin consent, users need to request for these permissions to be added to their Azure AD admin. Go to the following section for more information.
-- It this is set to **Yes**, ensure the Windows Defender Security Intelligence app setting **Enabled for users to sign-in?** is set to **Yes** [in Azure](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d). If this is set to **No** you'll need to request an AAD admin enable it.
+- If **Yes** is selected, ensure the Windows Defender Security Intelligence app setting **Enabled for users to sign in?** is set to **Yes** [in Azure](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d). If **No** is selected, you'll need to request an Azure AD admin enable it.
## Implement Required Enterprise Application permissions
This process requires a global or application admin in the tenant.
1. Open [Enterprise Application settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Permissions/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d).
- 2. Click **Grant admin consent for organization**.
- 3. If you're able to do so, Review the API permissions required for this application. This should be exactly the same as in the following image. Provide consent for the tenant.
+ 2. Select **Grant admin consent for organization**.
+ 3. If you're able to do so, review the API permissions required for this application, as the following image shows. Provide consent for the tenant.
- 
+ 
4. If the administrator receives an error while attempting to provide consent manually, try either [Option 1](#option-1-approve-enterprise-application-permissions-by-user-request) or [Option 2](#option-2-provide-admin-consent-by-authenticating-the-application-as-an-admin) as possible workarounds.
@@ -59,15 +59,15 @@ This process requires that global admins go through the Enterprise customer sign
-Then, admins review the permissions and make sure to select **Consent on behalf of your organization**, and click **Accept**.
+Then, admins review the permissions and make sure to select **Consent on behalf of your organization**, and then select **Accept**.
All users in the tenant will now be able to use this application.
-## Option 3: Delete and re-add app permissions
+## Option 3: Delete and readd app permissions
If neither of these options resolve the issue, try the following steps (as an admin):
1. Remove previous configurations for the application. Go to [Enterprise applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/982e94b2-fea9-4d1f-9fca-318cda92f90b)
-and click **delete**.
+and select **delete**.
@@ -78,7 +78,7 @@ and click **delete**.
-4. Review the permissions required by the application, and then click **Accept**.
+4. Review the permissions required by the application, and then select **Accept**.
5. Confirm the permissions are applied in the [Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Permissions/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/ce60a464-5fca-4819-8423-bcb46796b051).
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
index 0beba73e43..248f41713e 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
@@ -13,7 +13,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer:
manager: dansimp
-ms.date: 11/20/2020
+ms.date: 11/02/2020
---
# Manage Microsoft Defender Antivirus updates and apply baselines
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
index a89853180f..8facb0d850 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
@@ -50,7 +50,7 @@ The following table summarizes what happens with Microsoft Defender Antivirus wh
(1) On Windows Server 2016 or 2019, Microsoft Defender Antivirus will not enter passive or disabled mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product, you should [consider uninstalling Microsoft Defender Antivirus on Windows Server 2016 or 2019](microsoft-defender-antivirus-on-windows-server-2016.md#need-to-uninstall-microsoft-defender-antivirus) to prevent problems caused by having multiple antivirus products installed on a machine.
-If you are Using Windows Server, version 1803 and Windows 2019, you can enable passive mode by setting this registry key:
+If you are using Windows Server, version 1803 or Windows Server 2019, you can enable passive mode by setting this registry key:
- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
- Name: ForceDefenderPassiveMode
- Type: REG_DWORD
@@ -78,7 +78,7 @@ The following table summarizes the functionality and features that are available
- In Active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself).
- In Passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections which are shared with the Microsoft Defender ATP service. Therefore, you might encounter alerts in the Security Center console with Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in Passive mode.
-- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) (currently in private preview) is turned on, Microsoft Defender Antivirus is not used as the primary antivirus solution, but can still detect and remediate malicious items.
+- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) is turned on, Microsoft Defender Antivirus is not used as the primary antivirus solution, but can still detect and remediate malicious items.
- In Automatic disabled mode, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated.
## Keep the following points in mind
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
index a95fc2b95f..153100cb9f 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
@@ -1,5 +1,5 @@
---
-title: Schedule regular quick and full scans with Microsoft Defender AV
+title: Schedule regular quick and full scans with Microsoft Defender Antivirus
description: Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
keywords: quick scan, full scan, quick vs full, schedule scan, daily, weekly, time, scheduled, recurring, regular
search.product: eADQiWindows 10XVcnh
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 10/26/2020
+ms.date: 11/02/2020
ms.reviewer: pauhijbr
manager: dansimp
---
@@ -25,6 +25,7 @@ manager: dansimp
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+
> [!NOTE]
> By default, Microsoft Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) to override this default.
@@ -44,7 +45,9 @@ This article describes how to configure scheduled scans with Group Policy, Power
5. Expand the tree to **Windows components > Microsoft Defender Antivirus** and then the **Location** specified in the table below.
-6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
+6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration.
+
+7. Click **OK**, and repeat for any other settings.
Also see the [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) and [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) topics.
@@ -74,12 +77,13 @@ Scheduled scans will run at the day and time you specify. You can use Group Poli
### Use Group Policy to schedule scans
-| Location | Setting | Description | Default setting (if not configured) |
+|Location | Setting | Description | Default setting (if not configured) |
|:---|:---|:---|:---|
|Scan | Specify the scan type to use for a scheduled scan | Quick scan |
|Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never |
-| Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 a.m.). | 2 a.m. |
-| Root | Randomize scheduled task times |In Microsoft Defender Antivirus: Randomize the start time of the scan to any interval from 0 to 4 hours.
In FEP/SCEP: randomize to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments. | Enabled |
+|Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 a.m.). | 2 a.m. |
+|Root | Randomize scheduled task times |In Microsoft Defender Antivirus: Randomize the start time of the scan to any interval from 0 to 4 hours.
In FEP/SCEP: randomize to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments. | Enabled |
+
### Use PowerShell cmdlets to schedule scans
@@ -100,8 +104,10 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
```WMI
-SignatureFallbackOrder
-SignatureDefinitionUpdateFileSharesSouce
+ScanParameters
+ScanScheduleDay
+ScanScheduleTime
+RandomizeScheduleTaskTimes
```
See the following for more information and allowed parameters:
@@ -138,8 +144,7 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
```WMI
-SignatureFallbackOrder
-SignatureDefinitionUpdateFileSharesSouce
+ScanOnlyIfIdleEnabled
```
See the following for more information and allowed parameters:
@@ -173,8 +178,8 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
```WMI
-SignatureFallbackOrder
-SignatureDefinitionUpdateFileSharesSouce
+RemediationScheduleDay
+RemediationScheduleTime
```
See the following for more information and allowed parameters:
@@ -190,7 +195,8 @@ You can enable a daily quick scan that can be run in addition to your other sche
### Use Group Policy to schedule daily scans
-| Location | Setting | Description | Default setting (if not configured)|
+
+|Location | Setting | Description | Default setting (if not configured) |
|:---|:---|:---|:---|
|Scan | Specify the interval to run quick scans per day | Specify how many hours should elapse before the next quick scan. For example, to run every two hours, enter **2**, for once a day, enter **24**. Enter **0** to never run a daily quick scan. | Never |
|Scan | Specify the time for a daily quick scan | Specify the number of minutes after midnight (for example, enter **60** for 1 a.m.) | 2 a.m. |
@@ -210,8 +216,7 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
```WMI
-SignatureFallbackOrder
-SignatureDefinitionUpdateFileSharesSouce
+ScanScheduleQuickScanTime
```
See the following for more information and allowed parameters:
@@ -224,9 +229,9 @@ You can force a scan to occur after every [protection update](manage-protection-
### Use Group Policy to schedule scans after protection updates
-Location | Setting | Description | Default setting (if not configured)
----|---|---|---
-Signature updates | Turn on scan after Security intelligence update | A scan will occur immediately after a new protection update is downloaded | Enabled
+|Location | Setting | Description | Default setting (if not configured)|
+|:---|:---|:---|:---|
+|Signature updates | Turn on scan after Security intelligence update | A scan will occur immediately after a new protection update is downloaded | Enabled |
## See also
- [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
index 867107aeaa..007fa751d5 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
@@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.date: 10/29/2020
+ms.date: 11/03/2020
ms.reviewer:
manager: dansimp
ms.custom: asr
@@ -22,8 +22,8 @@ Answering frequently asked questions about Microsoft Defender Application Guard
## Frequently Asked Questions
-### Can I enable Application Guard on machines equipped with 4 GB RAM?
