From 0814a29747487973442c2fafb6c463783b352f2d Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 21 Jan 2021 15:30:39 -0800 Subject: [PATCH 01/38] add tables --- .../microsoft-defender-atp/alerts-queue.md | 78 ++++++++++++++----- 1 file changed, 60 insertions(+), 18 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md index e403e8465c..6d06567b44 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md 
@@ -80,24 +80,50 @@ We've redefined the alert categories to align to the [enterprise attack tactics] The table below lists the current categories and how they generally map to previous categories. -| New category | Previous categories | Detected threat activity or component | -|----------------------|----------------------|-------------| -| Collection | - | Locating and collecting data for exfiltration | -| Command and control | CommandAndControl | Connecting to attacker-controlled network infrastructure to relay data or receive commands | -| Credential access | CredentialTheft | Obtaining valid credentials to extend control over devices and other resources in the network | -| Defense evasion | - | Avoiding security controls by, for example, turning off security apps, deleting implants, and running rootkits | -| Discovery | Reconnaissance, WebFingerprinting | Gathering information about important devices and resources, such as administrator computers, domain controllers, and file servers | -| Execution | Delivery, MalwareDownload | Launching attacker tools and malicious code, including RATs and backdoors | -| Exfiltration | Exfiltration | Extracting data from the network to an external, attacker-controlled location | -| Exploit | Exploit | Exploit code and possible exploitation activity | -| Initial access | SocialEngineering, WebExploit, DocumentExploit | Gaining initial entry to the target network, usually involving password-guessing, exploits, or phishing emails | -| Lateral movement | LateralMovement, NetworkPropagation | Moving between devices in the target network to reach critical resources or gain network persistence | -| Malware | Malware, Backdoor, Trojan, TrojanDownloader, CredentialStealing, Weaponization, RemoteAccessTool | Backdoors, trojans, and other types of malicious code | -| Persistence | Installation, Persistence | Creating autostart extensibility points (ASEPs) to remain active and survive system restarts | -| Privilege escalation | 
PrivilegeEscalation | Obtaining higher permission levels for code by running it in the context of a privileged process or account | -| Ransomware | Ransomware | Malware that encrypts files and extorts payment to restore access | -| Suspicious activity | General, None, NotApplicable, EnterprisePolicy, SuspiciousNetworkTraffic | Atypical activity that could be malware activity or part of an attack | -| Unwanted software | UnwantedSoftware | Low-reputation apps and apps that impact productivity and the user experience; detected as potentially unwanted applications (PUAs) | +| New category | Previous category | API category name | Detected threat activity or component | +|----------------------------|--------------------------------------------------------------------------------------------------|--------------------------|-------------------------------------------------------------------------------------------------------------------------------------| +| | | AccessGovernance | | +| Backdoor | None | | | +| Collection | None | Collection | Locating and collecting data for exfiltration | +| Command and control | CommandAndControl | CommandAndControl | Connecting to attacker-controlled network infrastructure to relay data or receive commands | +| Credential access | CredentialTheft | CredentialAccess | Obtaining valid credentials to extend control over devices and other resources in the network | +| Credential stealing | CredentialTheft | CredentialStealing | Obtaining valid credentials to extend control over devices and other resources in the network | +| Credential theft | None | CredentialTheft | | +| | | DataGovernance | | +| | | DataLossPrevention | | +| Defense evasion | None | DefenseEvasion | | +| Delivery | None | | | +| Discovery | Reconnaissance, WebFingerprinting | Discovery | Gathering information about important devices and resources, such as administrator computers, domain controllers, and file servers | +| Document exploit | None | DocumentExploit | | 
+| Enterprise policy | None | EnterprisePolicy | | +| Execution | Delivery, MalwareDownload | Execution | Launching attacker tools and malicious code, including RATs and backdoors | +| Exfiltration | Exfiltration | Exfiltration | Extracting data from the network to an external, attacker-controlled location | +| Exploit | Exploit | Exploit | Exploit code and possible exploitation activity | +| General | None | General | | +| Impact | None | | | +| Initial access | SocialEngineering, WebExploit, DocumentExploit | InitialAccess | Gaining initial entry to the target network, usually involving password-guessing, exploits, or phishing emails | +| Installation | None | Installation | | +| Lateral movement | LateralMovement, NetworkPropagation | LateralMovement | Moving between devices in the target network to reach critical resources or gain network persistence | +| | | MailFlow | | +| Malware | Malware, Backdoor, Trojan, TrojanDownloader, CredentialStealing, Weaponization, RemoteAccessTool | Malware | Backdoors, trojans, and other types of malicious code | +| Malware download | None | MalwareDownload | | +| Network propagation | None | NetworkPropagation | | +| Persistence | Installation, Persistence | Persistence | Creating autostart extensibility points (ASEPs) to remain active and survive system restarts | +| Privilege escalation | PrivilegeEscalation | PrivilegeEscalation | Obtaining higher permission levels for code by running it in the context of a privileged process or account | +| Ransomware | Ransomware | Ransomware | Malware that encrypts files and extorts payment to restore access | +| Reconnaissance | None | Reconnaissance | | +| Remote access tool | None | RemoteAccessTool | | +| Social engineering | None | SocialEngineering | | +| Suspicious activity | General, None, NotApplicable, EnterprisePolicy, SuspiciousNetworkTraffic | SuspiciousActivity | Atypical activity that could be malware activity or part of an attack | +| Suspicious network traffic | None | 
SuspiciousNetworkTraffic | | +| | | ThreatManagement | | +| Trojan | None | Trojan | | +| Trojan downloader | None | TrojanDownloader | | +| Unwanted software | UnwantedSoftware | UnwantedSoftware | Low-reputation apps and apps that impact productivity and the user experience; detected as potentially unwanted applications (PUAs) | +| Weaponization | None | Weaponization | | +| Web exploit | None | WebExploit | | +| Web fingerprinting | None | WebFingerprinting | | + ### Status @@ -123,6 +149,22 @@ Select the source that triggered the alert detection. Microsoft Threat Experts p >[!NOTE] >The Antivirus filter will only appear if devices are using Microsoft Defender Antivirus as the default real-time protection antimalware product. +| Detection source | API value | +|-----------------------------------|----------------------------| +| 3rd party sensors | ThirdPartySensors | +| Antivirus | WindowsDefenderAv | +| Automated investigation | AutomatedInvestigation | +| Custom detection | CustomDetection | +| Custom TI | CustomerTI | +| EDR | WindowsDefenderAtp | +| Microsoft 365 Defender | MTP | +| Microsoft Defender for Office 365 | OfficeATP | +| Microsoft Threat Experts | ThreatExperts | +| SmartScreen | WindowsDefenderSmartScreen | + + + + ### OS platform From a43ea5f20b8b4ca715388f2c570a0fc29e729473 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 21 Jan 2021 15:46:37 -0800 Subject: [PATCH 02/38] add impact api --- .../threat-protection/microsoft-defender-atp/alerts-queue.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md index 6d06567b44..6986094502 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md 
@@ -100,7 +100,7 @@ The table below lists the current categories and how they generally map to previ | Exfiltration | Exfiltration | Exfiltration | Extracting data from the network to an external, attacker-controlled location | | Exploit | Exploit | Exploit | Exploit code and possible exploitation activity | | General | None | General | | -| Impact | None | | | +| Impact | None | Impact | | | Initial access | SocialEngineering, WebExploit, DocumentExploit | InitialAccess | Gaining initial entry to the target network, usually involving password-guessing, exploits, or phishing emails | | Installation | None | Installation | | | Lateral movement | LateralMovement, NetworkPropagation | LateralMovement | Moving between devices in the target network to reach critical resources or gain network persistence | From 12652a4a4dc8a8375faecd04cba8009ab2a431fa Mon Sep 17 00:00:00 2001 From: SujudAbu-Atta <78092864+SujudAbu-Atta@users.noreply.github.com> Date: Wed, 27 Jan 2021 18:09:19 +0200 Subject: [PATCH 03/38] Update alerts.md --- .../security/threat-protection/microsoft-defender-atp/alerts.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md index f6b1666c6c..30de8d7839 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md 
@@ -38,6 +38,7 @@ Method |Return Type |Description [Get alert](get-alert-info-by-id.md) | [Alert](alerts.md) | Get a single [alert](alerts.md) object. [List alerts](get-alerts.md) | [Alert](alerts.md) collection | List [alert](alerts.md) collection. [Update alert](update-alert.md) | [Alert](alerts.md) | Update specific [alert](alerts.md). +[Batch update alerts](batch-update-alerts.md) | | Update a batch of [alerts](alerts.md). [Create alert](create-alert-by-reference.md)|[Alert](alerts.md)|Create an alert based on event data obtained from [Advanced Hunting](run-advanced-query-api.md). [List related domains](get-alert-related-domain-info.md)|Domain collection| List URLs associated with the alert. [List related files](get-alert-related-files-info.md) | [File](files.md) collection | List the [file](files.md) entities that are associated with the [alert](alerts.md). From 17373afad3236dab5eb03bb5e5c14c9777d65091 Mon Sep 17 00:00:00 2001 From: SujudAbu-Atta <78092864+SujudAbu-Atta@users.noreply.github.com> Date: Wed, 27 Jan 2021 18:20:57 +0200 Subject: [PATCH 04/38] Create batch-update-alerts.md --- batch-update-alerts.md | 108 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 108 insertions(+) create mode 100644 batch-update-alerts.md diff --git a/batch-update-alerts.md b/batch-update-alerts.md new file mode 100644 index 0000000000..ef8fdbee18 --- /dev/null +++ b/batch-update-alerts.md 
@@ -0,0 +1,108 @@ +--- +title: Batch Update alert entities API +description: Learn how to update Microsoft Defender ATP alerts in a batch by using this API. You can update the status, determination, classification, and assignedTo properties. +keywords: apis, graph api, supported apis, get, alert, information, id +search.product: eADQiWindows 10XVcnh +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.technology: mde +--- + +# Batch update alerts + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] + + +## API description +Updates properties of a batch of existing [Alerts](alerts.md). +
Submission of **comment** is available with or without updating properties. +
Updatable properties are: ```status```, ```determination```, ```classification``` and ```assignedTo```. + + +## Limitations +1. You can update alerts that are available in the API. See [List Alerts](get-alerts.md) for more information. +2. Rate limitations for this API are 10 calls per minute and 500 calls per hour. + + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Alerts.ReadWrite.All | 'Read and write all alerts' +Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Alerts investigation' (See [Create and manage roles](user-roles.md) for more information) +>- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) + +## HTTP request +```http +POST /api/alerts/batchUpdate +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. +Content-Type | String | application/json. **Required**. + + +## Request body +In the request body, supply the IDs of the alerts to be updated and the values of the relevant fields that you wish to update for these alerts. +
Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values. +
For best performance you shouldn't include existing values that haven't changed. + +Property | Type | Description +:---|:---|:--- +alertIds | List<String>| A list of the IDs of the alerts to be updated. **Required** +status | String | Specifies the updated status of the specified alerts. The property values are: 'New', 'InProgress' and 'Resolved'. +assignedTo | String | Owner of the specified alerts +classification | String | Specifies the specification of the specified alerts. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'. +determination | String | Specifies the determination of the specified alerts. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other' +comment | String | Comment to be added to the specified alerts. + +## Response +If successful, this method returns 200 OK, with an empty response body. + + +## Example + +**Request** + +Here is an example of the request. + +```http +POST https://api.securitycenter.microsoft.com/api/alerts/batchUpdate +``` + +```json +{ + "alertIds": ["da637399794050273582_760707377", "da637399989469816469_51697947354"], + "status": "Resolved", + "assignedTo": "secop2@contoso.com", + "classification": "FalsePositive", + "determination": "Malware", + "comment": "Resolve my alert and assign to secop2" +} +``` From 4d216acfb46bc2d681904a398a3a33cf35adbd64 Mon Sep 17 00:00:00 2001 From: SujudAbu-Atta <78092864+SujudAbu-Atta@users.noreply.github.com> Date: Wed, 27 Jan 2021 18:55:56 +0200 Subject: [PATCH 05/38] Update batch-update-alerts.md --- batch-update-alerts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/batch-update-alerts.md b/batch-update-alerts.md index ef8fdbee18..e788391852 100644 --- a/batch-update-alerts.md +++ b/batch-update-alerts.md 
@@ -1,6 +1,6 @@ --- title: Batch Update alert entities API -description: Learn how to update Microsoft Defender ATP alerts in a batch by using this API. You can update the status, determination, classification, and assignedTo properties. +description: Learn how to update Microsoft Defender for Endpoint alerts in a batch by using this API. You can update the status, determination, classification, and assignedTo properties. keywords: apis, graph api, supported apis, get, alert, information, id search.product: eADQiWindows 10XVcnh ms.prod: m365-security From 9a79c0f8c197b387aab2d5cb30af09bdb34caccd Mon Sep 17 00:00:00 2001 From: SujudAbu-Atta <78092864+SujudAbu-Atta@users.noreply.github.com> Date: Sun, 31 Jan 2021 12:14:41 +0200 Subject: [PATCH 06/38] Update batch-update-alerts.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- batch-update-alerts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/batch-update-alerts.md b/batch-update-alerts.md index e788391852..2b93144552 100644 --- a/batch-update-alerts.md +++ b/batch-update-alerts.md @@ -34,7 +34,7 @@ ms.technology: mde ## API description Updates properties of a batch of existing [Alerts](alerts.md).
Submission of **comment** is available with or without updating properties. -
Updatable properties are: ```status```, ```determination```, ```classification``` and ```assignedTo```. +
Updatable properties are: `status`, `determination`, `classification` and `assignedTo`. ## Limitations From e835446541674c5d0adf2143c5fa2bd2d41b92d6 Mon Sep 17 00:00:00 2001 From: Bill Mcilhargey <19168174+computeronix@users.noreply.github.com> Date: Fri, 5 Feb 2021 17:07:37 -0500 Subject: [PATCH 07/38] GCC / GCC High note Add note on availability of Subscription Activation to GCC / GCC High tenants please verify with PMs this is still accurate and then review for edits/approval --- windows/deployment/windows-10-subscription-activation.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 84fa27310d..eaa65c54aa 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -83,6 +83,9 @@ The following figure illustrates how deploying Windows 10 has evolved with each > [!NOTE] > The following requirements do not apply to general Windows 10 activation on Azure. Azure activation requires a connection to Azure KMS only, and supports workgroup, Hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure Virtual Machines](https://docs.microsoft.com/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems#understanding-azure-kms-endpoints-for-windows-product-activation-of-azure-virtual-machines). +> [!NOTE] +> Currently Subscription Activation is only available on commercial tenants and is not currently available on US GCC or GCC High tenants. + For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following: - Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded. 
From 3819801080ab2e423b838af2ec627ef14c144844 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Sat, 6 Feb 2021 13:15:18 +0100 Subject: [PATCH 08/38] Link update & minor codestyle improvements From issue ticket #9081 (**"throttling is enhanced" link is dead**): > The link in the Delivery Optimization section to information about enterprise throttling (docs.microsoft.com/en-us/windows-insider/at-work-pro/wip-4-biz-whats-new#new-download-throttling-options-for-delivery-optimization-build-18917) goes to a 404 not found page. Changes proposed: - Update link to the archived content "New download throttling options for Delivery Optimization (Build 18917)" Codestyle & whitespace: - Remove redundant end-of-line blanks (17 occurrences) - Normalize spacing after the dash in bullet point lists, from 3 spaces to 1 (1 occurrence) - Add missing colon in "Applies to:" Closes #9081 --- windows/deployment/deploy-whats-new.md | 36 +++++++++++++------------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index ebdcfa1363..e4e05ad18e 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -18,8 +18,8 @@ ms.custom: seo-marvel-apr2020 # What's new in Windows 10 deployment -**Applies to** -- Windows 10 +**Applies to:** +- Windows 10 ## In this topic @@ -43,10 +43,10 @@ The [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/ ## Microsoft 365 -Microsoft 365 is a new offering from Microsoft that combines +Microsoft 365 is a new offering from Microsoft that combines - Windows 10 - Office 365 -- Enterprise Mobility and Security (EMS). +- Enterprise Mobility and Security (EMS). See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, which now includes a link to download a nifty [M365 Enterprise poster](deploy-m365.md#m365-enterprise-poster). 
@@ -61,16 +61,16 @@ Windows PowerShell cmdlets for Delivery Optimization have been improved: - **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to assist in troubleshooting. Additional improvements in [Delivery Optimization](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization) include: -- Enterprise network [throttling is enhanced](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling. +- Enterprise network [throttling is enhanced](https://docs.microsoft.com/windows-insider/archive/new-for-business#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling. - Automatic cloud-based congestion detection is available for PCs with cloud service support. -- Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates, and Intune content, with Microsoft Endpoint Manager content coming soon! +- Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates, and Intune content, with Microsoft Endpoint Manager content coming soon! 
The following Delivery Optimization policies are removed in the Windows 10, version 2004 release: - Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth) - Reason: Replaced with separate policies for foreground and background - Max Upload Bandwidth (DOMaxUploadBandwidth) - - Reason: impacts uploads to internet peers only, which isn't used in Enterprises. + - Reason: impacts uploads to internet peers only, which isn't used in Enterprises. - Absolute max throttle (DOMaxDownloadBandwidth) - Reason: separated to foreground and background 
@@ -80,10 +80,10 @@ The following Delivery Optimization policies are removed in the Windows 10, vers - Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy. - Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds. -- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. -- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. 
+- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. +- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. - **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally. -- **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again. +- **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). 
Once the 35-day pause period is reached, you will need to update your device before pausing again. - **Improved update notifications**: When there's an update requiring you to restart your device, you'll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar. - **Intelligent active hours**: To further enhance active hours, users will now have the option to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns. - **Improved update orchestration to improve system responsiveness**: This feature will improve system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions. @@ -104,7 +104,7 @@ For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterpris ### Windows Autopilot -[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose and recover devices. +[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose and recover devices. With the release of Windows 10, version 2004 you can configure [Windows Autopilot user-driven](https://docs.microsoft.com/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903. 
@@ -116,7 +116,7 @@ The following Windows Autopilot features are available in Windows 10, version 19 - The Intune [enrollment status page](https://docs.microsoft.com/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions​. - [Cortana voiceover](https://docs.microsoft.com/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs. - Windows Autopilot is self-updating during OOBE. Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE. -- Windows Autopilot will set the [diagnostics data](https://docs.microsoft.com/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE. +- Windows Autopilot will set the [diagnostics data](https://docs.microsoft.com/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE. ### Microsoft Endpoint Configuration Manager 
@@ -138,11 +138,11 @@ During the upgrade process, Windows Setup will extract all its sources files to ### Upgrade Readiness -The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017. +The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017. -Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. +Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. -The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled. +The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled. For more information about Upgrade Readiness, see the following topics: 
@@ -164,7 +164,7 @@ Device Health is the newest Windows Analytics solution that complements the exis ### MBR2GPT -MBR2GPT.EXE converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. Previously, it was necessary to image, then wipe and reload a disk to change from MBR format to GPT. +MBR2GPT.EXE converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. Previously, it was necessary to image, then wipe and reload a disk to change from MBR format to GPT. There are many benefits to converting the partition style of a disk to GPT, including the use of larger disk partitions, added data reliability, and faster boot and shutdown speeds. The GPT format also enables you to use the Unified Extensible Firmware Interface (UEFI) which replaces the Basic Input/Output System (BIOS) firmware interface. Security features of Windows 10 that require UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock. 
@@ -183,14 +183,14 @@ The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can Download the Windows ADK and Windows PE add-on for Windows 10, version 2004 [here](https://docs.microsoft.com/windows-hardware/get-started/adk-install). For information about what's new in the ADK, see [What's new in the Windows ADK for Windows 10, version 2004](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-2004). - + Also see [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md). ## Testing and validation guidance ### Windows 10 deployment proof of concept (PoC) -The Windows 10 PoC guide enables you to test Windows 10 deployment in a virtual environment and become familiar with deployment tools such as MDT and Configuration Manager. The PoC guide provides step-by-step instructions for installing and using Hyper-V to create a virtual lab environment. The guide makes extensive use of Windows PowerShell to streamline each phase of the installation and setup. +The Windows 10 PoC guide enables you to test Windows 10 deployment in a virtual environment and become familiar with deployment tools such as MDT and Configuration Manager. The PoC guide provides step-by-step instructions for installing and using Hyper-V to create a virtual lab environment. The guide makes extensive use of Windows PowerShell to streamline each phase of the installation and setup. For more information, see the following guides: From 37b9002bcfd1615d7bdd74ba8921d16bdf39ae47 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Sun, 7 Feb 2021 17:29:44 +0100 Subject: [PATCH 09/38] Lowercase "peer efficiency", remove comma & redundant "of" Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/deploy-whats-new.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index e4e05ad18e..a99381163d 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -63,7 +63,7 @@ Windows PowerShell cmdlets for Delivery Optimization have been improved: Additional improvements in [Delivery Optimization](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization) include: - Enterprise network [throttling is enhanced](https://docs.microsoft.com/windows-insider/archive/new-for-business#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling. - Automatic cloud-based congestion detection is available for PCs with cloud service support. -- Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates, and Intune content, with Microsoft Endpoint Manager content coming soon! +- Improved peer efficiency for enterprises and educational institutions with complex networks is enabled with [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates and Intune content, with Microsoft Endpoint Manager content coming soon! The following Delivery Optimization policies are removed in the Windows 10, version 2004 release: From cd38e99b9cad7f700dc94df80053575f3777c6c4 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Sun, 7 Feb 2021 17:35:21 +0100 Subject: [PATCH 10/38] Add missing Oxford comma Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/deploy-whats-new.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index a99381163d..3c58742ba5 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -104,7 +104,7 @@ For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterpris ### Windows Autopilot -[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose and recover devices. +[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose, and recover devices. With the release of Windows 10, version 2004 you can configure [Windows Autopilot user-driven](https://docs.microsoft.com/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903. From 0187b8076ad06ee41851443175b74b281cf7512d Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Sun, 7 Feb 2021 17:38:01 +0100 Subject: [PATCH 11/38] Add one semicolon for better readability Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/deploy-whats-new.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index 3c58742ba5..3d4db10a53 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md 
@@ -142,7 +142,7 @@ The Upgrade Readiness tool moved from public preview to general availability on Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. -The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled. +The development of Upgrade Readiness has been heavily influenced by input from the community; the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled. For more information about Upgrade Readiness, see the following topics: From 71cd9e96a5a7cdd647c015f64f939ffd51bdfbd9 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Sun, 7 Feb 2021 17:42:40 +0100 Subject: [PATCH 12/38] Sentence casing: "Enterprises" to 'enterprises' Reason: impacts uploads to internet peers only, which isn't used in enterprises. --- windows/deployment/deploy-whats-new.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index 3d4db10a53..0cea204292 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md 
@@ -70,7 +70,7 @@ The following Delivery Optimization policies are removed in the Windows 10, vers - Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth) - Reason: Replaced with separate policies for foreground and background - Max Upload Bandwidth (DOMaxUploadBandwidth) - - Reason: impacts uploads to internet peers only, which isn't used in Enterprises. + - Reason: impacts uploads to internet peers only, which isn't used in enterprises. - Absolute max throttle (DOMaxDownloadBandwidth) - Reason: separated to foreground and background From 6529d0a432e65cf855d58d2f7cc65695482c3c0b Mon Sep 17 00:00:00 2001 From: Bill Mcilhargey <19168174+computeronix@users.noreply.github.com> Date: Mon, 8 Feb 2021 12:16:23 -0500 Subject: [PATCH 13/38] Update windows/deployment/windows-10-subscription-activation.md agreed and thank you Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- windows/deployment/windows-10-subscription-activation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index eaa65c54aa..eb894fafdc 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md 
@@ -84,7 +84,7 @@ The following figure illustrates how deploying Windows 10 has evolved with each > The following requirements do not apply to general Windows 10 activation on Azure. Azure activation requires a connection to Azure KMS only, and supports workgroup, Hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure Virtual Machines](https://docs.microsoft.com/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems#understanding-azure-kms-endpoints-for-windows-product-activation-of-azure-virtual-machines). > [!NOTE] -> Currently Subscription Activation is only available on commercial tenants and is not currently available on US GCC or GCC High tenants. +> Currently, Subscription Activation is only available on commercial tenants and is not currently available on US GCC or GCC High tenants. For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following: From d2c3fc5d99d39468ed36aafa0bb3f068bde09585 Mon Sep 17 00:00:00 2001 From: MatiG Date: Mon, 8 Feb 2021 20:57:09 +0200 Subject: [PATCH 14/38] add ref to installer script --- .../linux-install-manually.md | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md index 046ec05444..822a741518 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md 
@@ -41,6 +41,7 @@ This article describes how to deploy Microsoft Defender for Endpoint for Linux m - [Application installation](#application-installation) - [Download the onboarding package](#download-the-onboarding-package) - [Client configuration](#client-configuration) + - [Installer script](#installer-script) - [Log installation issues](#log-installation-issues) - [Operating system upgrades](#operating-system-upgrades) - [Uninstallation](#uninstallation) @@ -343,6 +344,31 @@ Download the onboarding package from Microsoft Defender Security Center: mdatp threat list ``` +## Installer script + +Alternatively, you can use an automated [installer bash script](https://github.com/microsoft/mdatp-xplat/blob/master/linux/installation/mde_installer.sh) provided in our [public github repository](https://github.com/microsoft/mdatp-xplat/). +The script identifies the distribution and version, and sets up the device to pull the latest package and install it. +You can also onboard with a provided script. + +```bash +❯ ./mde_installer.sh --help +usage: basename ./mde_installer.sh [OPTIONS] +Options: +-c|--channel specify the channel from which you want to install. Default: insiders-fast +-i|--install install the product +-r|--remove remove the product +-u|--upgrade upgrade the existing product +-o|--onboard onboard/offboard the product with +-p|--passive-mode set EPP to passive mode +-t|--tag set a tag by declaring and . ex: -t GROUP Coders +-m|--min_req enforce minimum requirements +-w|--clean remove repo from package manager for a specific channel +-v|--version print out script version +-h|--help display help +``` + +read more [here](https://github.com/microsoft/mdatp-xplat/tree/master/linux/installation). + ## Log installation issues See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. 
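Review bot: The pasted `--help` output states "Default: insiders-fast" for `-c|--channel`, but the three sentences above the code block never mention channels, so a reader who runs the script with only `-i` installs from a pre-release channel on what may be a production endpoint. Add a sentence telling readers to pass `--channel` explicitly and naming the channel intended for production. Both links point at the `master` branch, so the script a reader downloads can differ from what this page describes; recommend reviewing the script before running it, and consider linking a pinned commit instead. Smaller points: the descriptions for `-o|--onboard` ("onboard/offboard the product with") and `-t|--tag` ("declaring and .") read as if their argument placeholders were lost, and the `❯` prompt glyph does not belong in a `bash` block that readers may copy.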
From e040e77165d75a7dbf70726e63717d7d77ce3432 Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Tue, 9 Feb 2021 08:10:49 -0800 Subject: [PATCH 15/38] pencil edits --- .../microsoft-defender-atp/linux-install-manually.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md index 822a741518..46594777a2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md @@ -346,7 +346,7 @@ Download the onboarding package from Microsoft Defender Security Center: ## Installer script -Alternatively, you can use an automated [installer bash script](https://github.com/microsoft/mdatp-xplat/blob/master/linux/installation/mde_installer.sh) provided in our [public github repository](https://github.com/microsoft/mdatp-xplat/). +Alternatively, you can use an automated [installer bash script](https://github.com/microsoft/mdatp-xplat/blob/master/linux/installation/mde_installer.sh) provided in our [public GitHub repository](https://github.com/microsoft/mdatp-xplat/). The script identifies the distribution and version, and sets up the device to pull the latest package and install it. You can also onboard with a provided script. @@ -367,7 +367,7 @@ Options: -h|--help display help ``` -read more [here](https://github.com/microsoft/mdatp-xplat/tree/master/linux/installation). +Read more [here](https://github.com/microsoft/mdatp-xplat/tree/master/linux/installation). ## Log installation issues From dbc7ef3ae92cca6d3abee8372a8eda7bb4ccd325 Mon Sep 17 00:00:00 2001 From: Tudor Dobrila Date: Tue, 9 Feb 2021 09:40:10 -0800 Subject: [PATCH 16/38] Release notes for MDE for Mac 101.19.88 --- .../threat-protection/microsoft-defender-atp/mac-whatsnew.md | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md index 55c92067b1..b95951bf9e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md @@ -30,6 +30,10 @@ ms.technology: mde > [!IMPORTANT] > Support for macOS 10.13 (High Sierra) will be discontinued on February 15th, 2021. +## 101.19.88 (20.121011.11988.0) + +- Performance improvements & bug fixes + ## 101.19.48 > [!NOTE] From 8250ec6e0a643ff67be112b1c45269486f9a9b93 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 9 Feb 2021 11:03:26 -0800 Subject: [PATCH 17/38] whatsnew toc --- windows/whats-new/TOC.yml | 25 +++++++++ windows/whats-new/index.yml | 100 ++++++++++++++++++++++++++++++++++++ 2 files changed, 125 insertions(+) create mode 100644 windows/whats-new/TOC.yml create mode 100644 windows/whats-new/index.yml diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml new file mode 100644 index 0000000000..6b659904a4 --- /dev/null +++ b/windows/whats-new/TOC.yml 
@@ -0,0 +1,25 @@ +- name: What's new in Windows 10 + href: index.yml +- name: What's new in Windows 10, version 20H2 + href: whats-new-windows-10-version-20H2.md +- name: What's new in Windows 10, version 2004 + href: whats-new-windows-10-version-2004.md +- name: What's new in Windows 10, version 1909 + href: whats-new-windows-10-version-1909.md +- name: What's new in Windows 10, version 1903 + href: whats-new-windows-10-version-1903.md +- name: What's new in Windows 10, version 1809 + href: whats-new-windows-10-version-1809.md +- name: What's new in Windows 10, version 1803 + href: whats-new-windows-10-version-1803.md + items: + - name: Previous versions + items: + - name: What's new in Windows 10, version 1709 + href: whats-new-windows-10-version-1709.md + - name: What's new in Windows 10, version 1703 + href: whats-new-windows-10-version-1703.md + - name: What's new in Windows 10, version 1607 + href: whats-new-windows-10-version-1607.md + - name: What's new in Windows 10, versions 1507 and 1511 + href: whats-new-windows-10-version-1507-and-1511.md \ No newline at end of file diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml new file mode 100644 index 0000000000..dbd960b4a7 --- /dev/null +++ b/windows/whats-new/index.yml 
@@ -0,0 +1,100 @@ +### YamlMime:Landing + +title: Windows 10 deployment resources and documentation # < 60 chars +summary: Learn about deploying and keeping Windows 10 up to date. # < 160 chars + +metadata: + title: Windows 10 deployment resources and documentation # Required; page title displayed in search results. Include the brand. < 60 chars. + description: Learn about deploying Windows 10 and keeping it up to date in your organization. # Required; article description that is displayed in search results. < 160 chars. + services: windows-10 + ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. + ms.subservice: subservice + ms.topic: landing-page # Required + ms.collection: windows-10 + author: greg-lindsay #Required; your GitHub user alias, with correct capitalization. + ms.author: greglin #Required; microsoft alias of author; optional team alias. + ms.date: 08/05/2020 #Required; mm/dd/yyyy format. + localization_priority: medium + +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new + +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Plan + linkLists: + - linkListType: overview + links: + - text: Create a deployment plan + url: update/create-deployment-plan.md + - text: Define readiness criteria + url: update/plan-define-readiness.md + - text: Evaluate infrastructure and tools + url: update/eval-infra-tools.md + - text: Define your servicing strategy + url: update/plan-define-strategy.md + + # Card (optional) + - title: Prepare + linkLists: + - linkListType: how-to-guide + links: + - text: Prepare to deploy Windows 10 updates + url: update/prepare-deploy-windows.md + - text: Prepare updates using Windows Update for Business + url: update/waas-manage-updates-wufb.md + - text: Prepare for Zero 
Touch Installation of Windows 10 with Configuration Manager + url: deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md + + # Card (optional) + - title: Deploy + linkLists: + - linkListType: deploy + links: + - text: Deploy Windows 10 with Autopilot + url: https://docs.microsoft.com/mem/autopilot + - text: Assign devices to servicing channels + url: update/waas-servicing-channels-windows-10-updates.md + - text: Deploy Windows updates with Configuration Manager + url: update/deploy-updates-configmgr.md + + # Card + - title: Overview + linkLists: + - linkListType: overview + links: + - text: What's new in Windows deployment + url: windows-10-deployment-scenarios.md + - text: Windows 10 deployment scenarios + url: windows-10-deployment-scenarios.md + - text: Basics of Windows updates, channels, and tools + url: update/get-started-updates-channels-tools.md + - text: Overview of Windows Autopilot + url: https://docs.microsoft.com/mem/autopilot/windows-autopilot + + # Card + - title: Support remote work + linkLists: + - linkListType: concept + links: + - text: Deploy Windows 10 for a remote world + url: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/deploying-a-new-version-of-windows-10-in-a-remote-world/ba-p/1419846 + - text: Empower remote workers with Microsoft 365 + url: https://docs.microsoft.com/microsoft-365/solutions/empower-people-to-work-remotely + - text: Top 12 tasks for security teams to support working from home + url: https://docs.microsoft.com/microsoft-365/security/top-security-tasks-for-remote-work + - text: Support your remote workforce + url: https://docs.microsoft.com/microsoftteams/faq-support-remote-workforce + + # Card (optional) + - title: Microsoft Learn + linkLists: + - linkListType: learn + links: + - text: Plan to deploy updates for Windows 10 and Microsoft 365 Apps + url: https://docs.microsoft.com/learn/modules/windows-plan + - text: Prepare to deploy updates for Windows 10 and 
Microsoft 365 Apps + url: https://docs.microsoft.com/learn/modules/windows-prepare/ + - text: Deploy updates for Windows 10 and Microsoft 365 Apps + url: https://docs.microsoft.com/learn/modules/windows-deploy From f40c9b29b8b7d84ba466beb0d1460205c5f2af9c Mon Sep 17 00:00:00 2001 From: Tudor Dobrila Date: Tue, 9 Feb 2021 11:14:44 -0800 Subject: [PATCH 18/38] Add more EDR versions --- .../microsoft-defender-atp/mac-whatsnew.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md index b95951bf9e..f77c7ca89c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md @@ -34,7 +34,7 @@ ms.technology: mde - Performance improvements & bug fixes -## 101.19.48 +## 101.19.48 (20.120121.11948.0) > [!NOTE] > The old command-line tool syntax has been deprecated with this release. For information on the new syntax, see [Resources](mac-resources.md#configuring-from-the-command-line). 
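Review bot: The new heading "## 101.19.48 (20.120121.11948.0)" adds a second version number in parentheses with nothing on the page saying what it identifies; only the commit subject ("Add more EDR versions") hints at it. Label the value in the heading or add a one-line note near the top of the release notes explaining the two numbers, so an administrator matching an installed build against these notes knows which value to compare.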
@@ -42,17 +42,17 @@ ms.technology: mde - Added a new command-line switch to disable the network extension: `mdatp system-extension network-filter disable`. This command can be useful to troubleshoot networking issues that could be related to Microsoft Defender for Endpoint for Mac - Performance improvements & bug fixes -## 101.19.21 +## 101.19.21 (20.120101.11921.0) - Bug fixes -## 101.15.26 +## 101.15.26 (20.120102.11526.0) - Improved the reliability of the agent when running on macOS 11 Big Sur - Added a new command-line switch (`--ignore-exclusions`) to ignore AV exclusions during custom scans (`mdatp scan custom`) - Performance improvements & bug fixes -## 101.13.75 +## 101.13.75 (20.120101.11375.0) - Removed conditions when Microsoft Defender for Endpoint was triggering a macOS 11 (Big Sur) bug that manifests into a kernel panic - Fixed a memory leak in the Endpoint Security system extension when running on mac 11 (Big Sur) From 7d2e7c2abc8ada22b20ee543d16b8f2b0353efa0 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 9 Feb 2021 11:22:23 -0800 Subject: [PATCH 19/38] remove warning --- .../microsoft-defender-atp/configure-endpoints-vdi.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md index 7eb2606edf..d0ec840095 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md 
@@ -27,8 +27,6 @@ ms.technology: mde **Applies to:** - Virtual desktop infrastructure (VDI) devices ->[!WARNING] -> Microsoft Defender for Endpoint support for Windows Virtual Desktop multi-user scenarios is currently in Preview and limited up to 25 concurrent sessions per host/VM. However single session scenarios on Windows Virtual Desktop are fully supported. >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configvdi-abovefoldlink) From 98a4caf703d14afdc7a4ce5483049ec010ee09d0 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 9 Feb 2021 11:45:59 -0800 Subject: [PATCH 20/38] add to toc fix file location --- windows/security/threat-protection/TOC.md | 3 ++- .../microsoft-defender-atp/batch-update-alerts.md | 0 2 files changed, 2 insertions(+), 1 deletion(-) rename batch-update-alerts.md => windows/security/threat-protection/microsoft-defender-atp/batch-update-alerts.md (100%) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 3ddab2049c..d36a6d1b7e 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -536,7 +536,8 @@ ####### [Alert methods and properties](microsoft-defender-atp/alerts.md) ####### [List alerts](microsoft-defender-atp/get-alerts.md) ####### [Create alert](microsoft-defender-atp/create-alert-by-reference.md) -####### [Update Alert](microsoft-defender-atp/update-alert.md) +####### [Update alert](microsoft-defender-atp/update-alert.md) +####### [Batch update alert](microsoft-defender-atp/batch-update-alerts.md) ####### [Get alert information by ID](microsoft-defender-atp/get-alert-info-by-id.md) ####### [Get alert related domains information](microsoft-defender-atp/get-alert-related-domain-info.md) ####### [Get alert related file information](microsoft-defender-atp/get-alert-related-files-info.md) 
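Review bot: The new TOC entry is titled "Batch update alert" while the file it links to is batch-update-alerts.md; use the plural "Batch update alerts" so the entry matches its target. The casing change to "Update alert" is consistent with the neighbouring entries.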
diff --git a/batch-update-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/batch-update-alerts.md similarity index 100% rename from batch-update-alerts.md rename to windows/security/threat-protection/microsoft-defender-atp/batch-update-alerts.md From 5019037e5664c1d24f27076b255caf16416459d0 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 9 Feb 2021 13:03:42 -0800 Subject: [PATCH 21/38] whatsnew index --- windows/whats-new/TOC.md | 12 ----------- windows/whats-new/index.md | 43 -------------------------------------- 2 files changed, 55 deletions(-) delete mode 100644 windows/whats-new/TOC.md delete mode 100644 windows/whats-new/index.md diff --git a/windows/whats-new/TOC.md b/windows/whats-new/TOC.md deleted file mode 100644 index 9be4f860e1..0000000000 --- a/windows/whats-new/TOC.md +++ /dev/null @@ -1,12 +0,0 @@ -# [What's new in Windows 10](index.md) -## [What's new in Windows 10, version 20H2](whats-new-windows-10-version-20H2.md) -## [What's new in Windows 10, version 2004](whats-new-windows-10-version-2004.md) -## [What's new in Windows 10, version 1909](whats-new-windows-10-version-1909.md) -## [What's new in Windows 10, version 1903](whats-new-windows-10-version-1903.md) -## [What's new in Windows 10, version 1809](whats-new-windows-10-version-1809.md) -## [What's new in Windows 10, version 1803](whats-new-windows-10-version-1803.md) -## Previous versions -### [What's new in Windows 10, version 1709](whats-new-windows-10-version-1709.md) -### [What's new in Windows 10, version 1703](whats-new-windows-10-version-1703.md) -### [What's new in Windows 10, version 1607](whats-new-windows-10-version-1607.md) -### [What's new in Windows 10, versions 1507 and 1511](whats-new-windows-10-version-1507-and-1511.md) diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md deleted file mode 100644 index 559ab66233..0000000000 --- a/windows/whats-new/index.md +++ /dev/null 
@@ -1,43 +0,0 @@ ---- -title: What's new in Windows 10 (Windows 10) -description: Learn about new features in Windows 10 for IT professionals, such as Windows Information Protection, Windows Hello, Device Guard, and more. -ms.assetid: F1867017-76A1-4761-A200-7450B96AEF44 -keywords: ["What's new in Windows 10", "Windows 10"] -ms.prod: w10 -audience: itpro -author: greg-lindsay -ms.author: greglin -manager: laurawi -ms.localizationpriority: high -ms.topic: article ---- - -# What's new in Windows 10 - -Windows 10 provides IT professionals with advanced protection against modern security threats and comprehensive management and control over devices and apps, as well as flexible deployment, update, and support options. Learn about new features in Windows 10 for IT professionals, such as Windows Information Protection, Windows Hello, Device Guard, and more. - -## In this section - -- [What's new in Windows 10, version 20H2](whats-new-windows-10-version-20H2.md) -- [What's new in Windows 10, version 2004](whats-new-windows-10-version-2004.md) -- [What's new in Windows 10, version 1909](whats-new-windows-10-version-1909.md) -- [What's new in Windows 10, version 1903](whats-new-windows-10-version-1903.md) -- [What's new in Windows 10, version 1809](whats-new-windows-10-version-1809.md) -- [What's new in Windows 10, version 1803](whats-new-windows-10-version-1803.md) - - -## Learn more - -- [Windows 10 release information](https://docs.microsoft.com/windows/release-information/) -- [Windows 10 release health dashboard](https://docs.microsoft.com/windows/release-information/status-windows-10-2004) -- [Windows 10 update history](https://support.microsoft.com/help/4555932/windows-10-update-history) -- [What’s new for business in Windows 10 Insider Preview Builds](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new) -- [Windows 10 features we’re no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features) -- 
[Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features) -- [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkId=690485) - -## See also - -[Windows 10 Enterprise LTSC](ltsc/index.md)
-[Edit an existing topic using the Edit link](contribute-to-a-topic.md) - From 859a78234e3fd751a0e22e2c698fc1aa446a88e0 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 9 Feb 2021 13:20:53 -0800 Subject: [PATCH 22/38] whatsnew index --- windows/whats-new/index.yml | 108 ++++++++++++++---------------------- 1 file changed, 43 insertions(+), 65 deletions(-) diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml index dbd960b4a7..df5c623f4c 100644 --- a/windows/whats-new/index.yml +++ b/windows/whats-new/index.yml 
@@ -13,88 +13,66 @@ metadata: ms.collection: windows-10 author: greg-lindsay #Required; your GitHub user alias, with correct capitalization. ms.author: greglin #Required; microsoft alias of author; optional team alias. - ms.date: 08/05/2020 #Required; mm/dd/yyyy format. + ms.date: 02/09/2021 #Required; mm/dd/yyyy format. localization_priority: medium # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new +- []() +- []() +- [](whats-new-windows-10-version-1909.md) +- [](whats-new-windows-10-version-1903.md) +- [](whats-new-windows-10-version-1809.md) +- [](whats-new-windows-10-version-1803.md) + + landingContent: # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) - - title: Plan + - title: What's new in Windows 10 linkLists: - linkListType: overview links: - - text: Create a deployment plan - url: update/create-deployment-plan.md - - text: Define readiness criteria - url: update/plan-define-readiness.md - - text: Evaluate infrastructure and tools - url: update/eval-infra-tools.md - - text: Define your servicing strategy - url: update/plan-define-strategy.md + - text: What's new in Windows 10, version 20H2 + url: whats-new-windows-10-version-20H2.md + - text: What's new in Windows 10, version 2004 + url: whats-new-windows-10-version-2004.md + - text: What's new in Windows 10, version 1909 + url: whats-new-windows-10-version-1909.md + - text: What's new in Windows 10, version 1903 + url: whats-new-windows-10-version-1903.md + - text: What's new in Windows 10, version 1809 + url: whats-new-windows-10-version-1809.md + - text: What's new in Windows 10, version 1803 + url: whats-new-windows-10-version-1803.md # Card (optional) - - title: Prepare - linkLists: - - linkListType: how-to-guide - links: - - text: Prepare to deploy Windows 10 updates - url: update/prepare-deploy-windows.md - - text: 
Prepare updates using Windows Update for Business - url: update/waas-manage-updates-wufb.md - - text: Prepare for Zero Touch Installation of Windows 10 with Configuration Manager - url: deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md - - # Card (optional) - - title: Deploy - linkLists: - - linkListType: deploy - links: - - text: Deploy Windows 10 with Autopilot - url: https://docs.microsoft.com/mem/autopilot - - text: Assign devices to servicing channels - url: update/waas-servicing-channels-windows-10-updates.md - - text: Deploy Windows updates with Configuration Manager - url: update/deploy-updates-configmgr.md - - # Card - - title: Overview + - title: Lean more linkLists: - linkListType: overview links: - - text: What's new in Windows deployment - url: windows-10-deployment-scenarios.md - - text: Windows 10 deployment scenarios - url: windows-10-deployment-scenarios.md - - text: Basics of Windows updates, channels, and tools - url: update/get-started-updates-channels-tools.md - - text: Overview of Windows Autopilot - url: https://docs.microsoft.com/mem/autopilot/windows-autopilot - - # Card - - title: Support remote work - linkLists: - - linkListType: concept - links: - - text: Deploy Windows 10 for a remote world - url: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/deploying-a-new-version-of-windows-10-in-a-remote-world/ba-p/1419846 - - text: Empower remote workers with Microsoft 365 - url: https://docs.microsoft.com/microsoft-365/solutions/empower-people-to-work-remotely - - text: Top 12 tasks for security teams to support working from home - url: https://docs.microsoft.com/microsoft-365/security/top-security-tasks-for-remote-work - - text: Support your remote workforce - url: https://docs.microsoft.com/microsoftteams/faq-support-remote-workforce + - text: Windows 10 release information + url: https://docs.microsoft.com/windows/release-information/ + - text: Windows 10 release health dashboard + 
url: https://docs.microsoft.com/windows/release-information/status-windows-10-2004 + - text: Windows 10 update history + url: https://support.microsoft.com/help/4555932/windows-10-update-history + - text: What’s new for business in Windows 10 Insider Preview Builds + url: https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new + - text: Windows 10 features we’re no longer developing + url: https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features + - text: Features and functionality removed in Windows 10 + url: https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features + - text: Compare Windows 10 Editions + url: https://go.microsoft.com/fwlink/p/?LinkId=690485 # Card (optional) - - title: Microsoft Learn + - title: See also linkLists: - - linkListType: learn + - linkListType: overview links: - - text: Plan to deploy updates for Windows 10 and Microsoft 365 Apps - url: https://docs.microsoft.com/learn/modules/windows-plan - - text: Prepare to deploy updates for Windows 10 and Microsoft 365 Apps - url: https://docs.microsoft.com/learn/modules/windows-prepare/ - - text: Deploy updates for Windows 10 and Microsoft 365 Apps - url: https://docs.microsoft.com/learn/modules/windows-deploy + - text: Windows 10 Enterprise LTSC + url: ltsc/index.md + - text: Edit an existing topic using the Edit link + url: contribute-to-a-topic.md \ No newline at end of file From 0abc6ba4bdadb3beed4ee7ff4f66e4722963d385 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 9 Feb 2021 13:30:15 -0800 Subject: [PATCH 23/38] index --- windows/whats-new/whats-new-windows-10-version-1703.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index 2346ec23c7..3d0d557347 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md 
@@ -18,7 +18,7 @@ ms.topic: article Below is a list of some of what's new in Information Technology (IT) pro features in Windows 10, version 1703 (also known as the Creators Update). -For more general info about Windows 10 features, see [Features available only on Windows 10](https://www.microsoft.com/windows/features). For info about previous versions of Windows 10, see [What's New in Windows 10](index.md). Also see this blog post: [What’s new for IT pros in the Windows 10 Creators Update](https://blogs.technet.microsoft.com/windowsitpro/2017/04/05/whats-new-for-it-pros-in-the-windows-10-creators-update/). +For more general info about Windows 10 features, see [Features available only on Windows 10](https://www.microsoft.com/windows/features). For info about previous versions of Windows 10, see [What's New in Windows 10](index.yml). Also see this blog post: [What’s new for IT pros in the Windows 10 Creators Update](https://blogs.technet.microsoft.com/windowsitpro/2017/04/05/whats-new-for-it-pros-in-the-windows-10-creators-update/). >[!NOTE] >Windows 10, version 1703 contains all fixes included in previous cumulative updates to Windows 10, version 1607. For info about each version, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info). For a list of removed features, see [Features that are removed or deprecated in Windows 10 Creators Update](https://support.microsoft.com/help/4014193/features-that-are-removed-or-deprecated-in-windows-10-creators-update). From 3b1c5438b59d9fea58dfde37541d021edb61b15c Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 9 Feb 2021 13:34:22 -0800 Subject: [PATCH 24/38] index --- windows/whats-new/index.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml index df5c623f4c..f68da2e0e7 100644 --- a/windows/whats-new/index.yml +++ b/windows/whats-new/index.yml 
@@ -18,14 +18,6 @@ metadata: # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new -- []() -- []() -- [](whats-new-windows-10-version-1909.md) -- [](whats-new-windows-10-version-1903.md) -- [](whats-new-windows-10-version-1809.md) -- [](whats-new-windows-10-version-1803.md) - - landingContent: # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb From 87440c9407d54f92668924ec001c1be395b4325f Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 9 Feb 2021 13:41:56 -0800 Subject: [PATCH 25/38] fix link --- windows/whats-new/whats-new-windows-10-version-1703.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index 3d0d557347..e8b4ac1475 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md 
@@ -18,7 +18,7 @@ ms.topic: article Below is a list of some of what's new in Information Technology (IT) pro features in Windows 10, version 1703 (also known as the Creators Update). -For more general info about Windows 10 features, see [Features available only on Windows 10](https://www.microsoft.com/windows/features). For info about previous versions of Windows 10, see [What's New in Windows 10](index.yml). Also see this blog post: [What’s new for IT pros in the Windows 10 Creators Update](https://blogs.technet.microsoft.com/windowsitpro/2017/04/05/whats-new-for-it-pros-in-the-windows-10-creators-update/). +For more general info about Windows 10 features, see [Features available only on Windows 10](https://www.microsoft.com/windows/features). For info about previous versions of Windows 10, see [What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/). Also see this blog post: [What’s new for IT pros in the Windows 10 Creators Update](https://blogs.technet.microsoft.com/windowsitpro/2017/04/05/whats-new-for-it-pros-in-the-windows-10-creators-update/). >[!NOTE] >Windows 10, version 1703 contains all fixes included in previous cumulative updates to Windows 10, version 1607. For info about each version, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info). For a list of removed features, see [Features that are removed or deprecated in Windows 10 Creators Update](https://support.microsoft.com/help/4014193/features-that-are-removed-or-deprecated-in-windows-10-creators-update). From d4c0f1555be7371f9683e6c7c5bdc9b7b66cdc8f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ant=C3=B3nio=20Vasconcelos?= Date: Tue, 9 Feb 2021 21:51:45 +0000 Subject: [PATCH 26/38] Changes to ASR licensing requirements ASR rules don't require an E5 license. It's recommended given the extras like reporting and hunting. --- .../microsoft-defender-atp/attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 3ffff68987..c6a1d02751 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
@@ -107,7 +107,7 @@ You can set attack surface reduction rules for devices that are running any of t - Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -To use the entire feature-set of attack surface reduction rules, you need a [Windows 10 Enterprise license](https://www.microsoft.com/licensing/product-licensing/windows10). With a [Windows E5 license](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses), you get advanced management capabilities including monitoring, analytics, and workflows available in [Defender for Endpoint](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the [Microsoft 365 security center](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center). These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events. +Although attack surface reduction rules don't require a [Windows E5 license](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses), only with Windows E5 you get advanced management capabilities including monitoring, analytics, and workflows available in [Defender for Endpoint](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the [Microsoft 365 security center](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center). These advanced capabilities aren't available with a Professional or an E3 license, but you can still use Event Viewer and Defender logs to review attack surface reduction rule events. ## Review attack surface reduction events in the Microsoft Defender Security Center From 070ed372ffbe6600acb9bd7fbb58877c6c201379 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ant=C3=B3nio=20Vasconcelos?= Date: Tue, 9 Feb 2021 21:57:21 +0000 Subject: [PATCH 27/38] Changes to ASR licensing requirements --- .../microsoft-defender-atp/enable-attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md index c34737f912..9c9a7895af 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md 
@@ -33,7 +33,7 @@ Each ASR rule contains one of three settings: - Block: Enable the ASR rule - Audit: Evaluate how the ASR rule would impact your organization if enabled -To use ASR rules, you must have either a Windows 10 Enterprise E3 or E5 license. We recommend E5 licenses so you can take advantage of the advanced monitoring and reporting capabilities that are available in [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) (Defender for Endpoint). Advanced monitoring and reporting capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules. +To use ASR rules, you don't need a Windows E5 license, but it is highly recommended given that a Windows E5 license (or similar licensing SKU) provides the ability to make use of the advanced monitoring and reporting capabilities that are available in [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) (Defender for Endpoint). Advanced monitoring and reporting capabilities aren't available with a Windows Professional or E3 license. For non-Windows E5 licenses, you can develop your own monitoring and reporting tools on top of the events that are generated at each endpoint, when ASR rules are triggered (e.g., Event Forwarding). > [!TIP] > To learn more about Windows licensing, see [Windows 10 Licensing](https://www.microsoft.com/licensing/product-licensing/windows10?activetab=windows10-pivot:primaryr5) and get the [Volume Licensing guide for Windows 10](https://download.microsoft.com/download/2/D/1/2D14FE17-66C2-4D4C-AF73-E122930B60F6/Windows-10-Volume-Licensing-Guide.pdf). From 7658c1b294c880a8f6e33ecae5179953bbb73df6 Mon Sep 17 00:00:00 2001 
From: Joey Caparas Date: Tue, 9 Feb 2021 13:58:21 -0800 Subject: [PATCH 28/38] updated table --- .../microsoft-defender-atp/alerts-queue.md | 62 ++++++------------- 1 file changed, 18 insertions(+), 44 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md index b0d0be64a6..bcfca19802 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md 
@@ -81,50 +81,24 @@ We've redefined the alert categories to align to the [enterprise attack tactics] The table below lists the current categories and how they generally map to previous categories. -| New category | Previous category | API category name | Detected threat activity or component | -|----------------------------|--------------------------------------------------------------------------------------------------|--------------------------|-------------------------------------------------------------------------------------------------------------------------------------| -| | | AccessGovernance | | -| Backdoor | None | | | -| Collection | None | Collection | Locating and collecting data for exfiltration | -| Command and control | CommandAndControl | CommandAndControl | Connecting to attacker-controlled network infrastructure to relay data or receive commands | -| Credential access | CredentialTheft | CredentialAccess | Obtaining valid credentials to extend control over devices and other resources in the network | -| Credential stealing | CredentialTheft | CredentialStealing | Obtaining valid credentials to extend control over devices and other resources in the network | -| Credential theft | None | CredentialTheft | | -| | | DataGovernance | | -| | | DataLossPrevention | | -| Defense evasion | None | DefenseEvasion | | -| Delivery | None | | | -| Discovery | Reconnaissance, WebFingerprinting | Discovery | Gathering information about important devices and resources, such as administrator computers, domain controllers, and file servers | -| Document exploit | None | DocumentExploit | | -| Enterprise policy | None | EnterprisePolicy | | -| Execution | Delivery, MalwareDownload | Execution | Launching attacker tools and malicious code, including RATs and backdoors | -| Exfiltration | Exfiltration | Exfiltration | Extracting data from the network to an external, attacker-controlled location | -| Exploit | Exploit | Exploit | Exploit code and possible 
exploitation activity | -| General | None | General | | -| Impact | None | Impact | | -| Initial access | SocialEngineering, WebExploit, DocumentExploit | InitialAccess | Gaining initial entry to the target network, usually involving password-guessing, exploits, or phishing emails | -| Installation | None | Installation | | -| Lateral movement | LateralMovement, NetworkPropagation | LateralMovement | Moving between devices in the target network to reach critical resources or gain network persistence | -| | | MailFlow | | -| Malware | Malware, Backdoor, Trojan, TrojanDownloader, CredentialStealing, Weaponization, RemoteAccessTool | Malware | Backdoors, trojans, and other types of malicious code | -| Malware download | None | MalwareDownload | | -| Network propagation | None | NetworkPropagation | | -| Persistence | Installation, Persistence | Persistence | Creating autostart extensibility points (ASEPs) to remain active and survive system restarts | -| Privilege escalation | PrivilegeEscalation | PrivilegeEscalation | Obtaining higher permission levels for code by running it in the context of a privileged process or account | -| Ransomware | Ransomware | Ransomware | Malware that encrypts files and extorts payment to restore access | -| Reconnaissance | None | Reconnaissance | | -| Remote access tool | None | RemoteAccessTool | | -| Social engineering | None | SocialEngineering | | -| Suspicious activity | General, None, NotApplicable, EnterprisePolicy, SuspiciousNetworkTraffic | SuspiciousActivity | Atypical activity that could be malware activity or part of an attack | -| Suspicious network traffic | None | SuspiciousNetworkTraffic | | -| | | ThreatManagement | | -| Trojan | None | Trojan | | -| Trojan downloader | None | TrojanDownloader | | -| Unwanted software | UnwantedSoftware | UnwantedSoftware | Low-reputation apps and apps that impact productivity and the user experience; detected as potentially unwanted applications (PUAs) | -| Weaponization | None | 
Weaponization | | -| Web exploit | None | WebExploit | | -| Web fingerprinting | None | WebFingerprinting | | - +| New category | API category name | Detected threat activity or component | +|----------------------|---------------------|-----------------------------------------------------------------------------------------------------------------------------------------| +| Collection | Collection | Locating and collecting data for exfiltration | +| Command and control | CommandAndControl | Connecting to attacker-controlled network infrastructure to relay data or receive commands | +| Credential access | CredentialAccess | Obtaining valid credentials to extend control over devices and other resources in the network | +| Defense evasion | DefenseEvasion | Avoiding security controls by, for example, turning off security apps, deleting implants, and running rootkits | +| Discovery | Discovery | Gathering information about important devices and resources, such as administrator computers, domain controllers, and file servers | +| Execution | Execution | Launching attacker tools and malicious code, including RATs and backdoors | +| Exfiltration | Exfiltration | Extracting data from the network to an external, attacker-controlled location | +| Exploit | Exploit | Exploit code and possible exploitation activity | +| Initial access | InitialAccess | Gaining initial entry to the target network, usually involving password-guessing, exploits, or phishing emails | +| Lateral movement | LateralMovement | Moving between devices in the target network to reach critical resources or gain network persistence | +| Malware | Malware | Backdoors, trojans, and other types of malicious code | +| Persistence | Persistence | Creating autostart extensibility points (ASEPs) to remain active and survive system restarts | +| Privilege escalation | PrivilegeEscalation | Obtaining higher permission levels for code by running it in the context of a privileged process or account | +| Ransomware | 
Ransomware | Malware that encrypts files and extorts payment to restore access | +| Suspicious activity | SuspiciousActivity | Atypical activity that could be malware activity or part of an attack | +| Unwanted software | UnwantedSoftware | Low-reputation apps and apps that impact productivity and the user experience; detected as potentially unwanted applications (PUAs) | ### Status From 6f658922d01d2d99ddd98936ca18226303d8d660 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 9 Feb 2021 14:05:48 -0800 Subject: [PATCH 29/38] add yml to docfx.json --- windows/whats-new/docfx.json | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json index 6848fc2bdf..2feb1ea5d9 100644 --- a/windows/whats-new/docfx.json +++ b/windows/whats-new/docfx.json @@ -4,6 +4,7 @@ { "files": [ "**/*.md" + "**/*.yml" ], "exclude": [ "**/obj/**", From 82363e84f8c3a134160b5ae6a7fb330dd921708d Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 9 Feb 2021 14:12:04 -0800 Subject: [PATCH 30/38] add comma --- windows/whats-new/docfx.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json index 2feb1ea5d9..04908deceb 100644 --- a/windows/whats-new/docfx.json +++ b/windows/whats-new/docfx.json @@ -3,7 +3,7 @@ "content": [ { "files": [ - "**/*.md" + "**/*.md", "**/*.yml" ], "exclude": [ From de46aa583564ea2426ad03cf2f4c37c5830487d7 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 9 Feb 2021 14:19:51 -0800 Subject: [PATCH 31/38] fix links --- windows/whats-new/index.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml index f68da2e0e7..78e1de0ebb 100644 --- a/windows/whats-new/index.yml +++ b/windows/whats-new/index.yml 
@@ -45,9 +45,9 @@ landingContent: - linkListType: overview links: - text: Windows 10 release information - url: https://docs.microsoft.com/windows/release-information/ + url: https://docs.microsoft.com/en-us/windows/release-health/release-information - text: Windows 10 release health dashboard - url: https://docs.microsoft.com/windows/release-information/status-windows-10-2004 + url: https://docs.microsoft.com/windows/release-information/ - text: Windows 10 update history url: https://support.microsoft.com/help/4555932/windows-10-update-history - text: What’s new for business in Windows 10 Insider Preview Builds From 34c44166122c1993fe88a12cc2a4d54577dbdc62 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 9 Feb 2021 14:21:28 -0800 Subject: [PATCH 32/38] fix toc --- windows/whats-new/TOC.yml | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml index 6b659904a4..a0d1667af2 100644 --- a/windows/whats-new/TOC.yml +++ b/windows/whats-new/TOC.yml 
@@ -12,14 +12,13 @@ href: whats-new-windows-10-version-1809.md - name: What's new in Windows 10, version 1803 href: whats-new-windows-10-version-1803.md - items: - - name: Previous versions - items: - - name: What's new in Windows 10, version 1709 - href: whats-new-windows-10-version-1709.md - - name: What's new in Windows 10, version 1703 - href: whats-new-windows-10-version-1703.md - - name: What's new in Windows 10, version 1607 - href: whats-new-windows-10-version-1607.md - - name: What's new in Windows 10, versions 1507 and 1511 - href: whats-new-windows-10-version-1507-and-1511.md \ No newline at end of file +- name: Previous versions + items: + - name: What's new in Windows 10, version 1709 + href: whats-new-windows-10-version-1709.md + - name: What's new in Windows 10, version 1703 + href: whats-new-windows-10-version-1703.md + - name: What's new in Windows 10, version 1607 + href: whats-new-windows-10-version-1607.md + - name: What's new in Windows 10, versions 1507 and 1511 + href: whats-new-windows-10-version-1507-and-1511.md \ No newline at end of file From ba91cc3181c5401358e4a489e9a3d8061bda5e0a Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 9 Feb 2021 14:28:05 -0800 Subject: [PATCH 33/38] fix spelling --- windows/whats-new/whats-new-windows-10-version-1703.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index e8b4ac1475..4aec0eab76 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md 
@@ -186,7 +186,7 @@ You can also now collect your audit event logs by using the Reporting configurat The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates). -Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details. +Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferral periods. 
See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details. ### Windows Insider for Business 
@@ -252,13 +252,13 @@ For more info, see [Implement server-side support for mobile application managem In Windows 10, version 1703, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](https://www.microsoft.com/download/details.aspx?id=44226) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost. ### Application Virtualization for Windows (App-V) -Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart. +Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. 
Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically clean up your unpublished packages after a device restart. For more info, see the following topics: - [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-provision-a-vm) - [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-sequencing) - [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-updating) -- [Automatically cleanup unpublished packages on the App-V client](/windows/application-management/app-v/appv-auto-clean-unpublished-packages) +- [Automatically clean up unpublished packages on the App-V client](/windows/application-management/app-v/appv-auto-clean-unpublished-packages) ### Windows diagnostic data @@ -294,7 +294,7 @@ Windows 10 Mobile, version 1703 also includes the following enhancements: - OTC update tool - Continuum display management - Individually turn off the monitor or phone screen when not in use - - Indiviudally adjust screen time-out settings + - individually adjust screen time-out settings - Continuum docking solutions - Set Ethernet port properties - Set proxy properties for the Ethernet port From cdba8c583b01a4c47e492cb8e5cdff8da22f9a2e Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 9 Feb 2021 14:30:06 -0800 Subject: [PATCH 34/38] fix typo --- windows/whats-new/index.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml index 78e1de0ebb..85a8da545d 100644 --- a/windows/whats-new/index.yml +++ b/windows/whats-new/index.yml @@ -40,7 +40,7 @@ landingContent: url: whats-new-windows-10-version-1803.md # Card (optional) - - title: Lean more + - title: Learn more linkLists: - linkListType: overview links: From d562d0907c876bc763ee51d25f8475badef56e65 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 9 Feb 2021 14:31:08 -0800 Subject: [PATCH 35/38] remove dead link --- windows/whats-new/index.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml index 85a8da545d..151f11ef15 100644 --- a/windows/whats-new/index.yml +++ b/windows/whats-new/index.yml @@ -50,8 +50,6 @@ landingContent: url: https://docs.microsoft.com/windows/release-information/ - text: Windows 10 update history url: https://support.microsoft.com/help/4555932/windows-10-update-history - - text: What’s new for business in Windows 10 Insider Preview Builds - url: https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new - text: Windows 10 features we’re no longer developing url: https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features - text: Features and functionality removed in Windows 10 From 15db6cd475224f71c73e1db41358ca905b753dc7 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 9 Feb 2021 14:33:45 -0800 Subject: [PATCH 36/38] update link --- windows/whats-new/index.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml index 151f11ef15..9efd8ca519 100644 --- a/windows/whats-new/index.yml +++ b/windows/whats-new/index.yml 
@@ -49,7 +49,7 @@ landingContent: - text: Windows 10 release health dashboard url: https://docs.microsoft.com/windows/release-information/ - text: Windows 10 update history - url: https://support.microsoft.com/help/4555932/windows-10-update-history + url: https://support.microsoft.com/topic/windows-10-update-history-7dd3071a-3906-fa2c-c342-f7f86728a6e3 - text: Windows 10 features we’re no longer developing url: https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features - text: Features and functionality removed in Windows 10 From 974f2ae90b5d9732895ebf23768442d6866c25b2 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 9 Feb 2021 15:13:17 -0800 Subject: [PATCH 37/38] Update attack-surface-reduction.md --- .../microsoft-defender-atp/attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index c6a1d02751..eaee14028a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md 
@@ -107,7 +107,7 @@ You can set attack surface reduction rules for devices that are running any of t - Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -Although attack surface reduction rules don't require a [Windows E5 license](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses), only with Windows E5 you get advanced management capabilities including monitoring, analytics, and workflows available in [Defender for Endpoint](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the [Microsoft 365 security center](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center). These advanced capabilities aren't available with a Professional or an E3 license, but you can still use Event Viewer and Defender logs to review attack surface reduction rule events. +Although attack surface reduction rules don't require a [Windows E5 license](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses), if you have Windows E5, you get advanced management capabilities. These capabilities available only in Windows E5 include monitoring, analytics, and workflows available in [Defender for Endpoint](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the [Microsoft 365 security center](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center). These advanced capabilities aren't available with a Windows Professional or Windows E3 license; however, if you do have those licenses, you can use Event Viewer and Microsoft Defender Antivirus logs to review your attack surface reduction rule events. ## Review attack surface reduction events in the Microsoft Defender Security Center 
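Review bot: The second added sentence in the licensing paragraph, "These capabilities available only in Windows E5 include monitoring, analytics, and workflows available in [Defender for Endpoint]...", is hard to parse because the restrictive phrase has no commas and "available" appears twice. Suggest "These capabilities, available only with Windows E5, include monitoring, analytics, and workflows in Defender for Endpoint, as well as ...". In the last added sentence, "however, if you do have those licenses, you can use Event Viewer" loses the "you can still" of the removed line; "with those licenses you can still use Event Viewer and Microsoft Defender Antivirus logs" keeps the point that rule events remain reviewable without E5.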
From 6666b6c9e3708340136f5b28b030af299708c05a Mon Sep 17 00:00:00 2001 From: Beth Woodbury <40870842+levinec@users.noreply.github.com> Date: Tue, 9 Feb 2021 15:20:59 -0800 Subject: [PATCH 38/38] Update enable-attack-surface-reduction.md --- .../microsoft-defender-atp/enable-attack-surface-reduction.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md index 9c9a7895af..ecfeae4239 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md 
@@ -33,7 +33,7 @@ Each ASR rule contains one of three settings: - Block: Enable the ASR rule - Audit: Evaluate how the ASR rule would impact your organization if enabled -To use ASR rules, you don't need a Windows E5 license, but it is highly recommended given that a Windows E5 license (or similar licensing SKU) provides the ability to make use of the advanced monitoring and reporting capabilities that are available in [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) (Defender for Endpoint). Advanced monitoring and reporting capabilities aren't available with a Windows Professional or E3 license. For non-Windows E5 licenses, you can develop your own monitoring and reporting tools on top of the events that are generated at each endpoint, when ASR rules are triggered (e.g., Event Forwarding). +It's highly recommended you use ASR rules with a Windows E5 license (or similar licensing SKU) to take advantage of the advanced monitoring and reporting capabilities available in [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) (Defender for Endpoint). However, for other licenses like Windows Professional or E3 that don't have access to advanced monitoring and reporting capabilities, you can develop your own monitoring and reporting tools on top of the events that are generated at each endpoint when ASR rules are triggered (e.g., Event Forwarding). > [!TIP] > To learn more about Windows licensing, see [Windows 10 Licensing](https://www.microsoft.com/licensing/product-licensing/windows10?activetab=windows10-pivot:primaryr5) and get the [Volume Licensing guide for Windows 10](https://download.microsoft.com/download/2/D/1/2D14FE17-66C2-4D4C-AF73-E122930B60F6/Windows-10-Volume-Licensing-Guide.pdf).
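Review bot: The rewritten paragraph after the Block/Audit list drops the explicit statement that ASR rules work without a Windows E5 license. The removed line opened with "To use ASR rules, you don't need a Windows E5 license", while the new text only implies it through "for other licenses like Windows Professional or E3". attack-surface-reduction.md in PATCH 37/38 still says this up front, so suggest keeping a lead clause such as "You don't need a Windows E5 license to use ASR rules, but ..." so the two pages agree. Minor: "It's highly recommended you use" reads better as "It's highly recommended that you use".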
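Review bot: In the earlier @@ -294,7 +294,7 @@ hunk (the Continuum display management list under "Windows 10 Mobile, version 1703"), the replacement line fixes the spelling of "Indiviudally" but lowercases the first word: "- individually adjust screen time-out settings". The sibling bullet directly above it reads "- Individually turn off the monitor or phone screen when not in use", so the new line should start with a capital "Individually" to match the rest of the list.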