Merge pull request #951 from MicrosoftDocs/public

public to master

devices/surface-hub/surface-hub-2s-account.md

@@ -90,5 +90,5 @@ Import-Module LyncOnlineConnector
 $SfBSession = New-CsOnlineSession -Credential (Get-Credential)
 Import-PSSession $SfBSession -AllowClobber
 Enable the Skype for Business meeting room
-Enable-CsMeetingRoom -Identity account@YourDomain.com -RegistrarPoo(Get-CsTenant).Registrarpool -SipAddressType EmailAddress
+Enable-CsMeetingRoom -Identity account@YourDomain.com -RegistrarPool(Get-CsTenant).Registrarpool -SipAddressType EmailAddress
 ```

windows/client-management/mdm/applocker-csp.md

@@ -17,14 +17,6 @@ ms.date: 07/25/2019
 
 The AppLocker configuration service provider is used to specify which applications are allowed or disallowed. There is no user interface shown for apps that are blocked.
 
-> **Note**  
-> When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need.
->
-> In Windows 10 Mobile, when you create a list of allowed apps, the [settings app that rely on splash apps](#settingssplashapps) are blocked. To unblock these apps, you must include them in your list of allowed apps.
->
-> Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there is no requirement on the exact value of the node.
-
-
 The following diagram shows the AppLocker configuration service provider in tree format.
 
 ![applocker csp](images/provisioning-csp-applocker.png)
@@ -39,6 +31,9 @@ Defines restrictions for applications.
 > When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need.
 >
 > In Windows 10 Mobile, when you create a list of allowed apps, the [settings app that rely on splash apps](#settingssplashapps) are blocked. To unblock these apps, you must include them in your list of allowed apps.
+>
+> Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there is no requirement on the exact value of the node.
+
 
 Additional information:
 
@@ -363,7 +358,8 @@ The product name is first part of the PackageFullName followed by the version nu
 
 The following list shows the apps that may be included in the inbox.
 
-> **Note**  This list identifies system apps that ship as part of Windows that you can add to your AppLocker policy to ensure proper functioning of the operating system. If you decide to block some of these apps, we recommend a thorough testing before deploying to your production environment. Failure to do so may result in unexpected failures and can significantly degrade the user experience.
+> [!NOTE]
+> This list identifies system apps that ship as part of Windows that you can add to your AppLocker policy to ensure proper functioning of the operating system. If you decide to block some of these apps, we recommend a thorough testing before deploying to your production environment. Failure to do so may result in unexpected failures and can significantly degrade the user experience.
 
 
 

windows/client-management/mdm/policy-csp-update.md

@@ -1072,7 +1072,7 @@ The following list shows the supported values:
 -  4  {0x4}  - Windows Insider build - Slow (added in Windows 10, version 1709)
 -  8  {0x8}  - Release Windows Insider build (added in Windows 10, version 1709)
 -  16 {0x10} - (default) Semi-annual Channel (Targeted). Device gets all applicable feature updates from Semi-annual Channel (Targeted). 
--  32 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel. (*Only applicable to releases prior to 1903)
+-  32 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel. (*Only applicable to releases prior to 1903, for all releases 1903 and after the Semi-annual Channel and Semi-annual Channel (Targeted) into a single Semi-annual Channel with a value of 16)
 
 <!--/SupportedValues-->
 <!--/Policy-->

windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md

@@ -23,12 +23,12 @@ ms.date: 11/15/2017
 - Windows 10
 
 
->**Looking for consumer information?** [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630)
+> **Looking for consumer information?** [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630)
 
 In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, version 1703, you can use a provisioning package that you create with Windows Configuration Designer to deploy a customized Start and taskbar layout to users. No reimaging is required, and the Start and taskbar layout can be updated simply by overwriting the .xml file that contains the layout. The provisioning package can be applied to a running device. This enables you to customize Start and taskbar layouts for different departments or organizations, with minimal management overhead.