-We recommend 8 GB RAM for optimal performance but you may use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration.
+### Can I enable Application Guard on machines equipped with 4-GB RAM?
+We recommend 8-GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration.
`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.)
@@ -33,7 +33,7 @@ We recommend 8 GB RAM for optimal performance but you may use the following regi
### Can employees download documents from the Application Guard Edge session onto host devices?
-In Windows 10 Enterprise edition 1803, users will be able to download documents from the isolated Application Guard container to the host PC. This capability is managed by policy.
+In Windows 10 Enterprise edition 1803, users are able to download documents from the isolated Application Guard container to the host PC. This capability is managed by policy.
In Windows 10 Enterprise edition 1709 or Windows 10 Professional edition 1803, it is not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.
@@ -71,19 +71,19 @@ The following Input Method Editors (IME) introduced in Windows 10, version 1903
### I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering?
-This feature is currently experimental only and is not functional without an additional regkey provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature.
+This feature is currently experimental only and is not functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature.
### What is the WDAGUtilityAccount local account?
-This account is part of Application Guard beginning with Windows 10 version 1709 (Fall Creators Update). This account remains disabled until Application Guard is enabled on your device. This item is integrated to the OS and is not considered as a threat/virus/malware.
+This account is part of Application Guard beginning with Windows 10, version 1709 (Fall Creators Update). This account remains disabled until Application Guard is enabled on your device. This item is integrated to the OS and is not considered as a threat/virus/malware.
### How do I trust a subdomain in my site list?
-To trust a subdomain, you must precede your domain with two dots, for example: `..contoso.com` will ensure `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), the second dot recognizes the start of the domain name (`contoso.com`). This prevents sites such as `fakesitecontoso.com` from being trusted.
+To trust a subdomain, you must precede your domain with two dots, for example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), the second dot recognizes the start of the domain name (`contoso.com`). This prevents sites such as `fakesitecontoso.com` from being trusted.
### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise?
-When using Windows Pro or Windows Enterprise, you will have access to using Application Guard's Standalone Mode. However, when using Enterprise you will have access to Application Guard's Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard).
+When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard).
### Is there a size limit to the domain lists that I need to configure?
@@ -91,27 +91,27 @@ Yes, both the Enterprise Resource domains hosted in the cloud and the Domains ca
### Why does my encryption driver break Microsoft Defender Application Guard?
-Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message ("0x80070013 ERROR_WRITE_PROTECT").
+Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (`0x80070013 ERROR_WRITE_PROTECT`).
### Why do the Network Isolation policies in Group Policy and CSP look different?
-There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy WDAG are different between CSP and GP.
+There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP.
-Mandatory network isolation GP policy to deploy WDAG: "DomainSubnets or CloudResources"
-Mandatory network isolation CSP policy to deploy WDAG: "EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)"
+Mandatory network isolation GP policy to deploy Application Guard: "DomainSubnets or CloudResources"
+Mandatory network isolation CSP policy to deploy Application Guard: "EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)"
For EnterpriseNetworkDomainNames, there is no mapped CSP policy.
-Windows Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message (`0x80070013 ERROR_WRITE_PROTECT`).
+Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (`0x80070013 ERROR_WRITE_PROTECT`).
### Why did Application Guard stop working after I turned off hyperthreading?
If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements.
-### Why am I getting the error message ("ERROR_VIRTUAL_DISK_LIMITATION")?
+### Why am I getting the error message "ERROR_VIRTUAL_DISK_LIMITATION"?
-Application Guard may not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume.
+Application Guard might not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume.
-### Why am I getting the error message ("ERR_NAME_NOT_RESOLVED") after not being able to reach PAC file?
+### Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach PAC file?
This is a known issue. To mitigate this you need to create two firewall rules.
For guidance on how to create a firewall rule by using group policy, see:
@@ -119,8 +119,8 @@ For guidance on how to create a firewall rule by using group policy, see:
- [Open Group Policy management console for Microsoft Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security)
First rule (DHCP Server):
-1. Program path: %SystemRoot%\System32\svchost.exe
-2. Local Service: Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))
+1. Program path: `%SystemRoot%\System32\svchost.exe`
+2. Local Service: `Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))`
3. Protocol UDP
4. Port 67
@@ -129,7 +129,7 @@ This is the same as the first rule, but scoped to local port 68.
In the Microsoft Defender Firewall user interface go through the following steps:
1. Right click on inbound rules, create a new rule.
2. Choose **custom rule**.
-3. Program path: **%SystemRoot%\System32\svchost.exe**.
+3. Program path: `%SystemRoot%\System32\svchost.exe`.
4. Protocol Type: UDP, Specific ports: 67, Remote port: any.
5. Any IP addresses.
6. Allow the connection.
@@ -139,23 +139,26 @@ In the Microsoft Defender Firewall user interface go through the following steps
### Why can I not launch Application Guard when Exploit Guard is enabled?
-There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to Windows Security-> App and Browser control -> Exploit Protection Setting -> switch CFG to the “use default".
+There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to **use default**.
### How can I have ICS in enabled state yet still use Application Guard?
-This is a two-step process.
+ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys.
-Step 1:
+1. In the Group Policy setting called, *Prohibit use of Internet Connection Sharing on your DNS domain network*, set it to **Disabled**.
-Enable Internet Connection sharing by changing the Group Policy setting *Prohibit use of Internet Connection Sharing on your DNS domain network*, which is part of the MS Security baseline from Enabled to Disabled.
-
-Step 2:
-
-1. Disable IpNat.sys from ICS load
-System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1
-2. Configure ICS (SharedAccess) to enabled
-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3
-3. Disabling IPNAT (Optional)
-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4
-4. Reboot.
\ No newline at end of file
+2. Disable IpNat.sys from ICS load as follows:
+`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1`
+
+3. Configure ICS (SharedAccess) to enabled as follows:
+`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3`
+
+4. (This is optional) Disable IPNAT as follows:
+`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4`
+
+5. Reboot the device.
