Merge remote-tracking branch 'refs/remotes/origin/master' into atp-customti-update

This commit is contained in:
Joey Caparas
2017-03-22 11:01:57 -07:00
42 changed files with 1500 additions and 194 deletions

2
.gitignore vendored

@ -12,4 +12,4 @@ Tools/NuGet/
packages.config packages.config
# User-specific files # User-specific files
.vs/ .vs/

395
LICENSE Normal file

@ -0,0 +1,395 @@
Attribution 4.0 International
=======================================================================
Creative Commons Corporation ("Creative Commons") is not a law firm and
does not provide legal services or legal advice. Distribution of
Creative Commons public licenses does not create a lawyer-client or
other relationship. Creative Commons makes its licenses and related
information available on an "as-is" basis. Creative Commons gives no
warranties regarding its licenses, any material licensed under their
terms and conditions, or any related information. Creative Commons
disclaims all liability for damages resulting from their use to the
fullest extent possible.
Using Creative Commons Public Licenses
Creative Commons public licenses provide a standard set of terms and
conditions that creators and other rights holders may use to share
original works of authorship and other material subject to copyright
and certain other rights specified in the public license below. The
following considerations are for informational purposes only, are not
exhaustive, and do not form part of our licenses.
Considerations for licensors: Our public licenses are
intended for use by those authorized to give the public
permission to use material in ways otherwise restricted by
copyright and certain other rights. Our licenses are
irrevocable. Licensors should read and understand the terms
and conditions of the license they choose before applying it.
Licensors should also secure all rights necessary before
applying our licenses so that the public can reuse the
material as expected. Licensors should clearly mark any
material not subject to the license. This includes other CC-
licensed material, or material used under an exception or
limitation to copyright. More considerations for licensors:
wiki.creativecommons.org/Considerations_for_licensors
Considerations for the public: By using one of our public
licenses, a licensor grants the public permission to use the
licensed material under specified terms and conditions. If
the licensor's permission is not necessary for any reason--for
example, because of any applicable exception or limitation to
copyright--then that use is not regulated by the license. Our
licenses grant only permissions under copyright and certain
other rights that a licensor has authority to grant. Use of
the licensed material may still be restricted for other
reasons, including because others have copyright or other
rights in the material. A licensor may make special requests,
such as asking that all changes be marked or described.
Although not required by our licenses, you are encouraged to
respect those requests where reasonable. More_considerations
for the public:
wiki.creativecommons.org/Considerations_for_licensees
=======================================================================
Creative Commons Attribution 4.0 International Public License
By exercising the Licensed Rights (defined below), You accept and agree
to be bound by the terms and conditions of this Creative Commons
Attribution 4.0 International Public License ("Public License"). To the
extent this Public License may be interpreted as a contract, You are
granted the Licensed Rights in consideration of Your acceptance of
these terms and conditions, and the Licensor grants You such rights in
consideration of benefits the Licensor receives from making the
Licensed Material available under these terms and conditions.
Section 1 -- Definitions.
a. Adapted Material means material subject to Copyright and Similar
Rights that is derived from or based upon the Licensed Material
and in which the Licensed Material is translated, altered,
arranged, transformed, or otherwise modified in a manner requiring
permission under the Copyright and Similar Rights held by the
Licensor. For purposes of this Public License, where the Licensed
Material is a musical work, performance, or sound recording,
Adapted Material is always produced where the Licensed Material is
synched in timed relation with a moving image.
b. Adapter's License means the license You apply to Your Copyright
and Similar Rights in Your contributions to Adapted Material in
accordance with the terms and conditions of this Public License.
c. Copyright and Similar Rights means copyright and/or similar rights
closely related to copyright including, without limitation,
performance, broadcast, sound recording, and Sui Generis Database
Rights, without regard to how the rights are labeled or
categorized. For purposes of this Public License, the rights
specified in Section 2(b)(1)-(2) are not Copyright and Similar
Rights.
d. Effective Technological Measures means those measures that, in the
absence of proper authority, may not be circumvented under laws
fulfilling obligations under Article 11 of the WIPO Copyright
Treaty adopted on December 20, 1996, and/or similar international
agreements.
e. Exceptions and Limitations means fair use, fair dealing, and/or
any other exception or limitation to Copyright and Similar Rights
that applies to Your use of the Licensed Material.
f. Licensed Material means the artistic or literary work, database,
or other material to which the Licensor applied this Public
License.
g. Licensed Rights means the rights granted to You subject to the
terms and conditions of this Public License, which are limited to
all Copyright and Similar Rights that apply to Your use of the
Licensed Material and that the Licensor has authority to license.
h. Licensor means the individual(s) or entity(ies) granting rights
under this Public License.
i. Share means to provide material to the public by any means or
process that requires permission under the Licensed Rights, such
as reproduction, public display, public performance, distribution,
dissemination, communication, or importation, and to make material
available to the public including in ways that members of the
public may access the material from a place and at a time
individually chosen by them.
j. Sui Generis Database Rights means rights other than copyright
resulting from Directive 96/9/EC of the European Parliament and of
the Council of 11 March 1996 on the legal protection of databases,
as amended and/or succeeded, as well as other essentially
equivalent rights anywhere in the world.
k. You means the individual or entity exercising the Licensed Rights
under this Public License. Your has a corresponding meaning.
Section 2 -- Scope.
a. License grant.
1. Subject to the terms and conditions of this Public License,
the Licensor hereby grants You a worldwide, royalty-free,
non-sublicensable, non-exclusive, irrevocable license to
exercise the Licensed Rights in the Licensed Material to:
a. reproduce and Share the Licensed Material, in whole or
in part; and
b. produce, reproduce, and Share Adapted Material.
2. Exceptions and Limitations. For the avoidance of doubt, where
Exceptions and Limitations apply to Your use, this Public
License does not apply, and You do not need to comply with
its terms and conditions.
3. Term. The term of this Public License is specified in Section
6(a).
4. Media and formats; technical modifications allowed. The
Licensor authorizes You to exercise the Licensed Rights in
all media and formats whether now known or hereafter created,
and to make technical modifications necessary to do so. The
Licensor waives and/or agrees not to assert any right or
authority to forbid You from making technical modifications
necessary to exercise the Licensed Rights, including
technical modifications necessary to circumvent Effective
Technological Measures. For purposes of this Public License,
simply making modifications authorized by this Section 2(a)
(4) never produces Adapted Material.
5. Downstream recipients.
a. Offer from the Licensor -- Licensed Material. Every
recipient of the Licensed Material automatically
receives an offer from the Licensor to exercise the
Licensed Rights under the terms and conditions of this
Public License.
b. No downstream restrictions. You may not offer or impose
any additional or different terms or conditions on, or
apply any Effective Technological Measures to, the
Licensed Material if doing so restricts exercise of the
Licensed Rights by any recipient of the Licensed
Material.
6. No endorsement. Nothing in this Public License constitutes or
may be construed as permission to assert or imply that You
are, or that Your use of the Licensed Material is, connected
with, or sponsored, endorsed, or granted official status by,
the Licensor or others designated to receive attribution as
provided in Section 3(a)(1)(A)(i).
b. Other rights.
1. Moral rights, such as the right of integrity, are not
licensed under this Public License, nor are publicity,
privacy, and/or other similar personality rights; however, to
the extent possible, the Licensor waives and/or agrees not to
assert any such rights held by the Licensor to the limited
extent necessary to allow You to exercise the Licensed
Rights, but not otherwise.
2. Patent and trademark rights are not licensed under this
Public License.
3. To the extent possible, the Licensor waives any right to
collect royalties from You for the exercise of the Licensed
Rights, whether directly or through a collecting society
under any voluntary or waivable statutory or compulsory
licensing scheme. In all other cases the Licensor expressly
reserves any right to collect such royalties.
Section 3 -- License Conditions.
Your exercise of the Licensed Rights is expressly made subject to the
following conditions.
a. Attribution.
1. If You Share the Licensed Material (including in modified
form), You must:
a. retain the following if it is supplied by the Licensor
with the Licensed Material:
i. identification of the creator(s) of the Licensed
Material and any others designated to receive
attribution, in any reasonable manner requested by
the Licensor (including by pseudonym if
designated);
ii. a copyright notice;
iii. a notice that refers to this Public License;
iv. a notice that refers to the disclaimer of
warranties;
v. a URI or hyperlink to the Licensed Material to the
extent reasonably practicable;
b. indicate if You modified the Licensed Material and
retain an indication of any previous modifications; and
c. indicate the Licensed Material is licensed under this
Public License, and include the text of, or the URI or
hyperlink to, this Public License.
2. You may satisfy the conditions in Section 3(a)(1) in any
reasonable manner based on the medium, means, and context in
which You Share the Licensed Material. For example, it may be
reasonable to satisfy the conditions by providing a URI or
hyperlink to a resource that includes the required
information.
3. If requested by the Licensor, You must remove any of the
information required by Section 3(a)(1)(A) to the extent
reasonably practicable.
4. If You Share Adapted Material You produce, the Adapter's
License You apply must not prevent recipients of the Adapted
Material from complying with this Public License.
Section 4 -- Sui Generis Database Rights.
Where the Licensed Rights include Sui Generis Database Rights that
apply to Your use of the Licensed Material:
a. for the avoidance of doubt, Section 2(a)(1) grants You the right
to extract, reuse, reproduce, and Share all or a substantial
portion of the contents of the database;
b. if You include all or a substantial portion of the database
contents in a database in which You have Sui Generis Database
Rights, then the database in which You have Sui Generis Database
Rights (but not its individual contents) is Adapted Material; and
c. You must comply with the conditions in Section 3(a) if You Share
all or a substantial portion of the contents of the database.
For the avoidance of doubt, this Section 4 supplements and does not
replace Your obligations under this Public License where the Licensed
Rights include other Copyright and Similar Rights.
Section 5 -- Disclaimer of Warranties and Limitation of Liability.
a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
c. The disclaimer of warranties and limitation of liability provided
above shall be interpreted in a manner that, to the extent
possible, most closely approximates an absolute disclaimer and
waiver of all liability.
Section 6 -- Term and Termination.
a. This Public License applies for the term of the Copyright and
Similar Rights licensed here. However, if You fail to comply with
this Public License, then Your rights under this Public License
terminate automatically.
b. Where Your right to use the Licensed Material has terminated under
Section 6(a), it reinstates:
1. automatically as of the date the violation is cured, provided
it is cured within 30 days of Your discovery of the
violation; or
2. upon express reinstatement by the Licensor.
For the avoidance of doubt, this Section 6(b) does not affect any
right the Licensor may have to seek remedies for Your violations
of this Public License.
c. For the avoidance of doubt, the Licensor may also offer the
Licensed Material under separate terms or conditions or stop
distributing the Licensed Material at any time; however, doing so
will not terminate this Public License.
d. Sections 1, 5, 6, 7, and 8 survive termination of this Public
License.
Section 7 -- Other Terms and Conditions.
a. The Licensor shall not be bound by any additional or different
terms or conditions communicated by You unless expressly agreed.
b. Any arrangements, understandings, or agreements regarding the
Licensed Material not stated herein are separate from and
independent of the terms and conditions of this Public License.
Section 8 -- Interpretation.
a. For the avoidance of doubt, this Public License does not, and
shall not be interpreted to, reduce, limit, restrict, or impose
conditions on any use of the Licensed Material that could lawfully
be made without permission under this Public License.
b. To the extent possible, if any provision of this Public License is
deemed unenforceable, it shall be automatically reformed to the
minimum extent necessary to make it enforceable. If the provision
cannot be reformed, it shall be severed from this Public License
without affecting the enforceability of the remaining terms and
conditions.
c. No term or condition of this Public License will be waived and no
failure to comply consented to unless expressly agreed to by the
Licensor.
d. Nothing in this Public License constitutes or may be interpreted
as a limitation upon, or waiver of, any privileges and immunities
that apply to the Licensor or You, including from the legal
processes of any jurisdiction or authority.
=======================================================================
Creative Commons is not a party to its public
licenses. Notwithstanding, Creative Commons may elect to apply one of
its public licenses to material it publishes and in those instances
will be considered the “Licensor.” The text of the Creative Commons
public licenses is dedicated to the public domain under the CC0 Public
Domain Dedication. Except for the limited purpose of indicating that
material is shared under a Creative Commons public license or as
otherwise permitted by the Creative Commons policies published at
creativecommons.org/policies, Creative Commons does not authorize the
use of the trademark "Creative Commons" or any other trademark or logo
of Creative Commons without its prior written consent including,
without limitation, in connection with any unauthorized modifications
to any of its public licenses or any other arrangements,
understandings, or agreements concerning use of licensed material. For
the avoidance of doubt, this paragraph does not form part of the
public licenses.
Creative Commons may be contacted at creativecommons.org.
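Review bot: adding this CC BY 4.0 text while the hunk further down in the same commit deletes the old notice that licensed the documentation under the Creative Commons Attribution 3.0 United States License is a relicensing of the whole docs set, and it should be called out explicitly in the commit message rather than arriving silently inside a merge. One small nit in the trailing Creative Commons paragraph: it uses curly quotes around “Licensor.” while the rest of the file uses straight quotes.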

17
LICENSE-CODE Normal file

@ -0,0 +1,17 @@
The MIT License (MIT)
Copyright (c) Microsoft Corporation
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and
associated documentation files (the "Software"), to deal in the Software without restriction,
including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense,
and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial
portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT
NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


@ -1,3 +1,8 @@
## Microsoft Open Source Code of Conduct
This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.
# Windows IT professional documentation # Windows IT professional documentation
Welcome! This repository houses the docs that are written for IT professionals for the following products: Welcome! This repository houses the docs that are written for IT professionals for the following products:
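Review bot: the new `## Microsoft Open Source Code of Conduct` block is inserted above `# Windows IT professional documentation`, so the README now opens with an H2 before its H1. Move the Code of Conduct section below the title (or to the end of the README) so the heading hierarchy stays consistent.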

15
ThirdPartyNotices Normal file

@ -0,0 +1,15 @@
##Legal Notices
Microsoft and any contributors grant you a license to the Microsoft documentation and other content
in this repository under the [Creative Commons Attribution 4.0 International Public License](https://creativecommons.org/licenses/by/4.0/legalcode),
see the [LICENSE](LICENSE) file, and grant you a license to any code in the repository under the [MIT License](https://opensource.org/licenses/MIT), see the
[LICENSE-CODE](LICENSE-CODE) file.
Microsoft, Windows, Microsoft Azure and/or other Microsoft products and services referenced in the documentation
may be either trademarks or registered trademarks of Microsoft in the United States and/or other countries.
The licenses for this project do not grant you rights to use any Microsoft names, logos, or trademarks.
Microsoft's general trademark guidelines can be found at http://go.microsoft.com/fwlink/?LinkID=254653.
Privacy information can be found at https://privacy.microsoft.com/en-us/
Microsoft and any contributors reserve all others rights, whether under their respective copyrights, patents,
or trademarks, whether by implication, estoppel or otherwise.
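Review bot: `##Legal Notices` on the first line has no space after the hashes, so CommonMark and GitHub Markdown will render it as literal text instead of a heading; write `## Legal Notices`. In the last paragraph, "reserve all others rights" should read "reserve all other rights".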


@ -1,6 +1,6 @@
--- ---
title: Windows 10 for Education (Windows 10) title: Windows 10 for Education (Windows 10)
description: Learn how to use Windows 10 in schools. description: Learn how to use Windows 10 in schools.
keywords: Windows 10, education keywords: Windows 10, education
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy


@ -1,7 +0,0 @@
Copyright (c) Microsoft Corporation. Distributed under the following terms:
1. Microsoft and any contributors to this project each grants you a license, under its respective copyrights, to the documentation under the [Creative Commons Attribution 3.0 United States License](http://creativecommons.org/licenses/by/3.0/us/legalcode). In addition, with respect to any sample code contained in the documentation, Microsoft and any such contributors grants you an additional license, under its respective intellectual property rights, to use the code to develop or design your software for Microsoft Windows.
2. Microsoft, Windows, and/or other Microsoft products and services referenced in the documentation may be either trademarks or registered trademarks of Microsoft in the United States and/or other countries. This license does not grant you rights to use any names, logos, or trademarks. For Microsofts general trademark guidelines, go to [https://go.microsoft.com/fwlink/?LinkID=254653](https://go.microsoft.com/fwlink/?LinkID=254653).
3. Microsoft and any contributors reserves all others rights, whether under copyrights, patents, or trademarks, or by implication, estoppel or otherwise.


@ -1,6 +1,6 @@
--- ---
title: Resolve Windows 10 upgrade errors title: Resolve Windows 10 upgrade errors - Windows IT Pro
description: Resolve Windows 10 upgrade errors description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors.
ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502 ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502
keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback
ms.prod: w10 ms.prod: w10
@ -11,7 +11,7 @@ author: greg-lindsay
localizationpriority: high localizationpriority: high
--- ---
# Resolve Windows 10 upgrade errors # Resolve Windows 10 upgrade errors : Technical information for IT Pros
**Applies to** **Applies to**
- Windows 10 - Windows 10
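Review bot: the new H1 `# Resolve Windows 10 upgrade errors : Technical information for IT Pros` has a space before the colon; drop it. The suffix also differs from the one added to the `title:` metadata in the first hunk (`- Windows IT Pro`), so the browser title and the in-page heading will disagree; pick one form and use it in both places.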
@ -251,13 +251,15 @@ See the following example:
### Analyze log files ### Analyze log files
>The following instructions are meant for IT professionals. Also see the [Upgrade error codes](#upgrade-error-codes) section in this guide to familiarize yourself with [result codes](#result-codes) and [extend codes](#extend-codes).
<P>To analyze Windows Setup log files: <P>To analyze Windows Setup log files:
<OL> <OL>
<LI>Determine the Windows Setup error code. <LI>Determine the Windows Setup error code. This code should be returned by Windows Setup if it is not successful with the upgrade process.
<LI>Based on the [extend code](#extend-codes) portion of the error code, determine the type and location of a [log files](#log-files) to investigate. <LI>Based on the [extend code](#extend-codes) portion of the error code, determine the type and location of a [log files](#log-files) to investigate.
<LI>Open the log file in a text editor, such as notepad. <LI>Open the log file in a text editor, such as notepad.
<LI>Using the result code portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively search for the "abort" and abandoning" text strings described in step 7 below. <LI>Using the [result code](#result-codes) portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively search for the "abort" and abandoning" text strings described in step 7 below.
<LI>To find the last occurrence of the result code: <LI>To find the last occurrence of the result code:
<OL type="a"> <OL type="a">
<LI>Scroll to the bottom of the file and click after the last character. <LI>Scroll to the bottom of the file and click after the last character.
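Review bot: step 4 still reads `"abort" and abandoning"` with the opening quote before `abandoning` missing; since this line is being edited anyway, fix the typo here. In step 2, `a [log files](#log-files)` should be `a [log file](#log-files)`. Also note that the steps are raw HTML (`<P>`, `<OL>`, `<LI>`) with Markdown links inside; many Markdown renderers do not process Markdown inside raw HTML block elements, so the newly added `[result code](#result-codes)` link may render literally. Check the rendered output or convert the list to Markdown.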


@ -11,7 +11,7 @@ If youre having issues seeing data in Upgrade Readiness after running the Upg
If you still dont see data in Upgrade Readiness, follow these steps: If you still dont see data in Upgrade Readiness, follow these steps:
1. Download and extract UpgradeAnalytics.zip. Ensure the “Diagnostics” folder is included. 1. Download and extract the [Upgrade Readiness Deployment Script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409). Ensure the “Pilot/Diagnostics” folder is included .
2. Edit the script as described in [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md). 2. Edit the script as described in [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md).
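Review bot: `Ensure the “Pilot/Diagnostics” folder is included .` has a stray space before the period. The folder name should also match the names used on the deployment-script page updated in this same commit, which describes the archive as containing a **Pilot** and a **Deployment** folder, so `Pilot/Diagnostics` needs to be the actual path inside the extracted archive.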


@ -31,7 +31,7 @@ The Upgrade Readiness deployment script does the following:
To run the Upgrade Readiness deployment script: To run the Upgrade Readiness deployment script:
1. Download the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract UpgradeAnalytics.zip. Inside, there are two folders: Pilot and Deployment. The Pilot folder contains advanced logging that can help troubleshoot issues and is intended to be run from an elevated command prompt. The Deployment folder offers a lightweight script intended for broad deployment through ConfigMgr or other software deployment system. We recommend manually running the Pilot version of the script on 5-10 machines to verify that everything is configured correctly. Once you have confirmed that data is flowing successfully, proceed to run the Deployment version throughout your organization. 1. Download the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract the .zip file. Inside, there are two folders: **Pilot** and **Deployment**. The **Pilot** folder contains advanced logging that can help troubleshoot issues and is intended to be run from an elevated command prompt. The **Deployment** folder offers a lightweight script intended for broad deployment through ConfigMgr or other software deployment system. We recommend manually running the Pilot version of the script on 5-10 machines to verify that everything is configured correctly. Once you have confirmed that data is flowing successfully, proceed to run the Deployment version throughout your organization.
2. Edit the following parameters in RunConfig.bat: 2. Edit the following parameters in RunConfig.bat:
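Review bot: `through ConfigMgr or other software deployment system` should read `or another software deployment system`. Since the text tells readers to run the Pilot script from an elevated command prompt immediately after downloading it, this step is also the right place to say how to confirm that the downloaded archive is the expected one before running it with elevated rights; at present the step goes straight from download to execution.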


@ -53,7 +53,7 @@ For applications assessed as **Attention needed**, review the table below for de
| Upgrade Assessment | Action required prior to upgrade? | Issue | What it means | Guidance | | Upgrade Assessment | Action required prior to upgrade? | Issue | What it means | Guidance |
|--------------------|-----------------------------------|-----------|-----------------|------------| |--------------------|-----------------------------------|-----------|-----------------|------------|
| Attention needed | No | Application is removed during upgrade | Compatibility issues were detected and the application will not migrate to the new operating system. <br> | No action is required for the upgrade to proceed. | | Attention needed | No | Application is removed during upgrade | Compatibility issues were detected and the application will not migrate to the new operating system. <br> | No action is required for the upgrade to proceed. |
| Attention needed | Yes | Blocking upgrade | Blocking issues were detected and Upgrade Analytics is not able to remove the application during upgrade. <br><br>The application may work on the new operating system.<br> | Remove the application before upgrading, and reinstall and test on new operating system. | | Attention needed | Yes | Blocking upgrade | Blocking issues were detected and Upgrade Readiness is not able to remove the application during upgrade. <br><br>The application may work on the new operating system.<br> | Remove the application before upgrading, and reinstall and test on new operating system. |
| Attention needed | No | Evaluate application on new OS | The application will migrate, but issues were detected that may impact its performance on the new operating system. | No action is required for the upgrade to proceed, but be sure to test the application on the new operating system.<br> | | Attention needed | No | Evaluate application on new OS | The application will migrate, but issues were detected that may impact its performance on the new operating system. | No action is required for the upgrade to proceed, but be sure to test the application on the new operating system.<br> |
| Attention needed | No | Does not work with new OS, but wont block upgrade | The application is not compatible with the new operating system, but wont block the upgrade. | No action is required for the upgrade to proceed, however, youll have to install a compatible version of the application on the new operating system.<br> | | Attention needed | No | Does not work with new OS, but wont block upgrade | The application is not compatible with the new operating system, but wont block the upgrade. | No action is required for the upgrade to proceed, however, youll have to install a compatible version of the application on the new operating system.<br> |
| Attention needed | Yes | Does not work with new OS, and will block upgrade | The application is not compatible with the new operating system and will block the upgrade. | Remove the application before upgrading. <br><br>A compatible version of the application may be available.<br> | | Attention needed | Yes | Does not work with new OS, and will block upgrade | The application is not compatible with the new operating system and will block the upgrade. | Remove the application before upgrading. <br><br>A compatible version of the application may be available.<br> |


@ -17,9 +17,13 @@ The following color-coded status changes are reflected on the upgrade overview b
- No delay in processing device inventory data = "Last updated" banner is displayed in green. - No delay in processing device inventory data = "Last updated" banner is displayed in green.
- Delay processing device inventory data = "Last updated" banner is displayed in amber. - Delay processing device inventory data = "Last updated" banner is displayed in amber.
- Computers with incomplete data: - Computers with incomplete data:
- Less than 4% = Count is displayed in black. - Less than 4% = Count is displayed in green.
- 4% - 10% = Count is displayed in amber. - 4% - 10% = Count is displayed in amber.
- Greater than 10% = Count is displayed in red. - Greater than 10% = Count is displayed in red.
- Computers with outdated KB:
- Less than 10% = Count is displayed in green.
- 10% - 30% = Count is displayed in amber.
- Greater than 30% = Count is displayed in red.
- User changes: - User changes:
- Pending user changes = User changes count displays "Data refresh pending" in amber. - Pending user changes = User changes count displays "Data refresh pending" in amber.
- No pending user changes = User changes count displays "Up to date" in green. - No pending user changes = User changes count displays "Up to date" in green.
@ -28,6 +32,8 @@ The following color-coded status changes are reflected on the upgrade overview b
- If the current value is an older OS version than the recommended value, but not deprecated, the version is displayed in amber. - If the current value is an older OS version than the recommended value, but not deprecated, the version is displayed in amber.
- If the current value is a deprecated OS version, the version is displayed in red. - If the current value is a deprecated OS version, the version is displayed in red.
Click on a row to drill down and see details about individual computers. If KBs are missing, see [Deploy the compatibility update and related KBs](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#deploy-the-compatibility-update-and-related-kbs) for information on required KBs.
In the following example, there is no delay in data processing, less than 4% of computers (6k\294k) have incomplete data, there are no pending user changes, and the currently selected target OS version is the same as the recommended version: In the following example, there is no delay in data processing, less than 4% of computers (6k\294k) have incomplete data, there are no pending user changes, and the currently selected target OS version is the same as the recommended version:
![Upgrade overview](images/ur-overview.png) ![Upgrade overview](images/ur-overview.png)
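Review bot: the sentence added at the end of this hunk links to an absolute, locale-pinned URL (`https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#deploy-the-compatibility-update-and-related-kbs`) while every other cross-reference in this changeset is a relative `.md` link; if `upgrade-readiness-get-started.md` sits in the same folder as this page, prefer `[Deploy the compatibility update and related KBs](upgrade-readiness-get-started.md#deploy-the-compatibility-update-and-related-kbs)` so localized builds resolve it locally instead of always landing on en-us. The colour change for "Less than 4%" from black to green is consistent with the new "Computers with outdated KB" list, which also uses green for its lowest band.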

View File

@ -51,4 +51,4 @@ To change the target version setting, click on **Solutions Settings**, which app
On the **Upgrade Readiness Settings** page, choose one of the options in the drop down box and click **Save**. The changes in the target version setting are reflected in evaluations when a new snapshot is uploaded to your workspace. On the **Upgrade Readiness Settings** page, choose one of the options in the drop down box and click **Save**. The changes in the target version setting are reflected in evaluations when a new snapshot is uploaded to your workspace.
![Target version](images/ua-cg-09.png) ![Target version](images/ur-settings.png)
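Review bot: the screenshot reference changes from `images/ua-cg-09.png` to `images/ur-settings.png`; confirm the new image is included in this commit and that `ua-cg-09.png` is removed if no other page still references it, otherwise the build carries a dangling link or an orphaned asset.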

View File

@ -168,6 +168,7 @@
##### [Choose the Right BitLocker Countermeasure](choose-the-right-bitlocker-countermeasure.md) ##### [Choose the Right BitLocker Countermeasure](choose-the-right-bitlocker-countermeasure.md)
#### [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md) #### [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)
### [Encrypted Hard Drive](encrypted-hard-drive.md) ### [Encrypted Hard Drive](encrypted-hard-drive.md)
### [Enterprise Certificate Pinning](enterprise-certificate-pinning.md)
### [Security auditing](security-auditing-overview.md) ### [Security auditing](security-auditing-overview.md)
#### [Basic security audit policies](basic-security-audit-policies.md) #### [Basic security audit policies](basic-security-audit-policies.md)
##### [Create a basic audit policy for an event category](create-a-basic-audit-policy-settings-for-an-event-category.md) ##### [Create a basic audit policy for an event category](create-a-basic-audit-policy-settings-for-an-event-category.md)
@ -572,7 +573,7 @@
###### [Domain member: Maximum machine account password age](domain-member-maximum-machine-account-password-age.md) ###### [Domain member: Maximum machine account password age](domain-member-maximum-machine-account-password-age.md)
###### [Domain member: Require strong (Windows 2000 or later) session key](domain-member-require-strong-windows-2000-or-later-session-key.md) ###### [Domain member: Require strong (Windows 2000 or later) session key](domain-member-require-strong-windows-2000-or-later-session-key.md)
###### [Interactive logon: Display user information when the session is locked](interactive-logon-display-user-information-when-the-session-is-locked.md) ###### [Interactive logon: Display user information when the session is locked](interactive-logon-display-user-information-when-the-session-is-locked.md)
###### [Interactive logon: Don\'t display last signed-in](interactive-logon-do-not-display-last-user-name.md) ###### [Interactive logon: Don't display last signed-in](interactive-logon-do-not-display-last-user-name.md)
###### [Interactive logon: Do not require CTRL+ALT+DEL](interactive-logon-do-not-require-ctrl-alt-del.md) ###### [Interactive logon: Do not require CTRL+ALT+DEL](interactive-logon-do-not-require-ctrl-alt-del.md)
###### [Interactive logon: Machine account lockout threshold](interactive-logon-machine-account-lockout-threshold.md) ###### [Interactive logon: Machine account lockout threshold](interactive-logon-machine-account-lockout-threshold.md)
###### [Interactive logon: Machine inactivity limit](interactive-logon-machine-inactivity-limit.md) ###### [Interactive logon: Machine inactivity limit](interactive-logon-machine-inactivity-limit.md)
@ -768,10 +769,12 @@
######## [Submit files for analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis) ######## [Submit files for analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
######## [View deep analysis reports](respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports) ######## [View deep analysis reports](respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
######## [Troubleshoot deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis) ######## [Troubleshoot deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
#### [Configure SIEM tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md) #### [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md)
##### [Configure an Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md) ##### [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
##### [Configure Splunk to consume Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) ##### [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
##### [Configure HP ArcSight to consume Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) ##### [Configure HP ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
##### [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
##### [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
#### [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md) #### [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md)
##### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) ##### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
##### [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) ##### [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
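Review bot: this hunk removes `configure-aad-windows-defender-advanced-threat-protection.md` from the TOC in favour of `enable-siem-integration-windows-defender-advanced-threat-protection.md`, yet the configure-aad page is still being edited later in this same commit (its "consume" to "pull" wording hunks); decide whether that page is being retired (delete it and fix inbound links) or kept (keep a TOC entry for it), otherwise it becomes an orphan page that readers cannot reach from navigation.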

View File

@ -0,0 +1,73 @@
---
title: Windows Defender ATP alert API fields
description: Understand how the alert API fields map to the values in the Windows Defender ATP portal.
keywords: alerts, alert fields, fields, api, fields, pull alerts, rest api, request, response
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
---
# Windows Defender ATP alert API fields
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal.
# Alert API fields and portal mapping
Field numbers match the numbers in the images below.
Portal label | SIEM field name | Description
:---|:---|:---
1 | LinkToWDATP | Link back to the alert page in Windows Defender ATP
2 | Alert ID | Alert ID visible in the link: `https://securitycenter.windows.com/alert/<alert id>`
3 | AlertTitle | Alert title
4 | Actor | Actor name
5 | AlertTime | Last time the alert was observed
6 | Severity | Alert severity
7 | Category | Alert category
8 | Status in queue | Alert status in queue
9 | ComputerDnsName| Computer DNS name and machine name
10| IoaDefinitionId | (Internal only) <br><br> ID for the IOA (Indication of attack) that this alert belongs to. It usually correlates with the title. <br><br> **Note**: This is an internal ID of the rule which triggers the alert. It's provided here as it can be used for aggregations in the SIEM.
11 | UserName | The user context relevant to the activity on the machine which triggered the alert. NOTE: Not yet populated.
12 | FileName | File name
13 | FileHash | Sha1 of file observed
14 | FilePath | File path
15 | IpAddress | IP of the IOC (when relevant)
16 | URL | URL of the IOC (when relevant)
17 | FullId | (Internal only) <br><br> Unique ID for each combination of IOC and Alert ID. Provides the ability to apply dedup logic in the SIEM.
18 | AlertPart | (Internal only) <br><br> Alerts which contain multiple IOCs will be split into several messages, each message contains one IOC and a running counter. The counter provides the ability to reconstruct the alerts in the SIEM.
19 | LastProccesedTimeUtc | (Internal only) <br><br> Time the alert was last processed in Windows Defender ATP.
20 | Source| Alert detection source (Windows Defender AV, Windows Defender ATP, and Device Guard)
21 | ThreatCategory| Windows Defender AV threat category
22 | ThreatFamily | Windows Defender AV family name
23 | RemediationAction | Windows Defender AV threat category |
24 | WasExecutingWhileDetected | Indicates if a file was running while being detected.
25| RemediationIsSuccess | Indicates if an alert was successfully remediated.
26 | Sha1 | Sha1 of file observed in alert timeline and in file side pane (when available)
27 | Md5 | Md5 of file observed (when available)
28 | Sha256 | Sha256 of file observed (when available)
29 | ThreatName | Windows Defender AV threat name
>[!NOTE]
> Fields #21-29 are related to Windows Defender Antivirus alerts.
![Image of actor profile with numbers](images/atp-actor.png)
![Image of alert timeline with numbers](images/atp-alert-timeline-numbered.png)
![Image of new alerts with numbers](images/atp-alert-source.png)
![Image of machine timeline with numbers](images/atp-remediated-alert.png)
![Image of file details](images/atp-file-details.png)
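Review bot: row 23 describes `RemediationAction` as "Windows Defender AV threat category", which duplicates the description of row 21 (`ThreatCategory`) and says nothing about the action taken; it should describe the remediation Windows Defender AV performed, and the stray trailing `|` on that row should be removed. Also in this new file: `LastProccesedTimeUtc` (row 19) looks misspelled, but if that is the literal field name emitted by the API it must stay exactly as emitted, in which case a short note that the spelling is intentional would save readers from "correcting" their SIEM parsers; `Alert ID` (row 2) and `Status in queue` (row 8) are the only SIEM field names containing spaces, so confirm they match the real field names rather than portal labels; the page has two H1 headings (`# Windows Defender ATP alert API fields` and `# Alert API fields and portal mapping`), the second should be `##`; and `keywords` lists `fields` twice.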

View File

@ -22,7 +22,7 @@ localizationpriority: high
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
You need to add an application in your Azure Active Directory (AAD) tenant then authorize the Windows Defender ATP Alerts Export application to communicate with it so that your security information and events management (SIEM) tool can consume alerts from Windows Defender ATP portal. You need to add an application in your Azure Active Directory (AAD) tenant then authorize the Windows Defender ATP Alerts Export application to communicate with it so that your security information and events management (SIEM) tool can pull alerts from Windows Defender ATP portal.
1. Login to the [Azure management portal](https://ms.portal.azure.com). 1. Login to the [Azure management portal](https://ms.portal.azure.com).
@ -78,12 +78,12 @@ You need to add an application in your Azure Active Directory (AAD) tenant then
23. Save the application changes. 23. Save the application changes.
After configuring the application in AAD, you'll need to obtain a refresh token. You'll need to use the token when you configure the connector for your SIEM tool in the next steps. The token lets the connector access Windows Defender ATP events to be consumed by your SIEM. After configuring the application in AAD, you'll need to obtain a refresh token. You'll need to use the token when you configure the connector for your SIEM tool in the next steps. The token lets the connector access Windows Defender ATP events to be pulled by your SIEM.
## Obtain a refresh token using an events URL ## Obtain a refresh token using an events URL
Obtain a refresh token used to retrieve the Windows Defender Advanced Threat Protection events to your SIEM. This section provides information on how you can use an events URL to obtain the required refresh token. Obtain a refresh token used to retrieve the Windows Defender Advanced Threat Protection events to your SIEM. This section provides information on how you can use an events URL to obtain the required refresh token.
>[!NOTE] >[!NOTE]
>For HP ArcSight, you can obtain a refresh token using the restutil tool. For more information, see [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md). >For HP ArcSight, you can obtain a refresh token using the restutil tool. For more information, see [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md).
### Before you begin ### Before you begin
Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page: Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page:
@ -111,6 +111,6 @@ You'll use these values to obtain a refresh token.
After configuring your AAD application and generating a refresh token, you can proceed to configure your SIEM tool. After configuring your AAD application and generating a refresh token, you can proceed to configure your SIEM tool.
## Related topics ## Related topics
- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md) - [Configure security information and events management (SIEM) tools to pull alerts](configure-siem-windows-defender-advanced-threat-protection.md)
- [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md) - [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
- [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) - [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)

View File

@ -1,6 +1,6 @@
--- ---
title: Configure HP ArcSight to consume Windows Defender ATP alerts title: Configure HP ArcSight to pull Windows Defender ATP alerts
description: Configure HP ArcSight to receive and consume alerts from the Windows Defender ATP portal. description: Configure HP ArcSight to receive and pull alerts from the Windows Defender ATP portal.
keywords: configure hp arcsight, security information and events management tools, arcsight keywords: configure hp arcsight, security information and events management tools, arcsight
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh
ms.prod: w10 ms.prod: w10
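Review bot: the new description "Configure HP ArcSight to receive and pull alerts from the Windows Defender ATP portal" is redundant now that "consume" has become "pull" (receiving and pulling are the same action here); "Configure HP ArcSight to pull alerts from the Windows Defender ATP portal" reads cleaner and matches the new title.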
@ -11,7 +11,7 @@ author: mjcaparas
localizationpriority: high localizationpriority: high
--- ---
# Configure HP ArcSight to consume Windows Defender ATP alerts # Configure HP ArcSight to pull Windows Defender ATP alerts
**Applies to:** **Applies to:**
@ -21,86 +21,163 @@ localizationpriority: high
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
You'll need to configure HP ArcSight so that it can consume Windows Defender ATP alerts. You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Windows Defender ATP alerts.
## Before you begin ## Before you begin
Configuring the HP ArcSight Connector tool requires several configuration files for it to pull and parse alerts from your Azure Active Directory (AAD) application.
- Get the following information from your Azure Active Directory (AAD) application by selecting **View Endpoint** on the application configuration page: This section guides you in getting the necessary information to set and use the required configuration files correctly.
- OAuth 2 Token refresh URL
- OAuth 2 Client ID
- OAuth 2 Client secret
- Download the [WDATP-connector.properties](http://download.microsoft.com/download/3/9/C/39C703C2-487C-4C3E-AFD8-14C2253C2F12/WDATP-connector.properties) file and update the following values:
- **client_ID**: OAuth 2 Client ID - Make sure you have enabled the SIEM integration feature from the **Preferences setup** menu. For more information, see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md).
- **client_secret**: OAuth 2 Client secret
- **auth_url**: ```https://login.microsoftonline.com/<tenantID>?resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com ```
>[!NOTE] - Have the file you saved from enabling the SIEM integration feature ready. You'll need to get the following values:
>Replace *tenantID* with your tenant ID. - OAuth 2.0 Token refresh URL
- OAuth 2.0 Client ID
- OAuth 2.0 Client secret
- **token_url**: `https://login.microsoftonline.com/<tenantID>/oauth2/token` - Have the following configuration files ready:
- WDATP-connector.properties
- WDATP-connector.jsonparser.properties
>[!NOTE] You would have saved a .zip file which contains these two files when you chose HP ArcSight as the SIEM type you use in your organization.
>Replace the *tenantID* value with your tenant ID.
- **redirect_uri**: ```https://localhost:44300/wdatpconnector``` - Make sure you generate the following tokens and have them ready:
- **scope**: Leave the value blank - Access token
- Refresh token
- Download the [WDATP-connector.jsonparser.properties](http://download.microsoft.com/download/0/8/A/08A4957D-0923-4353-B25F-395EAE363E8C/WDATP-connector.jsonparser.properties) file. This file is used to parse the information from Windows Defender ATP to HP ArcSight consumable format. You can generate these tokens from the **SIEM integration** setup section of the portal.
- Install the HP ArcSight REST FlexConnector package. You can find this in the HPE Software center. Install the package on a server that has access to the Internet.
## Configure HP ArcSight ## Install and configure HP ArcSight SmartConnector
The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin). For more information, see the ArcSight FlexConnector Developer's guide. The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin).
1. Save the [WDATP-connector.jsonparser.properties file](http://download.microsoft.com/download/0/8/A/08A4957D-0923-4353-B25F-395EAE363E8C/WDATP-connector.jsonparser.properties) file into the connector installation folder. 1. Install the latest 32-bit Windows SmartConnector installer. You can find this in the HPE Software center. The tool is typically installed in the following default location: `C:\Program Files\ArcSightSmartConnectors\current\bin`.</br></br>You can choose where to save the tool, for example C:\\*folder_location*\current\bin where *folder_location* represents the installation location.
2. Save the [WDATP-connector.properties](http://download.microsoft.com/download/3/9/C/39C703C2-487C-4C3E-AFD8-14C2253C2F12/WDATP-connector.properties) file into the `<root>\current\user\agent\flexagent` folder of the connector installation folder. 2. Follow the installation wizard through the following tasks:
- Introduction
- Choose Install Folder
- Choose Install Set
- Choose Shortcut Folder
- Pre-Installation Summary
- Installing...
3. Open an elevated command-line: You can keep the default values for each of these tasks or modify the selection to suit your requirements.
a. Go to **Start** and type **cmd**. 3. Open File Explorer and locate the two configuration files you saved when you enabled the SIEM integration feature. Put the two files in the SmartConnector installation location, for example:
b. Right-click **Command prompt** and select **Run as administrator**. - WDATP-connector.jsonparser.properties: C:\\*folder_location*\current\user\agent\flexagent\
4. Enter the following command and press **Enter**: ```runagentsetup.bat```. The Connector Setup pop-up window appears. - WDATP-connector.properties: C:\\*folder_location*\current\user\agent\flexagent\
5. In the form fill in the following required fields with these values: >[!NOTE]
>[!NOTE] >You must put the configuration files in this location, where *folder_location* represents the location where you installed the tool.
>All other values in the form are optional and can be left blank. 4. After the installation of the core connector completes, the Connector Setup window opens. In the Connector Setup window, select **Add a Connector**.
<table> 5. Select Type: **ArcSight FlexConnector REST** and click **Next**.
<tbody style="vertical-align:top;">
<tr>
<th>Field</th>
<th>Value</th>
</tr>
<tr>
<td>Configuration File</td>
<td>Type in the name of the client property file. It must match the client property file.</td>
</tr>
<td>Events URL</td>
<td>Depending on the location of your datacenter, select either the EU or the US URL: </br></br> **For EU**: https://<i></i>wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
</br>**For US:** https://<i></i>wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME</td>
<tr>
<td>Authentication Type</td>
<td>OAuth 2</td>
</tr>
<td>OAuth 2 Client Properties file</td>
<td>Select *wdatp-connector.properties*.</td>
<tr>
<td>Refresh Token</td>
<td>You can use the Windows Defender ATP events URL or the restutil tool to get obtain a refresh token. <br> For more information on getting your refresh token using the events URL, see [Obtain a refresh token](configure-aad-windows-defender-advanced-threat-protection.md#obtain-a-refresh-token). </br> </br>**To get your refresh token using the restutil tool:** </br> a. Open a command prompt. Navigate to `C:\ArcSightSmartConnectors\<descriptive_name>\current\bin`. </br></br> b. Type: `arcsight restutil token -config C:\ArcSightSmartConnectors_Prod\WDATP\WDATP-connector.properties`. A Web browser window will open. </br> </br>c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials. </br> </br>d. A refresh token is shown in the command prompt. </br></br> e. Paste the value in the form.
</td>
</tr>
</tr>
</table>
6. Select **Next**, then **Save**.
7. Run the connector. You can choose to run in Service mode or Application mode. 6. Type the following information in the parameter details form. All other values in the form are optional and can be left blank.
8. In the HP ArcSight console, create a **Windows Defender ATP** channel with intervals and properties suitable to your enterprise needs. Windows Defender ATP alerts will appear as discrete events, with “Microsoft” as the vendor and “Windows Defender ATP” as the device name. <table>
<tbody style="vertical-align:top;">
<tr>
<th>Field</th>
<th>Value</th>
</tr>
<tr>
<td>Configuration File</td>
<td>Type in the name of the client property file. The name must match the file provided in the .zip that you downloaded.
For example, if the configuration file in "flexagent" directory is named "WDATP-Connector.jsonparser.properties", you must type "WDATP-Connector" as the name of the client property file.</td>
</tr>
<td>Events URL</td>
<td>Depending on the location of your datacenter, select either the EU or the US URL: </br></br> **For EU**: https://<i></i>wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
</br>**For US:** https://<i></i>wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME</td>
<tr>
<td>Authentication Type</td>
<td>OAuth 2</td>
</tr>
<td>OAuth 2 Client Properties file</td>
<td>Browse to the location of the *wdatp-connector.properties* file. The name must match the file provided in the .zip that you downloaded.</td>
<tr>
<td>Refresh Token</td>
<td>You can obtain a refresh token in two ways: by generating a refresh token from the **SIEM integration preferences setup** page or using the restutil tool. <br><br> For more information on generating a refresh token from the **Preferences setup** , see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md). </br> </br>**Get your refresh token using the restutil tool:** </br> a. Open a command prompt. Navigate to C:\\*folder_location*\current\bin where *folder_location* represents the location where you installed the tool. </br></br> b. Type: `arcsight restutil token -config` from the bin directory. A Web browser window will open. </br> </br>c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials. </br> </br>d. A refresh token is shown in the command prompt. </br></br> e. Copy and paste it into the **Refresh Token** field.
</td>
</tr>
</tr>
</table>
7. A browser window is opened by the connector. Login with your application credentials. After you log in, you'll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth 2 Client so that the connector configuration can authenticate. </br></br>
If the `redirect_uri` is a https URL, you'll be redirected to a URL on the local host. You'll see a page that requests for you to trust the certificate supplied by the connector running on the local host. You'll need to trust this certificate if the redirect_uri is a https. </br></br> If however you specify a http URL for the redirect_uri, you do not need to provide consent in trusting the certificate.
8. Continue with the connector setup by returning to the HP ArcSight Connector Setup window.
9. Select the **ArcSight Manager (encrypted)** as the destination and click **Next**.
10. Type in the destination IP/hostname in **Manager Hostname** and your credentials in the parameters form. All other values in the form should be retained with the default values. Click **Next**.
11. Type in a name for the connector in the connector details form. All other values in the form are optional and can be left blank. Click **Next**.
11. The ESM Manager import certificate window is shown. Select **Import the certificate to connector from destination** and click **Next**. The **Add connector Summary** window is displayed and the certificate is imported.
12. Verify that the details in the **Add connector Summary** window is correct, then click **Next**.
13. Select **Install as a service** and click **Next**.
14. Type a name in the **Service Internal Name** field. All other values in the form can be retained with the default values or left blank . Click **Next**.
13. Type in the service parameters and click **Next**. A window with the **Install Service Summary** is shown. Click **Next**.
14. Finish the installation by selecting **Exit** and **Next**.
## Install and configure the HP ArcSight console
1. Follow the installation wizard through the following tasks:
- Introduction
- License Agreement
- Special Notice
- Choose ArcSight installation directory
- Choose Shortcut Folder
- Pre-Installation Summary
2. Click **Install**. After the installation completes, the ArcSight Console Configuration Wizard opens.
3. Type localhost in **Manager Host Name** and 8443 in **Manager Port** then click **Next**.
4. Select **Use direct connection**, then click **Next**.
5. Select **Password Based Authentication**, then click **Next**.
6. Select **This is a single user installation. (Recommended)**, then click **Next**.
7. Click **Done** to quit the installer.
8. Login to the HP ArcSight console.
9. Navigate to **Active channel set** > **New Condition** > **Device** > **Device Product**.
10. Set **Device Product = Windows Defender ATP**. When you've verified that events are flowing to the tool, stop the process again and go to Windows Services and start the ArcSight FlexConnector REST.
You can now run queries in the HP ArcSight console.
Windows Defender ATP alerts will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name.
## Troubleshooting HP ArcSight connection
**Problem:** Failed to refresh the token. You can find the log located in C:\\*folder_location*\current\logs where *folder_location* represents the location where you installed the tool. Open _agent.log_ and look for `ERROR/FATAL/WARN`.
**Symptom:** You get the following error message:
`Failed to refresh the token. Set reauthenticate to true: com.arcsight.common.al.e: Failed to refresh access token: status=HTTP/1.1 400 Bad Request FATAL EXCEPTION: Could not refresh the access token`
**Solution:**
1. Stop the process by clicking Ctrl + C on the Connector window. Click **Y** when asked "Terminate batch job Y/N?".
2. Navigate to the folder where you stored the WDATP-connector.properties file and edit it to add the following value:
`reauthenticate=true`.
3. Restart the connector by running the following command: `arcsight.bat connectors`.
A browser window appears. Allow it to run, it should disappear, and the connector should now be running.
> [!NOTE]
> Verify that the connector is running by stopping the process again. Then start the connector again, and no browser window should appear.
## Related topics ## Related topics
- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md) - [Configure security information and events management (SIEM) tools to pull alerts](configure-siem-windows-defender-advanced-threat-protection.md)
- [Configure Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md) - [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md) - [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
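Review bot: the restutil instruction in the Refresh Token row lost its argument: the old text read `arcsight restutil token -config C:\ArcSightSmartConnectors_Prod\WDATP\WDATP-connector.properties`, the new text reads `arcsight restutil token -config` with no properties file, so the command as written will not run; restore the path using the same *folder_location* placeholder the page already uses for the flexagent directory, e.g. `arcsight restutil token -config C:\folder_location\current\user\agent\flexagent\WDATP-connector.properties`. Further points in this hunk: the SmartConnector step list is misnumbered (11 appears twice, then 12, 13, 14, 13, 14); the HTML table has `<td>Events URL</td>` and `<td>OAuth 2 Client Properties file</td>` rows with no opening `<tr>` and a doubled `</tr>` at the end, carried over from the old version and worth fixing while the table is being rewritten; step 7 discusses `redirect_uri` but this revision removed the paragraph that told the reader where that value lives (the WDATP-connector.properties file), so name the file there; and the advice that an http `redirect_uri` avoids the certificate prompt should be balanced by noting that the authorization code then arrives over plain HTTP, so the https form with the trusted local certificate is the safer default. Finally, console step 10 ("stop the process again and go to Windows Services and start the ArcSight FlexConnector REST") needs to say which process is being stopped, since the console section never started one.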

View File

@ -1,6 +1,6 @@
--- ---
title: Consume alerts and create custom indicators in Windows Defender Advanced Threat Protection title: Pull alerts to your SIEM tools from Windows Defender Advanced Threat Protection
description: Learn how to configure supported security information and events management tools to receive and consume alerts and create custom indicators using REST API. description: Learn how to use REST API and configure supported security information and events management tools to receive and pull alerts.
keywords: configure siem, security information and events management tools, splunk, arcsight, custom indicators, rest api, alert definitions, indicators of compromise keywords: configure siem, security information and events management tools, splunk, arcsight, custom indicators, rest api, alert definitions, indicators of compromise
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh
ms.prod: w10 ms.prod: w10
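Review bot: the `keywords` line (third line of this hunk) is left unchanged and still lists "custom indicators" and "indicators of compromise", while the new title ("Pull alerts to your SIEM tools from Windows Defender Advanced Threat Protection") and the new description no longer mention custom indicators at all. Trim the keywords to the retitled page's scope, for example `keywords: configure siem, security information and events management tools, splunk, arcsight, rest api, alert definitions`, so search metadata does not advertise content the page no longer carries.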
@ -11,7 +11,7 @@ author: mjcaparas
localizationpriority: high localizationpriority: high
--- ---
# Consume alerts and create custom indicators # Pull alerts to your SIEM tools
**Applies to:** **Applies to:**
@ -21,8 +21,10 @@ localizationpriority: high
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
## Consume alerts using supported security information and events management (SIEM) tools <span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
Windows Defender ATP supports (SIEM) tools to consume alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to get alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
## Pull alerts using supported security information and events management (SIEM) tools
Windows Defender ATP supports (SIEM) tools to pull alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
Windows Defender ATP currently supports the following SIEM tools: Windows Defender ATP currently supports the following SIEM tools:
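Review bot: the first sentence after the new "Pull alerts using supported..." heading still reads "Windows Defender ATP supports (SIEM) tools to pull alerts.", carrying over the dangling parenthetical from the old text; since the heading already expands the acronym, write "Windows Defender ATP supports security information and events management (SIEM) tools to pull alerts." In the same paragraph, "using the OAuth 2.0 authentication protocol" would be more accurate as "using OAuth 2.0 authorization", since OAuth 2.0 is an authorization framework and the connector is being granted access to the alerts endpoint, not authenticated as a user.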
@ -32,20 +34,26 @@ Windows Defender ATP currently supports the following SIEM tools:
To use either of these supported SIEM tools you'll need to: To use either of these supported SIEM tools you'll need to:
- [Configure an Azure Active Directory application for SIEM integration in your tenant](configure-aad-windows-defender-advanced-threat-protection.md) - [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- Configure the supported SIEM tool: - Configure the supported SIEM tool:
- [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md) - [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
- [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) - [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
## Create custom threat indicators in Windows Defender ATP For more information on the list of fields exposed in the alerts API see, [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md).
You can also create custom threat indicators using the available REST API so that you can create specific alerts that are applicable to your organization.
## Pull Windows Defender ATP alerts using REST API
Windows Defender ATP supports the OAuth 2.0 protocol to pull alerts using REST API.
For more information, see [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md).
For more information, see [Create custom threat indicators (TI) using REST API](custom-ti-api-windows-defender-advanced-threat-protection.md).
## In this section ## In this section
Topic | Description Topic | Description
:---|:--- :---|:---
[Configure an Azure Active Directory application](configure-aad-windows-defender-advanced-threat-protection.md)| Learn about configuring an Azure Active Directory application to integrate with supported security information and events management (SIEM) tools. [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)| Learn about enabling the SIEM integration feature in the **Preferences setup** page in the portal so that you can use and generate the required information to configure supported SIEM tools.
[Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to consume Windows Defender ATP alerts. [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Windows Defender ATP alerts.
[Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to consume Windows Defender ATP alerts. [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts.
[Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) | Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal.
[Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) | Use the Client credentials OAuth 2.0 flow to pull alerts from Windows Defender ATP using REST API.
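Review bot: misplaced comma in the new sentence "For more information on the list of fields exposed in the alerts API see, [Windows Defender ATP alert API fields](...)"; it should read "For more information on the fields exposed in the alerts API, see [Windows Defender ATP alert API fields](...)". In the new "In this section" row for the REST API topic, "Client credentials OAuth 2.0 flow" should be lower-case "client credentials" (it names the grant type, not a product). The new "Pull Windows Defender ATP alerts using REST API" section consists of a single sentence that restates its heading followed by a "For more information" link; consider folding the two into one sentence so the section does not read as a stub.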

View File

@ -1,6 +1,6 @@
--- ---
title: Configure Splunk to consume Windows Defender ATP alerts title: Configure Splunk to pull Windows Defender ATP alerts
description: Configure Splunk to receive and consume alerts from the Windows Defender ATP portal. description: Configure Splunk to receive and pull alerts from the Windows Defender ATP portal.
keywords: configure splunk, security information and events management tools, splunk keywords: configure splunk, security information and events management tools, splunk
search.product: eADQiWindows 10XVcnh search.product: eADQiWindows 10XVcnh
ms.prod: w10 ms.prod: w10
@ -11,7 +11,7 @@ author: mjcaparas
localizationpriority: high localizationpriority: high
--- ---
# Configure Splunk to consume Windows Defender ATP alerts # Configure Splunk to pull Windows Defender ATP alerts
**Applies to:** **Applies to:**
@ -21,16 +21,19 @@ localizationpriority: high
- Windows 10 Pro Education - Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP) - Windows Defender Advanced Threat Protection (Windows Defender ATP)
You'll need to configure Splunk so that it can consume Windows Defender ATP alerts. You'll need to configure Splunk so that it can pull Windows Defender ATP alerts.
## Before you begin ## Before you begin
- Install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/) in Splunk. - Install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/) in Splunk.
- Obtain your refresh token. For more information, see [Obtain a refresh token](configure-aad-windows-defender-advanced-threat-protection.md#obtain-a-refresh-token). - Make sure you have enabled the **SIEM integration** feature from the **Preferences setup** menu. For more information, see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- Get the following information from your Azure Active Directory (AAD) application by selecting **View Endpoint** on the application configuration page:
- OAuth 2 Token refresh URL - Have the details file you saved from enabling the **SIEM integration** feature ready. You'll need to get the following values:
- OAuth 2 Client ID - OAuth 2 Token refresh URL
- OAuth 2 Client secret - OAuth 2 Client ID
- OAuth 2 Client secret
- Have the refresh token that you generated from the SIEM integration feature ready.
## Configure Splunk ## Configure Splunk
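Review bot: the new prerequisite "Have the details file you saved from enabling the **SIEM integration** feature ready" introduces a file that holds the OAuth 2 client secret, and the following bullet asks for the refresh token, yet nothing in this list tells the reader to protect either; one sentence noting that the details file and refresh token give access to the tenant's alerts and should be stored and disposed of with the same care as the secret (which the enable-SIEM-integration page warns is shown only once) would close that gap. Also, the new bullet "Make sure you have enabled the **SIEM integration** feature from the **Preferences setup** menu. For more information, see [Enable SIEM integration in Windows Defender ATP](...)" is missing its terminating period.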
@ -56,8 +59,7 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler
</tr> </tr>
<tr> <tr>
<td>Endpoint URL</td> <td>Endpoint URL</td>
<td>Depending on the location of your datacenter, select either the EU or the US URL: </br></br> **For EU**: https://<i></i>wdatp-alertexporter-eu.windows.com/api/alerts </br>**For US:** https://<i></i>wdatp-alertexporter-us.windows.com/api/alerts <td>Depending on the location of your datacenter, select either the EU or the US URL: </br></br> **For EU**: `https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts`</br>**For US:**` https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts`
</tr> </tr>
<tr> <tr>
<td>HTTP Method</td> <td>HTTP Method</td>
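Review bot: stray space inside the inline code span on the new Endpoint URL row: after `**For US:**` the opening backtick comes before the space, so the rendered code span (and anything copied from it into the Splunk endpoint field) begins with a leading space, which the EU entry on the same row does not have. Move the space outside the backticks so the US entry matches the EU one, i.e. `**For US:** ` followed by the backticked URL. While here, the new hostnames (`wdatp-alertexporter-eu.securitycenter.windows.com` / `-us.`) replace the old `wdatp-alertexporter-*.windows.com` hosts; it is worth a line telling readers who followed the earlier version to update the endpoint, since the old value would otherwise silently stop returning alerts.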
@ -66,16 +68,24 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler
<td>Authentication Type</td> <td>Authentication Type</td>
<td>oauth2</td> <td>oauth2</td>
<tr> <tr>
<td>OAuth 2 Access token</td>
<td>Use the value that you generated when you enabled the SIEM integration feature. </br></br> NOTE: The access token expires after an hour. </td>
</tr>
<tr>
<td>OAuth 2 Refresh Token</td>
<td>Use the value that you generated when you enabled the **SIEM integration** feature.</td>
</tr>
<tr>
<td>OAuth 2 Token Refresh URL</td> <td>OAuth 2 Token Refresh URL</td>
<td> Value taken from AAD application</td> <td>Use the value from the details file you saved when you enabled the **SIEM integration** feature.</td>
</tr> </tr>
<tr> <tr>
<td>OAuth 2 Client ID</td> <td>OAuth 2 Client ID</td>
<td>Value taken from AAD application</td> <td>Use the value from the details file you saved when you enabled the **SIEM integration** feature.</td>
</tr> </tr>
<tr> <tr>
<td>OAuth 2 Client Secret</td> <td>OAuth 2 Client Secret</td>
<td>Value taken from AAD application</td> <td>Use the value from the details file you saved when you enabled the **SIEM integration** feature.</td>
</tr> </tr>
<tr> <tr>
<td>Response type</td> <td>Response type</td>
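Review bot: the `Authentication Type` row at the top of this hunk (`<td>Authentication Type</td>`, `<td>oauth2</td>`) has no closing `</tr>` before the next `<tr>`; it is pre-existing context, but the hunk inserts the new Access token and Refresh Token rows directly after it, so add the missing `</tr>` here rather than leaving the new rows nested inside a malformed one. The new Access token row's note "The access token expires after an hour." is useful but leaves the reader unsure whether they must re-enter it; state whether the Refresh Token and Token Refresh URL rows that follow take care of renewing it.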
@ -102,11 +112,26 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler
After completing these configuration steps, you can go to the Splunk dashboard and run queries. After completing these configuration steps, you can go to the Splunk dashboard and run queries.
You can use the following query as an example in Splunk: <br> ## View alerts using Splunk solution explorer
```source="rest://windows atp alerts"|spath|table*``` Use the solution explorer to view alerts in Splunk.
1. In Splunk, go to **Settings** > **Searchers, reports, and alerts**.
2. Select **New**.
3. Enter the following details:
- Destination app: Select Search & Reporting (search)
- Search name: Enter a name for the query
- Search: Enter a query, for example:</br>
`source="rest://windows atp alerts"|spath|table*`
Other values are optional and can be left with the default values.
4. Click **Save**. The query is saved in the list of searches.
5. Find the query you saved in the list and click **Run**. The results are displayed based on your query.
## Related topics ## Related topics
- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md) - [Configure security information and events management (SIEM) tools to pull alerts](configure-siem-windows-defender-advanced-threat-protection.md)
- [Configure Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md) - [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) - [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
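Review bot: in the new "View alerts using Splunk solution explorer" steps, "**Settings** > **Searchers, reports, and alerts**" should read "Searches, reports, and alerts", which is the Splunk menu name. The line "Other values are optional and can be left with the default values." is not indented under step 3, so it interrupts the numbered list and steps 4 and 5 may render as a fresh list; indent it to the same level as the sub-bullets above it. The sample query `source="rest://windows atp alerts"|spath|table*` is conventionally written with a space before the wildcard (`table *`), matching how it appears elsewhere in Splunk documentation.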

View File

@ -0,0 +1,51 @@
---
title: Enable SIEM integration in Windows Defender Advanced Threat Protection
description: Enable SIEM integration to receive alerts in your security information and event management (SIEM) solution.
keywords: enable siem connector, siem, connector, security information and events
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
---
# Enable SIEM integration in Windows Defender ATP
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Enable security information and event management (SIEM) integration so you can pull alerts from the Windows Defender ATP portal using your SIEM solution or by connecting directly to the alerts REST API.
1. In the navigation pane, select **Preferences setup** > **SIEM integration**.
![Image of SIEM integration from Preferences setup menu](images/atp-siem-integration.png)
2. Select **Enable SIEM integration**. This activates the **SIEM connector access details** section with pre-populated values and an application is created under you Azure Active Directory (AAD) tenant.
>[!WARNING]
>The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
>For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret).
3. Choose the SIEM type you use in your organization.
>[!NOTE]
>If you select HP ArcSight, you'll need to save these two configuration files:
> - WDATP-connector.jsonparser.properties
> - WDATP-connector.properties
> If you want to connect directly to the alerts REST API through programmatic access, choose **Generic API**.
4. Copy the individual values or select **Save details to file** to download a file that contains all the values.
5. Select **Generate tokens** to get an access and refresh token.
You can now proceed with configuring your SIEM solution or connecting to the alerts REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive alerts from the Windows Defender ATP portal.
## Related topics
- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
- [Configure HP ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
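Review bot: typo in step 2 of the new page: "an application is created under you Azure Active Directory (AAD) tenant" should be "your". Misplaced comma in the WARNING: "For more information about getting a new secret see, [Learn how to get a new secret](...)" should read "For more information about getting a new secret, see [...]"; also confirm that the link target (the custom TI troubleshooting topic) is the intended page for resetting the SIEM application's secret. The last line of the NOTE under step 3, "If you want to connect directly to the alerts REST API through programmatic access, choose **Generic API**.", is a choice in its own right rather than part of the ArcSight note; move it out of the blockquote into the step text. Step 5 hands the reader an access token and a refresh token, but only the client secret in step 2 gets a handling warning; extend that warning to the tokens, since the refresh token grants the same access to tenant alerts.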

View File

@ -0,0 +1,450 @@
---
ms.mktglfcycl: manage
ms.sitesec: library
ms.author: mstephens
author: MikeStephens-MS
description: Enterprise certificate pinning is a Windows feature for remembering, or “pinning” a root, issuing certificate authority, or end entity certificate to a given domain name.
manager: alanth
ms.date: 2016-12-27
ms.prod: w10
ms.technology: security
ms.sitesec: library
ms.pagetype: security
localizationpriority: high
---
# Enterprise Certificate Pinning
**Applies to**
- Windows 10
Enterprise certificate pinning is a Windows feature for remembering, or “pinning,” a root issuing certificate authority or end entity certificate to a given domain name.
Enterprise certificate pinning helps reduce man-in-the-middle attacks by enabling you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates.
>[!NOTE]
> External domain names, where the certificate issued to these domains is issued by a public certificate authority, are not ideal for enterprise certificate pinning. Web administrators should configure their web servers to use HTTP public key pinning (HPKP) and encourage users to use web browsers that support HPKP.
Windows Certificate APIs (CertVerifyCertificateChainPolicy and WinVerifyTrust) are updated to check if the sites server authentication certificate chain matches a restricted set of certificates.
These restrictions are encapsulated in a Pin Rules Certificate Trust List (CTL) that is configured and deployed to Windows 10 computers.
Any site certificate triggering a name mismatch causes Windows to write an event to the CAPI2 event log and prevents the user from navigating to the web site using Microsoft Edge or Internet Explorer.
## Deployment
To deploy enterprise certificate pinning, you need to:
- Create a well-formatted certificate pinning rule XML file
- Create a pin rules certificate trust list file from the XML file
- Apply the pin rules certificate trust list file to a reference administrative computer
- Deploy the registry configuration on the reference computer using Group Policy Management Console (GPMC), which is included in the [Remote Server Administration Tools (RSAT)](https://www.microsoft.com/download/details.aspx?id=45520).
### Create a Pin Rules XML file
The XML-based pin rules file consists of a sequence of PinRule elements.
Each PinRule element contains a sequence of one or more Site elements and a sequence of zero or more Certificate elements.
```code
<PinRules ListIdentifier="PinRulesExample" Duration="P28D">
<PinRule Name="AllCertificateAttributes" Error="None" Log="true">
<Certificate File="Single.cer"/>
<Certificate File="Multiple.p7b"/>
<Certificate File="Multiple.sst"/>
<Certificate Directory="Multiple"/>
<Certificate Base64="MIIBy … QFzuM"/>
<Certificate File="WillExpire.cer" EndDate="2015-05-12T00:00:00Z"/>
<Site Domain="xyz.com"/>
</PinRule>
<PinRule Name="MultipleSites" Log="false">
<Certificate File="Root.cer"/>
<Site Domain="xyz.com"/>
<Site Domain=".xyz.com"/>
<Site Domain="*.abc.xyz.com" AllSubdomains="true"/>
<Site Domain="WillNormalize.com"/>
</PinRule>
</PinRules>
```
#### PinRules Element
The PinRules element can have the following attributes.
For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml) or [Representing a Duration in XML](#representing-a-duration-in-xml).
- **Duration** or **NextUpdate**
Specifies when the Pin Rules will expire.
Either is required.
**NextUpdate** takes precedence if both are specified.
**Duration**, represented as an XML TimeSpan data type, does not allow years and months.
You represent the **NextUpdate** attribute as a XML DateTime data type in UTC.
**Required?** Yes. At least one is required.
- **LogDuration** or **LogEndDate**
Configures auditing only to extend beyond the expiration of enforcing the Pin Rules.
**LogEndDate**, represented as an XML DateTime data type in UTC, takes precedence if both are specified.
You represent **LogDuration** as an XML TimeSpan data type, which does not allow years and months.
If neither attribute is specified, auditing expiration uses **Duration** or **NextUpdate** attributes.
**Required?** No.
- **ListIdentifier**
Provides a friendly name for the list of pin rules.
Windows does not use this attribute for certificate pinning enforcement, however it is included when the pin rules are converted to a certificate trust list (CTL).
**Required?** No.
#### PinRule Element
The **PinRule** element can have the following attributes:
- **Name**
Uniquely identifies the **PinRule**.
Windows uses this attribute to identify the element for a parsing error or for verbose output.
The attribute is not included in the generated certificate trust list (CTL).
**Required?** Yes.
- **Error**
Describes the action Windows performs when it encounters a PIN mismatch.
You can choose from the following string values:
- **Revoked** - Windows reports the certificate protecting the site as if it was revoked. This typically prevents the user from accessing the site.
- **InvalidName** - Windows reports the certificate protecting the site as if the name on the certificate does not match the name of the site. This typically results in prompting the user before accessing the site.
- **None** - The default value. No error is returned. You can use this setting to audit the pin rules without introducing any user friction.
**Required?** No.
- **Log**
A Boolean value represent as string that equals **true** or **false**.
By default, logging is enabled (**true**).
**Required?** No.
#### Certificate element
The **Certificate** element can have the following attributes:
- **File**
Path to a file containing one or more certificates.
Where the certificate(s) can be encoded as:
- single certificate
- p7b
- sst.
These files can also be Base64 formatted.
All **Site** elements included in the same **PinRule** element can match any of these certificates.
**Required?** Yes (File, Directory or Base64 must be present).
- **Directory**
Path to a directory containing one or more of the above certificate files.
Skips any files not containing any certificates.
**Required?** Yes (File, Directory or Base64 must be present).
- **Base64**
Base64 encoded certificate(s).
Where the certificate(s) can be encoded as:
- single certificate
- p7b
- sst.
This allows the certificates to be included in the XML file without a file directory dependency.
> [!Note]
> You can use **certutil -encode** to a .cer file into base64. You can then use Notepad to copy and paste the base64 encoded certificate into the pin rule.
**Required?** Yes (File, Directory or Base64 must be present).
- **EndDate**
Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule.
If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this elements certificates.
If the current time is past the **EndDate**, then, when creating the certificate trust list (CTL), the parser outputs a warning message and exclude the certificate(s) from the Pin Rule in the generated CTL.
For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml).
**Required?** No.
#### Site element
The **Site** element can have the following attributes:
- **Domain**
Contains the DNS name to be matched for this pin rule.
When creating the certificate trust list, the parser normalizes the input name string value as follows:
- If the DNS name has a leading "*" it is removed.
- Non-ASCII DNS name are converted to ASCII Puny Code.
- Upper case ASCII characters are converted to lower case.
If the normalized name has a leading ".", then, wildcard left hand label matching is enabled.
For example, ".xyz.com" would match "abc.xyz.com".
**Required?** Yes.
- **AllSubdomains**
By default, wildcard left hand label matching is restricted to a single left hand label.
This attribute can be set to "true" to enable wildcard matching of all of the left hand labels.
For example, setting this attribute would also match "123.abc.xyz.com" for the ".xyz.com" domain value.
**Required?** No.
### Create a Pin Rules Certificate Trust List
The command line utility, **Certutil.exe**, includes the **generatePinRulesCTL** argument to parse the XML file and generate the encoded certificate trust list (CTL) that you add to your reference Windows 10 version 1703 computer and subsequently deploy.
The usage syntax is:
```code
CertUtil [Options] -generatePinRulesCTL XMLFile CTLFile [SSTFile]
Generate Pin Rules CTL
XMLFile -- input XML file to be parsed.
CTLFile -- output CTL file to be generated.
SSTFile -- optional .sst file to be created.
The .sst file contains all of the certificates
used for pinning.
Options:
-f -- Force overwrite
-v -- Verbose operation
```
The same certificate(s) can occur in multiple **PinRule** elements.
The same domain can occur in multiple **PinRule** elements.
Certutil coalesces these in the resultant pin rules certificate trust list.
Certutil.exe does not strictly enforce the XML schema definition.
It does perform the following to enable other tools to add/consume their own specific elements and attributes:
- Skips elements before and after the **PinRules** element.
- Skips any element not matching **Certificate** or **Site** within the **PinRules** element.
- Skips any attributes not matching the above names for each element type.
Use the **certutil** command with the **generatePinRulesCTL** argument along with your XML file that contains your certificate pinning rules.
Lastly, provide the name of an output file that will include your certificate pinning rules in the form of a certificate trust list.
```code
certutil -generatePinRulesCTL certPinRules.xml pinrules.stl
```
### Applying Certificate Pinning Rules to a Reference Computer
Now that your certificate pinning rules are in the certificate trust list format, you need to apply the settings to a reference computer as a prerequisite to deploying the setting to your enterprise.
To simplify the deployment configuration, it is best to apply your certificate pinning rules to a computer that has the Group Policy Management Console (GPMC) that is include in the Remote Server Administration Tools (RSAT).
Use **certutil.exe** to apply your certificate pinning rules to your reference computer using the **setreg** argument.
The **setreg** argument takes a secondary argument that determines the location of where certutil writes the certificate pining rules.
This secondary argument is **chain\PinRules**.
The last argument you provide is the name of file that contains your certificate pinning rules in certificate trust list format (.stl).
Youll pass the name of the file as the last argument; however, you need to prefix the file name with the '@' symbol as shown in the following example.
You need to perform this command from an elevated command prompt.
```code
Certutil -setreg chain\PinRules @pinrules.stl
```
Certutil writes the binary information to the following registration location:
| Name | Value |
|------|-------|
| Key | HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config |
| Name | PinRules |
| Value | Binary contents from the certificate pin rules certificate trust list file |
| Data type | REG_BINARY |
![Registry binary information](images/enterprise-pinning-registry-binary-information.png)
### Deploying Enterprise Pin Rule Settings using Group Policy
Youve successfully created a certificate pinning rules XML file.
From the XML file you have created a certificate pinning trust list file, and you have applied the contents of that file to your reference computer from which you can run the Group Policy Management Console.
Now you need to configure a Group Policy object to include the applied certificate pin rule settings and deploy it to your environment.
Sign-in to the reference computer using domain administrator equivalent credentials.
1. Start the **Group Policy Management Console** (gpmc.msc)
2. In the navigation pane, expand the forest node and then expand the domain node.
3. Expand the node that has contains your Active Directorys domain name
4. Select the **Group Policy objects** node. Right-click the **Group Policy objects** node and click **New**.
5. In the **New GPO** dialog box, type _Enterprise Certificate Pinning Rules_ in the **Name** text box and click **OK**.
6. In the content pane, right-click the **Enterprise Certificate Pinning Rules** Group Policy object and click **Edit**.
7. In the **Group Policy Management Editor**, in the navigation pane, expand the **Preferences** node under **Computer Configuration**. Expand **Windows Settings**.
8. Right-click the **Registry** node and click **New**.
9. In the **New Registry Properties** dialog box, select **Update** from the **Action** list. Select **HKEY_LOCAL_MACHINE** from the **Hive** list.
10. For the **Key Path**, click **…** to launch the **Registry Item Browser**. Navigate to the following registry key and select the **PinRules** registry value name:
HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config
Click **Select** to close the **Registry Item Browser**.
11. The **Key Path** should contain the selected registry key. The **Value name** configuration should contain the registry value name **_PinRules_**. **Value type** should read **_REGBINARY_** and **Value data** should contain a long series of numbers from 0-9 and letters ranging from A-F (hexadecimal). Click **OK** to save your settings and close the dialog box.
![PinRules Properties](images/enterprise-certificate-pinning-pinrules-properties.png)
12. Close the **Group Policy Management Editor** to save your settings.
13. Link the **Enterprise Certificate Pinning Rules** Group Policy object to apply to computers that run Windows 10, version 1703 in your enterprise. When these domain-joined computers apply Group Policy, the registry information configured in the Group Policy object is applied to the computer.
## Additional Pin Rules Logging
To assist in constructing certificate pinning rules, you can configure the **PinRulesLogDir** setting under the certificate chain configuration registry key to include a parent directory to log pin rules.
```code
HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config
```
| Name | Value |
|------|-------|
| Key | HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config |
| Name | PinRulesLogDir |
| Value | The Parent directory where Windows should write the additional pin rule logs |
| Data type | REG_SZ |
### Permission for the Pin Rule Log Folder
The folder in which Windows writes the additional pin rule logs must have permissions so that all users and applications have full access.
You can run the following commands from an elevated command prompt to achieved the proper permissions.
```code
set PinRulesLogDir=c:\PinRulesLog
mkdir %PinRulesLogDir%
icacls %PinRulesLogDir% /grant *S-1-15-2-1:(OI)(CI)(F)
icacls %PinRulesLogDir% /grant *S-1-1-0:(OI)(CI)(F)
icacls %PinRulesLogDir% /grant *S-1-5-12:(OI)(CI)(F)
icacls %PinRulesLogDir% /inheritance:e /setintegritylevel (OI)(CI)L
```
Whenever an application verifies a TLS/SSL certificate chain that contains a server name matching a DNS name in the server certificate, Windows writes a .p7b file consisting of all the certificates in the servers chain to one of three child folders:
- AdminPinRules
Matched a site in the enterprise certificate pinning rules.
- AutoUpdatePinRules
Matched a site in the certificate pinning rules managed by Microsoft.
- NoPinRules
Didnt match any site in the certificate pin rules.
The output file name consists of the leading 8 ASCII hex digits of the roots SHA1 thumbprint followed by the server name.
For example:
- D4DE20D0_xsi.outlook.com.p7b
- DE28F4A4_www.yammer.com.p7b
If there is either an enterprise certificate pin rule or Microsoft certificate pin rule mismatch, then Windows writes the .p7b file to the **MismatchPinRules** child folder.
If the pin rules have expired, then Windows writes the .p7b to the **ExpiredPinRules** child folder.
## Representing a Date in XML
Many attributes within the pin rules xml file are dates.
These dates must be properly formatted and represented in UTC.
You can use Windows PowerShell to format these dates.
You can then copy and paste the output of the cmdlet into the XML file.
![Representing a date](images/enterprise-certificate-pinning-representing-a-date.png)
For simplicity, you can truncate decimal point (.) and the numbers after it.
However, be certain to append the uppercase “Z” to the end of the XML date string.
```code
2015-05-11T07:00:00.2655691Z
2015-05-11T07:00:00Z
```
## Converting an XML Date
You can also use Windows PowerShell to validate convert an XML date into a human readable date to validate its the correct date.
![Converting an XML date](images/enterprise-certificate-pinning-converting-an-xml-date.png)
## Representing a Duration in XML
Some elements may be configured to use a duration rather than a date.
You must represent the duration as an XML timespan data type.
You can use Windows PowerShell to properly format and validate durations (timespans) and copy and paste them into your XML file.
![Representing a duration](images/enterprise-certificate-pinning-representing-a-duration.png)
## Converting an XML Duration
You can convert a XML formatted timespan into a timespan variable that you can read.
![Converting an XML duration](images/enterprise-certificate-pinning-converting-a-duration.png)
## Certificate Trust List XML Schema Definition (XSD)
```code
<xs:schema attributeFormDefault="unqualified" elementFormDefault="qualified" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:element name="PinRules">
<xs:complexType>
<xs:sequence>
<xs:element name="PinRule" maxOccurs="unbounded" minOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="Certificate" maxOccurs="unbounded" minOccurs="0">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute type="xs:dateTime" name="EndDate" use="optional"/>
<xs:attribute type="xs:string" name="File" use="optional"/>
<xs:attribute type="xs:string" name="Directory" use="optional"/>
<xs:attribute type="xs:base64Binary" name="Base64" use="optional"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="Site" maxOccurs="unbounded" minOccurs="1">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute type="xs:string" name="Domain"/>
<xs:attribute type="xs:boolean" name="AllSubdomains" use="optional" default="false"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
</xs:sequence>
<xs:attribute type="xs:string" name="Name"/>
<xs:attribute name="Error" use="optional" default="None">
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value ="Revoked"/>
<xs:enumeration value ="InvalidName"/>
<xs:enumeration value ="None"/>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
<xs:attribute type="xs:boolean" name="Log" use="optional" default="true"/>
</xs:complexType>
</xs:element>
</xs:sequence>
<xs:attribute type="xs:duration" name="Duration" use="optional"/>
<xs:attribute type="xs:duration" name="LogDuration" use="optional"/>
<xs:attribute type="xs:dateTime" name="NextUpdate" use="optional"/>
<xs:attribute type="xs:dateTime" name="LogEndDate" use="optional"/>
<xs:attribute type="xs:string" name="ListIdentifier" use="optional"/>
</xs:complexType>
</xs:element>
</xs:schema>
```
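Review bot: the sentence "You can also use Windows PowerShell to validate convert an XML date into a human readable date to validate its the correct date" under "Converting an XML Date" is garbled; suggest "You can also use Windows PowerShell to convert an XML date into a human-readable date to validate that it is the correct date." Several possessives in this hunk have lost their apostrophes ("the servers chain", "the roots SHA1 thumbprint", "Didnt"), which should read "the server's chain", "the root's SHA1 thumbprint" and "Didn't". The opening paragraph says the .p7b file goes "to one of three child folders" but the text then introduces two more (MismatchPinRules and ExpiredPinRules); either say "one of the following child folders" or list all five up front. The date and duration sections rely on screenshots alone for the PowerShell commands; the cmdlets should also appear as text so readers can copy them, and the fence for the sample strings should make clear that "2015-05-11T07:00:00Z" is the form to use, since the schema declares these attributes as xs:dateTime. Finally, the heading "Certificate Trust List XML Schema Definition (XSD)" does not match the schema's root element, which is PinRules; confirm the intended name.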


View File

@ -12,77 +12,78 @@ author: brianlic-msft
# Interactive logon: Display user information when the session is locked # Interactive logon: Display user information when the session is locked
**Applies to** **Applies to**
- Windows 10 - Windows 10
Describes the best practices, location, values, and security considerations for the **Interactive logon: Display user information when the session is locked** security policy setting. Describes the best practices, location, values, and security considerations for the **Interactive logon: Display user information when the session is locked** security policy setting.
## Reference ## Reference
This security setting controls whether details such as email address or domain\username appear with the username on the sign-in screen. This security setting controls whether details such as email address or domain\username appear with the username on the sign-in screen.
For clients that run Windows 10 version 1511 and 1507 (RTM), this setting works similarly to previous versions of Windows. For clients that run Windows 10 version 1511 and 1507 (RTM), this setting works similarly to previous versions of Windows.
However, because of a new **Privacy** setting introduced in Windows 10 version 1607, this security setting affects those clients differently. However, because of a new **Privacy** setting introduced in Windows 10 version 1607, this security setting affects those clients differently.
### Changes in Windows 10 version 1607 ### Changes beginning with Windows 10 version 1607
Beginning with Windows 10 version 1607, new functionality was added to Windows 10 to hide username details such as email address by default, with the ability to change the default to show the details. Beginning with Windows 10 version 1607, new functionality was added to Windows 10 to hide username details such as email address by default, with the ability to change the default to show the details.
This functionality is controlled by a new **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. This functionality is controlled by a new **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**.
The Privacy setting is off by default, which hides the details. The Privacy setting is off by default, which hides the details.
![Privacy setting](images\privacy-setting-in-sign-in-options.png) ![Privacy setting](images\privacy-setting-in-sign-in-options.png)
The **Interactive logon: Display user information when the session is locked** Group Policy setting controls the same functionality. The **Interactive logon: Display user information when the session is locked** Group Policy setting controls the same functionality.
This setting has these possible values: This setting has these possible values:
- **User display name, domain and user names** - **User display name, domain and user names**
For a local logon, the user's full name is displayed. For a local logon, the user's full name is displayed.
If the user signed in using a Microsoft account, the user's email address is displayed. If the user signed in using a Microsoft account, the user's email address is displayed.
For a domain logon, the domain\username is displayed. For a domain logon, the domain\username is displayed.
This has the same effect as turning on the **Privacy** setting. This has the same effect as turning on the **Privacy** setting.
- **User display name only** - **User display name only**
The full name of the user who locked the session is displayed. The full name of the user who locked the session is displayed.
This has the same effect as turning off the **Privacy** setting. This has the same effect as turning off the **Privacy** setting.
- **Do not display user information** - **Do not display user information**
No names are displayed. No names are displayed.
Beginning with Windows 10 version 1607, this option is not supported. Beginning with Windows 10 version 1607, this option is not supported.
If this option is chosen, the full name of the user who locked the session is displayed instead. If this option is chosen, the full name of the user who locked the session is displayed instead.
This change makes this setting consistent with the functionality of the new **Privacy** setting. This change makes this setting consistent with the functionality of the new **Privacy** setting.
To display no user information, enable the Group Policy setting **Interactive logon: Don't display last signed-in**. To display no user information, enable the Group Policy setting **Interactive logon: Don't display last signed-in**.
- Blank. - Blank.
Default setting. Default setting.
This translates to “Not defined,” but it will display the users full name in the same manner as the option **User display name only**. This translates to “Not defined,” but it will display the users full name in the same manner as the option **User display name only**.
When an option is set, you cannot reset this policy to blank, or not defined. When an option is set, you cannot reset this policy to blank, or not defined.
### Hotfix for Windows 10 version 1607 ### Hotfix for Windows 10 version 1607
Clients that run Windows 10 version 1607 will not show details on the sign-in screen even if the **User display name, domain and user names** option is chosen because the **Privacy** setting is off. Clients that run Windows 10 version 1607 will not show details on the sign-in screen even if the **User display name, domain and user names** option is chosen because the **Privacy** setting is off.
If the **Privacy** setting is turned on, details will show. If the **Privacy** setting is turned on, details will show.
The **Privacy** setting cannot be changed for clients in bulk. The **Privacy** setting cannot be changed for clients in bulk.
Instead, apply [KB 4013429](http://www.catalog.update.microsoft.com/Search.aspx?q=KB4013429) to clients that run Windows 10 version 1607 so they behave similarly to previous versions of Windows. Instead, apply [KB 4013429](http://www.catalog.update.microsoft.com/Search.aspx?q=KB4013429) to clients that run Windows 10 version 1607 so they behave similarly to previous versions of Windows.
Clients that run later versions of Windows 10 do not require a hotfix.
There are related Group Policy settings: There are related Group Policy settings:
- **Computer Configuration\Policies\Administrative Templates\System\Logon\Block user from showing account details on sign-in** prevents users from showing account details on the sign-in screen. - **Computer Configuration\Policies\Administrative Templates\System\Logon\Block user from showing account details on sign-in** prevents users from showing account details on the sign-in screen.
- **Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Dont display last signed-in** prevents the username of the last user to sign in from being shown. - **Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Dont display last signed-in** prevents the username of the last user to sign in from being shown.
- **Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Dont display username at sign-in** prevents the username from being shown at Windows sign-in and immediately after credentials are entered and before the desktop appears. - **Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Dont display username at sign-in** prevents the username from being shown at Windows sign-in and immediately after credentials are entered and before the desktop appears.
### Interaction with related Group Policy settings ### Interaction with related Group Policy settings
For all versions of Windows 10, only the user display name is shown by default. For all versions of Windows 10, only the user display name is shown by default.
If **Block user from showing account details on sign-in** is enabled, then only the user display name is shown regardless of any other Group Policy settings. If **Block user from showing account details on sign-in** is enabled, then only the user display name is shown regardless of any other Group Policy settings.
Users will not be able to show details. Users will not be able to show details.
If **Block user from showing account details on sign-in** is not enabled, then you can set **Interactive logon: Display user information when the session is locked** to **User display name, domain and user names** to show additional details such as domain\username. If **Block user from showing account details on sign-in** is not enabled, then you can set **Interactive logon: Display user information when the session is locked** to **User display name, domain and user names** to show additional details such as domain\username.
In this case, clients that run Windows 10 version 1607 need [KB 4013429](http://www.catalog.update.microsoft.com/Search.aspx?q=KB4013429) applied. In this case, clients that run Windows 10 version 1607 need [KB 4013429](http://www.catalog.update.microsoft.com/Search.aspx?q=KB4013429) applied.
Users will not be able to hide additional details. Users will not be able to hide additional details.
If **Block user from showing account details on sign-in** is not enabled and **Dont display last signed-in** is enabled, the username will not be shown. If **Block user from showing account details on sign-in** is not enabled and **Dont display last signed-in** is enabled, the username will not be shown.
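Review bot: the added line "Clients that run later versions of Windows 10 do not require a hotfix." is vague; name the first version that ships with the fix (the release after version 1607) so readers can tell exactly which clients still need KB 4013429. The renamed heading "Changes beginning with Windows 10 version 1607" reads well, but the section it introduces still says "The Privacy setting is off by default, which hides the details" while the value list says "User display name, domain and user names ... has the same effect as turning on the Privacy setting"; a short sentence stating which of the two wins on version 1607 without the hotfix would save readers from working it out from the hotfix section.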
@ -100,13 +101,13 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
| Server type or Group Policy object (GPO) | Default value | | Server type or Group Policy object (GPO) | Default value |
| - | - | | - | - |
| Default domain policy| Not defined| | Default domain policy| Not defined|
| Default domain controller policy | Not defined| | Default domain controller policy | Not defined|
| Stand-alone server default settings | Not defined| | Stand-alone server default settings | Not defined|
| Domain controller effective default settings | **User display name, domain and user names**| | Domain controller effective default settings | **User display name, domain and user names**|
| Member server effective default settings | **User display name, domain and user names**| | Member server effective default settings | **User display name, domain and user names**|
| Effective GPO default settings on client computers | **User display name, domain and user names**| | Effective GPO default settings on client computers | **User display name, domain and user names**|
 
## Policy management ## Policy management
This section describes features and tools that are available to help you manage this policy. This section describes features and tools that are available to help you manage this policy.
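Review bot: the rows "Domain controller effective default settings", "Member server effective default settings" and "Effective GPO default settings on client computers" all give "User display name, domain and user names" as the effective default, which conflicts with the statement in the previous hunk that "For all versions of Windows 10, only the user display name is shown by default" and with the description of the Blank value, which says the user's full name is shown as with "User display name only". Either these rows should read "User display name only" (or "Not defined"), or the table needs a note that on version 1607 the Privacy setting, which is off by default, hides the details regardless of this value.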

View File

@ -40,14 +40,14 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec
### Default values ### Default values
| Server type or Group Policy object (GPO) | Default value| | Server type or Group Policy object (GPO) | Default value|
| - | - | | - | - |
| Default domain policy| Disabled| | Default domain policy| Disabled|
| Default domain controller policy| Disabled| | Default domain controller policy| Disabled|
| Stand-alone server default settings | Disabled| | Stand-alone server default settings | Disabled|
| Domain controller effective default settings | Disabled| | Domain controller effective default settings | Disabled|
| Member server effective default settings | Disabled| | Member server effective default settings | Disabled|
| Effective GPO default settings on client computers | Disabled| | Effective GPO default settings on client computers | Disabled|
   
## Policy management ## Policy management

View File

@ -0,0 +1,189 @@
---
title: Pull Windows Defender ATP alerts using REST API
description: Pull alerts from the Windows Defender ATP portal REST API.
keywords: alerts, pull alerts, rest api, request, response
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
---
# Pull Windows Defender ATP alerts using REST API
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender ATP supports the OAuth 2.0 protocol to pull alerts from the portal.
In general, the OAuth 2.0 protocol supports four types of flows:
- Authorization grant flow
- Implicit flow
- Client credentials flow
- Resource owner flow
For more information about the OAuth specifications, see the [OAuth Website](http://www.oauth.net).
Windows Defender ATP supports the _Authorization grant flow_ and _Client credential flow_ to obtain access to generate alerts from the portal, with Azure Active Directory (AAD) as the authorization server.
The _Authorization grant flow_ uses user credentials to get an authorization code, which is then used to obtain an access token.
The _Client credential flow_ uses client credentials to authenticate against the Windows Defender ATP endpoint URL. This flow is suitable for scenarios when an OAuth client creates requests to an API that doesn't require user credentials.
Use the following method in the Windows Defender ATP API to pull alerts in JSON format.
## Before you begin
- Before calling the Windows Defender ATP endpoint to pull alerts, you'll need to enable the SIEM integration application in Azure Active Directory (AAD). For more information, see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md).
- Take note of the following values in your Azure application registration. You need these values to configure the OAuth flow in your service or daemon app:
- Application ID (unique to your application)
- App key, or secret (unique to your application)
- Your app's OAuth 2.0 token endpoint
- Find this value by clicking **View Endpoints** at the bottom of the Azure Management Portal in your app's page. The endpoint will look like `https://login.microsoftonline.com/{tenantId}/oauth2/token`.
## Get an access token
Before creating calls to the endpoint, you'll need to get an access token.
You'll use the access token to access the protected resource, which are alerts in Windows Defender ATP.
To get an access token, you'll need to do a POST request to the token issuing endpoint. Here is a sample request:
```syntax
POST /72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com&client_id=35e0f735-5fe4-4693-9e68-3de80f1d3745&client_secret=IKXc6PxB2eoFNJ%2FIT%2Bl2JZZD9d9032VXz6Ul3D2WyUQ%3D&grant_type=client_credentials
```
The response will include an access token and expiry information.
```json
{
"token type": "Bearer",
"expires in": "3599"
"ext_expires_in": "0",
"expires_on": "1488720683",
"not_before": "1488720683",
"resource": "https://WDATPAlertExport.Seville.onmicrosoft.com",
"access_token":"eyJ0eXaioJJOIneiowiouqSuzNiZ345FYOVkaJL0625TueyaJasjhIjEnbMlWqP..."
}
```
You can now use the value in the *access_token* field in a request to the Windows Defender ATP API.
## Request
With an access token, your app can make authenticated requests to the Windows Defender ATP API. Your app must append the access token to the Authorization header of each request.
### Request syntax
Method | Request URI
:---|:---|
GET| Use the URI applicable for your region. <br><br> **For EU**: `https://wdatp-alertexporter-eu.windows.com/api/alerts` </br> **For US**: `https://wdatp-alertexporter-us.windows.com/api/alerts`
### Request header
Header | Type | Description|
:--|:--|:--
Authorization | string | Required. The Azure AD access token in the form **Bearer** &lt;*token*&gt;. |
### Request parameters
Use optional query parameters to specify and control the amount of data returned in a response. If you call this method without parameters, the response contains all the alerts in your organization.
Name | Value| Description
:---|:---|:---
DateTime?sinceTimeUtc | string | Defines the time alerts are retrieved from based from `LastProccesedTimeUtc` time to current time. <br><br> **NOTE**: When not specified, all alerts generated in the last two hours are retrieved.
int?limit | int | Defines the number of alerts to be retrieved. Most recent alerts will be retrieved based on the number defined.<br><br> **NOTE**: When not specified, all alerts available in the time range will be retrieved.
### Request example
The following example demonstrates how to retrieve all the alerts in your organization.
```syntax
GET https://wdatp-alertexporter-eu.windows.com/api/alerts
Authorization: Bearer <your access token>
```
The following example demonstrates a request to get the last 20 alerts since 2016-09-12 00:00:00.
```syntax
GET https://wdatp-alertexporter-eu.windows.com/api/alerts?limit=20&sinceTimeUtc="2016-09-12 00:00:00"
Authorization: Bearer <your access token>
```
## Response
The return value is an array of alert objects in JSON format.
Here is an example return value:
```json
{"AlertTime":"2017-01-23T07:32:54.1861171Z",
"ComputerDnsName":"desktop-bvccckk",
"AlertTitle":"Suspicious PowerShell commandline",
"Category":"SuspiciousActivity",
"Severity":"Medium",
"AlertId":"636207535742330111_-1114309685",
"Actor":null,
"LinkToWDATP":"https://securitycenter.windows.com/alert/636207535742330111_-1114309685",
"IocName":null,
"IocValue":null,
"CreatorIocName":null,
"CreatorIocValue":null,
"Sha1":"69484ca722b4285a234896a2e31707cbedc59ef9",
"FileName":"powershell.exe",
"FilePath":"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0",
"IpAddress":null,
"Url":null,
"IoaDefinitiondId":"7f1c3609-a3ff-40e2-995b-c01770161d68",
"UserName":null,
"AlertPart":0,
"FullId":"636207535742330111_-1114309685:9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF",
"LastProcessedTimeUtc":"2017-01-23T11:33:45.0760449Z",
"ThreatCategory":null,
"ThreatFamily":null,
"ThreatName":null,
"RemediationAction":null,
"RemediationIsSuccess":null,
"Source":"Windows Defender ATP",
"Md5":null,
"Sha256":null,
"WasExecutingWhileDetected":null,
"FileHash":"69484ca722b4285a234896a2e31707cbedc59ef9",
"IocUniqueId":"9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF"}
```
## Code examples
### Get access token
The following code example demonstrates how to obtain an access token and call the Windows Defender ATP API.
```syntax
AuthenticationContext context = new AuthenticationContext(string.Format("https://login.windows.net/{0}/oauth2", tenantId));
ClientCredential clientCredentials = new ClientCredential(clientId, clientSecret);
AuthenticationResult authenticationResult = context.AcquireToken(resource, clientCredentials);
```
### Use token to connect to the alerts endpoint
```
HttpClient httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(authenticationResult.AccessTokenType, authenticationResult.AccessToken);
HttpResponseMessage response = httpClient.GetAsync("https://wdatp-alertexporter-eu.windows.com/api/alert").GetAwaiter().GetResult();
string alertsJson = response.Content.ReadAsStringAsync().Result;
Console.WriteLine("Got alert list: {0}", alertsJson);
```
## Error codes
The Windows Defender ATP REST API returns the following error codes caused by an invalid request.
HTTP error code | Description
:---|:---
401 | Malformed request or invalid token.
403 | Unauthorized exception - any of the domains is not managed by the tenant administrator or tenant state is deleted.
500 | Error in the service.
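Review bot: the token request sample at `resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com&client_id=35e0f735-5fe4-4693-9e68-3de80f1d3745&client_secret=IKXc6PxB2eoFNJ%2FIT%2Bl2JZZD9d9032VXz6Ul3D2WyUQ%3D&grant_type=client_credentials` embeds a literal tenant ID, client ID and client secret; even if these are not live values, a published sample should use placeholders such as `{tenantId}`, `{clientId}` and `{clientSecret}`, matching the placeholder form already used for the token endpoint, so that nobody copies the values or mistakes the secret for a format example. The token response sample is not valid JSON: `"token type"` and `"expires in"` should be `token_type` and `expires_in`, and a comma is missing after `"3599"`. In the request parameters table, `DateTime?sinceTimeUtc` and `int?limit` are C# nullable types rather than query-string names; use `sinceTimeUtc` and `limit`, fix `LastProccesedTimeUtc`, and reconcile "the response contains all the alerts in your organization" with the note two lines later that only the last two hours are returned when `sinceTimeUtc` is omitted. The second request example passes `sinceTimeUtc="2016-09-12 00:00:00"` with literal quotes and a space; show the value URL-encoded or in ISO 8601 form. The response section says the return value is an array, but the sample is a single object. In the code examples, the C# is fenced as `syntax` and the second block has no language tag; the authority `https://login.windows.net/{0}/oauth2` differs from the login.microsoftonline.com endpoint given earlier and ADAL expects the tenant authority without the `/oauth2` suffix (confirm against the ADAL version in use); and the GET targets `/api/alert` while the documented endpoint is `/api/alerts`.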

View File

@ -65,7 +65,7 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
| [Manage device restarts after updates](waas-restart.md) | New | | [Manage device restarts after updates](waas-restart.md) | New |
| [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | New | | [Manage Windows 10 in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | New |
| [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) |Added an important note about Cortana and Office 365 integration. | | [Cortana integration in your business or enterprise](manage-cortana-in-enterprise.md) |Added an important note about Cortana and Office 365 integration. |
| [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) | Fixed the explanation for Start behavior when the .xml file containing the layout is not available when the user signs in. | | [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) | Fixed the explanation for Start behavior when the .xml file containing the layout is not available when the user signs in. |
| [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added link to the Windows Restricted Traffic Limited Functionality Baseline. Added Teredo Group Policy. | | [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Added link to the Windows Restricted Traffic Limited Functionality Baseline. Added Teredo Group Policy. |
| [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) | Added Current Branch for Business (CBB) support for Windows 10 IoT Mobile. | | [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) | Added Current Branch for Business (CBB) support for Windows 10 IoT Mobile. |
@ -92,7 +92,7 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in
## RELEASE: Windows 10, version 1607 ## RELEASE: Windows 10, version 1607
The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added: The topics in this library have been updated for Windows 10, version 1607 (also known as the Anniversary Update). The following new topics have been added:
- [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) - [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md)
- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) - [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
@ -124,7 +124,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also
| [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) | New telemetry content | | [Configure Windows telemetry in your organization](configure-windows-telemetry-in-your-organization.md) | New telemetry content |
| [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) |Removed info about sharing wi-fi network access with contacts, since it's been deprecated. | | [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) |Removed info about sharing wi-fi network access with contacts, since it's been deprecated. |
| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Corrected script for setting a custom shell using Shell Launcher | | [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Corrected script for setting a custom shell using Shell Launcher |
| [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) | Removed Windows 10 Mobile from **Applies to** | | [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) | Removed Windows 10 Mobile from **Applies to** |
@ -149,12 +149,12 @@ The topics in this library have been updated for Windows 10, version 1607 (also
| New or changed topic | Description | | New or changed topic | Description |
| ---|---| | ---|---|
| [Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md) | Added call history and email to the Settings &gt; Privacy section.<br />Added the Turn off Windows Mail application Group Policy to the Mail synchronization section. | | [Configure telemetry and other settings in your organization](disconnect-your-organization-from-microsoft.md) | Added call history and email to the Settings &gt; Privacy section.<br />Added the Turn off Windows Mail application Group Policy to the Mail synchronization section. |
| [Customize and export Start layout](customize-and-export-start-layout.md) | Added a note to clarify that partial Start layout is only supported in Windows 10, version 1511 and later | | [Customize and export Start layout](customize-and-export-start-layout.md) | Added a note to clarify that partial Start layout is only supported in Windows 10, version 1511 and later |
| [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) | Added instructions for replacing markup characters with escape characters in Start layout XML | | [Customize Windows 10 Start with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) | Added instructions for replacing markup characters with escape characters in Start layout XML |
| [Introduction to configuration service providers (CSPs) for IT pros](how-it-pros-can-use-configuration-service-providers.md) | New | | [Introduction to configuration service providers (CSPs) for IT pros](how-it-pros-can-use-configuration-service-providers.md) | New |
| [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) | New | | [Windows 10 Mobile and MDM](windows-10-mobile-and-mdm.md) | New |
| [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) | Added information on servicing options for Windows 10 Mobile, Windows 10 Mobile Enterprise, and Windows 10 IoT Core (IoT Core). | | [Windows 10 servicing options for updates and upgrades](introduction-to-windows-10-servicing.md) | Added information on servicing options for Windows 10 Mobile, Windows 10 Mobile Enterprise, and Windows 10 IoT Core (IoT Core). |
 
## December 2015 ## December 2015
@ -192,5 +192,3 @@ The topics in this library have been updated for Windows 10, version 1607 (also
[Change history for Deploy Windows 10](../deploy/change-history-for-deploy-windows-10.md) [Change history for Deploy Windows 10](../deploy/change-history-for-deploy-windows-10.md)
[Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md) [Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md)
 

View File

@ -13,24 +13,24 @@ localizationpriority: high
**Applies to** **Applies to**
- Windows 10 - Windows 10
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
When considering your content distribution strategy for Windows 10, think about enabling a form of peer-to-peer content sharing to reduce bandwidth issues during updates. Windows 10 offers two peer-to-peer options for update content distribution: Delivery Optimization and BranchCache. These technologies can be used with several of the servicing tools for Windows 10. When considering your content distribution strategy for Windows 10, think about enabling a form of peer-to-peer content sharing to reduce bandwidth issues during updates. Windows 10 offers two peer-to-peer options for update content distribution: Delivery Optimization and BranchCache. These technologies can be used with several of the servicing tools for Windows 10.
Two methods of peer-to-peer content distribution are available in Windows 10. Two methods of peer-to-peer content distribution are available in Windows 10.
- [Delivery Optimization](waas-delivery-optimization.md) is a new peer-to-peer distribution method in Windows 10. Windows 10 clients can source content from other devices on their local network that have already downloaded the updates or from peers over the internet. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfil peer-to-peer requests. - [Delivery Optimization](waas-delivery-optimization.md) is a new peer-to-peer distribution method in Windows 10. Windows 10 clients can source content from other devices on their local network that have already downloaded the updates or from peers over the internet. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfil peer-to-peer requests.
Windows Update, Windows Update for Business, and Windows Server Update Services (WSUS) can use Delivery Optimization. Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources as well as the time it takes for clients to retrieve the updates. Windows Update, Windows Update for Business, and Windows Server Update Services (WSUS) can use Delivery Optimization. Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources as well as the time it takes for clients to retrieve the updates.
- [BranchCache](waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of the Windows Server 2016 Technical Preview and Windows 10 operating systems, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7. - [BranchCache](waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of the Windows Server 2016 Technical Preview and Windows 10 operating systems, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7.
>[!NOTE] >[!NOTE]
>Full BranchCache functionality is supported in Windows 10 Enterprise and Education; Windows 10 Pro supports some BranchCache functionality, including BITS transfers used for servicing operations. >Full BranchCache functionality is supported in Windows 10 Enterprise and Education; Windows 10 Pro supports some BranchCache functionality, including BITS transfers used for servicing operations.
Windows Server Update Services (WSUS) and System Center Configuration Manager can use BranchCache to allow peers to source content from each other versus always having to contact a server. Using BranchCache, files are cached on each individual client, and other clients can retrieve them as needed. This approach distributes the cache rather than having a single point of retrieval, saving a significant amount of bandwidth while drastically reducing the time that it takes for clients to receive the requested content. Windows Server Update Services (WSUS) and System Center Configuration Manager can use BranchCache to allow peers to source content from each other versus always having to contact a server. Using BranchCache, files are cached on each individual client, and other clients can retrieve them as needed. This approach distributes the cache rather than having a single point of retrieval, saving a significant amount of bandwidth while drastically reducing the time that it takes for clients to receive the requested content.
</br></br> </br></br>
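Review bot: The BranchCache bullet in this context still calls the server OS "Windows Server 2016 Technical Preview"; Windows Server 2016 was generally available well before this commit (March 2017), so the line should read "Windows Server 2016" to match the released Windows 10 reference beside it. Two smaller points in the same region: "fulfil" in the Delivery Optimization bullet should be the US spelling "fulfill", consistent with "optimization" on the same page; and because that bullet says clients can source content "from peers over the internet", it would help readers choosing a distribution strategy to say in the same sentence which Delivery Optimization setting (the download mode covered in the linked waas-delivery-optimization.md topic) restricts peering to the local network, so an organization that does not want update payloads fetched from arbitrary internet peers knows that is a configurable choice.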
@ -50,7 +50,7 @@ Windows 10 update downloads can be large because every package contains all prev
### How Microsoft supports Express ### How Microsoft supports Express
- **Express on WSUS Standalone** - **Express on WSUS Standalone**
Express update delivery is available on [all support versions of WSUS](https://technet.microsoft.com/library/cc708456(v=ws.10).aspx). Express update delivery is available on [all support versions of WSUS](https://technet.microsoft.com/library/cc708456(v=ws.10).aspx).
- **Express on devices directly connected to Windows Update** - **Express on devices directly connected to Windows Update**
- **Enterprise devices managed using [Windows Update for Business](waas-manage-updates-wufb.md)** also get the benefit of Express update delivery support without any change in configuration. - **Enterprise devices managed using [Windows Update for Business](waas-manage-updates-wufb.md)** also get the benefit of Express update delivery support without any change in configuration.
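Review bot: Typo in the "Express on WSUS Standalone" bullet: "all support versions of WSUS" should read "all supported versions of WSUS". The link target is the older TechNet `(v=ws.10)` path; worth confirming it still resolves to the WSUS version list the sentence relies on before this merges.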
@ -96,7 +96,7 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
## Related topics ## Related topics
- [Update Windows 10 in the enterprise](waas-update-windows-10.md) - [Update Windows 10 in the enterprise](waas-update-windows-10.md)
- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) - [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md)
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) - [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Configure Windows Update for Business](waas-configure-wufb.md) - [Configure Windows Update for Business](waas-configure-wufb.md)
@ -104,5 +104,3 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
- [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md) - [Walkthrough: use Intune to configure Windows Update for Business](waas-wufb-intune.md)
- [Manage device restarts after updates](waas-restart.md) - [Manage device restarts after updates](waas-restart.md)

View File

@ -254,6 +254,7 @@ Store for Business is currently available in these markets.
<li>Luxembourg</li> <li>Luxembourg</li>
<li>Malaysia</li> <li>Malaysia</li>
<li>Malta</li> <li>Malta</li>
<li>Mauritius</li>
<li>Mexico</li> <li>Mexico</li>
<li>Mongolia</li> <li>Mongolia</li>
<li>Montenegro</li> <li>Montenegro</li>
@ -275,12 +276,12 @@ Store for Business is currently available in these markets.
<li>Portugal</li> <li>Portugal</li>
<li>Puerto Rico</li> <li>Puerto Rico</li>
<li>Qatar</li> <li>Qatar</li>
<li>Romania</li> <li>Romania</li>
<li>Rwanda</li>
</ul> </ul>
</td> </td>
<td> <td>
<ul> <ul>
<li>Rwanda</li>
<li>Saint Kitts and Nevis</li> <li>Saint Kitts and Nevis</li>
<li>Saudi Arabia</li> <li>Saudi Arabia</li>
<li>Senegal</li> <li>Senegal</li>
@ -305,8 +306,7 @@ Store for Business is currently available in these markets.
<li>Viet Nam</li> <li>Viet Nam</li>
<li>Virgin Islands, U.S.</li> <li>Virgin Islands, U.S.</li>
<li>Zambia</li> <li>Zambia</li>
<li>Zimbabwe<br>&nbsp;<br>&nbsp;<br>&nbsp;<br>&nbsp;</li> <li>Zimbabwe<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</li>
</ul> </ul>
</td> </td>
</tr> </tr>
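Review bot: The Zimbabwe line at the end of the last column swaps four `<br>&nbsp;` vertical spacers for a single `<br>` followed by six consecutive `&nbsp;`; consecutive non-breaking spaces add horizontal width, not height, so this removes most of the padding that was keeping the column bottoms aligned. With Mauritius added and Rwanda moved into the next column in the earlier hunks, the column lengths have changed, so please check the rendered table. If the padding exists only to equalize column heights, dropping the `<br>`/`&nbsp;` hack entirely and letting the table cells align themselves is simpler than tuning it by hand; suggested line: `<li>Zimbabwe</li>`.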