 
->[!IMPORTANT]
+> [!IMPORTANT]
->If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration and allow users to make changes that will persist, apply your configuration by using Group Policy.
+> If you use a provisioning package to configure the taskbar, your configuration will be reapplied each time the explorer.exe process restarts. If your configuration pins an app and the user unpins that app, the user's change will be overwritten the next time the configuration is applied. To apply a taskbar configuration and allow users to make changes that will persist, apply your configuration by using Group Policy.
 
 **Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions.
 
@@ -39,14 +39,15 @@ Three features enable Start and taskbar layout control:
 
 -   The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. 
 
-    >[!NOTE]
+    > [!NOTE]
-    >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/import-startlayout) cmdlet.
+    > To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/import-startlayout) cmdlet.
 
 -    [You can modify the Start .xml file](configure-windows-10-taskbar.md) to include  `<CustomTaskbarLayoutCollection>` or create an .xml file just for the taskbar configuration.
 
 -   In Windows Configuration Designer, you use the **Policies/Start/StartLayout** setting to provide the contents of the .xml file that defines the Start and taskbar layout.
 
-<span id="escape" />
+<span id="escape"/>
+
 ## Prepare the Start layout XML file
 
 The **Export-StartLayout** cmdlet produces an XML file. Because Windows Configuration Designer produces a customizations.xml file that contains the configuration settings, adding the Start layout section to the customizations.xml file directly would result in an XML file embedded in an XML file. Before you add the Start layout section to the customizations.xml file, you must replace the markup characters in your layout.xml with escape characters. 
@@ -61,8 +62,8 @@ The **Export-StartLayout** cmdlet produces an XML file. Because Windows Configur
 
 Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-packages/provisioning-install-icd.md)
 
->[!IMPORTANT]
+> [!IMPORTANT]
->When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
+> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
 
 1.  Open Windows Configuration Designer (by default, %systemdrive%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
 
@@ -76,8 +77,8 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
 
 6. Expand **Runtime settings** &gt; **Policies** &gt; **Start**, and click **StartLayout**.
 
-   >[!TIP]
+   > [!TIP]
-   >If **Start** is not listed, check the type of settings you selected in step 4. You must create the project using settings for **All Windows desktop editions**.
+   > If **Start** is not listed, check the type of settings you selected in step 4. You must create the project using settings for **All Windows desktop editions**.
 
 7. Enter **layout.xml**. This value creates a placeholder in the customizations.xml file that you will replace with the contents of the layout.xml file in a later step.
 

windows/deployment/planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md

@@ -1,93 +1,89 @@
----
+---
-title: Creating a Custom Compatibility Mode in Compatibility Administrator (Windows 10)
+title: Creating a Custom Compatibility Mode in Compatibility Administrator (Windows 10)
-description: Windows® provides several compatibility modes, groups of compatibility fixes found to resolve many common application-compatibility issues.
+description: Windows® provides several compatibility modes, groups of compatibility fixes found to resolve many common application-compatibility issues.
-ms.assetid: 661a1c0d-267f-4a79-8445-62a9a98d09b0
+ms.assetid: 661a1c0d-267f-4a79-8445-62a9a98d09b0
-ms.reviewer: 
+ms.reviewer: 
-manager: laurawi
+manager: laurawi
-ms.author: greglin
+ms.author: greglin
-ms.prod: w10
+ms.prod: w10
-ms.mktglfcycl: plan
+ms.mktglfcycl: plan
-ms.pagetype: appcompat
+ms.pagetype: appcompat
-ms.sitesec: library
+ms.sitesec: library
-audience: itpro
author: greg-lindsay
+audience: itpro
-ms.date: 04/19/2017
+author: greg-lindsay
-ms.topic: article
+ms.date: 04/19/2017
----
+ms.topic: article
-
+---
-# Creating a Custom Compatibility Mode in Compatibility Administrator
+
-
+# Creating a Custom Compatibility Mode in Compatibility Administrator
-
+
-**Applies to**
+
-
+**Applies to**
--   Windows 10
+
--   Windows 8.1
+-   Windows 10
--   Windows 8
+-   Windows 8.1
--   Windows 7
+-   Windows 8
--   Windows Server 2012
+-   Windows 7
--   Windows Server 2008 R2
+-   Windows Server 2012
-
+-   Windows Server 2008 R2
-Windows® provides several *compatibility modes*, groups of compatibility fixes found to resolve many common application-compatibility issues. While working with Compatibility Administrator, you might decide to group some of your individual compatibility fixes into a custom-compatibility mode, which you can then deploy and use on any of your compatibility databases.