+
+## See also
+
+[Configure Microsoft Defender Application Guard policy settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-terms.md b/windows/security/threat-protection/microsoft-defender-atp/android-terms.md
index 0d6e8dcd1c..03ef3030af 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/android-terms.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/android-terms.md
@@ -52,7 +52,7 @@ DO NOT USE THE APPLICATION.**
1. **INSTALLATION AND USE RIGHTS.**
1. **Installation and Use.** You may install and use any number of copies
- of this application on Android enabled device or devices which you own
+ of this application on Android enabled device or devices that you own
or control. You may use this application with your company's valid
subscription of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) or
an online service that includes MDATP functionalities.
@@ -60,13 +60,13 @@ DO NOT USE THE APPLICATION.**
2. **Updates.** Updates or upgrades to MDATP may be required for full
functionality. Some functionality may not be available in all countries.
- 3. **Third Party Programs.** The application may include third party
+ 3. **Third-Party Programs.** The application may include third-party
programs that Microsoft, not the third party, licenses to you under this
agreement. Notices, if any, for the third-party program are included for
your information only.
2. **INTERNET ACCESS MAY BE REQUIRED.** You may incur charges related to
- Internet access, data transfer and other services per the terms of the data
+ Internet access, data transfer, and other services per the terms of the data
service plan and any other agreement you have with your network operator due
to use of the application. You are solely responsible for any network
operator charges.
@@ -92,21 +92,21 @@ DO NOT USE THE APPLICATION.**
improve Microsoft products and services and enhance your experience.
You may limit or control collection of some usage and performance
data through your device settings. Doing so may disrupt your use of
- certain features of the application. For additional information on
- Microsoft's data collection and use, see the [Online Services
+ certain features of the application. For more information about
+ Microsoft data collection and use, see the [Online Services
Terms](https://go.microsoft.com/fwlink/?linkid=2106777).
2. Misuse of Internet-based Services. You may not use any Internet-based
service in any way that could harm it or impair anyone else's use of it
or the wireless network. You may not use the service to try to gain
- unauthorized access to any service, data, account or network by any
+ unauthorized access to any service, data, account, or network by any
means.
4. **FEEDBACK.** If you give feedback about the application to Microsoft, you
- give to Microsoft, without charge, the right to use, share and commercialize
+ give to Microsoft, without charge, the right to use, share, and commercialize
your feedback in any way and for any purpose. You also give to third
parties, without charge, any patent rights needed for their products,
- technologies and services to use or interface with any specific parts of a
+ technologies, and services to use or interface with any specific parts of a
Microsoft software or service that includes the feedback. You will not give
feedback that is subject to a license that requires Microsoft to license its
software or documentation to third parties because we include your feedback
@@ -130,35 +130,34 @@ DO NOT USE THE APPLICATION.**
- publish the application for others to copy;
- - rent, lease or lend the application; or
+ - rent, lease, or lend the application; or
- transfer the application or this agreement to any third party.
6. **EXPORT RESTRICTIONS.** The application is subject to United States export
laws and regulations. You must comply with all domestic and international
export laws and regulations that apply to the application. These laws
- include restrictions on destinations, end users and end use. For additional
+ include restrictions on destinations, end users, and end use. For more
information,
- see[www.microsoft.com/exporting](https://www.microsoft.com/exporting).
+ see [www.microsoft.com/exporting](https://www.microsoft.com/exporting).
7. **SUPPORT SERVICES.** Because this application is "as is," we may not
provide support services for it. If you have any issues or questions about
your use of this application, including questions about your company's
- privacy policy, please contact your company's admin. Do not contact the
+ privacy policy, contact your company's admin. Do not contact the
application store, your network operator, device manufacturer, or Microsoft.
The application store provider has no obligation to furnish support or
maintenance with respect to the application.
8. **APPLICATION STORE.**
- 1. If you obtain the application through an application store (e.g., Google
- Play), please review the applicable application store terms to ensure
+ 1. If you obtain the application through an application store (for example, Google
+ Play), review the applicable application store terms to ensure
your download and use of the application complies with such terms.
- Please note that these Terms are between you and Microsoft and not with
+ Note that these Terms are between you and Microsoft and not with
the application store.
- 2. The respective application store provider and its subsidiaries are third
- party beneficiaries of these Terms, and upon your acceptance of these
+ 2. The respective application store provider and its subsidiaries are third-party beneficiaries of these Terms, and upon your acceptance of these
Terms, the application store provider(s) will have the right to directly
enforce and rely upon any provision of these Terms that grants them a
benefit or rights.
@@ -213,20 +212,20 @@ DO NOT USE THE APPLICATION.**
This limitation applies to:
- anything related to the application, services, content (including code) on
- third party Internet sites, or third party programs; and
+ third-party internet sites, or third-party programs; and
-- claims for breach of contract, warranty, guarantee or condition; consumer
+- claims for breach of contract, warranty, guarantee, or condition; consumer
protection; deception; unfair competition; strict liability, negligence,
- misrepresentation, omission, trespass or other tort; violation of statute or
+ misrepresentation, omission, trespass, or other tort; violation of statute or
regulation; or unjust enrichment; all to the extent permitted by applicable
law.
It also applies even if:
-a. Repair, replacement or refund for the application does not fully compensate
+a. Repair, replacement, or refund for the application does not fully compensate
you for any losses; or
b. Covered Parties knew or should have known about the possibility of the
damages.
-The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.
+The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential, or other damages.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
index 34f925b4d8..ed7b21ccdf 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
@@ -57,7 +57,7 @@ You can access Microsoft Defender ATP API with **Application Context** or **User
- **User Context:**
Used to perform actions in the API on behalf of a user.
- Steps that needs to be taken to access Microsoft Defender ATP API with application context:
+ Steps that need to be taken to access Microsoft Defender ATP API with user context:
1. Create AAD Native-Application.
2. Assign the desired permission to the application, e.g 'Read Alerts', 'Isolate Machines' etc.
3. Get token using the application with user credentials.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
index 4895d24e44..8112a5f3e8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
audience: ITPro
-ms.date: 08/25/2020
+ms.date: 11/05/2020
ms.reviewer: v-maave
manager: dansimp
ms.custom: asr
@@ -42,7 +42,7 @@ Apps can also be manually added to the trusted list via Configuration Manager an
Controlled folder access is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware). In a ransomware attack, your files can get encrypted and held hostage. With controlled folder access in place, a notification appears on the computer where an app attempted to make changes to a file in a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
-The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders.
+The protected folders include common system folders (including boot sectors), and you can [add additional folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders.
You can use [audit mode](audit-windows-defender.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Test ground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
index 6262a58c47..603f751bdd 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md
@@ -84,7 +84,7 @@ The following is a sample for reference, using [GUID values for ASR rules](attac
`OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules`
-`Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1`
+`Value: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84=2|3B576869-A4EC-4529-8536-B80A7769E899=1|D4F940AB-401B-4EfC-AADC-AD5F3C50688A=2|D3E037E1-3EB8-44C8-A917-57927947596D=1|5BEB7EFE-FD9A-4556-801D-275E5FFC04CC=0|BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550=1`
The values to enable, disable, or enable in audit mode are:
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md
index c53ee2581c..0bdc19aaac 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md
@@ -28,7 +28,7 @@ ms.topic: article
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
-Enable security information and event management (SIEM) integration so you can pull detections from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the detections REST API.
