Merge branch 'master' into macky-techniques

This commit is contained in:
schmurky 2021-02-10 14:13:57 +08:00
commit b764cf8307
17 changed files with 301 additions and 106 deletions

View File

@ -18,8 +18,8 @@ ms.custom: seo-marvel-apr2020
# What's new in Windows 10 deployment # What's new in Windows 10 deployment
**Applies to** **Applies to:**
- Windows 10 - Windows 10
## In this topic ## In this topic
@ -43,10 +43,10 @@ The [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/
## Microsoft 365 ## Microsoft 365
Microsoft 365 is a new offering from Microsoft that combines Microsoft 365 is a new offering from Microsoft that combines
- Windows 10 - Windows 10
- Office 365 - Office 365
- Enterprise Mobility and Security (EMS). - Enterprise Mobility and Security (EMS).
See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, which now includes a link to download a nifty [M365 Enterprise poster](deploy-m365.md#m365-enterprise-poster). See [Deploy Windows 10 with Microsoft 365](deploy-m365.md) for an overview, which now includes a link to download a nifty [M365 Enterprise poster](deploy-m365.md#m365-enterprise-poster).
@ -61,16 +61,16 @@ Windows PowerShell cmdlets for Delivery Optimization have been improved:
- **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to assist in troubleshooting. - **Enable-DeliveryOptimizationVerboseLogs** is a new cmdlet that enables a greater level of logging detail to assist in troubleshooting.
Additional improvements in [Delivery Optimization](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization) include: Additional improvements in [Delivery Optimization](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization) include:
- Enterprise network [throttling is enhanced](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling. - Enterprise network [throttling is enhanced](https://docs.microsoft.com/windows-insider/archive/new-for-business#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling.
- Automatic cloud-based congestion detection is available for PCs with cloud service support. - Automatic cloud-based congestion detection is available for PCs with cloud service support.
- Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates, and Intune content, with Microsoft Endpoint Manager content coming soon! - Improved peer efficiency for enterprises and educational institutions with complex networks is enabled with [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates and Intune content, with Microsoft Endpoint Manager content coming soon!
The following Delivery Optimization policies are removed in the Windows 10, version 2004 release: The following Delivery Optimization policies are removed in the Windows 10, version 2004 release:
- Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth) - Percentage of Maximum Download Bandwidth (DOPercentageMaxDownloadBandwidth)
- Reason: Replaced with separate policies for foreground and background - Reason: Replaced with separate policies for foreground and background
- Max Upload Bandwidth (DOMaxUploadBandwidth) - Max Upload Bandwidth (DOMaxUploadBandwidth)
- Reason: impacts uploads to internet peers only, which isn't used in Enterprises. - Reason: impacts uploads to internet peers only, which isn't used in enterprises.
- Absolute max throttle (DOMaxDownloadBandwidth) - Absolute max throttle (DOMaxDownloadBandwidth)
- Reason: separated to foreground and background - Reason: separated to foreground and background
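Review bot: The removed-policy list says DOPercentageMaxDownloadBandwidth and DOMaxDownloadBandwidth were replaced by separate foreground and background policies but never names the replacements, so an admin who still has the old settings in Group Policy or MDM cannot tell what to configure instead. Name the replacement policies here or point to the policy-csp-deliveryoptimization page already linked from the "new policies" bullet. While touching these lines, make the three "Reason:" sub-bullets consistent: one starts with a capital ("Replaced"), two do not, and only the DOMaxUploadBandwidth one ends with a period.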
@ -80,10 +80,10 @@ The following Delivery Optimization policies are removed in the Windows 10, vers
- Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy. - Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy.
- Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds. - Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds.
- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. - [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. - [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally. - **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally.
- **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again. - **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again.
- **Improved update notifications**: When there's an update requiring you to restart your device, you'll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar. - **Improved update notifications**: When there's an update requiring you to restart your device, you'll see a colored dot on the Power button in the Start menu and on the Windows icon in your taskbar.
- **Intelligent active hours**: To further enhance active hours, users will now have the option to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns. - **Intelligent active hours**: To further enhance active hours, users will now have the option to let Windows Update intelligently adjust active hours based on their device-specific usage patterns. You must enable the intelligent active hours feature for the system to predict device-specific usage patterns.
- **Improved update orchestration to improve system responsiveness**: This feature will improve system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions. - **Improved update orchestration to improve system responsiveness**: This feature will improve system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions.
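Review bot: The ARSO bullet in this hunk still links to windows-insider/at-work-pro/wip-4-biz-whats-new, while the Delivery Optimization throttling link earlier in the same file was moved from that page to windows-insider/archive/new-for-business in this commit. If the page was archived, this anchor needs the same update or it will break. The "Update rollback improvements" bullet also still reads "Quality of driver updates", which should be "quality or driver updates" to match the sentence before it.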
@ -104,7 +104,7 @@ For more information, see [Windows 10 Enterprise E3 in CSP](windows-10-enterpris
### Windows Autopilot ### Windows Autopilot
[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose and recover devices. [Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) streamlines and automates the process of setting up and configuring new devices, with minimal interaction required from the end user. You can also use Windows Autopilot to reset, repurpose, and recover devices.
With the release of Windows 10, version 2004 you can configure [Windows Autopilot user-driven](https://docs.microsoft.com/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903. With the release of Windows 10, version 2004 you can configure [Windows Autopilot user-driven](https://docs.microsoft.com/windows/deployment/windows-autopilot/user-driven) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903.
@ -116,7 +116,7 @@ The following Windows Autopilot features are available in Windows 10, version 19
- The Intune [enrollment status page](https://docs.microsoft.com/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions. - The Intune [enrollment status page](https://docs.microsoft.com/intune/windows-enrollment-status) (ESP) now tracks Intune Management Extensions.
- [Cortana voiceover](https://docs.microsoft.com/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs. - [Cortana voiceover](https://docs.microsoft.com/windows-hardware/customize/desktop/cortana-voice-support) and speech recognition during OOBE is disabled by default for all Windows 10 Pro Education, and Enterprise SKUs.
- Windows Autopilot is self-updating during OOBE. Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE. - Windows Autopilot is self-updating during OOBE. Starting with the Windows 10, version 1903 Autopilot functional and critical updates will begin downloading automatically during OOBE.
- Windows Autopilot will set the [diagnostics data](https://docs.microsoft.com/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE. - Windows Autopilot will set the [diagnostics data](https://docs.microsoft.com/windows/privacy/windows-diagnostic-data) level to Full on Windows 10 version 1903 and later during OOBE.
### Microsoft Endpoint Configuration Manager ### Microsoft Endpoint Configuration Manager
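Review bot: The Cortana bullet's SKU list, "all Windows 10 Pro Education, and Enterprise SKUs", is ambiguous because the comma placement lets it read either as the Pro Education SKU plus Enterprise, or as Pro, Education, and Enterprise. State the intended list explicitly. The self-updating bullet also needs cleanup: "Starting with the Windows 10, version 1903 Autopilot functional and critical updates" should drop "the" and take a comma after "1903".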
@ -138,11 +138,11 @@ During the upgrade process, Windows Setup will extract all its sources files to
### Upgrade Readiness ### Upgrade Readiness
The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017. The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017.
Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details.
The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled. The development of Upgrade Readiness has been heavily influenced by input from the community; the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.
For more information about Upgrade Readiness, see the following topics: For more information about Upgrade Readiness, see the following topics:
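Review bot: The sentence fixed here with a semicolon still names the product "Operation Management Suite (OMS)"; the product name is Operations Management Suite. Since the line is already being edited, correct the name and consider rewording "The development of ... ; the development of new features is ongoing" so that "the development of" is not repeated.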
@ -164,7 +164,7 @@ Device Health is the newest Windows Analytics solution that complements the exis
### MBR2GPT ### MBR2GPT
MBR2GPT.EXE converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. Previously, it was necessary to image, then wipe and reload a disk to change from MBR format to GPT. MBR2GPT.EXE converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. Previously, it was necessary to image, then wipe and reload a disk to change from MBR format to GPT.
There are many benefits to converting the partition style of a disk to GPT, including the use of larger disk partitions, added data reliability, and faster boot and shutdown speeds. The GPT format also enables you to use the Unified Extensible Firmware Interface (UEFI) which replaces the Basic Input/Output System (BIOS) firmware interface. Security features of Windows 10 that require UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock. There are many benefits to converting the partition style of a disk to GPT, including the use of larger disk partitions, added data reliability, and faster boot and shutdown speeds. The GPT format also enables you to use the Unified Extensible Firmware Interface (UEFI) which replaces the Basic Input/Output System (BIOS) firmware interface. Security features of Windows 10 that require UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock.
@ -183,14 +183,14 @@ The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can
Download the Windows ADK and Windows PE add-on for Windows 10, version 2004 [here](https://docs.microsoft.com/windows-hardware/get-started/adk-install). Download the Windows ADK and Windows PE add-on for Windows 10, version 2004 [here](https://docs.microsoft.com/windows-hardware/get-started/adk-install).
For information about what's new in the ADK, see [What's new in the Windows ADK for Windows 10, version 2004](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-2004). For information about what's new in the ADK, see [What's new in the Windows ADK for Windows 10, version 2004](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-2004).
Also see [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md). Also see [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md).
## Testing and validation guidance ## Testing and validation guidance
### Windows 10 deployment proof of concept (PoC) ### Windows 10 deployment proof of concept (PoC)
The Windows 10 PoC guide enables you to test Windows 10 deployment in a virtual environment and become familiar with deployment tools such as MDT and Configuration Manager. The PoC guide provides step-by-step instructions for installing and using Hyper-V to create a virtual lab environment. The guide makes extensive use of Windows PowerShell to streamline each phase of the installation and setup. The Windows 10 PoC guide enables you to test Windows 10 deployment in a virtual environment and become familiar with deployment tools such as MDT and Configuration Manager. The PoC guide provides step-by-step instructions for installing and using Hyper-V to create a virtual lab environment. The guide makes extensive use of Windows PowerShell to streamline each phase of the installation and setup.
For more information, see the following guides: For more information, see the following guides:

View File

@ -83,6 +83,9 @@ The following figure illustrates how deploying Windows 10 has evolved with each
> [!NOTE] > [!NOTE]
> The following requirements do not apply to general Windows 10 activation on Azure. Azure activation requires a connection to Azure KMS only, and supports workgroup, Hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure Virtual Machines](https://docs.microsoft.com/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems#understanding-azure-kms-endpoints-for-windows-product-activation-of-azure-virtual-machines). > The following requirements do not apply to general Windows 10 activation on Azure. Azure activation requires a connection to Azure KMS only, and supports workgroup, Hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure Virtual Machines](https://docs.microsoft.com/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems#understanding-azure-kms-endpoints-for-windows-product-activation-of-azure-virtual-machines).
> [!NOTE]
> Currently, Subscription Activation is only available on commercial tenants and is not currently available on US GCC or GCC High tenants.
For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following: For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following:
- Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded. - Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded.
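Review bot: The added note uses "currently" twice in one sentence ("Currently, Subscription Activation is only available ... and is not currently available ..."). Suggest "Subscription Activation is currently available only on commercial tenants, not on US GCC or GCC High tenants." Also confirm that a blank line separates this note from the preceding [!NOTE] block so the two render as distinct callouts.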

View File

@ -537,7 +537,8 @@
####### [Alert methods and properties](microsoft-defender-atp/alerts.md) ####### [Alert methods and properties](microsoft-defender-atp/alerts.md)
####### [List alerts](microsoft-defender-atp/get-alerts.md) ####### [List alerts](microsoft-defender-atp/get-alerts.md)
####### [Create alert](microsoft-defender-atp/create-alert-by-reference.md) ####### [Create alert](microsoft-defender-atp/create-alert-by-reference.md)
####### [Update Alert](microsoft-defender-atp/update-alert.md) ####### [Update alert](microsoft-defender-atp/update-alert.md)
####### [Batch update alert](microsoft-defender-atp/batch-update-alerts.md)
####### [Get alert information by ID](microsoft-defender-atp/get-alert-info-by-id.md) ####### [Get alert information by ID](microsoft-defender-atp/get-alert-info-by-id.md)
####### [Get alert related domains information](microsoft-defender-atp/get-alert-related-domain-info.md) ####### [Get alert related domains information](microsoft-defender-atp/get-alert-related-domain-info.md)
####### [Get alert related file information](microsoft-defender-atp/get-alert-related-files-info.md) ####### [Get alert related file information](microsoft-defender-atp/get-alert-related-files-info.md)
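Review bot: The new TOC entry is labelled "Batch update alert" (singular), but it points to batch-update-alerts.md, and both the new page heading and the methods table in alerts.md use "Batch update alerts". Use the plural here so the navigation label matches the page it opens.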

View File

@ -81,24 +81,24 @@ We've redefined the alert categories to align to the [enterprise attack tactics]
The table below lists the current categories and how they generally map to previous categories. The table below lists the current categories and how they generally map to previous categories.
| New category | Previous categories | Detected threat activity or component | | New category | API category name | Detected threat activity or component |
|----------------------|----------------------|-------------| |----------------------|---------------------|-----------------------------------------------------------------------------------------------------------------------------------------|
| Collection | - | Locating and collecting data for exfiltration | | Collection | Collection | Locating and collecting data for exfiltration |
| Command and control | CommandAndControl | Connecting to attacker-controlled network infrastructure to relay data or receive commands | | Command and control | CommandAndControl | Connecting to attacker-controlled network infrastructure to relay data or receive commands |
| Credential access | CredentialTheft | Obtaining valid credentials to extend control over devices and other resources in the network | | Credential access | CredentialAccess | Obtaining valid credentials to extend control over devices and other resources in the network |
| Defense evasion | - | Avoiding security controls by, for example, turning off security apps, deleting implants, and running rootkits | | Defense evasion | DefenseEvasion | Avoiding security controls by, for example, turning off security apps, deleting implants, and running rootkits |
| Discovery | Reconnaissance, WebFingerprinting | Gathering information about important devices and resources, such as administrator computers, domain controllers, and file servers | | Discovery | Discovery | Gathering information about important devices and resources, such as administrator computers, domain controllers, and file servers |
| Execution | Delivery, MalwareDownload | Launching attacker tools and malicious code, including RATs and backdoors | | Execution | Execution | Launching attacker tools and malicious code, including RATs and backdoors |
| Exfiltration | Exfiltration | Extracting data from the network to an external, attacker-controlled location | | Exfiltration | Exfiltration | Extracting data from the network to an external, attacker-controlled location |
| Exploit | Exploit | Exploit code and possible exploitation activity | | Exploit | Exploit | Exploit code and possible exploitation activity |
| Initial access | SocialEngineering, WebExploit, DocumentExploit | Gaining initial entry to the target network, usually involving password-guessing, exploits, or phishing emails | | Initial access | InitialAccess | Gaining initial entry to the target network, usually involving password-guessing, exploits, or phishing emails |
| Lateral movement | LateralMovement, NetworkPropagation | Moving between devices in the target network to reach critical resources or gain network persistence | | Lateral movement | LateralMovement | Moving between devices in the target network to reach critical resources or gain network persistence |
| Malware | Malware, Backdoor, Trojan, TrojanDownloader, CredentialStealing, Weaponization, RemoteAccessTool | Backdoors, trojans, and other types of malicious code | | Malware | Malware | Backdoors, trojans, and other types of malicious code |
| Persistence | Installation, Persistence | Creating autostart extensibility points (ASEPs) to remain active and survive system restarts | | Persistence | Persistence | Creating autostart extensibility points (ASEPs) to remain active and survive system restarts |
| Privilege escalation | PrivilegeEscalation | Obtaining higher permission levels for code by running it in the context of a privileged process or account | | Privilege escalation | PrivilegeEscalation | Obtaining higher permission levels for code by running it in the context of a privileged process or account |
| Ransomware | Ransomware | Malware that encrypts files and extorts payment to restore access | | Ransomware | Ransomware | Malware that encrypts files and extorts payment to restore access |
| Suspicious activity | General, None, NotApplicable, EnterprisePolicy, SuspiciousNetworkTraffic | Atypical activity that could be malware activity or part of an attack | | Suspicious activity | SuspiciousActivity | Atypical activity that could be malware activity or part of an attack |
| Unwanted software | UnwantedSoftware | Low-reputation apps and apps that impact productivity and the user experience; detected as potentially unwanted applications (PUAs) | | Unwanted software | UnwantedSoftware | Low-reputation apps and apps that impact productivity and the user experience; detected as potentially unwanted applications (PUAs) |
### Status ### Status
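Review bot: The middle column is renamed from "Previous categories" to "API category name", yet the unchanged lead-in above the table still says it lists "the current categories and how they generally map to previous categories". Update that sentence to describe the API names. Dropping the old values (for example CredentialTheft, Reconnaissance, SocialEngineering) also removes the only mapping on this page for anyone whose SIEM rules or saved queries still filter on them, so consider keeping the previous categories in a fourth column or linking to where the mapping now lives.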
@ -124,6 +124,22 @@ Select the source that triggered the alert detection. Microsoft Threat Experts p
>[!NOTE] >[!NOTE]
>The Antivirus filter will only appear if devices are using Microsoft Defender Antivirus as the default real-time protection antimalware product. >The Antivirus filter will only appear if devices are using Microsoft Defender Antivirus as the default real-time protection antimalware product.
| Detection source | API value |
|-----------------------------------|----------------------------|
| 3rd party sensors | ThirdPartySensors |
| Antivirus | WindowsDefenderAv |
| Automated investigation | AutomatedInvestigation |
| Custom detection | CustomDetection |
| Custom TI | CustomerTI |
| EDR | WindowsDefenderAtp |
| Microsoft 365 Defender | MTP |
| Microsoft Defender for Office 365 | OfficeATP |
| Microsoft Threat Experts | ThreatExperts |
| SmartScreen | WindowsDefenderSmartScreen |
### OS platform ### OS platform
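Review bot: The new detection source table is inserted directly after the Antivirus note with no sentence saying what the "API value" column is for or which alert property carries it. Add a one-line lead-in before the table. Also confirm that "Custom TI" really maps to `CustomerTI` and not `CustomTI`; if the spelling is intentional it is worth a short remark, because readers will otherwise assume a typo. "3rd party sensors" would read better as "Third-party sensors", matching the API value ThirdPartySensors.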

View File

@ -38,6 +38,7 @@ Method |Return Type |Description
[Get alert](get-alert-info-by-id.md) | [Alert](alerts.md) | Get a single [alert](alerts.md) object. [Get alert](get-alert-info-by-id.md) | [Alert](alerts.md) | Get a single [alert](alerts.md) object.
[List alerts](get-alerts.md) | [Alert](alerts.md) collection | List [alert](alerts.md) collection. [List alerts](get-alerts.md) | [Alert](alerts.md) collection | List [alert](alerts.md) collection.
[Update alert](update-alert.md) | [Alert](alerts.md) | Update specific [alert](alerts.md). [Update alert](update-alert.md) | [Alert](alerts.md) | Update specific [alert](alerts.md).
[Batch update alerts](batch-update-alerts.md) | | Update a batch of [alerts](alerts.md).
[Create alert](create-alert-by-reference.md)|[Alert](alerts.md)|Create an alert based on event data obtained from [Advanced Hunting](run-advanced-query-api.md). [Create alert](create-alert-by-reference.md)|[Alert](alerts.md)|Create an alert based on event data obtained from [Advanced Hunting](run-advanced-query-api.md).
[List related domains](get-alert-related-domain-info.md)|Domain collection| List URLs associated with the alert. [List related domains](get-alert-related-domain-info.md)|Domain collection| List URLs associated with the alert.
[List related files](get-alert-related-files-info.md) | [File](files.md) collection | List the [file](files.md) entities that are associated with the [alert](alerts.md). [List related files](get-alert-related-files-info.md) | [File](files.md) collection | List the [file](files.md) entities that are associated with the [alert](alerts.md).
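Review bot: The "Batch update alerts" row leaves the Return Type cell empty, while every other row in the table fills it. State what the call returns (or that it returns no content) so API consumers know whether to expect a body to parse, and keep the wording aligned with the response section of batch-update-alerts.md.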

View File

@ -107,7 +107,7 @@ You can set attack surface reduction rules for devices that are running any of t
- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later - Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
To use the entire feature-set of attack surface reduction rules, you need a [Windows 10 Enterprise license](https://www.microsoft.com/licensing/product-licensing/windows10). With a [Windows E5 license](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses), you get advanced management capabilities including monitoring, analytics, and workflows available in [Defender for Endpoint](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the [Microsoft 365 security center](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center). These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events. Although attack surface reduction rules don't require a [Windows E5 license](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses), if you have Windows E5, you get advanced management capabilities. These capabilities available only in Windows E5 include monitoring, analytics, and workflows available in [Defender for Endpoint](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the [Microsoft 365 security center](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center). These advanced capabilities aren't available with a Windows Professional or Windows E3 license; however, if you do have those licenses, you can use Event Viewer and Microsoft Defender Antivirus logs to review your attack surface reduction rule events.
## Review attack surface reduction events in the Microsoft Defender Security Center ## Review attack surface reduction events in the Microsoft Defender Security Center
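Review bot: the replacement licensing paragraph never says which license is needed to use attack surface reduction rules at all; it only says E5 is not required and then lists what Windows Professional and E3 lack. The removed text named a Windows 10 Enterprise license for the full feature set, so the new wording should state the minimum just as explicitly. The first two new sentences also repeat each other ("you get advanced management capabilities. These capabilities available only in Windows E5 include ...") and can be merged into one.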

View File

@ -0,0 +1,108 @@
---
title: Batch Update alert entities API
description: Learn how to update Microsoft Defender for Endpoint alerts in a batch by using this API. You can update the status, determination, classification, and assignedTo properties.
keywords: apis, graph api, supported apis, get, alert, information, id
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.technology: mde
---
# Batch update alerts
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)]
[!include[Improve request performance](../../includes/improve-request-performance.md)]
## API description
Updates properties of a batch of existing [Alerts](alerts.md).
<br>Submission of **comment** is available with or without updating properties.
<br>Updatable properties are: `status`, `determination`, `classification` and `assignedTo`.
## Limitations
1. You can update alerts that are available in the API. See [List Alerts](get-alerts.md) for more information.
2. Rate limitations for this API are 10 calls per minute and 500 calls per hour.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---
Application | Alerts.ReadWrite.All | 'Read and write all alerts'
Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'Alerts investigation' (See [Create and manage roles](user-roles.md) for more information)
>- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
```http
POST /api/alerts/batchUpdate
```
## Request headers
Name | Type | Description
:---|:---|:---
Authorization | String | Bearer {token}. **Required**.
Content-Type | String | application/json. **Required**.
## Request body
In the request body, supply the IDs of the alerts to be updated and the values of the relevant fields that you wish to update for these alerts.
<br>Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values.
<br>For best performance you shouldn't include existing values that haven't changed.
Property | Type | Description
:---|:---|:---
alertIds | List&lt;String&gt;| A list of the IDs of the alerts to be updated. **Required**
status | String | Specifies the updated status of the specified alerts. The property values are: 'New', 'InProgress' and 'Resolved'.
assignedTo | String | Owner of the specified alerts
classification | String | Specifies the specification of the specified alerts. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'.
determination | String | Specifies the determination of the specified alerts. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'
comment | String | Comment to be added to the specified alerts.
## Response
If successful, this method returns 200 OK, with an empty response body.
## Example
**Request**
Here is an example of the request.
```http
POST https://api.securitycenter.microsoft.com/api/alerts/batchUpdate
```
```json
{
"alertIds": ["da637399794050273582_760707377", "da637399989469816469_51697947354"],
"status": "Resolved",
"assignedTo": "secop2@contoso.com",
"classification": "FalsePositive",
"determination": "Malware",
"comment": "Resolve my alert and assign to secop2"
}
```
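Review bot: the permissions table names the application permission `Alerts.ReadWrite.All` but the delegated one `Alert.ReadWrite`; one of the two prefixes looks like a typo, and a wrong scope name in a reference page sends readers looking for a permission they cannot find when granting consent, so check both against the names the API exposes. In the request body table, the `classification` row reads "Specifies the specification of the specified alerts" and should say classification. The example body pairs `"classification": "FalsePositive"` with `"determination": "Malware"`, which contradicts itself; use values that agree. The Response section documents only 200 OK, so say what comes back when an ID in `alertIds` is unknown or the caller has no access to the device, and whether the batch can be applied partially. The `keywords` front matter (get, alert, information, id) reads as copied from a read API page.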

View File

@ -27,8 +27,6 @@ ms.technology: mde
**Applies to:** **Applies to:**
- Virtual desktop infrastructure (VDI) devices - Virtual desktop infrastructure (VDI) devices
>[!WARNING]
> Microsoft Defender for Endpoint support for Windows Virtual Desktop multi-user scenarios is currently in Preview and limited up to 25 concurrent sessions per host/VM. However single session scenarios on Windows Virtual Desktop are fully supported.
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configvdi-abovefoldlink) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configvdi-abovefoldlink)
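Review bot: this removes the warning that Windows Virtual Desktop multi-user support is in Preview and limited to 25 concurrent sessions per host/VM, and puts nothing in its place. If the limit has been lifted, a one-line statement of the current support level would keep readers from sizing VDI hosts on the old figure; if it has not, the warning should stay.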

View File

@ -33,7 +33,7 @@ Each ASR rule contains one of three settings:
- Block: Enable the ASR rule - Block: Enable the ASR rule
- Audit: Evaluate how the ASR rule would impact your organization if enabled - Audit: Evaluate how the ASR rule would impact your organization if enabled
To use ASR rules, you must have either a Windows 10 Enterprise E3 or E5 license. We recommend E5 licenses so you can take advantage of the advanced monitoring and reporting capabilities that are available in [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) (Defender for Endpoint). Advanced monitoring and reporting capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules. It's highly recommended you use ASR rules with a Windows E5 license (or similar licensing SKU) to take advantage of the advanced monitoring and reporting capabilities available in [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) (Defender for Endpoint). However, for other licenses like Windows Professional or E3 that don't have access to advanced monitoring and reporting capabilities, you can develop your own monitoring and reporting tools on top of the events that are generated at each endpoint when ASR rules are triggered (e.g., Event Forwarding).
> [!TIP] > [!TIP]
> To learn more about Windows licensing, see [Windows 10 Licensing](https://www.microsoft.com/licensing/product-licensing/windows10?activetab=windows10-pivot:primaryr5) and get the [Volume Licensing guide for Windows 10](https://download.microsoft.com/download/2/D/1/2D14FE17-66C2-4D4C-AF73-E122930B60F6/Windows-10-Volume-Licensing-Guide.pdf). > To learn more about Windows licensing, see [Windows 10 Licensing](https://www.microsoft.com/licensing/product-licensing/windows10?activetab=windows10-pivot:primaryr5) and get the [Volume Licensing guide for Windows 10](https://download.microsoft.com/download/2/D/1/2D14FE17-66C2-4D4C-AF73-E122930B60F6/Windows-10-Volume-Licensing-Guide.pdf).
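Review bot: the rewritten paragraph turns a requirement ("you must have either a Windows 10 Enterprise E3 or E5 license") into a recommendation and no longer states a minimum, while "or similar licensing SKU" leaves the reader guessing which SKUs qualify; name them or link to the list. The trailing "(e.g., Event Forwarding)" sits after "when ASR rules are triggered", where it reads as an example of a trigger; move it next to "monitoring and reporting tools", which is what it illustrates.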

View File

@ -41,6 +41,7 @@ This article describes how to deploy Microsoft Defender for Endpoint for Linux m
- [Application installation](#application-installation) - [Application installation](#application-installation)
- [Download the onboarding package](#download-the-onboarding-package) - [Download the onboarding package](#download-the-onboarding-package)
- [Client configuration](#client-configuration) - [Client configuration](#client-configuration)
- [Installer script](#installer-script)
- [Log installation issues](#log-installation-issues) - [Log installation issues](#log-installation-issues)
- [Operating system upgrades](#operating-system-upgrades) - [Operating system upgrades](#operating-system-upgrades)
- [Uninstallation](#uninstallation) - [Uninstallation](#uninstallation)
@ -343,6 +344,31 @@ Download the onboarding package from Microsoft Defender Security Center:
mdatp threat list mdatp threat list
``` ```
## Installer script
Alternatively, you can use an automated [installer bash script](https://github.com/microsoft/mdatp-xplat/blob/master/linux/installation/mde_installer.sh) provided in our [public GitHub repository](https://github.com/microsoft/mdatp-xplat/).
The script identifies the distribution and version, and sets up the device to pull the latest package and install it.
You can also onboard with a provided script.
```bash
./mde_installer.sh --help
usage: basename ./mde_installer.sh [OPTIONS]
Options:
-c|--channel specify the channel from which you want to install. Default: insiders-fast
-i|--install install the product
-r|--remove remove the product
-u|--upgrade upgrade the existing product
-o|--onboard onboard/offboard the product with <onboarding_script>
-p|--passive-mode set EPP to passive mode
-t|--tag set a tag by declaring <name> and <value>. ex: -t GROUP Coders
-m|--min_req enforce minimum requirements
-w|--clean remove repo from package manager for a specific channel
-v|--version print out script version
-h|--help display help
```
Read more [here](https://github.com/microsoft/mdatp-xplat/tree/master/linux/installation).
## Log installation issues ## Log installation issues
See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs. See [Log installation issues](linux-resources.md#log-installation-issues) for more information on how to find the automatically generated log that is created by the installer when an error occurs.
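Review bot: the pasted help text shows `Default: insiders-fast` for `-c|--channel`, so a reader who runs the script with only `-i` installs from an insiders channel; the section should say so and show an install command with the channel given explicitly. The usage line `usage: basename ./mde_installer.sh [OPTIONS]` contains a literal "basename", which looks like an unexpanded command in the script's usage string and is better fixed in the script than copied into the docs. "You can also onboard with a provided script" does not say which script the `-o|--onboard` option expects, and "Read more [here]" would be clearer with descriptive link text. The block is tagged `bash` but is mostly program output.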

View File

@ -30,7 +30,11 @@ ms.technology: mde
> [!IMPORTANT] > [!IMPORTANT]
> Support for macOS 10.13 (High Sierra) will be discontinued on February 15th, 2021. > Support for macOS 10.13 (High Sierra) will be discontinued on February 15th, 2021.
## 101.19.48 ## 101.19.88 (20.121011.11988.0)
- Performance improvements & bug fixes
## 101.19.48 (20.120121.11948.0)
> [!NOTE] > [!NOTE]
> The old command-line tool syntax has been deprecated with this release. For information on the new syntax, see [Resources](mac-resources.md#configuring-from-the-command-line). > The old command-line tool syntax has been deprecated with this release. For information on the new syntax, see [Resources](mac-resources.md#configuring-from-the-command-line).
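Review bot: in the new heading `## 101.19.88 (20.121011.11988.0)` the middle field `121011` does not follow the shape of the other build strings added to this file (`120121`, `120101`, `120102`); please confirm it against the shipped package in case digits were transposed.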
@ -38,17 +42,17 @@ ms.technology: mde
- Added a new command-line switch to disable the network extension: `mdatp system-extension network-filter disable`. This command can be useful to troubleshoot networking issues that could be related to Microsoft Defender for Endpoint for Mac - Added a new command-line switch to disable the network extension: `mdatp system-extension network-filter disable`. This command can be useful to troubleshoot networking issues that could be related to Microsoft Defender for Endpoint for Mac
- Performance improvements & bug fixes - Performance improvements & bug fixes
## 101.19.21 ## 101.19.21 (20.120101.11921.0)
- Bug fixes - Bug fixes
## 101.15.26 ## 101.15.26 (20.120102.11526.0)
- Improved the reliability of the agent when running on macOS 11 Big Sur - Improved the reliability of the agent when running on macOS 11 Big Sur
- Added a new command-line switch (`--ignore-exclusions`) to ignore AV exclusions during custom scans (`mdatp scan custom`) - Added a new command-line switch (`--ignore-exclusions`) to ignore AV exclusions during custom scans (`mdatp scan custom`)
- Performance improvements & bug fixes - Performance improvements & bug fixes
## 101.13.75 ## 101.13.75 (20.120101.11375.0)
- Removed conditions when Microsoft Defender for Endpoint was triggering a macOS 11 (Big Sur) bug that manifests into a kernel panic - Removed conditions when Microsoft Defender for Endpoint was triggering a macOS 11 (Big Sur) bug that manifests into a kernel panic
- Fixed a memory leak in the Endpoint Security system extension when running on mac 11 (Big Sur) - Fixed a memory leak in the Endpoint Security system extension when running on mac 11 (Big Sur)

View File

@ -1,12 +0,0 @@
# [What's new in Windows 10](index.md)
## [What's new in Windows 10, version 20H2](whats-new-windows-10-version-20H2.md)
## [What's new in Windows 10, version 2004](whats-new-windows-10-version-2004.md)
## [What's new in Windows 10, version 1909](whats-new-windows-10-version-1909.md)
## [What's new in Windows 10, version 1903](whats-new-windows-10-version-1903.md)
## [What's new in Windows 10, version 1809](whats-new-windows-10-version-1809.md)
## [What's new in Windows 10, version 1803](whats-new-windows-10-version-1803.md)
## Previous versions
### [What's new in Windows 10, version 1709](whats-new-windows-10-version-1709.md)
### [What's new in Windows 10, version 1703](whats-new-windows-10-version-1703.md)
### [What's new in Windows 10, version 1607](whats-new-windows-10-version-1607.md)
### [What's new in Windows 10, versions 1507 and 1511](whats-new-windows-10-version-1507-and-1511.md)

24
windows/whats-new/TOC.yml Normal file
View File

@ -0,0 +1,24 @@
- name: What's new in Windows 10
href: index.yml
- name: What's new in Windows 10, version 20H2
href: whats-new-windows-10-version-20H2.md
- name: What's new in Windows 10, version 2004
href: whats-new-windows-10-version-2004.md
- name: What's new in Windows 10, version 1909
href: whats-new-windows-10-version-1909.md
- name: What's new in Windows 10, version 1903
href: whats-new-windows-10-version-1903.md
- name: What's new in Windows 10, version 1809
href: whats-new-windows-10-version-1809.md
- name: What's new in Windows 10, version 1803
href: whats-new-windows-10-version-1803.md
- name: Previous versions
items:
- name: What's new in Windows 10, version 1709
href: whats-new-windows-10-version-1709.md
- name: What's new in Windows 10, version 1703
href: whats-new-windows-10-version-1703.md
- name: What's new in Windows 10, version 1607
href: whats-new-windows-10-version-1607.md
- name: What's new in Windows 10, versions 1507 and 1511
href: whats-new-windows-10-version-1507-and-1511.md

View File

@ -3,7 +3,8 @@
"content": [ "content": [
{ {
"files": [ "files": [
"**/*.md" "**/*.md",
"**/*.yml"
], ],
"exclude": [ "exclude": [
"**/obj/**", "**/obj/**",

View File

@ -1,43 +0,0 @@
---
title: What's new in Windows 10 (Windows 10)
description: Learn about new features in Windows 10 for IT professionals, such as Windows Information Protection, Windows Hello, Device Guard, and more.
ms.assetid: F1867017-76A1-4761-A200-7450B96AEF44
keywords: ["What's new in Windows 10", "Windows 10"]
ms.prod: w10
audience: itpro
author: greg-lindsay
ms.author: greglin
manager: laurawi
ms.localizationpriority: high
ms.topic: article
---
# What's new in Windows 10
Windows 10 provides IT professionals with advanced protection against modern security threats and comprehensive management and control over devices and apps, as well as flexible deployment, update, and support options. Learn about new features in Windows 10 for IT professionals, such as Windows Information Protection, Windows Hello, Device Guard, and more.
## In this section
- [What's new in Windows 10, version 20H2](whats-new-windows-10-version-20H2.md)
- [What's new in Windows 10, version 2004](whats-new-windows-10-version-2004.md)
- [What's new in Windows 10, version 1909](whats-new-windows-10-version-1909.md)
- [What's new in Windows 10, version 1903](whats-new-windows-10-version-1903.md)
- [What's new in Windows 10, version 1809](whats-new-windows-10-version-1809.md)
- [What's new in Windows 10, version 1803](whats-new-windows-10-version-1803.md)
## Learn more
- [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information/)
- [Windows 10 release health dashboard](https://docs.microsoft.com/windows/release-health/status-windows-10-2004)
- [Windows 10 update history](https://support.microsoft.com/help/4555932/windows-10-update-history)
- [Whats new for business in Windows 10 Insider Preview Builds](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new)
- [Windows 10 features were no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features)
- [Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features)
- [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkId=690485)
## See also
[Windows 10 Enterprise LTSC](ltsc/index.md)<br>
[Edit an existing topic using the Edit link](contribute-to-a-topic.md)

View File

@ -0,0 +1,68 @@
### YamlMime:Landing
title: Windows 10 deployment resources and documentation # < 60 chars
summary: Learn about deploying and keeping Windows 10 up to date. # < 160 chars
metadata:
title: Windows 10 deployment resources and documentation # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Learn about deploying Windows 10 and keeping it up to date in your organization. # Required; article description that is displayed in search results. < 160 chars.
services: windows-10
ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
ms.subservice: subservice
ms.topic: landing-page # Required
ms.collection: windows-10
author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
ms.author: greglin #Required; microsoft alias of author; optional team alias.
ms.date: 02/09/2021 #Required; mm/dd/yyyy format.
localization_priority: medium
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
landingContent:
# Cards and links should be based on top customer tasks or top subjects
# Start card title with a verb
# Card (optional)
- title: What's new in Windows 10
linkLists:
- linkListType: overview
links:
- text: What's new in Windows 10, version 20H2
url: whats-new-windows-10-version-20H2.md
- text: What's new in Windows 10, version 2004
url: whats-new-windows-10-version-2004.md
- text: What's new in Windows 10, version 1909
url: whats-new-windows-10-version-1909.md
- text: What's new in Windows 10, version 1903
url: whats-new-windows-10-version-1903.md
- text: What's new in Windows 10, version 1809
url: whats-new-windows-10-version-1809.md
- text: What's new in Windows 10, version 1803
url: whats-new-windows-10-version-1803.md
# Card (optional)
- title: Learn more
linkLists:
- linkListType: overview
links:
- text: Windows 10 release information
url: https://docs.microsoft.com/en-us/windows/release-health/release-information
- text: Windows 10 release health dashboard
url: https://docs.microsoft.com/windows/release-information/
- text: Windows 10 update history
url: https://support.microsoft.com/topic/windows-10-update-history-7dd3071a-3906-fa2c-c342-f7f86728a6e3
- text: Windows 10 features were no longer developing
url: https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features
- text: Features and functionality removed in Windows 10
url: https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features
- text: Compare Windows 10 Editions
url: https://go.microsoft.com/fwlink/p/?LinkId=690485
# Card (optional)
- title: See also
linkLists:
- linkListType: overview
links:
- text: Windows 10 Enterprise LTSC
url: ltsc/index.md
- text: Edit an existing topic using the Edit link
url: contribute-to-a-topic.md
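Review bot: the `title`, `summary` and `metadata` fields at the top of this new landing file describe a different page ("Windows 10 deployment resources and documentation", "Learn about deploying and keeping Windows 10 up to date"), while the file replaces the "What's new in Windows 10" index whose description was about new features for IT professionals; carry the old title and description over. `ms.subservice: subservice` looks like an unfilled template value. In the "Learn more" card, the "Windows 10 release health dashboard" entry now points at `https://docs.microsoft.com/windows/release-information/` rather than a release-health URL, the "Windows 10 release information" URL hard-codes `/en-us/` unlike its neighbours, the Insider Preview link from the deleted index.md has been dropped without mention, and "Windows 10 features were no longer developing" carries over the "were" for "we're" typo.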

View File

@ -18,7 +18,7 @@ ms.topic: article
Below is a list of some of what's new in Information Technology (IT) pro features in Windows 10, version 1703 (also known as the Creators Update). Below is a list of some of what's new in Information Technology (IT) pro features in Windows 10, version 1703 (also known as the Creators Update).
For more general info about Windows 10 features, see [Features available only on Windows 10](https://www.microsoft.com/windows/features). For info about previous versions of Windows 10, see [What's New in Windows 10](index.md). Also see this blog post: [Whats new for IT pros in the Windows 10 Creators Update](https://blogs.technet.microsoft.com/windowsitpro/2017/04/05/whats-new-for-it-pros-in-the-windows-10-creators-update/). For more general info about Windows 10 features, see [Features available only on Windows 10](https://www.microsoft.com/windows/features). For info about previous versions of Windows 10, see [What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/). Also see this blog post: [Whats new for IT pros in the Windows 10 Creators Update](https://blogs.technet.microsoft.com/windowsitpro/2017/04/05/whats-new-for-it-pros-in-the-windows-10-creators-update/).
>[!NOTE] >[!NOTE]
>Windows 10, version 1703 contains all fixes included in previous cumulative updates to Windows 10, version 1607. For info about each version, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info). For a list of removed features, see [Features that are removed or deprecated in Windows 10 Creators Update](https://support.microsoft.com/help/4014193/features-that-are-removed-or-deprecated-in-windows-10-creators-update). >Windows 10, version 1703 contains all fixes included in previous cumulative updates to Windows 10, version 1607. For info about each version, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info). For a list of removed features, see [Features that are removed or deprecated in Windows 10 Creators Update](https://support.microsoft.com/help/4014193/features-that-are-removed-or-deprecated-in-windows-10-creators-update).
@ -186,7 +186,7 @@ You can also now collect your audit event logs by using the Reporting configurat
The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates). The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates).
Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details. Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferral periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details.
### Windows Insider for Business ### Windows Insider for Business
@ -252,13 +252,13 @@ For more info, see [Implement server-side support for mobile application managem
In Windows 10, version 1703, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](https://www.microsoft.com/download/details.aspx?id=44226) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost. In Windows 10, version 1703, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](https://www.microsoft.com/download/details.aspx?id=44226) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost.
### Application Virtualization for Windows (App-V) ### Application Virtualization for Windows (App-V)
Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart. Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10, version 1703 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically clean up your unpublished packages after a device restart.
For more info, see the following topics: For more info, see the following topics:
- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-provision-a-vm) - [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-provision-a-vm)
- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-sequencing) - [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-sequencing)
- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-updating) - [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-updating)
- [Automatically cleanup unpublished packages on the App-V client](/windows/application-management/app-v/appv-auto-clean-unpublished-packages) - [Automatically clean up unpublished packages on the App-V client](/windows/application-management/app-v/appv-auto-clean-unpublished-packages)
### Windows diagnostic data ### Windows diagnostic data
@ -294,7 +294,7 @@ Windows 10 Mobile, version 1703 also includes the following enhancements:
- OTC update tool - OTC update tool
- Continuum display management - Continuum display management
- Individually turn off the monitor or phone screen when not in use - Individually turn off the monitor or phone screen when not in use
- Indiviudally adjust screen time-out settings - individually adjust screen time-out settings
- Continuum docking solutions - Continuum docking solutions
- Set Ethernet port properties - Set Ethernet port properties
- Set proxy properties for the Ethernet port - Set proxy properties for the Ethernet port
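Review bot: the spelling fix on the "adjust screen time-out settings" item also lowercases its first letter ("individually"), which no longer matches the sibling item "Individually turn off the monitor or phone screen when not in use"; keep the capital I.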