+
-
+Windows® provides several *compatibility modes*, groups of compatibility fixes found to resolve many common application-compatibility issues. While working with Compatibility Administrator, you might decide to group some of your individual compatibility fixes into a custom-compatibility mode, which you can then deploy and use on any of your compatibility databases.
-## What Is a Compatibility Mode?
+
-
+## What Is a Compatibility Mode?
-
+
-A compatibility mode is a group of compatibility fixes. A compatibility fix, previously known as a shim, is a small piece of code that intercepts API calls from applications. The fix transforms the API calls so that the current version of the operating system supports the application in the same way as previous versions of the operating system. This can be anything from disabling a new feature in Windows to emulating a particular behavior of an older version of the Windows API.
+
-
+A compatibility mode is a group of compatibility fixes. A compatibility fix, previously known as a shim, is a small piece of code that intercepts API calls from applications. The fix transforms the API calls so that the current version of the operating system supports the application in the same way as previous versions of the operating system. This can be anything from disabling a new feature in Windows to emulating a particular behavior of an older version of the Windows API.
-## Searching for Existing Compatibility Modes
+
-
+## Searching for Existing Compatibility Modes
-
+
-The Compatibility Administrator tool has preloaded fixes for many common applications, including known compatibility fixes, compatibility modes, and AppHelp messages. Before you create a new compatibility mode, you can search for an existing application and then copy and paste the known fixes into your custom database.
+
-
+The Compatibility Administrator tool has preloaded fixes for many common applications, including known compatibility fixes, compatibility modes, and AppHelp messages. Before you create a new compatibility mode, you can search for an existing application and then copy and paste the known fixes into your custom database.
-**Important**  
+
-Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to create custom databases for 32-bit applications and the 64-bit version to create custom databases for 64-bit applications.
+**Important**  
-
+Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to create custom databases for 32-bit applications and the 64-bit version to create custom databases for 64-bit applications.
-
+
-
+
-**To search for an existing application**
+
-
+**To search for an existing application**
-1.  In the left-side pane of Compatibility Administrator, expand the **Applications** folder and search for your application name.
+
-
+1.  In the left-side pane of Compatibility Administrator, expand the **Applications** folder and search for your application name.
-2.  Click the application name to view the preloaded compatibility modes, compatibility fixes, or AppHelp messages.
+
-
+2.  Click the application name to view the preloaded compatibility modes, compatibility fixes, or AppHelp messages.
-## Creating a New Compatibility Mode
+
-
+## Creating a New Compatibility Mode
-
+
-If you are unable to find a preloaded compatibility mode for your application, you can create a new one for use by your custom database.
+
-
+If you are unable to find a preloaded compatibility mode for your application, you can create a new one for use by your custom database.
-**Important**  
+
-A compatibility mode includes a set of compatibility fixes and must be deployed as a group. Therefore, you should include only fixes that you intend to deploy together to the database.
+**Important**  
-
+A compatibility mode includes a set of compatibility fixes and must be deployed as a group. Therefore, you should include only fixes that you intend to deploy together to the database.