+Enable security information and event management (SIEM) integration so you can pull detections from Microsoft Defender Security Center. Pull detections using your SIEM solution or by connecting directly to the detections REST API.
>[!NOTE]
>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections.
@@ -36,7 +36,14 @@ Enable security information and event management (SIEM) integration so you can p
>- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
## Prerequisites
-- The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This is someone with the following roles: Security Administrator and either Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.
+
+- The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This is someone with the following roles:
+
+ - Security Administrator and either Global Administrator
+ - Cloud Application Administrator
+ - Application Administrator
+ - Owner of the service principal
+
- During the initial activation, a pop-up screen is displayed for credentials to be entered. Make sure that you allow pop-ups for this site.
## Enabling SIEM integration
@@ -47,7 +54,7 @@ Enable security information and event management (SIEM) integration so you can p
>[!TIP]
>If you encounter an error when trying to enable the SIEM connector application, check the pop-up blocker settings of your browser. It might be blocking the new window being opened when you enable the capability.
-2. Select **Enable SIEM integration**. This activates the **SIEM connector access details** section with pre-populated values and an application is created under you Azure Active Directory (AAD) tenant.
+2. Select **Enable SIEM integration**. This activates the **SIEM connector access details** section with pre-populated values and an application is created under your Azure Active Directory (Azure AD) tenant.
> [!WARNING]
>The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md
index 4d724bc3ca..22c665b822 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md
@@ -24,10 +24,10 @@ ms.topic: conceptual
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
-Endpoint detection and response capabilities in Microsoft Defender ATP for Mac are now in preview. To get these and other preview features, you must set up your Mac device to be an "Insider" device as described in this article. For scale deployment, we recommend using [Jamf](#enable-the-insider-program-with-jamf) or [Intune](#enable-the-insider-program-with-intune).
+To get preview features for Mac, you must set up your device to be an "Insider" device as described in this article. For scale deployment, we recommend using [Jamf](#enable-the-insider-program-with-jamf) or [Intune](#enable-the-insider-program-with-intune).
->[!IMPORTANT]
->Make sure you have enabled [Microsoft Defender ATP for Mac](microsoft-defender-atp-mac.md#how-to-install-microsoft-defender-atp-for-mac), and pay attention to the “earlyPreview” flag. See documentation for [Jamf](mac-install-with-jamf.md), [Intune](mac-install-with-intune.md) and [manual deployment](mac-install-manually.md) instructions.
+> [!IMPORTANT]
+> Make sure you have enabled [Microsoft Defender ATP for Mac](microsoft-defender-atp-mac.md#how-to-install-microsoft-defender-atp-for-mac), and pay attention to the “earlyPreview” flag. See documentation for [Jamf](mac-install-with-jamf.md), [Intune](mac-install-with-intune.md), and [manual deployment](mac-install-manually.md) instructions.
## Enable the Insider program with Jamf
@@ -49,7 +49,7 @@ Endpoint detection and response capabilities in Microsoft Defender ATP for Mac a
1. From the JAMF console, navigate to **Computers > Configuration Profiles**, navigate to the configuration profile you'd like to use, then select **Custom Settings**.
-1. Create an entry with com.microsoft.wdav as the preference domain and upload the .plist created earlier.
+1. Create an entry with com.microsoft.wdav as the preference domain and upload the `.plist` created earlier.
> [!WARNING]
> You must enter the correct preference domain (com.microsoft.wdav), otherwise the preferences will not be recognized by the product
@@ -117,7 +117,7 @@ Endpoint detection and response capabilities in Microsoft Defender ATP for Mac a
1. Choose a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select **Configure**.
-1. Save the .plist created earlier as com.microsoft.wdav.xml.
+1. Save the `.plist` created earlier as com.microsoft.wdav.xml.
1. Enter com.microsoft.wdav as the custom configuration profile name.
@@ -150,17 +150,17 @@ For versions earlier than 100.78.0, run:
To get the latest version of the Microsoft Defender ATP for Mac, set the Microsoft AutoUpdate to “Fast Ring”. To get “Microsoft AutoUpdate”, download it from [Release history for Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/officeupdates/release-history-microsoft-autoupdate).
-To verify you are running the correct version, run ‘mdatp --health’ on the device.
+To verify you are running the correct version, run `mdatp --health` on the device.
* The required version is 100.72.15 or later.
-* If the version is not as expected, verify that Microsoft Auto Update is set to automatically download and install updates by running ‘defaults read com.microsoft.autoupdate2’ from terminal.
-* To change update settings use documentation in [Update Office for Mac automatically](https://support.office.com/article/update-office-for-mac-automatically-bfd1e497-c24d-4754-92ab-910a4074d7c1).
+* If the version is not as expected, verify that Microsoft Auto Update is set to automatically download and install updates by running `defaults read com.microsoft.autoupdate2` from the terminal.
+* To change update settings, see [Update Office for Mac automatically](https://support.office.com/article/update-office-for-mac-automatically-bfd1e497-c24d-4754-92ab-910a4074d7c1).
* If you are not using Office for Mac, download and run the AutoUpdate tool.
### A device still does not appear on Microsoft Defender Security Center
-After a successful deployment and onboarding of the correct version, check that the device has connectivity to the cloud service by running ‘mdatp --connectivity-test’.
+After a successful deployment and onboarding of the correct version, check that the device has connectivity to the cloud service by running `mdatp --connectivity-test`.
-* Check that you enabled the early preview flag. In terminal run “mdatp –health” and look for the value of “edrEarlyPreviewEnabled”. It should be “Enabled”.
+* Check that you enabled the early preview flag. In the terminal, run `mdatp –health` and look for the value of “edrEarlyPreviewEnabled”. It should be “Enabled”.
If you followed the manual deployment instructions, you were prompted to enable Kernel Extensions. Pay attention to the “System Extension note” in the [manual deployment documentation](mac-install-manually.md#application-installation-macos-1015-and-older-versions) and use the “Manual Deployment” section in the [troubleshoot kernel extension documentation](mac-support-kext.md#manual-deployment).
diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md
index 20194e3e9e..c93c7f464b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md
@@ -56,7 +56,7 @@ This page explains how to create an AAD application, get an access token to Micr
-3. In the registration from, enter the following information then click **Register**.
+3. In the registration from, enter the following information then select **Register**.
@@ -65,45 +65,45 @@ This page explains how to create an AAD application, get an access token to Micr
4. Allow your Application to access Microsoft Defender ATP and assign it 'Read alerts' permission:
- - On your application page, click **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**.
+ - On your application page, select **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and select on **WindowsDefenderATP**.
- **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear.
- - Choose **Delegated permissions** > **Alert.Read** > Click on **Add permissions**
+ - Choose **Delegated permissions** > **Alert.Read** > select **Add permissions**
- - **Important note**: You need to select the relevant permissions. 'Read alerts' is only an example!
+ - **Important note**: Select the relevant permissions. Read alerts is only an example.
For instance,
- To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
- To [isolate a device](isolate-machine.md), select 'Isolate machine' permission
- - To determine which permission you need, please look at the **Permissions** section in the API you are interested to call.
+ - To determine which permission you need, view the **Permissions** section in the API you are interested to call.
- - Click **Grant consent**
+ - Select **Grant consent**
- **Note**: Every time you add permission you must click on **Grant consent** for the new permission to take effect.
+ **Note**: Every time you add permission you must select on **Grant consent** for the new permission to take effect.
6. Write down your application ID and your tenant ID:
- - On your application page, go to **Overview** and copy the following:
+ - On your application page, go to **Overview** and copy the following information:
## Get an access token
-For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds)
+For more information on AAD token, see [Azure AD tutorial](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds)
### Using C#
- Copy/Paste the below class in your application.
-- Use **AcquireUserTokenAsync** method with the your application ID, tenant ID, user name and password to acquire a token.
+- Use **AcquireUserTokenAsync** method with your application ID, tenant ID, user name, and password to acquire a token.
```csharp
namespace WindowsDefenderATP
@@ -145,10 +145,10 @@ For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.co
## Validate the token
-Sanity check to make sure you got a correct token:
+Verify to make sure you got a correct token:
- Copy/paste into [JWT](https://jwt.ms) the token you got in the previous step in order to decode it
- Validate you get a 'scp' claim with the desired app permissions
-- In the screen shot below you can see a decoded token acquired from the app in the tutorial:
+- In the screenshot below you can see a decoded token acquired from the app in the tutorial:
@@ -156,7 +156,7 @@ Sanity check to make sure you got a correct token:
- Choose the API you want to use - [Supported Microsoft Defender ATP APIs](exposed-apis-list.md)
- Set the Authorization header in the HTTP request you send to "Bearer {token}" (Bearer is the Authorization scheme)
-- The Expiration time of the token is 1 hour (you can send more then one request with the same token)
+- The Expiration time of the token is 1 hour (you can send more than one request with the same token)
- Example of sending a request to get a list of alerts **using C#**
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-patch.jpg b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-patch.jpg
new file mode 100644
index 0000000000..e0fa906808
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-patch.jpg differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-security-recommendation.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-security-recommendation.png
new file mode 100644
index 0000000000..a1f9e7d70a
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-security-recommendation.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-flyout-400.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-flyout-400.png
new file mode 100644
index 0000000000..04b9835601
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-flyout-400.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-flyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-flyout.png
new file mode 100644
index 0000000000..941dd99ba8
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-flyout.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-inventory.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-inventory.png
new file mode 100644
index 0000000000..b4b4696b61
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-inventory.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-page.png
new file mode 100644
index 0000000000..b3fd3b18a8
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-page.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-top-security-recommendations.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-top-security-recommendations.png
new file mode 100644
index 0000000000..1957e7f571
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-top-security-recommendations.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-top-software.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-top-software.png
new file mode 100644
index 0000000000..094e2a7992
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-top-software.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-weakness-name.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-weakness-name.png
new file mode 100644
index 0000000000..ac2610fdaa
Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-weakness-name.png differ
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md
index a56afd0ef7..9a095843cc 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md
@@ -776,8 +776,6 @@ Follow the instructions on [Schedule scans with Microsoft Defender ATP for Mac](
8. Select **Open**. Set the **Display Name** to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**.
- - Manifest File: Select **Upload Manifest File**.
-
**Options tab**
Keep default values.
**Limitations tab**
Keep default values.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md
index 4fbc97c8a3..e2c6f6756f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md
@@ -59,7 +59,7 @@ lastExternalIpAddress | String | Last IP through which the [machine](machine.md)
healthStatus | Enum | [machine](machine.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData" and "NoSensorDataImpairedCommunication"
rbacGroupName | String | Machine group Name.
rbacGroupId | Int | Machine group unique ID.
-riskScore | Nullable Enum | Risk score as evaluated by Microsoft Defender ATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.
+riskScore | Nullable Enum | Risk score as evaluated by Microsoft Defender ATP. Possible values are: 'None', 'Informational', 'Low', 'Medium' and 'High'.
exposureScore | Nullable Enum | [Exposure score](tvm-exposure-score.md) as evaluated by Microsoft Defender ATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.
aadDeviceId | Nullable representation Guid | AAD Device ID (when [machine](machine.md) is AAD Joined).
machineTags | String collection | Set of [machine](machine.md) tags.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
index b659b20797..0f05ee52c8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
@@ -51,8 +51,8 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr
Microsoft Defender Advanced Threat Protection, on Windows Server, requires one of the following licensing options:
-- [Azure Security Center Standard plan](https://docs.microsoft.com/azure/security-center/security-center-pricing) (per node)
-- Microsoft Defender ATP for Servers (one per covered Server)
+- [Azure Security Center with Azure Defender enabled](https://docs.microsoft.com/azure/security-center/security-center-pricing)
+- Microsoft Defender ATP for Servers (one per covered server)
> [!NOTE]
> Customers with a combined minimum of 50 licenses for one or more of the following may acquire Server SLs for Microsoft Defender Advanced Threat Protection for Servers (one per covered Server OSE): Microsoft Defender Advanced Threat Protection, Windows E5/A5, Microsoft 365 E5/A5 and Microsoft 365 E5 Security User SLs. This license applies to Microsoft Defender ATP for Linux.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md b/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md
index 4158bfea2b..0ad991db3c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md
@@ -1,6 +1,6 @@
---
title: Supported Microsoft Defender Advanced Threat Protection response APIs
-description: Learn about the specific response related Microsoft Defender Advanced Threat Protection API calls.
+description: Learn about the specific response-related Microsoft Defender Advanced Threat Protection API calls.
keywords: response apis, graph api, supported apis, actor, alerts, device, user, domain, ip, file
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@@ -28,24 +28,24 @@ ms.topic: conceptual
> [!TIP]
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-supported-response-apis-abovefoldlink)
-Learn about the supported response related API calls you can run and details such as the required request headers, and expected response from the calls.
+Learn about the supported response-related API calls you can run and details such as the required request headers, and expected response from the calls.
## In this section
Topic | Description
:---|:---
-Collect investigation package | Run this to collect an investigation package from a device.
-Isolate device | Run this to isolate a device from the network.
+Collect investigation package | Run this API to collect an investigation package from a device.
+Isolate device | Run this API to isolate a device from the network.
Unisolate device | Remove a device from isolation.
-Restrict code execution | Run this to contain an attack by stopping malicious processes. You can also lock down a device and prevent subsequent attempts of potentially malicious programs from running.
+Restrict code execution | Run this API to contain an attack by stopping malicious processes. You can also lock down a device and prevent subsequent attempts of potentially malicious programs from running.
Unrestrict code execution | Run this to reverse the restriction of applications policy after you have verified that the compromised device has been remediated.
Run antivirus scan | Remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised device.
Stop and quarantine file | Run this call to stop running processes, quarantine files, and delete persistency such as registry keys.
Request sample | Run this call to request a sample of a file from a specific device. The file will be collected from the device and uploaded to a secure storage.
-Block file | Run this to prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware.
+Block file | Run this API to prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware.
Unblock file | Allow a file run in the organization using Microsoft Defender Antivirus.