-
+
-
+
-**To create a new compatibility mode**
+
-
+**To create a new compatibility mode**
-1.  In the left-side pane of Compatibility Administrator, underneath the **Custom Databases** heading, right-click the name of the database to which you will apply the compatibility mode, click **Create New**, and then click **Compatibility Mode**.
+
-
+1.  In the left-side pane of Compatibility Administrator, underneath the **Custom Databases** heading, right-click the name of the database to which you will apply the compatibility mode, click **Create New**, and then click **Compatibility Mode**.
-2.  Type the name of your custom-compatibility mode into the **Name of the compatibility mode** text box.
+
-
+2.  Type the name of your custom-compatibility mode into the **Name of the compatibility mode** text box.
-3.  Select each of the available compatibility fixes to include in your custom-compatibility mode and then click **>**.
+
-
+3.  Select each of the available compatibility fixes to include in your custom-compatibility mode and then click **>**.
-    **Important**  
+
-    If you are unsure which compatibility fixes to add, you can click **Copy Mode**. The **Select Compatibility Mode** dialog box appears and enables you to select from the preloaded compatibility modes. After you select a compatibility mode and click **OK**, any compatibility fixes that are included in the preloaded compatibility mode will be automatically added to your custom-compatibility mode.
+    > [!IMPORTANT]  
-
+    > If you are unsure which compatibility fixes to add, you can click **Copy Mode**. The **Select Compatibility Mode** dialog box appears and enables you to select from the preloaded compatibility modes. After you select a compatibility mode and click **OK**, any compatibility fixes that are included in the preloaded compatibility mode will be automatically added to your custom-compatibility mode.
-
+    > If you have any compatibility fixes that require additional parameters, you can select the fix, and then click **Parameters**. The **Options for <Compatibility\_Fix\_Name>** dialog box appears, enabling you to update the parameter fields.
-
+
-~~~
+4. After you are done selecting the compatibility fixes to include, click **OK**.
-If you have any compatibility fixes that require additional parameters, you can select the fix, and then click **Parameters**. The **Options for <Compatibility\_Fix\_Name>** dialog box appears, enabling you to update the parameter fields.
+
-~~~
+   The compatibility mode is added to your custom database.
-
+
-4. After you are done selecting the compatibility fixes to include, click **OK**.
+## Related topics
-
+[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
-   The compatibility mode is added to your custom database.
+
-
+
-## Related topics
+
-[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md)
+
-
+
-
+
-
+
-
+
-
+
-
-
-
-

windows/deployment/update/waas-overview.md

@@ -90,7 +90,7 @@ With Windows 10, Microsoft will package new features into feature updates that c
 
 Monthly updates in previous Windows versions were often overwhelming because of the sheer number of updates available each month. Many organizations selectively chose which updates they wanted to install and which they didn’t, and this created countless scenarios in which organizations deployed essential security updates but picked only a subset of non-security fixes.
 
-In Windows 10, rather than receiving several updates each month and trying to figure out which the organization needs, which ultimately causes platform fragmentation, administrators will see one cumulative monthly update that supersedes the previous month’s update, containing both security and non-security fixes. This approach makes patching simpler and ensures that customers’ devices are more closely aligned with the testing done at Microsoft, reducing unexpected issues resulting from patching. The left side of Figure 1 provides an example of Windows 7 devices in an enterprise and what their current patch level might look like. On the right is what Microsoft’s test environment devicess contain. This drastic difference is the basis for many compatibility issues and system anomalies related to Windows updates.
+In Windows 10, rather than receiving several updates each month and trying to figure out which the organization needs, which ultimately causes platform fragmentation, administrators will see one cumulative monthly update that supersedes the previous month’s update, containing both security and non-security fixes. This approach makes patching simpler and ensures that customers’ devices are more closely aligned with the testing done at Microsoft, reducing unexpected issues resulting from patching. The left side of Figure 1 provides an example of Windows 7 devices in an enterprise and what their current patch level might look like. On the right is what Microsoft’s test environment devices contain. This drastic difference is the basis for many compatibility issues and system anomalies related to Windows updates.