-Get package SAS URI | Run this to get a URI that allows downloading an investigation package.
-Get MachineAction object | Run this to get MachineAction object.
+Get package SAS URI | Run this API to get a URI that allows downloading an investigation package.
+Get MachineAction object | Run this API to get MachineAction object.
Get MachineActions collection | Run this to get MachineAction collection.
-Get FileActions collection | Run this to get FileActions collection.
-Get FileMachineAction object | Run this to get FileMachineAction object.
-Get FileMachineActions collection | Run this to get FileMachineAction collection.
+Get FileActions collection | Run this API to get FileActions collection.
+Get FileMachineAction object | Run this API to get FileMachineAction object.
+Get FileMachineActions collection | Run this API to get FileMachineAction collection.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-zero-day-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-zero-day-vulnerabilities.md
new file mode 100644
index 0000000000..62b6465eab
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-zero-day-vulnerabilities.md
@@ -0,0 +1,103 @@
+---
+title: Mitigate zero-day vulnerabilities - threat and vulnerability management
+description: Learn how to find and mitigate zero-day vulnerabilities in your environment through threat and vulnerability management.
+keywords: mdatp tvm zero day vulnerabilities, tvm, threat & vulnerability management, zero day, 0-day, mitigate 0 day vulnerabilities, vulnerable CVE
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: ellevin
+author: levinec
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection:
+- m365-security-compliance
+- m365initiative-defender-endpoint
+ms.topic: article
+---
+
+# Mitigate zero-day vulnerabilities - threat and vulnerability management
+
+[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
+
+**Applies to:**
+
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md)
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
+
+A zero-day vulnerability is a publicly disclosed vulnerability for which no official patches or security updates have been released. Zero-day vulnerabilities often have high severity levels and are actively exploited.
+
+Threat and vulnerability management will only display zero-day vulnerabilities it has information about.
+
+## Find information about zero-day vulnerabilities
+
+Once a zero-day vulnerability has been found, information about it will be conveyed through the following experiences in the Microsoft Defender Security Center.
+
+### Threat and vulnerability management dashboard
+
+Look for recommendations with a zero-day tag in the “Top security recommendations” card.
+
+
+
+Find top software with the zero-day tag in the "Top vulnerable software" card.
+
+
+
+### Weaknesses page
+
+Look for the named zero-day vulnerability along with a description and details.
+
+- If this vulnerability has a CVE-ID assigned, you’ll see the zero-day label next to the CVE name.
+
+- If this vulnerability has no CVE-ID assigned, you will find it under an internal, temporary name that looks like “TVM-XXXX-XXXX”. The name will be updated once an official CVE-ID has been assigned, but the previous internal name will still be searchable and found in the side-panel.
+
+
+
+### Software inventory page
+
+Look for software with the zero-day tag. Filter by the "zero day" tag to only see software with zero-day vulnerabilities.
+
+
+
+### Software page
+
+Look for a zero-day tag for each software that has been affected by the zero–day vulnerability.
+
+
+
+### Security recommendations page
+
+View clear suggestions regarding remediation and mitigation options, including workarounds if they exist. Filter by the "zero day" tag to only see security recommendations addressing zero-day vulnerabilities.
+
+If there is software with a zero-day vulnerability and additional vulnerabilities to address, you will get one recommendation regarding all vulnerabilities.
+
+
+
+## Addressing zero-day vulnerabilities
+
+Go to the security recommendation page and select a recommendation with a zero-day. A flyout will open with information about the zero-day and other vulnerabilities for that software.
+
+There will be a link to mitigation options and workarounds if they are available. Workarounds may help reduce the risk posed by this zero-day vulnerability until a patch or security update can be deployed.
+
+Open remediation options and choose the attention type. An "attention required" remediation option is recommended for the zero-day vulnerabilities, since an update hasn't been released yet. If there are older vulnerabilities for this software you wish to remediation, you can override the "attention required" remediation option and choose “update.”
+
+
+
+## Patching zero-day vulnerabilities
+
+When a patch is released for the zero-day, the recommendation will be changed to “Update” and a blue label next to it that says “New security update for zero day.” It will no longer consider as a zero-day, the zero-day tag will be removed from all pages.
+
+
+
+## Related topics
+
+- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md)
+- [Dashboard](tvm-dashboard-insights.md)
+- [Security recommendations](tvm-security-recommendation.md)
+- [Software inventory](tvm-software-inventory.md)
+- [Vulnerabilities in my organization](tvm-weaknesses.md)
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
index 263e076dda..9b9d8baad8 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
@@ -42,7 +42,7 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor
Windows 10, version 2004:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control
Windows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control
Windows 10, version 1703
-This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.Important: Using a trustworthy browser helps ensure that these protections work as expected.
+This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet. This setting does not protect against malicious content from USB devices, network shares, or other non-internet sources.Important: Using a trustworthy browser helps ensure that these protections work as expected.
Windows 10, version 2004:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreenWindows 10, version 1703:
Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen
Windows 10, Version 1607 and earlier:
Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen
@@ -160,7 +160,7 @@ For Microsoft Defender SmartScreen Edge MDM policies, see [Policy CSP - Browser]
## Recommended Group Policy and MDM settings for your organization
-By default, Microsoft Defender SmartScreen lets employees bypass warnings. Unfortunately, this can let employees continue to an unsafe site or to continue to download an unsafe file, even after being warned. Because of this possibility, we strongly recommend that you set up Microsoft Defender SmartScreen to block high-risk interactions instead of providing just a warning.
+By default, Microsoft Defender SmartScreen lets employees bypass warnings. Unfortunately, this feature can let employees continue to an unsafe site or to continue to download an unsafe file, even after being warned. Because of this possibility, we strongly recommend that you set up Microsoft Defender SmartScreen to block high-risk interactions instead of providing just a warning.
To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen Group Policy and MDM settings.
Policy maintenance
SRP policies must be updated by using the Local Security Policy snap-in (if the policies are created locally) or the Group Policy Management Console (GPMC).
AppLocker policies can be updated by using the Local Security Policy snap-in (if the policies are created locally), or the GPMC, or the Windows PowerShell AppLocker cmdlets.
AppLocker policies can be updated by using the Local Security Policy snap-in, if the policies are created locally, or the GPMC, or the Windows PowerShell AppLocker cmdlets.
Policy application
Enforcement mode
SRP works in the “deny list mode” where administrators can create rules for files that they do not want to allow in this Enterprise whereas the rest of the file are allowed to run by default.
-SRP can also be configured in the “allow list mode” such that the by default all files are blocked and administrators need to create allow rules for files that they want to allow.
AppLocker by default works in the “allow list mode” where only those files are allowed to run for which there is a matching allow rule.
SRP works in the “deny list mode” where administrators can create rules for files that they don't want to allow in this Enterprise, but the rest of the files are allowed to run by default.
+SRP can also be configured in the “allow list mode” such that by default all files are blocked and administrators need to create allow rules for files that they want to allow.
By default, AppLocker works in allow list mode. Only those files are allowed to run for which there's a matching allow rule.
File types that can be controlled
Designated file types
SRP supports an extensible list of file types that are considered executable. You can add extensions for files that should be considered executable.