 
 **Figure 1**
 

windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md

@@ -26,7 +26,7 @@ ms.topic: article
 Create custom detection rules from [Advanced hunting](overview-hunting.md) queries to automatically check for threat indicators and generate alerts whenever these indicators are found.
 
 >[!NOTE]
->To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
+>To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.  For the detection rule to work properly and create alerts, the query must return in each row a set of MachineId, ReportId, EventTime which match to an actual event in advanced hunting.
 
 1. In the navigation pane, select **Advanced hunting**.
 

windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md

@@ -42,7 +42,7 @@ There are specific network-connectivity requirements to ensure your endpoints ca
 2. Select **All services > Intune**.
 3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
 4. Select **Properties**, select **Settings: Configure**, and then select **Windows Defender Antivirus**.
-5. On the **Cloud-delivered protection** switch, select **Enable**.
+5. On the **Cloud-delivered protection** switch, select **Not configured**.
 6. In the **Prompt users before sample submission** dropdown, select **Send all data without prompting**. 
 7. In the **Submit samples consent** dropdown, select one of the following:
 

windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md

@@ -148,7 +148,7 @@ realTimeProtectionEnabled               : true
     mdatp --health orgId
     ```
 
-2. Install the configuration file on a client machine:
+2. Run the Python script to install the configuration file:
 
     ```bash
     /usr/bin/python WindowsDefenderATPOnboarding.py

windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md

@@ -55,7 +55,7 @@ The following table lists the services and their associated URLs that your netwo
 | ---------------------------------------- | ----------------------- |
 | Common URLs for all locations            |  x.cp.wd.microsoft.com <br/> cdn.x.cp.wd.microsoft.com <br/> eu-cdn.x.cp.wd.microsoft.com <br/> wu-cdn.x.cp.wd.microsoft.com <br/> *.blob.core.windows.net <br/> officecdn-microsoft-com.akamaized.net |
 | European Union                           | europe.x.cp.wd.microsoft.com |
-| United Kingdon                           | unitedkingdom.x.cp.wd.microsoft.com |
+| United Kingdom                           | unitedkingdom.x.cp.wd.microsoft.com |
 | United States                            | unitedstates.x.cp.wd.microsoft.com |
 
 Microsoft Defender ATP can discover a proxy server by using the following discovery methods:

windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md

@@ -267,7 +267,7 @@ This rule blocks processes through PsExec and WMI commands from running, to prev
 >[!WARNING]
 >Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands the SCCM client uses to function correctly.
 
-This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802
+This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019
 
 Intune name: Process creation from PSExec and WMI commands
 
@@ -297,7 +297,7 @@ This rule prevents Outlook from creating child processes. It protects against so
 >[!NOTE]
 >This rule applies to Outlook and Outlook.com only.
 
-This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019, SCCM CB 1810
+This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019
 
 Intune name: Process creation from Office communication products (beta)
 
@@ -309,11 +309,11 @@ GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869
 
 Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. This rule prevents attacks like this by blocking Adobe Reader from creating additional processes. 
 
-This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019, SCCM CB 1810
+This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019
 
 Intune name: Process creation from Adobe Reader (beta)
 
-SCCM name: Not applicable
+SCCM name: Not yet available
 
 GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
 
@@ -321,6 +321,8 @@ GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
 
 Fileless threats employ various tactics to stay hidden, to avoid being seen in the file system, and to gain periodic execution control. Some threats can abuse the WMI repository and event model to stay hidden. With this rule, admins can prevent threats that abuse WMI to persist and stay hidden in WMI repository. 
 
+This rule was introduced in: Windows 10 1903, Windows Server 1903
+
 Intune name: Block persistence through WMI event subscription
 
 SCCM name: Not yet available