AppLocker does not support this. AppLocker currently supports the following file extensions:
+AppLocker doesn't support this. AppLocker currently supports the following file extensions:
Executables (.exe, .com)
DLLs (.ocx, .dll)
Editing the hash value
SRP allows you to select a file to hash.
AppLocker computes the hash value itself. Internally it uses the SHA2 Authenticode hash for Portable Executables (exe and DLL) and Windows Installers and a SHA2 flat file hash for the rest.
AppLocker computes the hash value itself. Internally it uses the SHA2 Authenticode hash for Portable Executables (exe and DLL) and Windows Installers and an SHA2 flat file hash for the rest.
Support for different security levels
With SRP, you can specify the permissions with which an app can run. So, you can configure a rule such that notepad always runs with restricted permissions and never with administrative privileges.
+With SRP, you can specify the permissions with which an app can run. Then configure a rule such that Notepad always runs with restricted permissions and never with administrative privileges.
SRP on Windows Vista and earlier supported multiple security levels. On Windows 7, that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed).
AppLocker does not support security levels.
@@ -144,12 +144,12 @@ Use the following table to develop your own objectives and determine which appli
Support for rule exceptions
SRP does not support rule exceptions
AppLocker rules can have exceptions which allow administrators to create rules such as “Allow everything from Windows except for Regedit.exe”.
AppLocker rules can have exceptions that allow administrators to create rules such as “Allow everything from Windows except for Regedit.exe”.
Support for audit mode
SRP does not support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.
AppLocker supports audit mode which allows administrators to test the effect of their policy in the real production environment without impacting the user experience. Once you are satisfied with the results, you can start enforcing the policy.
SRP doesn't support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.
AppLocker supports audit mode that allows administrators to test the effect of their policy in the real production environment without impacting the user experience. Once you are satisfied with the results, you can start enforcing the policy.
Support for exporting and importing policies
Rule enforcement
Internally, SRP rules enforcement happens in the user-mode which is less secure.
Internally, AppLocker rules for exes and dlls are enforced in the kernel-mode which is more secure than enforcing them in the user-mode.
Internally, SRP rules enforcement happens in user-mode, which is less secure.
Internally, AppLocker rules for exes and dlls are enforced in kernel-mode, which is more secure than enforcing them in the user-mode.
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
index 1611fdc1c9..45a707db18 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
@@ -29,19 +29,19 @@ manager: dansimp
- Group Policy
-You can add information about your organization in a contact card to the Windows Security app. This can include a link to a support site, a phone number for a help desk, and an email address for email-based support.
+You can add information about your organization in a contact card to the Windows Security app. You can include a link to a support site, a phone number for a help desk, and an email address for email-based support.
-This information will also be shown in some enterprise-specific notifications (including those for the [Block at first sight feature](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus), and [potentially unwanted applications](/windows/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus).
+This information will also be shown in some enterprise-specific notifications (including notifications for the [Block at first sight feature](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus), and [potentially unwanted applications](/windows/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus)).
-Users can click on the displayed information to initiate a support request:
+Users can select the displayed information to initiate a support request:
-- Clicking **Call** or the phone number will open Skype to start a call to the displayed number
-- Clicking **Email** or the email address will create a new email in the machine's default email app address to the displayed email
-- Clicking **Help portal** or the website URL will open the machine's default web browser and go to the displayed address
+- Select **Call** or the phone number to open Skype to start a call to the displayed number.
+- Select **Email** or the email address to create a new email in the machine's default email app address to the displayed email.
+- Select **Help portal** or the website URL to open the machine's default web browser and go to the displayed address.
## Requirements
@@ -67,12 +67,12 @@ This can only be done in Group Policy.
5. After you've enabled the contact card or the customized notifications (or both), you must configure the **Specify contact company name** to **Enabled**. Enter your company or organization's name in the field in the **Options** section. Click **OK**.
-6. To ensure the custom notifications or contact card appear, you must also configure at least one of the following settings by opening them, setting them to **Enabled** and adding the contact information in the field under **Options**:
+6. To ensure the custom notifications or contact card appear, you must also configure at least one of the following settings. Open the setting, select **Enabled**, and then add the contact information in the field under **Options**:
1. **Specify contact email address or Email ID**
2. **Specify contact phone number or Skype ID**
3. **Specify contact website**
-7. Click **OK** after configuring each setting to save your changes.
+7. Select **OK** after you configure each setting to save your changes.
>[!IMPORTANT]
>You must specify the contact company name and at least one contact method - email, phone number, or website URL. If you do not specify the contact name and a contact method the customization will not apply, the contact card will not show, and notifications will not be customized.
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
index 4209ff2f58..7a394abba3 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
@@ -24,7 +24,7 @@ manager: dansimp
The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../windows-firewall/windows-firewall-with-advanced-security.md).
-In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
+In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This information is useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
## Hide the Firewall & network protection section
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
index f3c4b5e3d9..63e2d82171 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
@@ -25,9 +25,9 @@ manager: dansimp
The **Virus & threat protection** section contains information and settings for antivirus protection from Microsoft Defender Antivirus and third-party AV products.
-In Windows 10, version 1803, this section also contains information and settings for ransomware protection and recovery. This includes Controlled folder access settings to prevent unknown apps from changing files in protected folders, plus Microsoft OneDrive configuration to help you recover from a ransomware attack. This area also notifies users and provides recovery instructions in the event of a ransomware attack.
+In Windows 10, version 1803, this section also contains information and settings for ransomware protection and recovery. This includes Controlled folder access settings to prevent unknown apps from changing files in protected folders, plus Microsoft OneDrive configuration to help you recover from a ransomware attack. This area also notifies users and provides recovery instructions in case of a ransomware attack.
-IT administrators and IT pros can get more information and documentation about configuration from the following:
+IT administrators and IT pros can get more configuration information from these articles:
- [Microsoft Defender Antivirus in the Windows Security app](../microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md)
- [Microsoft Defender Antivirus documentation library](../microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)
@@ -36,7 +36,7 @@ IT administrators and IT pros can get more information and documentation about c
- [Office 365 advanced protection](https://support.office.com/en-us/article/office-365-advanced-protection-82e72640-39be-4dc7-8efd-740fb289123a)
- [Ransomware detection and recovering your files](https://support.office.com/en-us/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US)
-You can choose to hide the **Virus & threat protection** section or the **Ransomware protection** area from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
+You can hide the **Virus & threat protection** section or the **Ransomware protection** area from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for these features.
## Hide the Virus & threat protection section
diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone.md b/windows/security/threat-protection/windows-firewall/encryption-zone.md
index 097cbdf870..715a2eef02 100644
--- a/windows/security/threat-protection/windows-firewall/encryption-zone.md
+++ b/windows/security/threat-protection/windows-firewall/encryption-zone.md
@@ -23,9 +23,9 @@ ms.date: 04/19/2017
- Windows 10
- Windows Server 2016
-Some servers in the organization host data that is very sensitive, including medical, financial, or other personally identifying data. Government or industry regulations might require that this sensitive information must be encrypted when it is transferred between devices.
+Some servers in the organization host data that's very sensitive, including medical, financial, or other personal data. Government or industry regulations might require that this sensitive information must be encrypted when it is transferred between devices.
-To support the additional security requirements of these servers, we recommend that you create an encryption zone to contain the devices and that requires that the sensitive inbound and outbound network traffic be encrypted.
+To support the additional security requirements of these servers, we recommend that you create an encryption zone to contain the devices and that requires that the sensitive inbound and outbound network traffic is encrypted.
You must create a group in Active Directory to contain members of the encryption zone. The settings and rules for the encryption zone are typically similar to those for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. You then modify the security methods list to include only algorithm combinations that include encryption protocols.
diff --git a/windows/security/threat-protection/windows-firewall/firewall-gpos.md b/windows/security/threat-protection/windows-firewall/firewall-gpos.md
index e40d0eddc7..8a214a169f 100644
--- a/windows/security/threat-protection/windows-firewall/firewall-gpos.md
+++ b/windows/security/threat-protection/windows-firewall/firewall-gpos.md
@@ -25,6 +25,4 @@ ms.date: 04/19/2017
All the devices on Woodgrove Bank's network that run Windows are part of the isolated domain, except domain controllers. To configure firewall rules, the GPO described in this section is linked to the domain container in the Active Directory OU hierarchy, and then filtered by using security group filters and WMI filters.
-The GPO created for the example Woodgrove Bank scenario include the following:
-
-- [GPO\_DOMISO\_Firewall](gpo-domiso-firewall.md)
+The GPO created for the example Woodgrove Bank scenario includes [GPO\_DOMISO\_Firewall](gpo-domiso-firewall.md).
diff --git a/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md
index da4b632a34..3d79b04f30 100644
--- a/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md
+++ b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md
@@ -25,9 +25,9 @@ ms.date: 08/17/2017
Before starting the planning process for a Windows Defender Firewall with Advanced Security deployment, you must collect and analyze up-to-date information about the network, the directory services, and the devices that are already deployed in the organization. This information enables you to create a design that accounts for all possible elements of the existing infrastructure. If the gathered information is not accurate, problems can occur when devices and devices that were not considered during the planning phase are encountered during implementation.
-Review each of the following topics for guidance about the kinds of information that you must gather:
+Review each of the following articles for guidance about the kinds of information that you must gather:
-- [Gathering Information about Your Current Network Infrastructure](gathering-information-about-your-current-network-infrastructure.md)
+- [Gathering Information about Your Conversational Network Infrastructure](gathering-information-about-your-current-network-infrastructure.md)
- [Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md)
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md
index ee39cb7790..7ca03d22e7 100644
--- a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md
+++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md
@@ -22,14 +22,14 @@ ms.date: 08/17/2017
This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose.
-This GPO supports the ability for servers that contain sensitive data to require encryption for all connection requests. It is intended to only apply to server computers that are running Windows Server 2012, Windows Server 2008 R2 or Windows Server 2008.
+This GPO supports the ability for servers that contain sensitive data to require encryption for all connection requests. It is intended to only apply to server computers that are running Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008.
## IPsec settings
-The copied GPO includes and continues to use the IPsec settings that configure key exchange, main mode, and quick mode algorithms for the isolated domain The following changes are made to encryption zone copy of the GPO:
+The copied GPO includes and continues to use the IPsec settings that configure key exchange, main mode, and quick mode algorithms for the isolated domain. The following changes are made to encryption zone copy of the GPO:
-The encryption zone servers require all connections to be encrypted. To do this, change the IPsec default settings for the GPO to enable the setting **Require encryption for all connection security rules that use these settings**. This disables all integrity-only algorithm combinations.
+The encryption zone servers require all connections to be encrypted. To do this, change the IPsec default settings for the GPO to enable the setting **Require encryption for all connection security rules that use these settings**. This setting disables all integrity-only algorithm combinations.
## Connection security rules
diff --git a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
index 2caa25566a..29b25a7dd2 100644
--- a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
+++ b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
@@ -37,9 +37,9 @@ To create a domain isolation or server isolation design, you must understand the
## IPsec performance considerations
-Although IPsec is critically important in securing network traffic going to and from your devices, there are costs associated with its use. The mathematically intensive cryptographic algorithms require a significant amount of computing power, which can prevent your device from making use of all of the available bandwidth. For example, an IPsec-enabled device using the AES encryption protocols on a 10 gigabits per second (Gbps) network link might see a throughput of 4.5 Gbps. This is due to the demands placed on the CPU to perform the cryptographic functions required by the IPsec integrity and encryption algorithms.
+Although IPsec is critically important in securing network traffic going to and from your devices, there are costs associated with its use. The mathematically intensive cryptographic algorithms require a significant amount of computing power, which can prevent your device from making use of all of the available bandwidth. For example, an IPsec-enabled device using the AES encryption protocols on a 10 gigabits per second (Gbps) network link might see a throughput of 4.5 Gbps. This reduction is due to the demands placed on the CPU to perform the cryptographic functions required by the IPsec integrity and encryption algorithms.
-IPsec task offload is a Windows technology that supports network adapters equipped with dedicated cryptographic processors to perform the computationally intensive work required by IPsec. This frees up a device’s CPU and can dramatically increase network throughput. For the same network link as above, the throughput with IPsec task offload enabled improves to about 9.2 Gbps.
+IPsec task offload is a Windows technology that supports network adapters equipped with dedicated cryptographic processors to perform the computationally intensive work required by IPsec. This configuration frees up a device’s CPU and can dramatically increase network throughput. For the same network link as above, the throughput with IPsec task offload enabled improves to about 9.2 Gbps.
## Domain isolation design
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md
index db22ee475a..eb25e2cf9c 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md
@@ -29,7 +29,7 @@ Before Windows Sandbox is installed, the dynamic base image package is stored as
## Memory management
-Traditional VMs apportion statically sized allocations of host memory. When resource needs change, classic VMs have limited mechanisms for adjusting their resource needs. On the other hand, containers collaborate with the host to dynamically determine how host resources are allocated. This is similar to how processes normally compete for memory on the host. If the host is under memory pressure, it can reclaim memory from the container much like it would with a process.
+Traditional VMs apportion statically sized allocations of host memory. When resource needs change, classic VMs have limited mechanisms for adjusting their resource needs. On the other hand, containers collaborate with the host to dynamically determine how host resources are allocated. This method is similar to how processes normally compete for memory on the host. If the host is under memory pressure, it can reclaim memory from the container much like it would with a process.
@@ -51,7 +51,7 @@ Windows Sandbox employs a unique policy that allows the virtual processors of th
Hardware accelerated rendering is key to a smooth and responsive user experience, especially for graphics-intensive use cases. Microsoft works with its graphics ecosystem partners to integrate modern graphics virtualization capabilities directly into DirectX and Windows Display Driver Model (WDDM), the driver model used by Windows.
-This allows programs running inside the sandbox to compete for GPU resources with applications that are running on the host.
+This feature allows programs running inside the sandbox to compete for GPU resources with applications that are running on the host.
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
index 2ac125c33b..16214a5f59 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
@@ -8,7 +8,7 @@ ms.author: dansimp
manager: dansimp
ms.collection:
ms.topic: article
-ms.localizationpriority:
+ms.localizationpriority: medium
ms.date:
ms.reviewer:
---